Visualizing MITRE coverage summary and trends

The MITRE summary and trend reports provide an overview of the different tactics that are covered by QRadar® Use Case Manager. You can analyze the summary data in table, bar, and radar charts. Only enabled mappings to enabled rules are counted in the charts because disabled mappings don't contribute to your security posture.

Before you begin

If you want to filter by MITRE ATT&CK tactics, you must first map your rules to MITRE tactics and techniques. For more information, see Editing MITRE mappings in a rule or building block.

Procedure

  1. Click ATT&CK Actions > Coverage summary and trend in the upper right of the visualization pane.
  2. Edit the MITRE Coverage Summary table to change the planned number and percentage to see where you're lacking in coverage.
    For example, the current number of rules for the Privilege Escalation tactic is 8 and represents 4% coverage, but you want 35% coverage. When you edit the planned percentage, you see that you need 77 rules to provide the level of coverage you want.
    Tip: The total number of mapped rules is not the sum of the rules that are mapped to each tactic. For example, if a rule covers the Discovery and Impact tactics, the rule is counted in each tactic it covers, but is counted only once in the calculated total number.
    1. After you add the rule mappings you need to improve your coverage, check the coverage report again to see whether your coverage improved.
    2. Change the date for the chart coverage by clicking the calendar icon for On date. The default is the current date, and you can select a date as far back as three months before it.
    3. Expand the bar chart to full screen.
    4. Export the bar chart to CSV, PNG, or JPG formats.
    5. View the bar chart data in tabular format. Then, export the data in CSV format to view offline or share with colleagues.
  3. In the MITRE Coverage Trend chart, click a tactic in the legend to fine-tune the view or view the total coverage trend over time. The default time range is three months. Hover over the vertical line of each day to see the total coverage for each tactic.
    [Figure: Chart that shows MITRE coverage over time]
    1. Expand the chart to full screen.
    2. Export the chart to CSV, PNG, or JPG formats.
    3. View the chart data in tabular format. Then, export the data in CSV format to view offline or share with colleagues.
  4. To update the charts with live data from QRadar, click the refresh icon. Data is automatically refreshed every 24 hours at night.
  5. To export the summary or trend report, or the entire page, as a PNG image, click the export icon in each relevant section of the page. Then, you can share the images with colleagues or executives who don't have access to QRadar Use Case Manager.
  6. Close the report visualization to return to the dashboard.
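
The counting rules described above (only enabled mappings to enabled rules are counted, and a rule that covers several tactics is counted in each tactic but only once in the total) can be reproduced offline with the following added example, which is not part of the product or its documentation. The record layout, field names, and rule names are constructed for illustration and are not the QRadar Use Case Manager export format; counting a rule once per tactic is an assumption.

```python
from collections import defaultdict

# Constructed sample records; the field names are hypothetical and this is
# not the QRadar Use Case Manager export format.
MAPPINGS = [
    {"rule": "Rule A", "rule_enabled": True,  "tactic": "Discovery",            "mapping_enabled": True},
    {"rule": "Rule A", "rule_enabled": True,  "tactic": "Impact",               "mapping_enabled": True},
    {"rule": "Rule B", "rule_enabled": True,  "tactic": "Discovery",            "mapping_enabled": False},
    {"rule": "Rule C", "rule_enabled": False, "tactic": "Privilege Escalation", "mapping_enabled": True},
    {"rule": "Rule D", "rule_enabled": True,  "tactic": "Privilege Escalation", "mapping_enabled": True},
    # Same rule and tactic again (assumed: a second technique under the tactic).
    {"rule": "Rule D", "rule_enabled": True,  "tactic": "Privilege Escalation", "mapping_enabled": True},
]


def coverage_counts(mappings):
    """Return (rules per tactic, distinct mapped rules, excluded mappings)."""
    rules_by_tactic = defaultdict(set)
    excluded = []
    for m in mappings:
        if not m["rule_enabled"]:
            excluded.append((m["rule"], m["tactic"], "rule disabled"))
        elif not m["mapping_enabled"]:
            excluded.append((m["rule"], m["tactic"], "mapping disabled"))
        else:
            # A set keeps a rule from being counted twice within one tactic
            # (assumption for this example).
            rules_by_tactic[m["tactic"]].add(m["rule"])
    per_tactic = {t: len(r) for t, r in sorted(rules_by_tactic.items())}
    # Total = distinct rules across all tactics, not the sum of the tactic counts.
    total = len(set().union(*rules_by_tactic.values())) if rules_by_tactic else 0
    return per_tactic, total, excluded


if __name__ == "__main__":
    per_tactic, total, excluded = coverage_counts(MAPPINGS)
    for tactic, count in per_tactic.items():
        print(f"{tactic:22} {count}")
    print(f"{'Total mapped rules':22} {total} (sum of tactics: {sum(per_tactic.values())})")
    for rule, tactic, reason in excluded:
        print(f"not counted: {rule} -> {tactic} ({reason})")
```

The excluded list shows why a rule that appears in the mapping data does not raise the count for its tactic.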

What to do next

Visualizing MITRE tactic and technique coverage in your environment or Visualizing MITRE tactics and techniques that are detected in a specific timeframe