
Log source coverage

Overview

About the matrix

In the Log source coverage tab you can assess your coverage of the MITRE ATT&CK matrix based on the log sources you are currently ingesting. Log sources are mapped to tactics and techniques through the alert definitions in the system: for example, if an alert is tagged with the “Persistence” tactic and the “Account Manipulation” technique, the log sources (Devo tables) that alert uses are mapped to that tactic and technique in the Log source coverage section of the application.

About coverage

Coverage on the Log source coverage page is calculated by comparing the number of log sources currently ingesting data with the total number of log sources mapped to the current tactic or technique. The result changes according to the filters you apply to the matrix.

You can export a PDF of your alert coverage by clicking on the Export to PDF button, located in the top right corner of the screen. A PDF of the matrix is saved to your device.

[Image: 10_Log coverage.png]

Coverage levels:

  • N/A
  • Low: 0% - 24.99%
  • Medium-low: 25% - 75%
  • Medium-high: 75.01% - 99.99%
  • High: 100%

Working with the matrix

Show full matrix

Not all techniques can be detected from logs or with SIEM technology, so the default matrix view shows only those that can. Showing the entire matrix helps you understand the full breadth of attack techniques threat actors can use, for further investigation; techniques that are not available are shown in gray.

MITRE ATT&CK techniques describe a particular way to achieve the goal of a tactic and may also include sub-techniques, which are more specific ways of carrying out the activity the technique describes. The option to show all sub-techniques helps you understand the sub-techniques behind each technique and identify areas where your organization might need additional protection. You can also click the expand control in each tile to show or hide its sub-techniques manually.

[Image: 20_Log coverage.png]

Filter the matrix

Just as in the MITRE ATT&CK matrix, you can use the Enterprise matrix filter to narrow the view to a specific platform (Windows, macOS, etc.). You can also focus on specific technologies or products using the Log source filter.

You can also filter by threat coverage and by threat group; the threat group filter lets you select one or more of the threat groups that the MITRE organization tracks. When you select threat groups, the matrix shows only the tactics and techniques those groups use, so you can assess your MITRE ATT&CK coverage against that specific set of threat groups.

View available logs

The table at the bottom of the Log source coverage screen lists all available log sources and whether each one is currently ingesting. It also shows the number of tactics and techniques each log source covers, as well as the current or new tactics and techniques that would be covered if you added that log source (hover over the info icon to see which ones).

You can use the different options to filter the table and find the desired logs.
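The coverage calculation described under "About coverage" and the per-log-source table described just above can be reproduced outside the product to sanity-check what the matrix shows. The following is an added example, not Devo's own code: it maps constructed alert definitions to (tactic, technique) pairs, computes the ingesting-versus-mapped ratio, buckets it into the legend's levels, and for each log source works out which techniques would change level if that source started ingesting. The alert definitions, table names and ingestion state are constructed, and the `only_techniques` filter is an assumption about how a threat-group or platform filter narrows the matrix.

```python
"""Log-source coverage levels for MITRE ATT&CK tactics and techniques.

Constructed example, not Devo product code: the alert definitions, table names
and ingestion state below are made up to show the calculation. Technique IDs
use the public ATT&CK numbering.
"""
from collections import defaultdict

# Constructed alert definitions: (tactic, technique, tables the alert reads).
ALERTS = [
    ("Persistence", "T1098 Account Manipulation",
     ["auth.windows.events", "cloud.aws.cloudtrail"]),
    ("Persistence", "T1053 Scheduled Task/Job", ["os.linux.syslog"]),
    ("Credential Access", "T1003 OS Credential Dumping",
     ["edr.vendor.events", "auth.windows.events", "os.linux.auditd", "os.macos.unifiedlog"]),
    ("Lateral Movement", "T1021 Remote Services",
     ["auth.windows.events", "os.linux.syslog", "edr.vendor.events", "os.linux.auditd", "net.netflow"]),
    ("Exfiltration", "T1048 Exfiltration Over Alternative Protocol",
     ["net.dns.queries", "proxy.web.access"]),
]

# Constructed ingestion state: the tables currently receiving data.
INGESTING = {"auth.windows.events", "os.linux.syslog", "edr.vendor.events", "os.linux.auditd"}


def build_mapping(alerts):
    """Map (tactic, technique) -> set of log sources used by alerts tagged with that pair."""
    mapping = defaultdict(set)
    for tactic, technique, tables in alerts:
        mapping[(tactic, technique)].update(tables)
    return mapping


def coverage_percent(sources, ingesting):
    """Share of the mapped log sources that are ingesting; None when nothing is mapped."""
    if not sources:
        return None
    return 100.0 * len(sources & ingesting) / len(sources)


def coverage_level(percent):
    """Bucket a percentage into the legend's levels (exactly 75% is still Medium-low)."""
    if percent is None:
        return "N/A"
    if percent == 100:
        return "High"
    if percent > 75:
        return "Medium-high"
    if percent >= 25:
        return "Medium-low"
    return "Low"


def technique_coverage(alerts, ingesting, only_techniques=None):
    """Per (tactic, technique): (percent, level, ingesting sources, missing sources).

    only_techniques (assumption) restricts the output to a set of technique names,
    the way a threat-group or platform filter narrows the matrix.
    """
    result = {}
    for key, sources in build_mapping(alerts).items():
        if only_techniques is not None and key[1] not in only_techniques:
            continue
        pct = coverage_percent(sources, ingesting)
        result[key] = (pct, coverage_level(pct),
                       sorted(sources & ingesting), sorted(sources - ingesting))
    return result


def tactic_coverage(alerts, ingesting):
    """Per tactic: (percent, level) over the union of its techniques' log sources."""
    per_tactic = defaultdict(set)
    for (tactic, _), sources in build_mapping(alerts).items():
        per_tactic[tactic].update(sources)
    out = {}
    for tactic, sources in per_tactic.items():
        pct = coverage_percent(sources, ingesting)
        out[tactic] = (pct, coverage_level(pct))
    return out


def log_source_table(alerts, ingesting):
    """Per log source: ingesting flag, technique/tactic counts, and the techniques
    whose coverage level would change if this source started ingesting."""
    mapping = build_mapping(alerts)
    table = {}
    for name in sorted({t for sources in mapping.values() for t in sources}):
        used_by = [key for key, sources in mapping.items() if name in sources]
        would_change = []
        if name not in ingesting:
            for key in used_by:
                before = coverage_level(coverage_percent(mapping[key], ingesting))
                after = coverage_level(coverage_percent(mapping[key], ingesting | {name}))
                if before != after:
                    would_change.append((key[1], before, after))
        table[name] = {"ingesting": name in ingesting, "techniques": len(used_by),
                       "tactics": len({key[0] for key in used_by}), "would_change": would_change}
    return table
```

With the constructed data, `technique_coverage(ALERTS, INGESTING)` places T1003 at exactly 75% (Medium-low, per the legend's upper bound) and T1021 at 80% (Medium-high), while `log_source_table` reports that switching on `net.netflow` would lift T1021 to High. Note that a technique with no mapped log sources yields `None` and the N/A level rather than 0%, which keeps "nothing mapped" distinct from "mapped but not ingesting".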

 
