Forum Discussion
MITRE ATT&CK Coverage
Hey Gerry,
Greetings from Greece 🙂
Good question. Well, if you head to Sentinel > Threat management > MITRE ATT&CK, you can see the whole MITRE ATT&CK framework. Now, if you adjust the options in "Active" and "Simulated", you will be able to see which queries are part of rules and are scheduled to run, and which are available as queries (templates) but haven't been assigned to scheduled rules.
Choose all options available under "Active" and then in "Simulated" choose "Hunting queries", then choose a TTP from the framework below and on your right you will see a new window:
- Active coverage: has queries actively hunting and basically covering the TTP you chose.
- Simulated coverage: has queries in templates which can be enabled in order to actively threat hunt and thus cover the TTP.
Now, if you want to have the whole picture of the framework, if you see each TTP box, on the upper left you have all queries active and simulated and on the upper right you have only the simulated. So if there is a difference, then you know that you have active queries running and covering this TTP.
There is another option: you may use the MITRE ATT&CK Workbook (Workbooks > Templates) and head to the last tab, Heatmaps, where you can see what your current coverage is.
I hope I helped!
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
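The active/simulated split described above can be reproduced offline for gap analysis. The script below is an added example, not Sentinel code or the poster's: it takes rule metadata in a constructed shape (kind, enabled, techniques) that only loosely mirrors a Sentinel rule export, counts per-technique active and simulated coverage the way the blade does, lists techniques from a threat model with no active rule, and emits a minimal ATT&CK Navigator layer (field subset assumed from the layer format).

```python
"""Per-technique ATT&CK coverage, Sentinel-style: 'active' = enabled scheduled
analytics rules, 'simulated' = templates or hunting queries not yet enabled."""
from collections import defaultdict
import json

# Constructed sample rule metadata (illustrative, not from a real workspace).
RULES = [
    {"name": "Brute force against Azure AD", "kind": "Scheduled", "enabled": True,
     "techniques": ["T1110"]},
    {"name": "Mass download by user", "kind": "Scheduled", "enabled": False,
     "techniques": ["T1567"]},
    {"name": "Rare process in workspace", "kind": "Hunting", "enabled": False,
     "techniques": ["T1059", "T1110"]},
    {"name": "New admin role assigned", "kind": "Scheduled", "enabled": True,
     "techniques": ["T1098"]},
]

def coverage(rules):
    """Return {technique: {"active": n, "simulated": m}} for every technique seen."""
    cov = defaultdict(lambda: {"active": 0, "simulated": 0})
    for r in rules:
        # Only an enabled scheduled rule counts as active; everything else is simulated.
        bucket = "active" if r["kind"] == "Scheduled" and r["enabled"] else "simulated"
        for t in r["techniques"]:
            cov[t][bucket] += 1
    return dict(cov)

def gaps(cov, threat_model):
    """Techniques in the threat model with no active rule: the gap list for review."""
    return sorted(t for t in threat_model if cov.get(t, {}).get("active", 0) == 0)

def navigator_layer(cov, name="Sentinel coverage"):
    """Build a minimal Navigator layer: green where active, orange where simulated only."""
    techniques = []
    for t, c in sorted(cov.items()):
        color = "#31a354" if c["active"] else "#fd8d3c"
        techniques.append({"techniqueID": t, "color": color,
                           "comment": f"active={c['active']} simulated={c['simulated']}"})
    # Version strings are assumed; adjust to the Navigator release you import into.
    return {"name": name, "versions": {"layer": "4.4", "navigator": "4.8"},
            "domain": "enterprise-attack", "techniques": techniques}

if __name__ == "__main__":
    cov = coverage(RULES)
    print("gaps:", gaps(cov, ["T1110", "T1567", "T1059", "T1078"]))
    print(json.dumps(navigator_layer(cov), indent=2))
```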
Ideally a CISO can now review the coverage against his threat modelling and do a bit of gap analysis.
Is there any plan for later versions of Attack Nav? V13 is released now.