Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

F5 and AWAF Mitre Att&ck mapping

Hi All,

I've started my Christmas down time musing a couple of things I want to hit in the new year.

One of these being looking at AWAF in more detail and looking at the mitre att&ck framework in more detail.

Ive found lots of info on f5 sites talking about mitre and the things it does like Att&ck and d3fend.  But what I can't find is any reference to any of the waf alarms being cross reference able to the framework so I could like at putting them into a siem/soar solution.

Does this info exist anywhere?

And I could also extend this to afm, if anyone has info on that aswell?

Thanks all


Hi @PSFletchTheTek ,

MITRE introduced ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) in 2013 as a way to describe and categorize adversarial behaviors to close gaps in visibility based on real-world observations. ATT&CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via STIX/TAXII. Since this list is a fairly comprehensive representation of behaviors attackers employ when compromising networks, it is useful for a variety of offensive and defensive measurements, representations, and other mechanisms.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity.

MITRE is a framework , you can use it to customize your network threat modelling.



Based on the threat modelling you will identify the different domains base don your network which could be different for different customers as they may have different set of netowrk devices, hence one threat model applies to one client may not necessary be identical to the other client network threat model.


Once you know the type of Network resources that can be under threat using MITRE frameowrk, you can pick and elimate the unused environment attack signature based on your network threat model report.

You can watch the following F5 demo at youtube

BIG-IP AWAF Demo 22 - Use and Enforce Attack Signatures with F5 BIG-IP Adv WAF (formerly ASM)

This will answer a lot of your queries.

You may find many resemblances between MITRE and OWASP top 10 and CWE/SANS.


ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It’s free for use by any organization and has gained a lot of traction over the last few years. Due to this popularity, a growing number of industry research reports present findings based on ATT&CK.

here you can get more depth nowledge about this framework as it is a very vast hence you can start it from here:

Its open source and can be used for free by any organization to develo its own threat model and subsequenty the mitigation techniquet and which attack signatures to be included in your security policy.