
MITRE ATT&CK Coverage

The MITRE ATT&CK Coverage page shows the MITRE ATT&CK adversary tactics, techniques, and procedures (TTPs) from the Enterprise Matrix that are covered by rules in your system. You can filter on specific techniques to see how well each one is covered, and you can also filter on the vendors and products that provide your data sources to see the coverage each of them gives you. Adding or removing products from the list lets you evaluate the effectiveness of your data sources.

To determine your coverage, MITRE ATT&CK Coverage collects data from rules that have fired in the last 180 days.

Note: To view the MITRE ATT&CK Coverage page, you must be assigned the View Rules role capability.


MITRE ATT&CK Coverage page

To open the MITRE ATT&CK Coverage page, select Content > MITRE ATT&CK Coverage.

MITRE Coverage page
  1. Recent Activity. Shows coverage for your organization based on Signals received over the last 180 days.
  2. All Community Activity. Shows coverage for all customers that use Cloud SIEM based on Signals received over the last 180 days. (Customer data is anonymized.) Comparing this coverage to Recent Activity can help you determine what coverage you're missing compared to other customers using Cloud SIEM.
  3. Theoretical Coverage. Shows coverage for your organization if all data ingest worked perfectly and all enabled rules generated at least one Signal. This view can help you determine what custom rules would be most valuable to implement. If this is selected, the Vendor/Product filter is disabled.
  4. Export. Export the filtered coverage to a JSON file. The file is in the format used by MITRE, and can be used with other exported files of MITRE data to aggregate and analyze MITRE ATT&CK coverage data. The file includes a score from 0 to 3 for each technique. The higher the score, the better coverage you have: 0=None (10 or fewer rules), 1=Low (11-13 rules), 2=Medium (14-16 rules), 3=High (17 or more rules).
  5. MITRE TTP. Click to filter on MITRE tactics, techniques, and sub-techniques.
  6. Vendor/Product. Click to filter on vendors and products that provide data sources. Select particular vendors to help you evaluate their coverage.
  7. Coverage. Click to filter on coverage provided:
    • High (17 or more rules)
    • Medium (14-16 rules)
    • Low (11-13 rules)
    • None (10 or fewer rules)
    • Not detectable (no rules found)
  8. Filter text in the tiles:
    • Show Rule Count. Shows the number of rules covering the technique.
    • Show Technique ID. Shows the technique ID.
    • Show Technique Name. Shows the name of the technique.
    • Show Filtered. Shows only techniques that are filtered.
  9. Technique Coverage. The number of techniques covered. Note that it is impossible to get 100% coverage, because some techniques are undetectable by their very nature.
  10. Sub-Technique Coverage. The number of sub-techniques covered.
  11. Coverage Type. Key to the colors indicating coverage:
    • High (17 or more rules)
    • Medium (14-16 rules)
    • Low (11-13 rules)
    • None (10 or fewer rules)
    • Not detectable (no rules found)
    • Filter not applied
  12. Matrix. The techniques from the MITRE Enterprise matrix. When you click a square, a panel appears with details showing your coverage for that technique.

Technique details

When you click a square in the matrix, details about coverage for that MITRE technique are displayed in a panel. The description shown is pulled directly from the MITRE Enterprise matrix. The panel includes an assessment of your coverage (None, Low, Medium, or High). A coverage of None does not mean you have no coverage; it only means you might not have enough rules to adequately cover the technique.

Click View Generated Signals to see the current Signals in Cloud SIEM that have been tagged with that MITRE technique.

Click Sub-Techniques to see the sub-techniques for that technique.

Click Rules at the bottom of the panel to see a list of all the rules that contribute to coverage for the technique. Click a rule in the list to open the rule.

MITRE TTP filter


Use the MITRE TTP filter to search for specific MITRE tactics, techniques, and sub-techniques. Combined with the Vendor/Product filter, it shows exactly which data sources provide coverage for specific TTPs.


Vendor/Product filter

Use the Vendor/Product filter to search for data sources in your environment to see how well they provide coverage. Filtering on specific products and vendors helps you determine which provide the best coverage. Add or remove items from the list to see how different combinations provide coverage for the specific techniques you are most concerned about.

This filter is only enabled if you first select Recent Activity or All Community Activity.


Benefits

  • Use Theoretical Coverage to understand the content that Cloud SIEM includes out-of-the-box, and compare this with other SIEM solutions.
  • Track Theoretical Coverage over time to see the coverage levels increase as Sumo Logic deploys new content and you write new rules.
  • Use Theoretical Coverage to prioritize which custom rules to write, and use Recent Activity to support this as well as your rule tuning efforts.
  • Compare the Recent Activity view to the Theoretical Coverage view to see whether the rules that provide coverage are actually creating Signals in your environment. If they are not, investigate why.
  • Use the data in Recent Activity to help justify the value of Cloud SIEM. Anywhere a cell is lit up, Cloud SIEM has detected potential malicious activity that matches that technique. In addition, by deselecting and selecting Vendor/Product log sources, you can see the contribution (and therefore the value) of any particular log source to that coverage.
  • Use the data in All Community Activity to better understand the contribution (and therefore the value) of any particular log source, even those you are not currently ingesting into Cloud SIEM. This can help justify additional data ingest into Cloud SIEM, or a better balance of data sources to get optimal coverage.
  • Export the data in these views in the standard MITRE JSON format, and combine it with the data exported by other security tools in your environment, to get the total coverage of all of the tools in your environment.
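As an added example (not Sumo Logic's own code) of the scoring and aggregation described above: it maps rule counts to the page's 0-3 export score, merges exports from several tools by keeping the best score per technique, and lists techniques that Theoretical Coverage includes but Recent Activity does not. The layer structure (name, domain, techniques with techniqueID and score) is an assumption modelled on the ATT&CK Navigator layer format; the actual export may differ.

```python
import json


def coverage_score(rule_count: int) -> int:
    """Map a rule count to the page's 0-3 export score:
    0=None (<=10), 1=Low (11-13), 2=Medium (14-16), 3=High (>=17)."""
    if rule_count >= 17:
        return 3
    if rule_count >= 14:
        return 2
    if rule_count >= 11:
        return 1
    return 0


def build_layer(name: str, rule_counts: dict) -> dict:
    """Build a Navigator-style layer (assumed shape) from {technique_id: rule_count}."""
    return {"name": name, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": tid, "score": coverage_score(n)}
                           for tid, n in sorted(rule_counts.items())]}


def merge_layers(*layers: dict) -> dict:
    """Aggregate exports from several tools: a technique keeps the best score any tool gives it."""
    best: dict = {}
    for layer in layers:
        for t in layer["techniques"]:
            best[t["techniqueID"]] = max(best.get(t["techniqueID"], 0), t["score"])
    return {"name": "merged", "domain": "enterprise-attack",
            "techniques": [{"techniqueID": k, "score": v} for k, v in sorted(best.items())]}


def silent_techniques(theoretical: dict, recent: dict) -> list:
    """Techniques that enabled rules could cover (theoretical score > 0) but that produced
    no Signals in the window (recent score 0): the gap the page says to investigate."""
    recent_scores = {t["techniqueID"]: t["score"] for t in recent["techniques"]}
    return [t["techniqueID"] for t in theoretical["techniques"]
            if t["score"] > 0 and recent_scores.get(t["techniqueID"], 0) == 0]


# Constructed sample data: real ATT&CK technique IDs, made-up rule counts.
SIEM_THEORETICAL = build_layer("theoretical", {"T1059": 18, "T1078": 12, "T1566": 15, "T1003": 11})
SIEM_RECENT = build_layer("recent", {"T1059": 18, "T1078": 12, "T1566": 0, "T1003": 11})
# A second tool's export, as it would be read back from its JSON file (constructed).
EDR_EXPORT = json.loads('{"name": "edr", "domain": "enterprise-attack", "techniques": '
                        '[{"techniqueID": "T1566", "score": 2}, {"techniqueID": "T1055", "score": 3}]}')
MERGED = merge_layers(SIEM_RECENT, EDR_EXPORT)
```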

Copyright © 2023 by Sumo Logic, Inc.