RSA Threat Content mapping with MITRE ATT&CK™

Introduction to MITRE ATT&CK™ Navigator

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (Exploit) to Command & Control (Maintain). ATT&CK Enterprise deals with the classification of post-compromise adversarial tactics and techniques against Windows, Linux and MacOS. This community-enriched model adds techniques used to realize each tactic. These techniques are not exhaustive, and the community adds them as they are observed and verified.

All RSA Application Rules, ESA Rules and Lua Parsers have been mapped to one or more ATT&CK™ techniques. This mapped content can be viewed in JSON format and can be graphically represented to measure ATT&CK™ matrix coverage by RSA Threat Content.

See the following blog posts on RSA Link for more information:


Multiple blog posts on RSA Link contain samples of JSON.

Generate of MITRE ATT&CK™ Metadata for RSA NetWitness Content

The Investigation Feed generates the metadata for the MITRE ATT&CK™ framework for RSA Application Rules and RSA Lua Parser logic. The keys ATT&CK Tactic and ATT&CK Technique are populated on a match to an out-of-the-box rule.

You can view populated meta in the Investigate > Navigate view.


Analysts can query on a specific MITRE ATT&CK technique to investigate further.


You can also view an query on MITRE ATT&CK keys in Investigation.


Configure RSA NetWitness for Mitre ATT&CK™ Metadata

In RSA NetWitness 11.4 and above, all MITRE ATT&CK™ metadata is generated out-of-the-box and does not require any customization.

For RSA NetWitness Platform 11.3 and lower, follow these steps to generate the metadata:

  1. Add the custom keys, ATT&CK Tactic and ATT&CK Technique, to the table-map-custom.xml file on the Decoder.

    1. In the NetWitness menu, select ADMIN > Services.
    2. In the Services grid, select a Log Decoder.
    3. From the Actions menu, select View > Config, then select the Files tab in the Services Config view.
    4. Select table-map-custom.xml from the drop-down list, and in the <mappings> section of the file, add the following new mappings:

      <mapping envisionName="attack.tactic" nwName="attack.tactic" flags="None" format="Text"/>
      <mapping envisionName="attack.technique" nwName="attack.technique" flags="None" format="Text"/>


    5. Click Apply and push changes to other Log Decoders as desired.
  2. Add the custom keys, ATT&CK Tactic and ATT&CK Technique, to the Concentrator custom index file.

    1. In the NetWitness menu, select ADMIN > Services.
    2. In the Services grid, select the Concentrator and in the toolbar, select View > Config, then select the Files tab.

      The Device Config view is displayed with the Concentrator Files tab open.

    3. Select index-concentrator-custom.xml from the drop-down list, and add the new keys as shown below and then click Apply.

      <key description="ATT&amp;CK Tactic" name="attack.tactic" format="Text" level="IndexValues" valueMax="10000"/>

      <key description="ATT&amp;CK Technique" name="attack.technique" format="Text" level="IndexValues" valueMax="10000"/>


    4. Push changes to other Concentrators as desired.
    5. For changes to take effect immediately, restart all concentrators onto which changes were pushed.
  3. Get the latest Investigation Feed from Live and deploy to the desired log decoders or decoders.