BIPI

MITRE ATT&CK Coverage Mapping: From Spreadsheet to Live Dashboard

Cybersecurity

Static coverage spreadsheets are obsolete the moment they are saved. A live dashboard driven from rule metadata, telemetry availability, and atomic test results reflects what the SOC can actually detect today, not what it could detect last quarter.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 8, 2023 · 10 min read

#mitre-att&ck #coverage #detection-engineering #soc #att&ck-navigator

The quarterly MITRE ATT&CK coverage spreadsheet is a familiar artifact. A detection engineer spends two days color coding cells, presents the heatmap to leadership, then closes the file. Three weeks later, three rules are tuned, two are deleted, and the spreadsheet no longer reflects reality. A live dashboard solves this by sourcing coverage from the same place the rules live: the detection repository.

What Coverage Actually Means

Coverage is not a binary yes or no per technique. A serious coverage assessment answers three questions per technique: Do we have the telemetry source required to detect it? Do we have a deployed rule that targets it? Has that rule been validated against a recent atomic test? Anything less is a self-report, not coverage.

  • Telemetry coverage: do we ingest the log type the technique requires, such as process command line for T1059 or LSASS access events for T1003.001
  • Rule coverage: is there an active rule mapped to this technique ID in production
  • Validation coverage: did the rule fire when we last ran the atomic test for this technique
  • All three must be green for a technique to count as covered

Wire the Three Sources Together

Telemetry coverage comes from a list of onboarded log sources mapped to ATT&CK data sources, which MITRE publishes as part of the data sources matrix. Rule coverage comes from frontmatter in each Sigma or YARA-L file in your Git repo. Validation coverage comes from the Atomic Red Team or Caldera test results captured in CI. A nightly job reads all three and emits an ATT&CK Navigator layer JSON file.

The Navigator Layer as Output

MITRE provides ATT&CK Navigator as a free hosted tool that accepts a JSON layer file and renders a heatmap. Each technique gets a score from 0 to 100. A simple scheme: 33 points for telemetry, 33 for rule presence, 34 for recent validation. Techniques scoring 100 are fully covered. Techniques at 66 have a rule but no recent test. Techniques at 33 have telemetry but no rule. The color gradient makes the gap visible without anyone reading a spreadsheet.
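The nightly job described in the two sections above, as an added example (not BIPI's own tooling): it joins constructed samples of the three sources, applies the 33/33/34 scoring, and returns a Navigator layer dict. The data component names, Sigma tag convention (`attack.t1059`), rule IDs and CI results are constructed inputs, and a deprecated rule is deliberately excluded from rule coverage.

```python
import json
# Constructed sample inputs standing in for the three sources the article names.
TELEMETRY = {  # ATT&CK data component -> is that log type onboarded and parsed?
    "Process: Process Creation": True,
    "Process: OS API Execution": False,  # LSASS access events not ingested
    "User Account: User Account Authentication": True,
}
REQUIRED_SOURCE = {  # data component each technique needs (from MITRE's data sources matrix)
    "T1059": "Process: Process Creation",
    "T1003.001": "Process: OS API Execution",
    "T1078.004": "User Account: User Account Authentication",
    "T1567": "Process: Process Creation",
}
RULES = [  # Sigma frontmatter excerpts: `tags` carry the ATT&CK mapping, `status` the lifecycle
    {"id": "proc_powershell_encoded", "status": "stable", "tags": ["attack.t1059"]},
    {"id": "lsass_access", "status": "deprecated", "tags": ["attack.t1003.001"]},
    {"id": "cloud_account_login", "status": "stable", "tags": ["attack.t1078.004"]},
]
ATOMIC_RESULTS = {"T1059": True, "T1078.004": False}  # last CI run: did the mapped rule fire?

def active_rules_by_technique(rules):
    """Technique ID -> active rule IDs; deprecated rules do not count as coverage."""
    out = {}
    for r in rules:
        for tag in r["tags"]:
            if r["status"] != "deprecated" and tag.startswith("attack.t1"):  # technique, not tactic
                out.setdefault(tag[len("attack."):].upper(), []).append(r["id"])
    return out

def score_technique(tid, rules_by_tech):
    """33 telemetry + 33 active rule + 34 validated by atomic test -> (score, comment)."""
    telemetry = TELEMETRY.get(REQUIRED_SOURCE.get(tid), False)
    rules = rules_by_tech.get(tid, [])
    validated = bool(rules) and ATOMIC_RESULTS.get(tid, False)  # a test can only validate a rule
    score = 33 * telemetry + 33 * bool(rules) + 34 * validated
    comment = f"telemetry={telemetry} rules={rules or 'none'} validated={validated}"
    return score, comment

def build_layer(name="SOC coverage (nightly)"):
    """Return an ATT&CK Navigator layer dict; the nightly job would json.dump it to a file."""
    rules_by_tech = active_rules_by_technique(RULES)
    techniques = []
    for tid in sorted(REQUIRED_SOURCE):
        score, comment = score_technique(tid, rules_by_tech)
        techniques.append({"techniqueID": tid, "score": score, "comment": comment})
    return {
        "name": name, "domain": "enterprise-attack",
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
        "techniques": techniques,
    }
```

With these inputs T1059 scores 100, T1078.004 scores 66 (rule present, test did not fire), T1567 scores 33 (telemetry only) and T1003.001 scores 0 because its only rule is deprecated and its log source is not onboarded.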

Sector-Specific Prioritization

MITRE publishes ATT&CK groups with technique mappings per threat actor. For a financial services org, the prioritization list is dominated by FIN7, FIN11, TA505, and Lazarus techniques. For healthcare, it is Conti, LockBit, and BlackCat ransomware affiliates. Build a weighted overlay where techniques used by groups that target your sector get a multiplier. The heatmap now shows coverage weighted by threat relevance, not raw technique count.

Closing Gaps Systematically

  1. Sort uncovered techniques by sector relevance score
  2. For the top 10 gaps, check telemetry first: is the log source onboarded and parsed
  3. If telemetry exists, write a Sigma rule and a matching atomic test fixture
  4. If telemetry does not exist, open a log onboarding ticket before writing the rule
  5. Validate via atomic test in CI before merging

Common Anti-Patterns

  • Counting a technique as covered because a generic anomaly rule could theoretically catch it
  • Mapping the same rule to fifteen techniques to inflate the count
  • Reporting coverage without validation results, treating rule presence as equivalent to detection capability
  • Excluding sub-techniques from the count when the parent technique is mapped

A heatmap that lies in green is worse than a heatmap that admits its gaps. Validate every claim of coverage with a real test event, or stop calling it coverage.

Reporting Up the Stack

Leadership wants a single number. Give them one, but qualify it. Report coverage as a weighted percentage of techniques used by sector-relevant threat groups, with validation as a required gate. Last month, 47 percent of FIN7 techniques were validated; this month, 53 percent. The delta is two new rules covering T1078.004 (cloud account abuse) and T1567 (exfiltration to web service). That is a story leadership can act on.
