About Tactics, Techniques and Procedures
Tactics, techniques and procedures (TTPs) describe the behaviors and methods commonly used by specific threat actors or groups.
This topic provides a general overview of TTP usage in TheHive.
Definitions
Tactics describe the goals of threat actors—what they're trying to achieve.
Techniques show how they achieve those goals.
Procedures detail how they implement the techniques in practice.
MITRE ATT&CK framework
By default, TheHive includes the MITRE Enterprise Matrix. It's installed during setup, and a catalog named Enterprise Attack is created with all the techniques.
You can update this catalog or add others.
Actions
In TheHive, you can add or remove TTPs from both alerts and cases.
Permissions
Required permissions
Only users with an admin-type profile that has the managePattern permission can manage TTPs in TheHive.
Required permissions
Only users with the manageProcedure permission can add and remove TTPs in cases and alerts in TheHive.