Notifications Related to Changes in the MITRE Framework

Cytomic Orion downloads the MITRE tactic, technique, and sub-technique knowledge base twice a day. If a change is detected in the knowledge base that involves deleting tactics or techniques, Cytomic Orion checks all the hunting rules created so far to make sure that all associated tactics and techniques are valid.

Every Monday, Cytomic Orion users receive an email notification with the hunting rules they need to update if these conditions are met:

• The user account has at least one of these permissions assigned:

  • Manage hunting rules.

  • Create hunting rules and notification rules for all clients.

  • Create indicator notification rules.

• At least one MITRE tactic, technique, or sub-technique associated with a hunting rule is deprecated.

For more information about the permissions associated with a user account, see Manage Roles and Permissions.

Additionally, when Cytomic Orion downloads an updated MITRE knowledge base and detects a deprecated tactic or technique associated with a hunting rule, it shows a notification with the name of the affected hunting rule at the top of the console for 12 hours.