The MITRE summary and trend reports provide an overview of the different tactics that are
covered by QRadar® Use Case Manager. You can analyze the summary data in table, bar, and
radar charts. Only enabled mappings to enabled rules are counted in the charts because
disabled mappings don't contribute to your security posture.
Procedure
- Click in the upper
right of the visualization pane.
- Edit the MITRE Coverage Summary table to change the planned number
and percentage to see where you're lacking in coverage.
  For example, the current number of rules for the Privilege Escalation tactic is 7 and
  represents 4% coverage, but you want 35% coverage. When you edit the planned percentage,
  you see that you need 59 rules to provide the level of coverage you want.
  Tip: The total number of mapped rules is not the sum of the rules that are mapped to
  each tactic. For example, if a rule covers the Discovery and Impact tactics, the rule is
  counted in each tactic it covers, but is counted only once in the calculated total number.
- After you add the rule mappings you need to improve your coverage, check the coverage
report again to see whether your coverage improved.
- To view metrics only for enabled rules, set the switch to On.
  Metrics for disabled rules are filtered out of the chart if the switch is On.
- Change the date for the chart coverage by clicking the calendar icon for On date.
  You can change the date as far back as three months before the current date, which
  is the default.
- Expand the bar chart to full screen.
- Export the bar chart to CSV, PNG, or JPG formats.
- View the bar chart data in tabular format. Then, export the data
in CSV format to view offline or share with colleagues.
- In the MITRE Coverage Trend chart, click a tactic in the legend to
fine-tune the view or view the total coverage trend over time. The default time range is three
months. Hover over the vertical line of each day to see the total coverage for each tactic.
- Expand the chart to full screen.
- Export the chart to CSV, PNG, or JPG formats.
- View the chart data in tabular format. Then, export the data in
CSV format to view offline or share with colleagues.
- To update the charts with live data from QRadar, click the refresh icon.
Data is automatically refreshed every 24 hours at night.
- To export the summary or trend report, or the entire page, as a PNG
image, click the export icon in each relevant section of the page. Then, you can share the images
with colleagues or executives who don't have access to QRadar Use Case
Manager.
- Close the report visualization to return to the dashboard.
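
An added example, not part of the product documentation or of QRadar Use Case Manager: it applies the counting rules described above (only enabled mappings to enabled rules, and a multi-tactic rule counted once in the total) to a constructed rule inventory. The tuple layout, the function names, and the percentage formula (tactic count divided by the distinct total, rounded) are assumptions; the sample is sized so that the page's Privilege Escalation figures (7 rules, 4%, 59 rules for 35%) come out.

```python
import math


def coverage_summary(mappings, enabled_only=True):
    """Count distinct rules per tactic and the distinct total.

    mappings: (rule, tactic, rule_enabled, mapping_enabled) tuples (assumed layout).
    """
    per_tactic = {}
    for rule, tactic, rule_on, mapping_on in mappings:
        if enabled_only and not (rule_on and mapping_on):
            continue  # disabled rules and disabled mappings add no coverage
        per_tactic.setdefault(tactic, set()).add(rule)
    counts = {tactic: len(rules) for tactic, rules in per_tactic.items()}
    # A rule mapped to several tactics is counted once in the total.
    total = len(set().union(*per_tactic.values()))
    return counts, total


def coverage_percent(count, total):
    # Assumed formula: share of the distinct total, rounded to a whole percent.
    return round(100 * count / total) if total else 0


def rules_for_planned_percent(planned_percent, total):
    # Smallest rule count that reaches the planned share of the same total.
    return math.ceil(planned_percent * total / 100)


def build_sample():
    """Constructed inventory; rule names are placeholders."""
    rows = [(f"R{i:03d}", "Privilege Escalation", True, True) for i in range(1, 8)]
    # One rule that covers two tactics, as in the Tip.
    rows += [("R008", "Discovery", True, True), ("R008", "Impact", True, True)]
    rows += [(f"R{i:03d}", "Discovery", True, True) for i in range(9, 169)]
    rows.append(("R169", "Privilege Escalation", False, True))  # disabled rule
    rows.append(("R170", "Impact", True, False))  # disabled mapping
    return rows


if __name__ == "__main__":
    counts, total = coverage_summary(build_sample())
    for tactic, count in sorted(counts.items()):
        print(f"{tactic}: {count} rules, {coverage_percent(count, total)}%")
    print("distinct total:", total, "sum of tactics:", sum(counts.values()))
    print("rules for 35%:", rules_for_planned_percent(35, total))
```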