generated from fortinet-fortisoar/connector-template-repository
Merge pull request #25 from cs-abhishek-shukla/release/1.0.1
1.0.1 Doc Changes
Showing 8 changed files with 122 additions and 46 deletions.
@@ -1,25 +1,24 @@ | ||
## Release Information | ||
|
||
- **Version**: 1.0.1 <sup>Preview</sup> | ||
- **Version**: 1.0.1 | ||
|
||
- **Certified**: No | ||
- **Certified**: Yes | ||
|
||
- **Publisher**: Fortinet | ||
|
||
- **Compatibility**: 7.2.2 and later | ||
|
||
- **Applicable**: Dashboards, View Panel | ||
|
||
**Note**: Preview releases are a beta release. This means that release is intended to get feedback and might not be best suited for production level deployments. The functionality might change in backward-incompatible ways or have limited support. A beta release is not subject to any SLA, Quality Assurance or deprecation policy. Feature availability and support for preview releases will continue to improve as the solution/feature matures. | ||
|
||
- [Release Notes](./widget/release_notes.md) | ||
|
||
## Overview | ||
|
||
The MITRE ATT&CK Alert/Incident Spread Widget provides a consolidated look into Alert and Incident threats under MITRE ATT&CK records. You can seamlessly view and Alert or Incident record related to MITRE ATT&CK Techniques and Subtechniques with a table view and access all of the mentioned records in detail directly from the widget. Requires MITRE ATT&CK Enrichment Framework installed and MITRE ATT&CK records ingested into FortiSOAR via MITRE ATT&CK Connector. | ||
Explore threats seamlessly with the MITRE ATT&CK Alert/Incident Spread widget. This powerful tool provides a consolidated table view of alerts and incidents related to MITRE ATT&CK techniques. Access detailed records directly from the widget, offering a swift response to potential threats. Ensure MITRE ATT&CK Enrichment Framework and records via MITRE ATT&CK Connector for optimal functionality. Enhance threat visibility effortlessly. | ||
|
||
The MITRE ATT&CK Alert/Incident Spread widget consolidates alert and incident threats to provide specific details about MITRE ATT&CK techniques and sub-techniques. The table view facilitates easy access to MITRE ATT&CK records, and helps users navigate to detailed information directly. | ||
|
||
## Next Steps | ||
|
||
| [Installation](./docs/setup.md#installation) | [Configuration](./docs/setup.md#configuration) | [Usage](./docs/usage.md) | | ||
|----------------------------------------------|------------------------------------------------|--------------------------| | ||
|
||
|----------------------------------------------|------------------------------------------------|--------------------------| |
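Review bot: the rewritten Overview turns a hard dependency into soft advice and is grammatically incomplete. "Ensure MITRE ATT&CK Enrichment Framework and records via MITRE ATT&CK Connector for optimal functionality" has no object for "ensure" and replaces the removed, precise "Requires MITRE ATT&CK Enrichment Framework installed and MITRE ATT&CK records ingested into FortiSOAR via MITRE ATT&CK Connector." Keep an explicit requirement sentence, e.g. "Requires the MITRE ATT&CK Enrichment Framework to be installed and MITRE ATT&CK records ingested into FortiSOAR via the MITRE ATT&CK Connector." The marketing phrasing ("Explore threats seamlessly", "Enhance threat visibility effortlessly") adds nothing a user can act on and can be cut. The hunk also ends with a second table separator row after the Next Steps table; if that row is in the file it renders as an empty table row and should be dropped.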
File renamed without changes
File renamed without changes
File renamed without changes
File renamed without changes
@@ -1,35 +1,98 @@ | ||
| [Home](../README.md) | | ||
|--------------------------------------------| | ||
|----------------------| | ||
|
||
# Usage | ||
|
||
## Technical Overview of MITRE ATT&CK Alerts and Incident Spread in FortiSOAR | ||
|
||
**MITRE ATT&CK Alert Incident Spread Widget Edit View**: | ||
FortiSOAR™'s **MITRE ATT&CK Alerts and Incident Spread** widget offers a comprehensive view of security threats using the MITRE ATT&CK framework. Here's a breakdown of its key features: | ||
|
||
<img src="https://raw.githubusercontent.com/fortinet-fortisoar/widget-mitre-attack-spread/develop/docs/media/edit_view.png" alt="Editing the MITRE ATT&CK Alert Incident Spread Widget" style="border: 1px solid #A9A9A9; border-radius: 4px; padding: 10px; display: block; margin-left: auto; margin-right: auto;"> | ||
**1. Tactics Overview:** | ||
|
||
**MITRE ATT&CK Alert Incident Spread Widget - Dashboard View**: | ||
- The top row displays **MITRE ATT&CK Tactics** present in your FortiSOAR environment. | ||
- Visible tactics depend on: | ||
- **Ingested MITRE ATT&CK Matrices:** Which attack frameworks are used? | ||
- **Widget filters:** Are *Hide Empty Tactics* and *Hide Tactics If All Related Techniques Are Hidden* enabled? | ||
|
||
<img src="https://raw.githubusercontent.com/fortinet-fortisoar/widget-mitre-attack-spread/develop/docs/media/dashboard_view.png" alt="Viewing the MITRE ATT&CK Alert Incident Spread Widget on the Dashboard page" style="border: 1px solid #A9A9A9; border-radius: 4px; padding: 10px; display: block; margin-left: auto; margin-right: auto;"> | ||
**2. Techniques and Subtechniques:** | ||
|
||
**MITRE ATT&CK Alert Incident Spread Widget - Dashboard View with Alert and Incident Coverage**: | ||
- **Technique rows:** | ||
- Display technique names and links. | ||
- Show if techniques have **linked Subtechniques, Alerts, or Incidents**. | ||
- Clicking links expands the cell for details. | ||
- **Subtechnique rows:** | ||
- Similar to Techniques, but can have their own linked Alerts and Incidents. | ||
- Clicking links expands the cell further for Alert and Incident details. | ||
|
||
<img src="https://raw.githubusercontent.com/fortinet-fortisoar/widget-mitre-attack-spread/develop/docs/media/dashboard_view_heatmap.png" alt="Viewing the MITRE ATT&CK Alert Incident Spread Widget on the Dashboard page with Alert and Incident Coverage" style="border: 1px solid #A9A9A9; border-radius: 4px; padding: 10px; display: block; margin-left: auto; margin-right: auto;"> | ||
**3. Alerts and Incidents:** | ||
|
||
**MITRE ATT&CK Alert Incident Spread Widget - Detail View**: | ||
- **Alert and Incident names** are displayed with **severity information**. | ||
- **Heatmap filter** (if enabled) highlights all Alerts and Incidents for immediate attention. | ||
- Clicking on these links opens the respective Alert or Incident details in FortiSOAR. | ||
|
||
<img src="https://raw.githubusercontent.com/fortinet-fortisoar/widget-mitre-attack-spread/develop/docs/media/detail_view.png" alt="Viewing the MITRE ATT&CK Alert Incident Spread Widget on the Incident detail page" style="border: 1px solid #A9A9A9; border-radius: 4px; padding: 10px; display: block; margin-left: auto; margin-right: auto;"> | ||
**Overall, this widget provides a valuable insight into:** | ||
|
||
Prerequisites to using the MITRE ATT&CK Alert Incident Spread Widget: | ||
- **Potential attack vectors:** Which MITRE ATT&CK Tactics are present in your environment? | ||
- **Specific techniques and subtechniques used:** Get details about individual attack steps. | ||
- **Alerts and incidents triggered:** Identify potential threats and their severity. | ||
- **Heatmap visualization:** Quickly prioritize critical issues. | ||
|
||
- Make sure MITRE ATT&CK Enrichment Framework is installed via Content Hub. This will install all necessary MITRE ATT&CK modules and the MITRE ATT&CK Connector responsible for ingesting MITRE ATT&CK records into your FortiSOAR environment. | ||
- Make sure MITRE ATT&CK Connector's ingestion is configured and is executed at least once to ingest MITRE ATT&CK records to be displayed on the widget. | ||
- All MITRE ATT&CK module read permissions are required for the widget to be visible and operable. | ||
This information equips security analysts with a **structured and actionable view** of threats, enabling them to **efficiently prioritize and respond** to security incidents. | ||
|
||
The following details are displayed by the MITRE ATT&CK Alert Incident Spread Widget's Dashboard View: | ||
## Mitre ATT&CK Alert/Incident Spread | ||
|
||
- The first row consists of MITRE ATT&CK Tactics found in the FortiSOAR environment. The number of Tactics visible in the widget can look different based on which MITRE ATT&CK Matrices you decided to perform ingestion with as well as the filters enabled on the widget. In our screenshot example we have both "Hide Empty Tactics" and "Hide Tactics If All Related Techniques Are Hidden" filters enabled, which causes some Tactics to be hidden. This can be overridden at will by clicking the "Show Hidden Tactics" button found above the widget table to display all Tactics available in your FortiSOAR environment regardless of the filter settings on the widget. | ||
- The following rows display MITRE ATT&CK Technique information and shows if these Techniques have any linked Subtechniques, Alerts, or Incidents. If there's a link available, clicking on them will expand the cell and reveal information about the linked record(s). | ||
- MITRE ATT&CK Subtechniques are handled the same way where they can also have unique Alerts and/or Incidents linked independent from the parent Technique. Clicking on any available links will expand the cell even further and display information about the Alert(s) and Incident(s). | ||
- Alerts and Incidents will have their severity information displayed along with their names to make it easier for the user to gauge whether there's a critical case to respond. In the screenshot you can also observe that the heatmap filter is turned on that will highlight all of the Alerts and Incidents available on the widget to draw immediate attention. | ||
1. Edit a *Dashboard*'s view template and select the **Add Widget** button. | ||
|
||
2. Select **MITRE ATT&CK Alert Incident Spread** from the list to bring up the **MITRE ATT&CK Alert Incident Spread** widget's edit view. | ||
|
||
3. Specify the title of the spread in the **Title** field. | ||
|
||
![Edit View, highlighted title field](./res/edit_view_title.png) | ||
|
||
4. Select to toggle **Show Alert and Incident Coverage** to highlight and expand Techniques and Subtechniques. Only the techniques and subtechniques linked to alerts and incidents are displayed. | ||
|
||
![Edit View, highlighted Alert and Incident Coverage toggle](./res/edit_view_alert_incident_coverage.png) | ||
|
||
5. Select to toggle **Expand All Techniques** to highlight and expand all Techniques. This toggle is available only when *Show Alert and Incident Coverage* is off. | ||
|
||
![Edit view, enabled expand all techniques button](./res/edit_view_expand_all_techniques.png) | ||
|
||
6. Select to toggle **Hide Empty Tactics** to hide tactics without any Technique relationships. | ||
|
||
![Edit view, highlighted Hide Empty Tactics button](./res/edit_view_hide_empty_tactics.png) | ||
|
||
7. Select to toggle **Hide Empty Techniques** to hide Techniques without any Subtechnique, Alert, or Incident relationships. | ||
|
||
![Edit view, highlighted Hide Empty Techniques button](./res/edit_view_hide_empty_techniques.png) | ||
|
||
8. Select to toggle **Filter Based on Groups** and select threat actor groups to filter the Mitre ATT&CK spread. | ||
|
||
![Edit view, highlighted threat actor groups](./res/edit_view_filter_by_groups.png) | ||
|
||
9. Define the filter criteria using which to hide alerts from being rendered by this widget. | ||
|
||
![Edit view, highlighted filter conditions to hide alerts](./res/edit_view_filter_to_hide_alerts.png) | ||
|
||
10. Define the filter criteria using which to hide incidents from being rendered by this widget. | ||
|
||
![Edit view, highlighted filter conditions to hide alerts](./res/edit_view_filter_to_hide_indicators.png) | ||
|
||
11. Click **Save** to save the changes and exit widget's edit view. | ||
|
||
### MITRE ATT&CK Alert Incident Spread Widget Edit View | ||
|
||
![Editing the MITRE ATT&CK Alert Incident Spread Widget](./res/edit_view.png)" | ||
|
||
### MITRE ATT&CK Alert Incident Spread Widget - Dashboard View | ||
|
||
![Viewing the MITRE ATT&CK Alert Incident Spread Widget on the Dashboard page](./res/dashboard_view.png) | ||
|
||
### MITRE ATT&CK Alert Incident Spread Widget - Dashboard View with Alert and Incident Coverage | ||
|
||
![Viewing the MITRE ATT&CK Alert Incident Spread Widget on the Dashboard page with Alert and Incident Coverage](./res/dashboard_view_heatmap.png) | ||
|
||
|
||
## Next Steps | ||
|
||
| [Installation](./setup.md#installation) | [Configuration](./setup.md#configuration) | | ||
|-----------------------------------------|-------------------------------------------| |
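Review bot: the rewrite drops the Prerequisites list, including the requirement that the user hold read permissions on all MITRE ATT&CK modules for the widget to be visible and operable, and the notes that the Enrichment Framework installs the MITRE ATT&CK Connector and that its ingestion must run at least once; nothing in the new text carries those over, and the permissions line is the first thing an analyst staring at a blank widget needs. Keep the three bullets under their own heading before the numbered steps, or move them to setup.md in this same PR. Smaller points in the same hunk: the "Edit View" image line ends with a stray `"` after `./res/edit_view.png)`; step 10's alt text says "filter conditions to hide alerts" while the file is `edit_view_filter_to_hide_indicators.png` and the step is about incidents, so either the alt text or the file name is wrong; the numbered steps reference eight new `./res/edit_view_*.png` screenshots but this commit lists only four renames, so confirm those files are actually in the PR; the Detail View section and its `detail_view.png` reference are gone, so that renamed file may now be unreferenced; and the "Show Hidden Tactics" override button described in the removed text is no longer mentioned, although the two hide-tactics filters it overrides still are.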
@@ -1,5 +1,7 @@ | ||
## What's New | ||
- null severity condition has been handled in UI. | ||
- custom date variable calculation done and then added in payload. | ||
- technique counts updated as per the selected filter criteria. | ||
|
||
- Following issues have been fixed: | ||
|
||
- Fixed an issue where alerts and incidents did not render on the MITRE ATT&CK Matrices dashboard if their *Severity* field was blank. | ||
- Fixed an issue where selecting a custom time duration for the filter condition *Created On or After* did not reflect on the MITRE ATT&CK Matrices dashboard. | ||
- Fixed an issue where the *Technique* count did not reflect the count of techniques under the *Tactics* column. |
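Review bot: the third bullet is circular ("the *Technique* count did not reflect the count of techniques under the *Tactics* column") and loses what the replaced developer note actually said, namely that technique counts now follow the selected filter criteria; suggest "Fixed an issue where the *Technique* count shown under each *Tactic* did not reflect the selected filter criteria." The three bullets also call the widget the "MITRE ATT&CK Matrices dashboard" while README.md and usage.md in this same PR call it the MITRE ATT&CK Alert/Incident Spread widget; use one name. A version heading (1.0.1) above "What's New" would let the file grow past a single release.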