Threat Coverage Widget

The threat coverage widget provides a visual indicator of threat coverage in relation to the number of MITRE tactics and techniques enabled through Sigma rules in your environment as defined by the MITRE ATT&CK Matrix, which is a framework used to classify a variety of security threats an organization can face.

This matrix is organized firstly into tactics, and within these tactics are techniques (and sub-techniques) used to further categorize the specific parameters of a threat. Graylog Illuminate offers content packs available to Security users that contain Sigma rules mapped to techniques and sub-techniques as defined in the MITRE ATT&CK Matrix.

Within the widget, the Posture view displays a spider chart to help you visualize your coverage percentage for each tactic depending on which Sigma rules you have enabled. The Coverage Details view provides a more nuanced look at tactics, showing a break down of the techniques and sub-techniques contained within the selected item.

Enable Sigma Rules via the Threat Coverage Widget

In the Coverage Details view you have the opportunity to increase your threat coverage by enabling specific sigma rules related to techniques and sub-techniques within a tactic.

To enable these Sigma rules: 

  1. Select the blue icon next to the coverage percentage for the desired technique.

  2. In the next window, you will be prompted to review all the steps required to improve your threat coverage, including:

    • Installing the latest Illuminate bundle.

    • Enabling the latest Illuminate bundle.

    • Enabling specific Illuminate content packs.

    • Enabling Sigma rules.

    From this menu, if any of these steps have not been completed, you can complete the step by selecting the configure button next to the requisite step as shown.

    In this example, the latest Illuminate bundle has not been enabled, and selecting configure allows you to enable this bundle from the Illuminate content hub.

  3. To enable additional Sigma rules, select configure next to this step. Here, you will be presented with a list of Sigma rules that specifically map to the technique you initially selected. Sigma rules that are already enabled are displayed with a blue toggle.

  4. To enable any additional Sigma rules that are not currently active, select the toggle button. (You may also opt to enable all available rules as a bulk action.) 

Now, you can see that your coverage for the selected technique has improved, improving your overall coverage for the corresponding MITRE tactic.

If you wish to view all the available Sigma rules that can be enabled across the entire MITRE ATT&CK threat field, select the improve coverage button at the top right of the threat coverage widget. Here you can view a comprehensive list of related Sigma rules and enable any additional rules according to your preference.

Review Coverage Percentages

The coverage percentage at tactic level is calculated based on the number of fully covered techniques within the tactic, whereas coverage percentage at technique level is calculated based on the number of Sigma rules enabled per technique.

Hint: The Sigma rules related to MITRE ATT&CK content available in the Illuminate packs do not cover all the tactics, techniques, or sub-techniques from the Enterprise Matrix. Coverage of 100% on a specific tactic or technique means you are fully covered by all available Sigma rules.

For example, in the image below Command and Control and Resource Development tactics show a coverage percentage of 100%, indicating that all available Sigma rules mapped to these tactics are enabled. However, there are a number of Sigma rules that are not currently enabled for additional tactics, like Impact, which has only 3 out of the available 5 enabled and, thus, a coverage percentage of 60%.

This coverage can also be seen in the Posture view, where the spider chart represents your coverage percentage across all available tactics, demonstrating your total threat coverage posture.