Detections

To guard your environment against malicious activities, LogicHub provides use cases to detect attacker techniques. A use case is a package that contains a playbook and the associated resources the playbook needs in order to work. The use cases are organized according to the MITRE framework for managing detection coverage and risk. MITRE is an organization that maintains a catalog of techniques attackers use to breach security.

You can deploy an available use case by importing it and then configuring the playbook it creates to work in your environment.

To view and manage detections and use cases, click Detections on the left navigation.

The panels at the top provide a summary view of the following information:

  • LogicHub Technique Coverage: Number of techniques for which LogicHub has at least one use case relative to the total number of available techniques.
  • Techniques Defended: Number of techniques for which your organization already has use cases relative to the total number of available techniques.
  • Use Cases Configured: Number of use cases that your organization has configured relative to the total number of use cases that LogicHub offers. This number is typically higher than the number of techniques defended because a technique can have multiple use cases.
  • MITRE Detections Configured: Number of MITRE use cases that your organization has configured relative to the total number of MITRE use cases that LogicHub offers. As with Use Cases Configured, this number is typically higher than the number of techniques defended because a technique can have multiple use cases.

Note: Click Check for updates after you make changes to view the updated results. A success message appears once the check completes.

The main body of the page below the summary area contains a table of coverage or use cases. MITRE Coverage is the default view. To change to a different view, select one of the following options from the drop-down list above and to the right of the table.

  • MITRE Coverage (default): Lists all detection techniques in matrix form. The table is organized by MITRE categories, such as Initial Access and Execution. Each color-coded cell represents an individual technique.
  • MITRE Detections: Lists all of the use cases that are in the MITRE category.
  • All Use Cases: Lists all of the use cases that are available, including MITRE-related use cases and ones that your organization has imported.

The color codes for the MITRE Coverage cells are listed above the table:

  • Available (green): The use case is available for import.
  • Imported (teal): You have already imported the use case.
  • Request (white): LogicHub doesn’t yet have a use case for this technique. To request the technique, click the cell and then click Request.
  • Requested (light blue): We have received a request for a technique from you and are processing your request. When the use case is available, the status will become Available and you can import the use case.

Search and filtering controls are available for the table. Enter a search string or select options from the filter drop-downs, and the display updates with the matching results.

Import Use Cases

To import a use case into your environment, click the cell for that technique. The side panel opens to show details about the technique and the available use cases along with suggested situations where the use case can be helpful.

To import a use case, click Import. The list of dependencies and conflicts for the use case is presented, along with options to resolve conflicts and rename items. For more information, see Export and import playbooks.

When the import is complete, the text ‘Imported’ appears in place of the button on the Detections page. If an update to the use case is available, an Update button is displayed.

After import, the use case is available on the Playbooks page. You can open and edit the playbook as you would any other playbook that you created or that has been shared with you.
