MITRE ATT&CK Coverage

CHAD maps your detection rules to the MITRE ATT&CK framework, helping you visualize coverage gaps and prioritize rule development.

What is MITRE ATT&CK?

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It’s the standard framework for describing attacker behavior.

Structure

Tactics (Why)
└── Techniques (How)
    └── Sub-techniques (Specific methods)
Example:
  • Tactic: Credential Access
  • Technique: T1110 - Brute Force
  • Sub-technique: T1110.001 - Password Guessing

Viewing Coverage

Navigate to ATT&CK Matrix in the sidebar.

Matrix View

The matrix shows:
  • Columns: Tactics (Initial Access → Impact)
  • Rows: Techniques within each tactic
  • Colors: Coverage level by deployed rules

Coverage Colors

Color       Meaning
🟢 Green    Good coverage (3+ rules)
🟡 Yellow   Partial coverage (1-2 rules)
⚪ Gray     No coverage

Drill Down

Click any technique to see:
  • Rules covering this technique
  • Detection quality assessment
  • Gaps in sub-technique coverage

Tagging Rules

Rules are mapped via Sigma tags:
title: Failed Login Attempt
tags:
  - attack.credential_access
  - attack.t1110
  - attack.t1110.001

Tag Format

  • attack.{tactic} - Maps to tactic
  • attack.t{number} - Maps to technique
  • attack.t{number}.{sub} - Maps to sub-technique

Common Tactic Tags

Tag                           Tactic
attack.initial_access         Initial Access
attack.execution              Execution
attack.persistence            Persistence
attack.privilege_escalation   Privilege Escalation
attack.defense_evasion        Defense Evasion
attack.credential_access      Credential Access
attack.discovery              Discovery
attack.lateral_movement       Lateral Movement
attack.collection             Collection
attack.exfiltration           Exfiltration
attack.impact                 Impact

Coverage Analysis

Gap Identification

Use the matrix to identify:
  • Uncovered tactics - No rules at all
  • Uncovered techniques - Specific gaps
  • Thin coverage - Only 1 rule (single point of failure)

Prioritization

Focus on:
  1. High-impact tactics - Execution, Persistence, Credential Access
  2. Common techniques - T1059 (Scripting), T1078 (Valid Accounts)
  3. Your threat model - Techniques relevant to your environment

Importing Coverage

From SigmaHQ

SigmaHQ rules include ATT&CK tags:
  1. Go to SigmaHQ
  2. Filter by technique
  3. Import rules for gap coverage

Bulk Tagging

Add tags to existing rules:
  1. Open the rule
  2. Add tags to the YAML
  3. Save and redeploy

Coverage Reports

Export

Export coverage data:
  1. Click Export on the ATT&CK page
  2. Choose format (CSV, JSON)
  3. Download for reporting

Metrics

Track coverage over time:
  • Percentage of techniques covered
  • Rules per technique
  • Coverage by tactic

ATT&CK Navigator Integration

Export to ATT&CK Navigator for advanced visualization:
  1. Click Export to Navigator
  2. Download Navigator JSON
  3. Import at mitre-attack.github.io/attack-navigator
Navigator provides:
  • Custom coloring
  • Multi-layer comparison
  • Annotations

Best Practices

Every detection rule should have ATT&CK tags.
Sub-technique tags (T1110.001) are more useful than technique tags (T1110).
Check coverage monthly; ATT&CK is updated regularly.
One good rule beats five poorly-tuned rules.
Not all techniques are relevant to your environment.

Sync Updates

CHAD syncs the ATT&CK framework:
  1. Go to Settings > ATT&CK
  2. Click Sync Framework
  3. Latest techniques are downloaded
CHAD uses the Enterprise ATT&CK matrix by default.

Troubleshooting

Rules not appearing in matrix

  1. Check rule has ATT&CK tags
  2. Verify tag format is correct
  3. Rule must be deployed
  4. Sync ATT&CK framework

Coverage seems low

  1. Review rule tags for accuracy
  2. Import SigmaHQ rules for gaps
  3. Consider technique relevance to your environment

Outdated techniques

  1. Sync latest ATT&CK framework
  2. Update deprecated technique tags
  3. Review MITRE changelog for changes

Next Steps