
Understanding Detection Workbook Coverage on the MITRE ATT&CK Framework

This is a comprehensive guide to navigating and interpreting the Detection Workbook coverage on the MITRE page. The MITRE page displays the detection workbook coverage mapped across the MITRE ATT&CK framework. This page provides a visual representation of the detection workbooks and their alignment with the MITRE framework, making it easier to analyze and track the coverage of various techniques and tactics.


Steps to Access the MITRE Page in the DNIF Console

  1. Log in to the DNIF console using your credentials.
  2. Locate and click the MITRE ATT&CK® icon in the left navigation panel.
  3. The MITRE page will load and display the detection workbook coverage across the MITRE ATT&CK framework.

Toggle Button for displaying Detection Coverage

This feature lets users switch between viewing all tactic and technique blocks and viewing only those with active detection coverage, using a simple toggle button. The two options available are:

  • Show All: When this option is selected, the system displays all techniques with details of detection workbooks where applicable (both active and inactive). This view provides comprehensive coverage, showing the complete list of workbooks regardless of their current status.

  • Show Coverage: When this option is selected, only the techniques with detection workbooks are displayed. This view helps users focus on the available detection coverage, streamlining their workflow.

How it works:

  • The toggle button can be found at the top of the workbook section.
  • Simply click the button to switch between Show All and Show Coverage views.

Visualization Overview

  • MITRE Tactics as Columns: The MITRE tactics are shown as vertical columns on the page.

  • MITRE Techniques as Tiled Blocks: Techniques are represented as individual blocks within these columns, showing their association with the corresponding tactics.


Technique Block

Each technique block provides detailed information about the associated detection workbooks and their coverage status. Here’s how to interpret a technique block:

  1. Technique Name: The block displays the name of the MITRE technique.
  2. Workbook Count (Active and Total):
    • The block includes a count of active workbooks and total workbooks. These details are shown in tooltips that appear when hovering over the block.
    • The interface provides two viewing options: "Active Workbooks", which shows the workbooks currently in use, and "Total Workbooks", which displays all accessible workbooks. This lets users focus on the active workbooks or manage the complete set of available workbooks.

  3. Active Detection Coverage Status: The status of detection coverage for a technique is depicted by a bar, which can be in one of the following states:

     Bar color        Description
     Green Bar        Indicates that workbooks corresponding to this technique are enabled/disabled, and their associated dataset streams have data.
     Light Gray Bar   Indicates that workbooks corresponding to this technique are enabled/disabled, and their associated dataset streams have data.
     Dark Gray Bar    Indicates no workbooks or log data are available for the technique.

  4. Workbook Count Click Functionality: Clicking the workbook count within the technique block displays a list of the associated workbooks.
    • An "Enabled Workbook" is shown in a brighter white colour with a green highlight, signifying that its corresponding dataset stream has data.
    • A "Disabled Workbook" is shown in a faded grey colour.
    • This colouring distinguishes disabled workbooks from enabled, active workbooks, making the coverage status clear at a glance.

Searching Workbooks or Techniques

To quickly locate a specific workbook or technique:

  • Search Bar: Enter the name of the desired workbook or technique in the search field.
  • Search Results: The page then displays the corresponding MITRE tactics and techniques, allowing you to view coverage specific to the query.

Stream-wise Filtering

The page offers functionality to filter techniques by specific dataset streams, allowing for more granular analysis of detection coverage.

  1. Stream Selection: When a specific dataset stream is selected, the techniques that correspond to that stream are highlighted on the page (and filtered).
  2. Workbook Count Update: The counts for active workbooks and total workbooks update dynamically based on the selected stream.
  3. Bar Color Update: The colour of the coverage bar changes based on the selected stream, visually indicating the status of detection coverage for that stream.

Note: If the stream has no active workbooks, indicating no current data, the colour bar of the technique updates accordingly. For example, a technique that usually shows a green bar when active may turn gray when there are no active workbooks corresponding to the selected stream.
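The technique-block rules and the stream-wise filtering described above, as an added Python model (illustrative code written for this guide, not DNIF's own code). Each workbook is tied to one technique and one dataset stream; coverage() returns the active/total counts and the bar colour, optionally restricted to a single stream, so the counts and colour update together as they do when a stream is selected. The sample workbooks and streams are constructed, and the light gray rule (workbooks exist but none is currently active) is an assumption based on the note above.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data, not taken from the DNIF product: each detection
# workbook is mapped to one ATT&CK technique and runs on one dataset stream.
@dataclass(frozen=True)
class Workbook:
    name: str
    technique: str   # ATT&CK technique ID the workbook covers
    stream: str      # dataset stream the workbook reads from
    enabled: bool    # whether the workbook is switched on

# Constructed: the dataset streams that currently have data.
STREAMS_WITH_DATA = {"windows-security", "linux-auth"}

WORKBOOKS = [
    Workbook("Brute force logon", "T1110", "windows-security", True),
    Workbook("SSH password spray", "T1110", "linux-auth", False),
    Workbook("Encoded PowerShell", "T1059", "windows-security", True),
    Workbook("Suspicious cron job", "T1053", "linux-cron", True),  # stream has no data
]

def is_active(w: Workbook) -> bool:
    """A workbook counts as active when it is enabled and its stream has data."""
    return w.enabled and w.stream in STREAMS_WITH_DATA

def coverage(technique: str, stream: Optional[str] = None):
    """Return (active_count, total_count, bar_colour) for one technique block.
    Passing a stream mirrors stream-wise filtering: only workbooks on that
    stream are counted, so the counts and the bar colour update together."""
    wbs = [w for w in WORKBOOKS
           if w.technique == technique and (stream is None or w.stream == stream)]
    active = [w for w in wbs if is_active(w)]
    if not wbs:
        colour = "dark gray"   # no workbooks for this technique (and stream)
    elif active:
        colour = "green"       # at least one enabled workbook with stream data
    else:
        colour = "light gray"  # assumption: workbooks exist but none is active
    return len(active), len(wbs), colour

def workbook_list(technique: str):
    """The list shown on clicking the workbook count: active workbooks are
    highlighted, disabled or data-less ones are rendered faded."""
    return [(w.name, "highlighted" if is_active(w) else "faded")
            for w in WORKBOOKS if w.technique == technique]

def unique_counts():
    """Unique techniques and workbooks, as shown in the page summary."""
    return len({w.technique for w in WORKBOOKS}), len({w.name for w in WORKBOOKS})
```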


Unique Tactics, Techniques, and Workbooks

Unique Tactics:
  1. The MITRE page displays the total number of unique tactics represented in the framework. Each tactic corresponds to a high-level objective that an adversary aims to achieve during an attack (e.g., Initial Access, Execution, Persistence).
  2. Understanding the unique tactics helps organizations identify potential areas of vulnerability and strengthens their overall security strategy by focusing on specific adversary objectives.

Unique Techniques:
  1. Each tactic is associated with one or more unique techniques, which describe the specific methods adversaries use to achieve their goals. The MITRE page lists these techniques, providing insight into the variety of ways attacks can be executed.
  2. By examining unique techniques, security teams can better assess their detection capabilities, allowing them to implement more targeted defences and responses based on known adversarial behaviours.

Unique Workbooks:
  1. The system also displays the total number of unique workbooks associated with the tactics and techniques. Workbooks contain the detection rules, alerts, and processes for identifying specific behaviours or incidents within the network.