Threat Coverage Widget

The threat coverage widget provides a visual indicator of your threat coverage: how many of the MITRE ATT&CK tactics and techniques are covered by the Sigma rules enabled in your environment. The MITRE ATT&CK Matrix is a framework used to classify the variety of security threats an organization can face.

The matrix is organized first into tactics; within each tactic, techniques (and sub-techniques) further categorize the specific behaviors of a threat. Graylog Illuminate offers content packs, available to Security users, that contain Sigma rules mapped to techniques and sub-techniques as defined in the MITRE ATT&CK Matrix.

Within the widget, the Posture view displays a spider chart to help you visualize your coverage percentage for each tactic, based on which Sigma rules you have enabled. The Coverage Details view provides a more nuanced look at tactics, showing a breakdown of the techniques and sub-techniques contained within the selected item.

Enable Sigma Rules via the Threat Coverage Widget

In the Coverage Details view you can increase your threat coverage by enabling specific Sigma rules related to techniques and sub-techniques within a tactic.

To enable these Sigma rules: 

  1. Select the blue icon next to the coverage percentage for the desired technique.

  2. In the next window, you are prompted to review the steps to improve your threat coverage, including:

    • Enabling specific Illuminate packs.

    • Enabling Sigma rules.

    If any of these steps have not been completed, you can select the configure button next to the requisite step as shown.

    Follow the steps in the dialog box to improve threat coverage for all tactics.

    In this example, the latest Illuminate packs have not been enabled. When you select configure, you see a screen that lists the Illuminate packs for the specific technique, and you can enable them here.

  3. To enable additional Sigma rules, select configure next to this step. Here, you are presented with a list of Sigma rules that specifically map to the technique you initially selected. Sigma rules that are already enabled are displayed with a blue toggle.

  4. To enable any additional Sigma rules that are not currently active, select the toggle button. (You can also enable all available rules as a bulk action.)

Now you can see that your coverage for the selected technique has improved, which in turn raises your overall coverage for the corresponding MITRE tactic.

If you wish to view all the Sigma rules that can be enabled across the entire MITRE ATT&CK Matrix, select the improve coverage button at the top right of the threat coverage widget. Here you can view a comprehensive list of related Sigma rules and enable any additional rules as needed.

Review Coverage Percentages

The coverage percentage at the tactic level is calculated from the number of fully covered techniques within the tactic, whereas the coverage percentage at the technique level is calculated from the number of Sigma rules enabled for that technique.

Hint: The Sigma rules related to MITRE ATT&CK content available in the Illuminate packs do not cover all the tactics, techniques, or sub-techniques from the Enterprise Matrix. Coverage of 100% on a specific tactic or technique means you are fully covered by all available Sigma rules.

For example, in the image below the Command and Control and Resource Development tactics show a coverage percentage of 100%, indicating that all available Sigma rules mapped to these tactics are enabled. However, a number of Sigma rules are not currently enabled for other tactics, such as Impact, which has only 3 of the 5 available rules enabled and thus a coverage percentage of 60%.
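As an added example (not Graylog's code), the two calculations described above applied to a constructed rule set: the rule titles are placeholders, and treating a technique with no mapped rule as having no coverage value (rather than 0%) is an assumption. It also shows the case the page's example does not, a technique that is only partially covered and therefore adds nothing at the tactic level.

```python
"""Tactic- and technique-level coverage arithmetic over constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SigmaRule:
    name: str        # placeholder rule title (constructed)
    tactic: str      # MITRE ATT&CK tactic the rule is mapped to
    technique: str   # MITRE ATT&CK technique ID the rule is mapped to
    enabled: bool


# Constructed sample: Impact has 5 mapped rules with 3 enabled (as in the page's
# example); Persistence has one technique with 2 rules of which only 1 is enabled.
RULES = [
    SigmaRule("placeholder-impact-1", "Impact", "T1485", True),
    SigmaRule("placeholder-impact-2", "Impact", "T1486", True),
    SigmaRule("placeholder-impact-3", "Impact", "T1489", True),
    SigmaRule("placeholder-impact-4", "Impact", "T1490", False),
    SigmaRule("placeholder-impact-5", "Impact", "T1529", False),
    SigmaRule("placeholder-persist-1", "Persistence", "T1053", True),
    SigmaRule("placeholder-persist-2", "Persistence", "T1053", False),
    SigmaRule("placeholder-c2-1", "Command and Control", "T1071", True),
]


def technique_coverage(rules, tactic, technique):
    """Percent of the Sigma rules mapped to one technique that are enabled."""
    mapped = [r for r in rules if r.tactic == tactic and r.technique == technique]
    if not mapped:
        return None  # assumption: no Illuminate rule exists for this technique
    return 100 * sum(r.enabled for r in mapped) / len(mapped)


def tactic_coverage(rules, tactic):
    """Percent of techniques (with at least one mapped rule) that are fully covered.

    A technique only counts toward the tactic once every rule mapped to it is
    enabled, so a half-covered technique contributes nothing here.
    """
    techniques = {r.technique for r in rules if r.tactic == tactic}
    if not techniques:
        return None
    fully_covered = sum(technique_coverage(rules, tactic, t) == 100 for t in techniques)
    return 100 * fully_covered / len(techniques)


if __name__ == "__main__":
    for tactic in ("Impact", "Persistence", "Command and Control"):
        print(f"{tactic}: {tactic_coverage(RULES, tactic):.0f}%")
    print("T1053 at technique level:", technique_coverage(RULES, "Persistence", "T1053"))
```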

This coverage can also be seen in the Posture view, where the spider chart represents your coverage percentage across all available tactics, demonstrating your total threat coverage posture.