Visualizing MITRE tactic and technique coverage in your environment

Visualize the coverage of MITRE ATT&CK tactics and techniques that the rules provide in IBM® Detection and Response Center.

Before you begin

See the system requirements in Accessing Detection and Response Center.

Procedure

  1. Click ATT&CK Actions > Coverage map and report in the upper right of the report visualization.
    Heat map that shows MITRE tactics and techniques coverage, including sub-techniques
  2. Scroll through the heat map visualization to see the different techniques that are covered by the Detection and Response Center.
    Hover over a cell in the report, and then click the number in the cell to see the heat map calculation for the technique or sub-technique. For more information, see MITRE heat map calculations.
  3. Click the arrow in the cell to expand the columns to display the sub-techniques for the technique. For more information, see MITRE heat map calculations.
  4. To change the labeling in the chart, click the Show option in the report menu bar and select from names, technique IDs, or technique names and IDs. By default, the technique names are displayed.
    Show names menu option in heat map.
  5. To see only the coverage for rules that are currently in the report, select the Coverage based on rules in report option in the report menu bar. Click any section in the heat map, and then click Apply Filters to update the filtered list in the table.
  6. To see which MITRE techniques are being used by adversary groups and software, select the appropriate filters from the Highlight groups and Highlight software lists. Relevant groups are highlighted in the heat map by pink sidebars, and relevant software is highlighted by purple sidebars.
  7. To see only the techniques that are selected in the filter, hold the control key (on Windows) or the command key (on Mac) of your keyboard and select the relevant techniques on the heat map. Then select the Show techniques in filter option in the report menu bar. All other filters are hidden in the heat map.
    Show techniques menu in heat map.
    Tip: If you don't see any technique filters in the heat map, add techniques in the MITRE ATT&CK section of the filter panel or select techniques in the map.
  8. To export the current chart as a PNG image, click the download icon (Down arrow export icon). Then, you can share the image with colleagues or executives who don't have access to Detection and Response Center.
  9. To expand the sub-techniques for each tactic and technique, click the stack icon ( Show or hide sub-techniques) in the report menu bar.
  10. To expand the heat map to the width of your screen, click the maximize icon (Maximize icon to expand pane to full view) on the heat map's menu bar. Zoom in or out to see the heat map at the size you want. Any filtering that you apply in the expanded window is kept when you return to the main page.
    Important: The zoom capability is not supported on Mozilla Firefox. Use the browser control to zoom in and out.
  11. Close the report visualization to return to the dashboard.