Mitre COA - MITRE Layout
MITRE ATT&CK - Courses of Action Incident
Details
| ID | Mitre COA - MITRE Layout |
|---|---|
| Group | incident |
| Version | -1 |
| From Version | 6.5.0 |
Layout Structure
Legacy Summary 0 sections
No sections defined.
Incident Info 14 sections
Case Details
| Field ID | Position |
|---|---|
| type | Col 0-2, Height: 22 |
| severity | Col 0-2, Height: 22 |
| owner | Col 0-2, Height: 22 |
| dbotsource | Col 0-2, Height: 22 |
| sourcebrand | Col 0-2, Height: 22 |
| sourceinstance | Col 0-2, Height: 22 |
| playbookid | Col 0-2, Height: 22 |
Notes
Linked Incidents
Child Incidents
Evidence
Team Members
Indicators
Timeline Information
| Field ID | Position |
|---|---|
| occurred | Col 0-1, Height: 53 |
| dbotduedate | Col 0-2, Height: 53 |
| dbotcreated | Col 0-2, Height: 53 |
| dbotmodified | Col 0-2, Height: 53 |
| dbotclosed | Col 1-2, Height: 53 |
Closing Information
| Field ID | Position |
|---|---|
| dbotclosed | Col 0-2, Height: 22 |
| closereason | Col 0-2, Height: 22 |
| closenotes | Col 0-2, Height: 22 |
Techniques to Handle
Handled Techniques
Work Plan
Handled Techniques
This section dynamically displays the handled techniques in a MITRE ATT&CK - Courses of Action investigation.
| Field ID | Position |
|---|---|
| remediatedtechniques | Col 0-2, Height: 22 |
Techniques to Handle
This section dynamically displays the list of MITRE ATT&CK techniques that were not yet handled using the Courses of Action playbook.
| Field ID | Position |
|---|---|
| techniquestohandle | Col 0-2, Height: 22 |
Executed Remediation Summary 13 sections
1. Initial Access Remediation
Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.
| Field ID | Position |
|---|---|
| initialaccessremediationproducts | Col 0-2, Height: 22 |
2. Execution Remediation
Execution consists of techniques that result in adversary-controlled code running on a local or remote system.
| Field ID | Position |
|---|---|
| executionremediationproducts | Col 0-2, Height: 22 |
6. Credential Access Remediation
Credential Access consists of techniques for stealing credentials like account names and passwords.
| Field ID | Position |
|---|---|
| credentialaccessremediationproducts | Col 0-2, Height: 22 |
5. Defense Evasion Remediation
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.
| Field ID | Position |
|---|---|
| defenseevasionremediationproducts | Col 0-2, Height: 22 |
9. Collection Remediation
Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives.
| Field ID | Position |
|---|---|
| collectionremediationproducts | Col 0-2, Height: 22 |
3. Persistence Remediation
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
| Field ID | Position |
|---|---|
| persistenceremediationproducts | Col 0-2, Height: 22 |
8. Lateral Movement Remediation
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.
| Field ID | Position |
|---|---|
| lateralmovementremediationproducts | Col 0-2, Height: 106 |
7. Discovery Remediation
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.
| Field ID | Position |
|---|---|
| discoveryremediationproducts | Col 0-2, Height: 106 |
4. Privilege Escalation Remediation
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.
| Field ID | Position |
|---|---|
| privilegeescalationremediationproducts | Col 0-2, Height: 22 |
12. Impact Remediation
Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.
| Field ID | Position |
|---|---|
| impactremediationproducts | Col 0-2, Height: 22 |
11. Exfiltration Remediation
Exfiltration consists of techniques that adversaries may use to steal data from your network.
| Field ID | Position |
|---|---|
| exfiltrationremediationproducts | Col 0-2, Height: 22 |
10. Command and Control Remediation
Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network.
| Field ID | Position |
|---|---|
| commandandcontrolremediationproducts | Col 0-2, Height: 22 |
Tab Description
| Field ID | Position |
|---|---|
| executedremediationsummarydescription | Col 0-6, Height: 44 |
Best Practices 19 sections
Anti-Spyware Best Practices
You can attach an Anti-Spyware profile to a Security policy rule to detect connections initiated by spyware and command-and-control (C2) malware installed on systems on your network.
| Field ID | Position |
|---|---|
| antispywareprofilename | Col 0-2, Height: 53 |
| antispywareprofilestatus | Col 0-2, Height: 53 |
| antispywarerules | Col 0-2, Height: 53 |
Anti-Spyware Best Practices
Anti-Spyware related passed BPA checks results.
| Field ID | Position |
|---|---|
| bpapassedchecksantispyware | Col 0-4, Height: 106 |
Tab Description
| Field ID | Position |
|---|---|
| bestpracticesdescription | Col 0-6, Height: 44 |
WildFire Best Practices
Use a WildFire Analysis profile to specify for WildFire file analysis to be performed locally on the WildFire appliance or in the WildFire cloud. You can specify traffic to be forwarded to the public cloud or private cloud based on file type, application, or the transmission direction of the file (upload or download).
| Field ID | Position |
|---|---|
| wildfireprofilename | Col 0-2, Height: 22 |
| wildfireprofilestatus | Col 0-2, Height: 22 |
| wildfirerules | Col 0-2, Height: 22 |
WildFire Best Practices
WildFire related passed BPA checks results.
| Field ID | Position |
|---|---|
| bpapassedcheckswildfire | Col 0-4, Height: 106 |
Anti-Virus Best Practices
Use the Antivirus Profiles page to configure options to have the firewall scan for viruses on the defined traffic. Set the applications that should be inspected for viruses and the action to take when a virus is detected.
| Field ID | Position |
|---|---|
| antivirusprofilename | Col 0-2, Height: 53 |
| antivirusprofilestatus | Col 0-2, Height: 53 |
| antivirusrules | Col 0-2, Height: 53 |
Anti-Virus Best Practices
Anti-Virus related passed BPA checks results.
| Field ID | Position |
|---|---|
| bpapassedchecksantivirus | Col 0-4, Height: 106 |
File Blocking Best Practices
You can attach a File Blocking profile to a Security policy rule to block users from uploading or downloading specified file types or to generate an alert when a user attempts to upload or download specified file types.
| Field ID | Position |
|---|---|
| fileblockingprofilename | Col 0-2, Height: 53 |
| fileblockingprofilestatus | Col 0-2, Height: 53 |
| fileblockingrules | Col 0-2, Height: 53 |
File Blocking Best Practices
File Blocking related passed BPA checks results.
| Field ID | Position |
|---|---|
| bpapassedchecksfileblocking | Col 0-4, Height: 106 |
URL Filtering Best Practices
You can use URL filtering profiles to control access to web content.
| Field ID | Position |
|---|---|
| urlfilteringprofilename | Col 0-2, Height: 53 |
| urlfilteringprofilestatus | Col 0-2, Height: 53 |
| urlfilteringrules | Col 0-2, Height: 53 |
URL Filtering Best Practices
URL Filtering related passed BPA checks results.
| Field ID | Position |
|---|---|
| bpapassedchecksurlfiltering | Col 0-4, Height: 106 |
Vulnerability Protection Best Practices
A Security policy rule can include specification of a Vulnerability Protection profile that determines the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities.
| Field ID | Position |
|---|---|
| vulnerabilityprotectionprofilename | Col 0-2, Height: 53 |
| vulnerabilityprotectionprofilestatus | Col 0-2, Height: 53 |
| vulnerabilityprotectionrules | Col 0-2, Height: 22 |
Vulnerability Protection Best Practices
Vulnerability Protection related passed BPA checks results.
| Field ID | Position |
|---|---|
| bpapassedchecksvulnerabilityprotection | Col 0-4, Height: 106 |
New Section
Anti-Spyware related failed BPA checks results.
| Field ID | Position |
|---|---|
| bpafailedchecksantispyware | Col 0-4, Height: 106 |
New Section
Anti-Virus related failed BPA checks results.
| Field ID | Position |
|---|---|
| bpafailedchecksantivirus | Col 0-4, Height: 106 |
New Section
File Blocking related failed BPA checks results.
| Field ID | Position |
|---|---|
| bpafailedchecksfileblocking | Col 0-4, Height: 106 |
New Section
URL Filtering related failed BPA checks results.
| Field ID | Position |
|---|---|
| bpafailedchecksurlfiltering | Col 0-4, Height: 106 |
New Section
Vulnerability Protection related failed BPA checks results.
| Field ID | Position |
|---|---|
| bpafailedchecksvulnerabilityprotection | Col 0-4, Height: 106 |
New Section
WildFire related failed BPA checks results.
| Field ID | Position |
|---|---|
| bpafailedcheckswildfire | Col 0-4, Height: 106 |
War Room 0 sections
No sections defined.
Work Plan 0 sections
No sections defined.
Evidence Board 0 sections
No sections defined.
Related Incidents 0 sections
No sections defined.
Canvas 0 sections
No sections defined.