The Essential Guide to

MITRE ATT&CK Round 4

Enterprise Evaluation

This e-book provides a comparative look at how vendors performed

across various measures, with guidance on how to explore the results
further. We include key descriptions of MITRE’s testing methodology,
the tools MITRE Engenuity provides to help visualize and compare
results, and considerations for analysis to help you assess for yourself
which vendor best fits your organization’s endpoint security needs.
Introduction
Since 2018, the MITRE Engenuity ATT&CK® Eval-
uations have provided a controlled environment
for security vendors to essentially “test their
wares” against attack methodologies inspired by
real-world threats.
Focused on the technical ability to address known
adversary behaviors, the evaluations provide
the opportunity to analyze endpoint detection
and response (EDR) and extended detection and
response (XDR) products against real-world
attack sequences.
For the fourth year running, Palo Alto Networks
has emerged as one of the top-performing ven-
dors in the MITRE Engenuity ATT&CK Evalua-
tions, blocking 100% of the tests in the protec-
tion evaluation and detecting 100% of the steps
in the detection evaluation.
At a high level, Cortex XDR® achieved the
following against the tactics, techniques and
procedures (TTPs) used by Wizard Spider and
Sandworm:
• 100% block rate/prevention in the protection
evaluation
Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4
• 100% detection across all 19 steps in the
detection evaluation
• 98.2% technique level detection (107/109
substeps)
• 98.2% analytics detections
• 98.2% Visibility (107/109 substeps)
Evaluations Overview
In the last evaluation round, MITRE Engenuity
featured attack scenarios that leveraged common
malware such as Carbanak. However, this year,
MITRE Engenuity investigates how Sandworm
Team and Wizard Spider abuse data encrypt-
ed for impact. As the final tactic of the MITRE
ATT&CK framework, an impact tactic specifies
how an attacker could cause damage, including
destroying or tampering with data, launching
denial-of-service (DoS) attacks, and other tech-
niques.
In the past, Sandworm has leveraged encryption
for destroying data, perhaps most notably with
their NotPetya malware that disguised itself as
ransomware. In Wizard Spider’s case, they have
leveraged data encryption for ransomware, in-
cluding the widely known Ryuk malware.
What was the motivation behind the
ATT&CK evaluations?
• Vendors are using ATT&CK to articulate
their capabilities, but there is no neutral
authority to evaluate their claims.
What are the ATT&CK evaluations?
• Open, transparent, and objective.
Methodology and results are published
openly and clearly.
• Evaluates both protection and detection
efficacy. (Protection evaluation was
included starting in Round 3.)
• A compilation of the detections MITRE
Engenuity observes in response to
an emulated adversary’s tactics and
techniques.
What aren’t the ATT&CK
evaluations?
• Not designed to address noise or false
positives.
• Not meant to be a competitive analysis
that produces a score.
• Not a ranking or rating of a vendor’s
technology.
2
The MITRE ATT&CK
Framework
• The MITRE ATT&CK
framework has become
the standard for how
the security world
communicates about
adversaries and their
techniques.
• ATT&CK stands for
Adversarial Tactics,
Techniques & Common
Knowledge.
• Provides detailed
information about all the
adversarial techniques.
• Details of threat groups
that have used these
techniques.
• Useful information
about how to detect and
mitigate these tactics and
techniques.

Figure 1: Understanding the MITRE ATT&CK Framework

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 3
For Round 4 of the MITRE Engenuity ATT&CK
Evaluations, they tested an even larger field of
vendors (30) compared to the previous years,
providing further evidence of the importance
of third-party evaluations in the marketplace
for objective guidance around choosing security
solutions.
These evaluations assess participating vendors
to identify areas for improvement, including up-
dating prevention, detection, and response rules
that inform security policies. While this exercise
does not provide overall comparison scores or
ranking, it provides a vendor-agnostic summary
of the various methodologies employed by secu-
rity practitioners for identifying and preventing
sophisticated attack campaigns.
Testing 30 vendor participants, covering 19
separate test steps with 109 substeps on both
Windows® and Linux operating systems, the
evaluations pitted each vendor against the TTPs
leveraged by the Wizard Spider and Sandworm
Team threat groups.
Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4
What’s Different This Year?
This year’s evaluations are quite similar to last
year’s, with one significant change to how the
evaluations are “scored.” This year, each of
the 109 substeps in the detection evaluation is
awarded only one detection type. In previous
years, it was possible to receive both a teleme-
try detection and a general tactic or technique
detection type.
All of the detections were tallied up, and a total
number of detections was identified on the
results page for each vendor. This led to several
vendors claiming they had the most effective
product because they had the most combined
detections. In the real world, security analysts
prefer high-quality detections without being
accompanied by many less-clear detections. To
address this concern, the test designers decided
that this year there would be only one detection
per substep, and the total detections number
would no longer be reported. This is a change we
should all applaud MITRE Engenuity for making
as it rewards security solutions for providing
high-quality detections and not generating un-
needed noise.
MITRE Engenuity’s Approach
Focused on articulating how detections occur
rather than assigning scores to vendor capabili-
ties, MITRE Engenuity categorizes each detection
based on quality and precision. (See Detection
Categories below for more details.) While MITRE
Engenuity makes every effort to capture different
detections, vendor capabilities may be able to
MITRE Round 4 Technique Detections
Technique detections are the gold standard, providing the
full what, why, and how of an attack.
Palo Alto Networks 97%
SentinelOne 93%
Microsoft 77%
CrowdStrike 71%
(Detections resulting from Configuration Changes excluded)
Figure 2: Technique detection among
leading EDR solutions
4
detect procedures in ways that MITRE Engenuity
did not capture. For a detection to be included for
a given technique, it must apply to that technique
specifically. For example, just because a detection
applies to one technique in a step or substep does
not mean it applies to all techniques of that step.
For proof of detection in each category, MITRE
Engenuity requires that the proof be provided
to them, but they may not include all detection
details in public results, particularly when those
details are sensitive.
To determine the appropriate category for a
detection, MITRE Engenuity reviews the screen-
shot(s) provided, the notes taken during the
evaluation, the results of follow-up questions to
the vendor, and vendor feedback on draft results.
They also independently test procedures in a
separate lab environment as well as review open
source tool detections and forensic artifacts. This
testing informs what is considered to be a detec-
tion for each technique.
Using MITRE Engenuity to Help
Evaluate EDR and XDR Solutions
For organizations reviewing EDR and XDR solu-
tions and vendors, the MITRE Engenuity results
Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4
compare the various levels of security efficacy
by participating vendors, all aligned around a
common lexicon to ensure parity and continuity
across the evaluation.
“To provide transparency around
the ability of defensive solutions to
address the behaviors described in
ATT&CK and propel the enterprise se-
curity market forward, the Enterprise
Evaluations methodology was specif-
ically designed to be data-driven and
focus on this very specific topic.”
–Frank Duff, Ex-Director of
ATT&CK Evaluations
So, how can the MITRE Engenuity ATT&CK
evaluations help inform a defensive strategy for
solution providers like us? At Palo Alto Networks,
participating in these evaluations allows us to be
tested by a neutral, unbiased third party, le-
veraging current, real-life sophisticated attack
sequences that yield constructive insights into
how we can build more effective detection and
prevention solutions.
In using the modern attack TTPs from groups
such as Wizard Spider and Sandworm (See
figure 1.) and emulating the attack scenarios in
a controlled environment—the MITRE Engenu-
ity-provided cyber range—solution providers
can assess their performance and determine
areas for improvement. The resulting perfor-
mance data can provide insights into solution
or product modifications and guide fine-tuning
any steps that may have underperformed.
Linked to Russia through TrickBot leaks, Wizard
Spider is a Russia-based cybercriminal group tied
to the operation of the TrickBot botnet, which
was initially used for targeting banking sites in
North America, Australia, and throughout Eu-
rope. Due to the persistent nature of a botnet ar-
chitecture and continued malware development,
TrickBot has infected over one million comput-
ing devices since its release in 2016. Starting in
August 2018, Wizard Spider—considered the
world’s first cyber-cartel—began conducting
“big-game hunting” campaigns using Ryuk ran-
somware which targeted larger organizations for
heavier ransoms, culminating in US$61 million
extorted between 2019 and 2020.
5
Sandworm is attributed to Unit 74455 of the
Russian Main Intelligence Directorate (GRU) by
the U.S. Department of Justice. Sandworm’s most
notorious attacks include those against Ukrainian
electrical companies in 2015 and 2016 and in 2017
with the NotPetya attacks. NotPetya took down
systems worldwide, including FedEx and ship-
ping giant Maersk who claimed US$1.3 billion
in losses from computer repair and interrupted NotPetya took down systems
operations. In addition to orchestrating disrup- worldwide, including FedEx
tive attacks on critical infrastructure, they’ve and shipping giant Maersk
targeted government organizations and elections who claimed US$1.3 billion in
and public events such as the PyeongChang Win- losses from computer repair and
ter Olympics in 2018. interrupted operations.

About the Adversaries

Wizard Spider
Russia-based—Financially motivated
Also known as:
• MITRE ATT&CK Group ID:
G0008
• Grim Spider, UNC1878,
TEMP.MixMaster
Known for:
• Conti ransomware
• TrickBot
• Ryuk ransomware
• CISA Alert: Ransomware
campaign against US hospitals
Sandworm Team
Russia-based—Destructive threat group
Also known as:
• ATT&CK Group ID: G0034
• Russia’s General Staff Main Intelligence Directorate (GRU) Main
Center for Special Technologies (GTsST) military unit 74455
• ELECTRUM, Telebots, IRON VIKING, BlackEnergy, Quedagh,
VOODOO BEAR
Known for:
• 2015–2016 Attacks against Ukrainian electrical infrastructure
• 2017 NotPetya attacks
• 2018 Olympic Destroyer South Korea
• 2022 Linked to HermeticWiper

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 6
 MITRE’s Wizard Spider/Sandworm
emulation at a glance:
• Detection evaluation had 19 attack
steps with 109 substeps
• Protection evaluation had 9 attack
Wizard Spider steps with 98 substeps
Sandworm • To view the in-scope techniques for the
Common Wizard Spider/Sandworm evaluation
in the ATT&CK Navigator, MITRE
provides the layer file available here.

Figure 3: The MITRE ATT&CK framework: Wizard Spider & Sandworm

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 7
MITRE Engenuity Round 4 Methodology
The Environment Wizard Spider/Sandworm Evaluation Environment
The evaluations were performed in the Microsoft Azure® cloud. There
were two organizations with separate networks and domains, with
Windows Defender disabled for certain portions of the evaluations.
The networks will contain domain-joined machines running Windows
Server 2019, Windows 10 Pro, and CentOS 7.9. The versions are as
follows:
• Windows Server 2019
» Publisher: MicrosoftWindowsServer
» Version: 1809
» SKU: 2019-Datacenter
• Windows 10 Pro
» Publisher: MicrosoftWindowsDesktop
» Version: 20h2
» SKU: 20h2-pro Figure 4: ATT&CK range–Azure network

• CentOS 7.9
Target Hosts:
» Publisher: Open Logic
» Windows Server 2019
» SKU: 7_9
» Windows 10
» Kernel: 3.10.0-1160.15.2.el7.x86_6
» CentOS 7.7

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 8
The evaluation focuses on articulating how detections occur rather
than assigning scores to vendor capabilities.
MITRE Engenuity organizes detections according to each substep (i.e.,
implementation of a technique). For a detection to be included for a
given substep, it must apply to the specific technique-under-test (i.e.,
the detection must apply to the one technique associated with that
substep, not other or all techniques of that step). For each detection,
they require that proof/evidence be provided, but MITRE Engenuity
may not include all detection details in public results, particularly when
those details are sensitive. While MITRE Engenuity makes every effort
to capture all relevant detections, vendor capabilities may be able to
detect procedures in ways that MITRE Engenuity did not capture.
Starting with the Wizard Spider and Sandworm evaluations, each
substep has a single detection category that represents the highest
level of context provided to the analyst across all detections for
that substep. For reference, the context provided by each detection
category increases from left to right, with technique being the highest
context within the detection category diagram. An image gallery
will display evidence of the detection that generated that detection
category for that substep as well as other relevant images from other
detections associated with that substep. Data sources will be tied to
each screenshot within the gallery.

Malicious
Malicious activity detected
activity detected with context
Malicious identifying the
with context
activity how
identifying the
detected
Activity why
reason
detected, no unknown
context
Missed
detection Technique
Tactic
General
Telemetry
None

Analytic coverage

Minimally processed data Enriched detection

Figure 5: Wizard Spider/Sandworm detection categories Figure 6: MITRE Engenuity detection categories

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 9
Detections captured that require detection category modifiers (e.g.,
configuration change or delayed) will be separated within a substep’s
results to clearly identify the different types of detections and allow
users to more easily filter the results based on whether to include or
exclude these types of detections. To determine the appropriate cate-
gory for a detection, MITRE Engenuity reviews the evidence provided,
notes taken during the evaluation, results of follow-up questions to
the vendor, and vendor feedback on draft results. MITRE Engenuity
also independently tests procedures in a separate lab environment and
reviews open source tool detections and forensic artifacts. This testing
informs what is considered to be a detection for each technique.
After performing detection categorizations, MITRE Engenuity calibrates
the categories across all vendors to look for discrepancies and ensure
categories are applied consistently. The decision of what category to
apply is ultimately based on human analysis and is therefore subject to
discretion and biases inherent in all human analysis, although MITRE
Engenuity does make efforts to hedge against these biases by structur-
ing analysis as described above.
Detection Categories
• Not Applicable: Vendor did not have visibility on the system under
test. The vendor must state before the evaluation what systems they
did not deploy a sensor on to enable Not Applicable to be in scope
for relevant steps.
Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4
• None: No data was made available within the capability related to
the behavior under test that satisfies the assigned detection criteria.
There are no modifiers, notes, or screenshots included with a None.
• Telemetry: Minimally processed data collected by the capability
showing that event(s) occurred specific to the behavior under test
that satisfies the assigned detection criteria. Evidence must show
definitively that behavior occurred and be related to the execution
mechanism (did happen vs. may have happened). This data must be
visible natively within the tool and can include data retrieved from
the endpoint.
• General: Processed data specifying that malicious/abnormal event(s)
occurred, with relation to the behavior under test. No or limited
details are provided as to why the action was performed (tactic), or
details for how the action was performed (technique).
• Tactic: Processed data specifying ATT&CK Tactic or equivalent level
of enrichment to the data collected by the capability. Gives the ana-
lyst information on the potential intent of the activity or helps answer
the question “why this would be done.” To qualify as a detection,
there must be more than a label on the event identifying the ATT&CK
Tactic, and it must clearly connect a tactic-level description with the
technique under-test.
• Technique: Processed data specifying ATT&CK Technique,
Sub-Technique, or equivalent level of enrichment to the data collect-
ed by the capability. Gives the analyst information on how the action
was performed or helps answer the question “what was done”
10
 (i.e., Accessibility Features or Credential Dumping). To qualify as a
detection, there must be more than a label on the event identifying
the ATT&CK Technique ID (TID), and it must clearly connect a tech-
nique-level description with the technique under-test.
Protection Categories
Protection categories were used to identify whether a protection was
encountered in the adversary emulation, and whether a user prompt
was required to confirm the blocking activity. Categories are subject to
change, based on lessons learned from the evaluation.
• Not Applicable: Vendor did not deploy protection capabilities on the
system under test. The vendor must state before the evaluation what
systems they did not deploy a sensor on to enable Not Applicable to
be in scope for relevant steps.
• None: The technique under test was not blocked and/or the tech-
nique was unsuccessful and there is no evidence provided to the
user that the capability blocked the activity.
• Blocked: The technique under test was blocked and the user was
explicitly informed that the capability blocked the activity.
Modifier Detection Types
MITRE Engenuity differentiates between types of detection to provide
more context around the capabilities a vendor offers in a way that
allows end users to weigh, score, or rank the types of detection against
Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4
their needs. This approach allows end users of the results to determine
what they value most in a detection (e.g., some organizations may
want telemetry, while others would want Technique detection).
• Configuration Change: The configuration of the capability was
changed since the start of the evaluation. This may be done to show
additional data can be collected and/or processed. The Configuration
Change modifier may be applied with additional modifiers describing
the nature of the change, to include:
» Data Sources—Changes made to collect new information by the
sensor.
» Detection Logic—Changes made to data processing logic.
» UX—Changes related to the display of data that was already col-
lected but not visible to the user.
• Delayed: The detection is not immediately available to the analyst
due to additional processing unavailable due to some factor that
slows or defers its presentation to the user, for example subsequent
or additional processing produces a detection for the activity. The
Delayed category is not applied for normal automated data inges-
tion and routine processing taking minimal time for data to appear
to the user, nor is it applied due to range or connectivity issues
that are unrelated to the capability itself. The Delayed modifier will
always be applied with modifiers describing more detail about the
nature of the delay.
11
Cortex XDR vs. Wizard Spider and Sandworm: Our Results
Focused on analyzing how detections occur rath-
er than assigning scores to vendor capabilities,
MITRE Engenuity categorizes each detection and
capture and then organizes detections according
to each attack technique. Techniques may have
more than one detection if a security solution
detects a technique in different ways. Notably,
this year, they have decided to record only the
highest-quality detection for each attack substep.
Each vendor participating was given a “visibili-
ty” score, which represents the number of attack
substeps (out of 109) where the corresponding
solution was able to show any evidence of the
attack substep. This includes telemetry detec-
tions (those that provided minimal processing of
the data collected) and higher-quality detections
that leveraged analytics to process the collected
data and provide insight into the purpose and
method of the attack.
The Cortex XDR Difference–the Data
Doesn’t Lie
As the industry’s first XDR platform, Cortex
XDR® integrates endpoint, network, cloud, and
Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4
third-party data to stop sophisticated attacks.
As evidenced by our leading results in the MITRE Cortex XDR achieved high
Engenuity ATT&CK Evaluations for four years performance in protection,
running, Cortex XDR achieved high performance detection, and visibility—the
in protection, detection, and visibility—the pillars for a holistic and best-in-
pillars for a holistic and best-in-class endpoint class endpoint security solution.
security solution.
Cortex XDR provides increased detection fidelity
with behavioral analytics and machine learning.
It collects and stitches together a broad set of
data, including logs from Cortex XDR endpoints,
Next-Generation Firewalls, Prisma® Access,
identity providers, and much more. Cortex XDR
builds a profile of expected user behavior to
pinpoint unusual behavior indicative of an attack.
Behavioral analytics applies machine learning
and statistical analysis to rich data to uncover
attacker tactics and techniques with fewer false
positives than traditional detection rules.
Because Cortex XDR combines protection, ana-
lytics detection, and visibility, anomalous behav-
ior is precisely identified, expediting the triage
process and reducing dwell time and subsequent
lateral movement within a network.
12
Accurate Detection Is Needed for
Complete Remediation

In the early days of the MITRE Engenuity Enterprise 4 Evaluation: Technique Detections
Evaluations, vendors focused on visibility or
coverage as a measure of success. With the
attention these evaluations have provided
and the increased capabilities the cyberthreat
landscape has mandated, visibility has largely
become table stakes for these evaluations, and
the focus should now be on providing high-
quality detections. As noted above, technique
detections provide complete insight into not
only why an adversary is performing an action
but how they are performing it. This level of
detail is necessary for defenders to understand
the full scope of an attack and completely
remediate the threat.

All of Cortex XDR’s detections were

Technique detections, the highest
quality possible. Figure 7: Palo Alto Networks stands alone, providing the most technique detections in the
evaluation. Note: detections resulting from config changes excluded.

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 13
Protection Is the First Line of Defense
Accurate prevention is critical in an EDR solu-
tion, as it prevents the adversary from gaining a Enterprise 4 Evaluation: Protection Efficacy
foothold and significantly reduces the burden on
defenders to remediate attacks. This frees up time
for analysts to engage in threat hunting. Detailed
detection provides complete visibility into the
attack sequence, delivering the right context to
pinpoint anomalous activity that warrants fur-
ther investigation. Visibility is the foundation of
prevention and detection, but visibility alone often
amounts to just noise. Each step in the protection
evaluation had multiple substeps that the adversary
took to achieve their goal. In total, there were 109
substeps spanning the 9 attack tests. Of these 109
substeps, 98 of these consisted of actions that were
deemed as “Blockable” under the MITRE Preven-
tion evaluation; the remaining substeps consisted
of actions which would not be considered blockable
under the evaluation, and for which blocking would
adversely affect evaluation results. Each of the 98
blockable substeps consisted of a specific malicious
action that furthered the attackers’ objectives and
represents negative impact to the organization. Figure 8: Cortex XDR blocked 100% of the protection steps and 99% of all 98
Therefore, it is advantageous to accurately block AS substeps.
MANY of these substeps as possible.

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 14
Figure 10: Combined protections and detections graph with all protection substeps included, and detections resulting from configuration
changes excluded

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 15
 Enterprise 4 Evaluation: Analytic Coverage (configuration changes not counted)

Figure 11: Several vendors claim to have the best results in this year’s evaluation based on analytic coverage. When
detections resulting from configuration changes are excluded, Cortex XDR is unbeaten in analytic coverage.

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 16
 Enterprise 4 Evaluation: Visibility (configuration changes not counted)

Figure 12: Visibility is the foundation for preventions and detections. Cortex XDR was unbeaten in attack visibility
when detections resulting from configuration changes were excluded.

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 17
About Configuration Changes
MITRE Engenuity allows for solution providers
to have a “do-over” if a step in the evaluations
did not produce the desired detection. These
do-overs are called “configuration changes.”
This allows security vendors to improve their
detection against a technique they did not detect
with their initial configuration. Therefore, a
configuration change is simply a detection that
was made possible because a change was made to
garner a better result. MITRE Engenuity provides
this opportunity for vendors to have the chance
to validate how changes to the solution may im-
prove security efficacy.
While we understand and appreciate the intent
for configuration changes in these evaluations,
we feel it is more realistic to exclude detections
directly resulting from a configuration change
when comparing results. Unfortunately, many
vendors are touting industry-leading results
Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4
while including detections achieved in the do-
over resulting from a configuration change. It is In the real world, an attacker
important to note there is no limit to what can be doesn’t give you a second chance
changed when making a configuration change, at preventing a breach by allowing
and there is also no commitment from the vendor a configuration change.
to include these changes in their production code.
Examples of configuration changes include:
• A new rule is created, a pre-existing rule en-
abled, or sensitivities (e.g., block lists) changed
to successfully trigger during a retest. These
would be labeled with the modifier “Configu-
ration Change-Detection Logic.”
• Data showing account creation is collected on
the backend but not displayed to the end user
by default. The vendor changes a backend set-
ting to allow telemetry on account creation to
be displayed in the user interface, so a detec-
tion of telemetry and “Configuration Change-
UX” would be given for the Create Account
technique.
18
Enterprise 4 Evaluation: Vendor Config Changes

Figure 13: Number of configuration changes per vendor in the Round 4 evaluations

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 19
The Numbers Don’t Tell the Whole Story These ATT&CK Evaluation results reveal our dedication to preventing
every possible threat and providing accurate and detailed detections of all
When examining the MITRE Engenuity results, it’s important to look at
adversarial activity to ensure our customers are kept safe from the most
the product screenshots to get a better sense of the story being told to
determined adversaries.
the security analyst.

Day 1 (Wizard Spider): Cortex XDR groups all malicious activity into a Day 2 (Sandworm): Cortex XDR provides detailed technique-level
single incident, clearly correlating all malicious activity, abnormal behav- detections which identify what the adversary was trying to accomplish
ior, and malware detections. Additionally, this incident grouping pro- and precisely how they were going about it.
vides the analyst with a unified record of all actions recorded during the
incident, allowing the analyst to focus on the investigation rather than
organizing data and details from separate, ungrouped events.

Cortex by Palo Alto Networks | The Essential Guide to MITRE ATT&CK Round 4 20
More About MITRE About the MITRE options to improve their network defense. MITRE

ATT&CK and
Cortex XDR
If you’re interested in learning more about the
attack scenarios emulated in this evaluation and
how Cortex XDR performed, we have a variety of
resources available on demand:
• All about our results in under three minutes.
Watch the video.
• View our on-demand webinar. Dissecting the
2022 MITRE Engenuity ATT&CK Evaluations.
• Visit our webpage and read our 2022 MITRE
Engenuity ATT&CK Evaluations Results blog
for more information.
Engenuity ATT&CK
Evaluations
MITRE Engenuity ATT&CK Evaluations are paid
for by vendors and are intended to help vendors
and end users better understand a product’s ca-
pabilities in relation to MITRE’s publicly accessi-
ble ATT&CK® framework. MITRE developed and
maintains the ATT&CK knowledge base, which
is based on real-world reporting of adversary
tactics and techniques. ATT&CK is freely available
and is widely used by defenders in industry and
government to find gaps in visibility, defensive
tools, and processes as they evaluate and select
Engenuity makes the methodology and resulting
data publicly available so other organizations
may benefit and conduct their own analysis and
interpretation. The evaluations do not provide
rankings or endorsements.
For further information on the ATT&CK frame-
work, visit MITRE.org. Check out the ATT&CK
Navigator tool to help you navigate, annotate,
and visualize ATT&CK techniques.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
© 2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered t­ rademark of Palo Alto Networks. A
list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html.
All other marks mentioned herein may be trademarks of their respective companies.
cortex_ebook_mitre-att&ck-evaluation-round4_050422

www.paloaltonetworks.com