MITRE ATT&CK framework
- Last Updated: May 1, 2026
General information about MITRE ATT&CK framework
MITRE ATT&CK is a globally accessible knowledge base of techniques that adversaries use to compromise a target network environment. The entire knowledge base is based on real-world observations. The framework describes the possible activities of an adversary from the initial stage of obtaining access to the network until the adversary's final malicious activities, which may cause damage to the victim's environment.
The MITRE ATT&CK framework uses two main terms that are referred to throughout the following paragraphs: tactics and techniques. A tactic represents one of the general stages of an attack and describes how far an adversary has progressed in compromising the target environment (for example, Initial Access represents the stage in which an adversary enters the network, Persistence represents obtaining persistence in the compromised environment, and so on). The individual tactics follow one another in the order in which an attacker usually performs the corresponding activities in the network. Under each tactic, several techniques are listed. These techniques specifically describe the activities that an adversary performs to move successfully to the subsequent stage of the attack. A technique may also be divided into one or more sub-techniques.
In the following text, the summary term MITRE ATT&CK categories is used to cover both MITRE ATT&CK techniques and tactics instead of naming the two terms separately.
More information about the MITRE ATT&CK framework can be found on its official pages.
MITRE ATT&CK framework in the Anomaly Detection System
In the Flowmon Anomaly Detection System, MITRE ATT&CK categories are assigned to detected events to help a user better understand what a particular event could indicate and to provide deeper information about the event in the context of the MITRE ATT&CK framework. For each event, the assigned MITRE ATT&CK techniques and tactics can be displayed in the Event detail of the particular event (more information can be found in the Event Detail chapter) or in the Simple list. In the Simple list, the columns with the MITRE ATT&CK techniques and tactics are hidden by default, so you must add them manually in the user interface (more information about the Simple list can be found in the Simple List chapter).
Assigning the MITRE ATT&CK categories to the events
When an event is detected in the Anomaly Detection System, a contextual analysis of the event is performed to determine the MITRE ATT&CK categories that correspond most closely to the newly detected event. Various aspects and characteristics of the event are taken into account during the analysis. As a result, events detected by the same method (for example, two different events detected by the HIGHTRANSF method) may have different MITRE ATT&CK categories assigned, because the contextual analyzer determined that the two events have different characteristics. The MITRE ATT&CK categories may also change when the event is updated (more about event updates can be found in the Stream Processing chapter).
Note also that one event may have more than one MITRE ATT&CK tactic assigned (in other words, one event may represent several different stages of the attacker's activities at the same time). This can happen because one event can have multiple targets, which may indicate an adversary moving through different attack stages. An event update may also add another tactic to the event when the adversary proceeds to the next stage of the attack and the event reflects this fact.
For some events, no MITRE ATT&CK categories may be assigned. This can happen in the following cases:
- The detected event represents too generic an anomaly, so assigning a MITRE ATT&CK category could be misleading.
- The detected event is considered to be a security incident (for example, a security policy violation), but MITRE ATT&CK has no corresponding technique for the event.
- The detected event was evaluated to be the result of a misconfiguration rather than a security incident.
- The contextual analysis does not consider the event to be a security incident.
The contextual analysis works with the Assigned filters when assigning the MITRE ATT&CK categories (more information about Assigned filters can be found in the Data Feeds and Assigned Filters chapter). For the best results, we recommend setting the assigned filters for all detection methods where possible. The effect of an assigned filter may differ for each detection method, so set the assigned filter according to the instructions in the user guide chapter that describes the respective method.