
MITRE ATT&CK® Coverage

Understanding your ATT&CK coverage based on utilized content

Written by Sergey Bayrachny

MITRE ATT&CK® Coverage shows the extent to which MITRE ATT&CK tactics, techniques, and sub-techniques are covered by the Threat Detection Marketplace detection content that your organization has explored, downloaded via API, or deployed.

Important!

If you download and install content manually from Threat Detection Marketplace (part of the SOC Prime Platform), mark that content as deployed. Content that is not marked as deployed is not reflected in your organization's Dashboard, Log Source Coverage, or MITRE ATT&CK Coverage visualizations.

To automate content adoption, integrations, and analytics, we highly recommend setting up:

Tactics — the list of tactics that may be covered by the detection content. The number of techniques belonging to each tactic is also shown. Click a tactic name to explore the MITRE ATT&CK coverage per tactic.

Search Profile — when a search profile is applied, the statistics are filtered by the following fields of that profile: Platform, Log Source Product, Tool, Actor, Technique, Data Component, Event ID, and CVE ID, so that the numbers reflect what is relevant to your organization. If a profile is marked as Default on Coverages on the Search Profiles page, it is applied automatically, with its configured parameters, whenever you open the MITRE ATT&CK Coverage page. You can change this setting on the Search Profiles page.

Note: When drilling down from the MITRE ATT&CK Coverage page to Advanced Search, the selected Search Profile is not applied directly as a Search Profile filter. Instead, it is converted into separate filters that can be removed independently in Advanced Search.

Search bar — search for a certain tactic or technique to explore the details of its coverage.

Overview Mode


Content per tactic — the view of detection content covering specific MITRE ATT&CK tactics.

All Content — stats on all Threat Detection Marketplace content explored or deployed by your organization.

Legend:

  • Explored — content tracked by the Platform as explored by your organization. Normally the amount of Explored content exceeds the amount of Deployed content, since you deploy only what is relevant.

  • Deployed — content marked as deployed manually, or automatically marked as deployed via the Automation module.

  • Downloaded via API — content that your organization downloaded through the API; it is tracked separately from content marked as deployed.

  • Unexplored — content available on the Platform as per your settings which is still unexplored by your organization.

To export your MITRE ATT&CK coverage statistics, click the Export button and choose the file format:

  • CSV

  • JSON

The JSON export uses the layer format of the ATT&CK® Navigator tool for annotating and exploring ATT&CK matrices, so it can be loaded into Navigator as a layer. The layer carries the same color-coding for deployed, downloaded via API, explored, and unexplored content that the MITRE ATT&CK Coverage visualization uses.

To use the export feature, a Search Profile must be applied.
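Because the export is a Navigator layer, it can be post-processed outside the Platform. The script below is added here as an example; it is not SOC Prime's code and is not part of this documentation. It parses a constructed layer in the Navigator format, counts each tactic's techniques by coverage state using the layer's own legend, lists unexplored techniques as gaps, and diffs two exports so progress can be tracked between snapshots. It assumes the export's legendItems map each color to one of the four labels above; the hex colors, technique IDs, and version numbers in the sample are placeholders, not the Platform's actual palette or a real export.

```python
"""Summarize a MITRE ATT&CK Navigator layer such as the JSON coverage export.

Added example, not SOC Prime code. Assumptions: the export follows the
Navigator layer schema (a "techniques" list whose entries carry techniqueID,
tactic and color, plus a "legendItems" list mapping each color to a label);
the legend labels match the four coverage states; the hex colors and the
sample layer below are constructed for illustration only.
"""
import json
from collections import defaultdict

STATUSES = ("Deployed", "Downloaded via API", "Explored", "Unexplored")

# Constructed sample layer (colors are placeholders, not the Platform's palette).
SAMPLE_LAYER = json.dumps({
    "name": "MITRE ATT&CK Coverage",
    "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
    "domain": "enterprise-attack",
    "legendItems": [
        {"label": "Deployed", "color": "#2E7D32"},
        {"label": "Downloaded via API", "color": "#1565C0"},
        {"label": "Explored", "color": "#F9A825"},
        {"label": "Unexplored", "color": "#9E9E9E"},
    ],
    "techniques": [
        {"techniqueID": "T1059", "tactic": "execution", "color": "#2E7D32"},
        {"techniqueID": "T1059.001", "tactic": "execution", "color": "#2E7D32"},
        {"techniqueID": "T1059.003", "tactic": "execution", "color": "#F9A825"},
        {"techniqueID": "T1053.005", "tactic": "execution", "color": "#9E9E9E"},
        {"techniqueID": "T1053.005", "tactic": "persistence", "color": "#9E9E9E"},
        {"techniqueID": "T1053.005", "tactic": "privilege-escalation", "color": "#9E9E9E"},
        {"techniqueID": "T1547.001", "tactic": "persistence", "color": "#1565C0"},
        {"techniqueID": "T1003.001", "tactic": "credential-access", "color": "#2E7D32"},
        {"techniqueID": "T1003.002", "tactic": "credential-access", "color": "#9E9E9E"},
    ],
})


def load_layer(text):
    """Parse a layer and reject anything that lacks the fields this script relies on."""
    layer = json.loads(text)
    for field in ("techniques", "legendItems"):
        if not isinstance(layer.get(field), list):
            raise ValueError(f"not a Navigator layer with a legend: missing {field}")
    return layer


def cell_statuses(layer):
    """Map every (techniqueID, tactic) cell to its legend label.

    A technique that belongs to several tactics appears once per tactic, as in
    the matrix, so per-tactic totals add up to more than the unique techniques.
    """
    label_of = {item["color"].lower(): item["label"] for item in layer["legendItems"]}
    cells = {}
    for t in layer["techniques"]:
        color = t.get("color", "")
        if not color:
            status = "Unexplored"          # an uncolored cell carries no annotation
        elif color.lower() in label_of:
            status = label_of[color.lower()]
        else:
            # A color the legend does not list means the file is not the export
            # this script expects; fail loudly rather than miscount it.
            raise ValueError(f"unknown color {color} on {t['techniqueID']}")
        cells[(t["techniqueID"], t["tactic"])] = status
    return cells


def coverage_by_tactic(layer):
    """Return {tactic: {status: count}} for every tactic present in the layer."""
    counts = defaultdict(lambda: dict.fromkeys(STATUSES, 0))
    for (_, tactic), status in cell_statuses(layer).items():
        counts[tactic][status] = counts[tactic].get(status, 0) + 1
    return dict(counts)


def deployed_ratio(layer, tactic):
    """Share of a tactic's techniques that are deployed (0.0 if the tactic is absent)."""
    counts = coverage_by_tactic(layer).get(tactic)
    if not counts:
        return 0.0
    total = sum(counts.values())
    return counts["Deployed"] / total if total else 0.0


def unexplored_techniques(layer):
    """Sorted unique technique IDs that are unexplored in at least one tactic."""
    return sorted({tid for (tid, _), s in cell_statuses(layer).items() if s == "Unexplored"})


def status_changes(old_layer, new_layer):
    """Cells whose status differs between two exports, e.g. two points on the Trend."""
    old, new = cell_statuses(old_layer), cell_statuses(new_layer)
    return {cell: (old.get(cell), new.get(cell))
            for cell in old.keys() | new.keys() if old.get(cell) != new.get(cell)}


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER)
    for tactic, counts in sorted(coverage_by_tactic(layer).items()):
        print(f"{tactic:22} {counts}  deployed={deployed_ratio(layer, tactic):.0%}")
    print("gaps:", unexplored_techniques(layer))
```

A technique mapped to several tactics (T1053.005 in the sample) is counted once per tactic, the way the matrix displays it, so the per-tactic totals exceed the number of unique techniques; keep that in mind before quoting a single overall percentage. A color that is absent from the legend raises an error instead of being silently counted, because that usually means the file is not the export the script was written for.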

MITRE ATT&CK Coverage per Tactic


Explore the coverage for a particular tactic all the way down to Event ID.

  • Explored — content mapped to the selected technique or sub-technique that is tracked by the Platform as explored by your organization. Normally the amount of Explored content exceeds the amount of Deployed content, since you deploy only what is relevant.

  • Deployed — content mapped to the selected technique or sub-technique that is marked as deployed manually, or automatically marked as deployed via the Automation module.

  • Downloaded via API — content mapped to the selected technique or sub-technique that your organization downloaded through the API.

  • Unexplored — content mapped to the selected technique or sub-technique that is available on the Platform but is still unexplored by your organization.

Click on the number of explored, downloaded via API, deployed, or unexplored content items to go to Search and see all detections of the corresponding type.

With the Trend pane, you can view your organization's progress over time.

To get back to the Overview screen, click the MITRE ATT&CK Coverage title in the upper left corner.
