MITRE ATT&CK Classification Guide
Overview
MITRE ATT&CK classification maps detected anomalies to known adversary tactics and techniques. This guide walks through granting the Tempo application access to your anomaly data and running MITRE classification in Snowflake.
Prerequisites
Before running the classification, make sure the Tempo app has been granted access to the table or view that holds your known anomalous logs.
1. Granting Data Access
To allow Tempo to classify known anomalies, follow these steps to grant access:
- Navigate to the Data Products tab in the Snowflake sidebar.
- Click on the Apps dropdown to view installed applications.
- Locate and select Tempo from the list.
- On the Tempo App Overview page, go to the Privileges section.
- Find the section labeled Known Anomalous Logs and click the Add button.
- Select the appropriate Database, Schema, and Table or View for classification.
- Click Save, then use the Back button at the top left to return.
- Navigate to a Worksheet of your choice to proceed with classification.
Note: If no reference is specified, the application falls back to its bundled demo data, so the classification results will describe that demo data rather than your environment.
2. Running MITRE Classification
To classify detected anomalies using MITRE ATT&CK mappings, execute the following SQL statement in your worksheet:
CALL INSPECT.mitre_classification();
Purpose
This procedure reads the known anomalous logs referenced above and maps each one to the relevant MITRE ATT&CK tactics and techniques, giving analysts context on what adversary behaviour an anomaly most likely represents.
Notes
- Confirm that the Known Anomalous Logs reference points to the intended table or view before running the procedure; otherwise the demo data is classified instead.
- Classification results are written to your output table for further investigation.
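The following worksheet session is an added example and is not part of the Tempo documentation or the application's own code. It checks that the reference is actually bound before running the procedure, so that results are not silently produced from demo data. The application name TEMPO and the table SECOPS.DETECTIONS.KNOWN_ANOMALIES are hypothetical placeholders; substitute the names used in your account.

```sql
-- Added example, not from the Tempo documentation.
-- Assumptions (hypothetical names): the app is installed as TEMPO and the
-- anomaly source granted in the Privileges section is
-- SECOPS.DETECTIONS.KNOWN_ANOMALIES.

-- 1. List the references the application declares and what each is bound to.
--    If "Known Anomalous Logs" shows no bound object, the procedure will
--    classify the bundled demo data instead of your logs.
SHOW REFERENCES IN APPLICATION TEMPO;

-- 2. Sanity-check the source you granted: it should be readable by you
--    and non-empty, otherwise there is nothing to classify.
SELECT COUNT(*) AS anomaly_rows
FROM SECOPS.DETECTIONS.KNOWN_ANOMALIES;

-- 3. Run the classification. The procedure lives in the application's
--    INSPECT schema, so qualify it with the application name if your
--    worksheet's current database is not set to the app.
CALL TEMPO.INSPECT.mitre_classification();
```

If the first statement shows the reference as unbound, go back to the Privileges section and add the table or view before calling the procedure; the CALL itself will succeed either way, so the binding check is the only signal that the right data is being classified.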