Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 25.4.a
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    25.4.a
    26.1.a
    26.1.0
    25.4.a
    25.4.0

    MITRE ATT&CK

    MITRE ATT&CK

    The MITRE ATT&CK Matrix dashboard displays detection coverage based on detectors developed by FortiGuard Labs.

    MITRE ATT&CK is a globally recognized knowledge base of threat behaviors and techniques used by security professionals to understand and respond to threats. FortiGuard Lab detectors can be mapped to MITRE ATT&CK to provide visibility into the threat coverage offered by FortiNDR Cloud.

    The dashboard presents detections by behavior type (behavioral and non-behavioral) and by technique type (primary and secondary):

    • Primary Technique: The main technique used to detect the behavior.
    • Secondary Technique: A related technique that may not be directly observed on the network but is associated with the threat. This is not displayed in most cases.

      To view the secondary technique, click the plus (+) symbol in the bottom-right corner of a Primary Technique box.

    Detection indicators

    • A blue shield icon indicates active detections for a technique or sub-technique, and that you have permission to view them on the Detections page.
    • An empty shield icon indicates that detections are resolved, but still viewable.
    • Techniques shown as plain text either have no detections or you lack permission to view them.

    MITRE Attack Matrix

    Viewing the MITRE ATT&CK Matrix

    To view the MITRE ATT&CK Matrix:
    1. Click the Dashboard tab. Do one of the following:
      • At the top left-side of the page, click Default Dashboard > MITRE ATT&CK Dashboard.
      • In the MITRE ATT&CK widget, click Go to MITRE Coverage Dashboard.
    2. Click the Attack Behaviors drop-down at the top-right of the dashboard to filter the dashboard by behaviors:

      • All
      • Ransomware
      • Insider Threat
      • Cyber Espionage
    3. Click a technique in the table. A summary of the technique is displayed.

      Column

      Description

      TacticThe tactic of the behavior.
      CoverageThe coverage status of the technique and the sub-techniques.
      NameThe behavior name.
      ID

      ID number of the technique and the sub-techniques.

      For techniques and sub-techniques with active detections (indicated by a blue shield icon), the ID number is a hyperlink that directs you to the Detections page.

    To download the coverage details:
    • Click the Download Coverage Details button to download the coverage details as a CSV file which contains the Date Updated, Name, Primary Attack ID, Secondary Attack ID and Description.
    Previous
    Next

    MITRE ATT&CK

    MITRE ATT&CK

    The MITRE ATT&CK Matrix dashboard displays detection coverage based on detectors developed by FortiGuard Labs.

    MITRE ATT&CK is a globally recognized knowledge base of threat behaviors and techniques used by security professionals to understand and respond to threats. FortiGuard Lab detectors can be mapped to MITRE ATT&CK to provide visibility into the threat coverage offered by FortiNDR Cloud.

    The dashboard presents detections by behavior type (behavioral and non-behavioral) and by technique type (primary and secondary):

    • Primary Technique: The main technique used to detect the behavior.
    • Secondary Technique: A related technique that may not be directly observed on the network but is associated with the threat. This is not displayed in most cases.

      To view the secondary technique, click the plus (+) symbol in the bottom-right corner of a Primary Technique box.

    Detection indicators

    • A blue shield icon indicates active detections for a technique or sub-technique, and that you have permission to view them on the Detections page.
    • An empty shield icon indicates that detections are resolved, but still viewable.
    • Techniques shown as plain text either have no detections or you lack permission to view them.

    MITRE Attack Matrix

    Viewing the MITRE ATT&CK Matrix

    To view the MITRE ATT&CK Matrix:
    1. Click the Dashboard tab. Do one of the following:
      • At the top left-side of the page, click Default Dashboard > MITRE ATT&CK Dashboard.
      • In the MITRE ATT&CK widget, click Go to MITRE Coverage Dashboard.
    2. Click the Attack Behaviors drop-down at the top-right of the dashboard to filter the dashboard by behaviors:

      • All
      • Ransomware
      • Insider Threat
      • Cyber Espionage
    3. Click a technique in the table. A summary of the technique is displayed.

      Column

      Description

      TacticThe tactic of the behavior.
      CoverageThe coverage status of the technique and the sub-techniques.
      NameThe behavior name.
      ID

      ID number of the technique and the sub-techniques.

      For techniques and sub-techniques with active detections (indicated by a blue shield icon), the ID number is a hyperlink that directs you to the Detections page.

    To download the coverage details:
    • Click the Download Coverage Details button to download the coverage details as a CSV file which contains the Date Updated, Name, Primary Attack ID, Secondary Attack ID and Description.
    Previous
    Next