Review MITRE ATT&CK framework coverage

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-10
Category: Administrator Guide

Abstract

You can see a breakdown of the protection modules and detection rules in place for each MITRE tactic and technique on the MITRE ATT&CK Framework Coverage dashboard. Review the elements that affect your coverage, and identify coverage gaps in your framework.

You can see a comprehensive overview of the Cortex Cloud content and capabilities in context with the MITRE ATT&CK framework on the MITRE ATT&CK Framework Coverage dashboard. Access the dashboard from the drop-down menu in the dashboard header.

On this dashboard you can see a breakdown of the protection modules and detection rules in place for each MITRE tactic and technique. You can use the dashboard to review the elements that affect your coverage, and identify coverage gaps in your framework.

You can see the following information:

  • Number of detection rules per tactic: Review the detection rules that are available for each MITRE tactic.

  • MITRE ATT&CK framework coverage: Review the MITRE matrix detailing the available coverage for each tactic and technique. By default, covered methods are displayed. Click on a tactic or technique for details about the available prevention and detection methods. Note that the Protection numbers represent modules, which are a grouping of several protections.

  • Contributing data source types: Review the connectivity status of the data sources that are contributing to a specific data source type on your system.

    Note

    When a contributing data source type is active, it does not imply that all the rules and detectors associated with the data source type are active. Rule applicability is dependent on the data source's context and configuration. To enable an active status, data source types require the following setup:

    • Endpoint: Installed Cortex XDR agent.

    • Network: A contributing network device that is configured to ingest logs as Cortex Cloud network connection stories.

    • Cloud: A data source that is contributing the required cloud related information.

    • Identity: An identity application that is supported in IA (Identity Analytics) and the ITM (Identity Threat Module).

In addition, if you are working with reports, you can use the MITRE Coverage Report widget, which summarizes coverage for each tactic.
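As an added example that is not part of the Cortex Cloud documentation or product code, the following Python models the three dashboard figures described above (detection rules per tactic, per-technique coverage, and the effect of an inactive data source type or a non-applicable rule) on a constructed rule inventory; the rule names, technique mappings and data source states are sample data, not real Cortex content.

```python
# Added example: how the dashboard's coverage figures can be derived from a rule
# inventory. Rule names, mappings and source states below are constructed.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str
    technique: str
    kind: str          # "detection" rule or "protection" module
    source_type: str   # Endpoint, Network, Cloud or Identity
    applicable: bool = True  # the rule's own context/configuration lets it fire


# Constructed sample inventory (not real Cortex rule or module names).
RULES = [
    Rule("Suspicious process tree", "Execution", "T1059", "detection", "Endpoint"),
    Rule("Script blocking module", "Execution", "T1059", "protection", "Endpoint"),
    Rule("Lateral SMB stories", "Lateral Movement", "T1021", "detection", "Network"),
    Rule("Unusual console login", "Initial Access", "T1078", "detection", "Identity"),
    Rule("Bucket policy change", "Defense Evasion", "T1562", "detection", "Cloud", applicable=False),
]


def rules_per_tactic(rules):
    """Number of detection rules per tactic (first dashboard element)."""
    return Counter(r.tactic for r in rules if r.kind == "detection")


def coverage_matrix(rules, active_sources):
    """Per-technique counts of content actually in force. A rule counts only if its
    data source type is active AND the rule itself is applicable, mirroring the note
    that an active source type does not make every rule behind it active."""
    matrix = {}
    for r in rules:
        entry = matrix.setdefault(r.technique, {"detection": 0, "protection": 0, "inactive": []})
        if r.source_type in active_sources and r.applicable:
            entry[r.kind] += 1
        else:
            entry["inactive"].append(r.name)
    return matrix


def coverage_gaps(rules, active_sources):
    """Techniques with mapped content but nothing currently effective."""
    m = coverage_matrix(rules, active_sources)
    return sorted(t for t, e in m.items() if e["detection"] + e["protection"] == 0)


if __name__ == "__main__":
    # Identity source type not yet connected; the Cloud rule is not applicable.
    print(coverage_gaps(RULES, {"Endpoint", "Network", "Cloud"}))  # -> ['T1078', 'T1562']
```

The `inactive` list per technique shows which mapped rules are present but not contributing, which is the distinction the Note above draws between an active data source type and its rules being active.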