
Map threats to MITRE ATT&CK

Pro plan

Goal: Map the relevant MITRE ATT&CK techniques to a threat in the threat register and save the mapping.

In the threat register you map MITRE ATT&CK techniques to a threat by opening Security Operations, switching to the Threat Register tab, creating or editing a threat, and marking the relevant techniques in the ATT&CK Mapping section. The selector is grouped by ATT&CK tactics and can be narrowed by ID or name. Once you save, the techniques appear in the register and in the ATT&CK coverage views.

Open the threat

Open Security Operations

In the ISMS Assistant open the Security Operations area and switch to the Threat Register tab. The page lists every logged threat with its category, relevance and an ATT&CK column.

The threat register with the “ATT&CK” column per threat.

Create or edit a threat

Click Add entry at the top right to log a new threat, or open an existing one with the pencil icon. The Log threat or Edit threat form opens.

Check the required fields

In the Threat section, Title is the only required field. Entries such as Elementary threat (category), Relevance to our organization and the linked vulnerabilities are not needed for the ATT&CK mapping. You can scroll straight to the ATT&CK Mapping section.

Map the techniques

Go to the ATT&CK Mapping section

Scroll to the ATT&CK Mapping section. Below it sits the hint “Map relevant ATT&CK techniques to this threat scenario.” and the selector grouped by tactic.

The ATT&CK selector, grouped by tactic, with a search box and technique selection.

Expand a tactic or search

Expand a tactic (e.g. Initial Access or Impact) to see its techniques. For techniques with sub-items, reveal the sub-techniques with the arrow. Alternatively, type a technique ID such as T1566 or a name in the search box, and the selector jumps to the matches.

Tick the techniques

Tick every technique that fits the threat. The selected techniques appear at the top as coloured tags showing their ID and name. Remove a technique with the X on its tag or by clicking it again in the list.

Save the mapping

Click Save at the bottom of the form. Cenedril stores the threat with its mapped techniques and closes the form.

Result: the threat sits in the threat register, the ATT&CK column shows the number of mapped techniques, and the mapping feeds the ATT&CK coverage views that set threats, incidents and controls side by side.

Frequently asked questions

What does mapping a threat to ATT&CK mean?

You assign a threat the attack techniques from the MITRE ATT&CK framework that adversaries use to carry it out. A general threat then becomes a concrete behaviour pattern that you can later compare against incidents and controls.

How do I find the right technique?

The selector is grouped by ATT&CK tactics (e.g. Initial Access, Execution, Impact). Expand a tactic to see its techniques, or use the search box and type a technique ID (e.g. T1566) or a name.

Can I map several techniques to one threat?

Yes. Select as many techniques as you like. Each selected technique appears at the top as a coloured tag in its tactic's colour. Remove a technique with the X on its tag or by clicking it again in the list.

Do I have to pick a threat category first?

Not for the ATT&CK mapping. The elementary threat only drives the suggested list of linkable vulnerabilities higher up in the form. You choose the ATT&CK techniques independently of it.

Where does the mapping show up later?

The mapped techniques appear in the ATT&CK column of the threat register and feed the ATT&CK coverage views, which set threats, incidents and implemented controls side by side.
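
The side-by-side comparison of threats, incidents and controls per technique can be sketched in a few lines. This is an added example, not Cenedril's code or data model: the function names, the record layout, the constructed sample records and the rule that a tag on a parent technique also counts for its sub-techniques are all assumptions.

```python
import re
from collections import defaultdict

# ATT&CK technique IDs: "T" + four digits, optional ".NNN" sub-technique suffix.
TECHNIQUE_ID = re.compile(r"T\d{4}(?:\.\d{3})?")

# Constructed sample records (hypothetical, not exported from any product).
THREATS = {"Phishing campaign": ["T1566", "T1566.001", "T1204"],
           "Ransomware": ["T1486", "T1566.001"]}
INCIDENTS = {"INC-001": ["T1566.001"]}
CONTROLS = {"Mail filtering": ["T1566"], "Offline backups": ["T1490"]}

def parent(tid):
    """T1566.001 -> T1566; a parent technique is returned unchanged."""
    return tid.split(".")[0]

def index(records):
    """Invert {record name: [technique IDs]} into {technique ID: {record names}}."""
    by_tid = defaultdict(set)
    for name, ids in records.items():
        for tid in ids:
            if not TECHNIQUE_ID.fullmatch(tid):
                raise ValueError(f"{name}: {tid!r} is not an ATT&CK technique ID")
            by_tid[tid].add(name)
    return by_tid

def coverage(threats, incidents, controls):
    """One row per technique mapped to at least one threat.

    Assumption: a record tagged with a parent technique also counts for
    its sub-techniques, but a sub-technique tag does not roll up.
    """
    t_idx, i_idx, c_idx = index(threats), index(incidents), index(controls)
    rows = {}
    for tid in sorted(t_idx):
        ctrl = c_idx[tid] | c_idx[parent(tid)]
        rows[tid] = {"threats": sorted(t_idx[tid]),
                     "incidents": sorted(i_idx[tid] | i_idx[parent(tid)]),
                     "controls": sorted(ctrl),
                     "gap": not ctrl}  # mapped to a threat, no control recorded
    return rows

def gaps(rows):
    """Techniques that a threat maps to but no control addresses."""
    return [tid for tid, row in rows.items() if row["gap"]]

if __name__ == "__main__":
    for tid, row in coverage(THREATS, INCIDENTS, CONTROLS).items():
        print(tid, row)
```

With the sample records, the control tagged T1490 does not close the gap on T1486, because the comparison only matches identical or parent technique IDs.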