[Security Solution] Implement Protections/Detections Coverage Overview dashboard grid #158243
Closed
5 of 7 tasks
Labels
8.10 candidate
Feature:Rule Management (Security Solution Detection Rule Management area)
Team:Detection Rule Management (Security Detection Rule Management Team)
Team:Detections and Resp (Security Detection Response Team)
Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
Epic: https://github.com/elastic/security-team/issues/2905 (internal)
Depends on: #158240, #158202
Summary
Implement Protections/Detections Coverage Overview dashboard with tiles displaying the rules broken down by MITRE ATT&CK tactics, techniques and sub-techniques.
Details
A popular way to represent coverage is to use the MITRE ATT&CK(TM) framework. It is a knowledge base of adversary tactics and techniques based on real-world observations. Currently it consists of 14 Tactics, 191 Techniques and 385 Sub-techniques. It is used by different teams and tools as a common reference.
Tactics represent an adversary's tactical goal (e.g. Credential Access), and in general can be viewed as attack progression stages. Techniques represent how the attacker achieves their goal.
We map our pre-built protections to ATT&CK tactics/techniques/sub-techniques where applicable. When creating custom rules, users can also map them to ATT&CK.
By coverage we usually understand the availability and number of detections for a given tactic/technique.
The Protections/Detections Coverage Overview dashboard should help users view detection rule coverage based on the MITRE ATT&CK framework.
Make sure the following items are covered by the implementation:
The dashboard is implemented according to the design (image)
It's based on the designed API contract but uses mock data so it won't be blocked by "[Security Solution] Implement an internal API endpoint to serve Protections/Detections Coverage Overview dashboard’s data" #158238
It displays a popover upon hovering on a tactic card (the "Install all available" button shouldn't be included at this stage) (image)
It includes the legend (image)
It displays unmapped rules as the first element
It renders correctly on all screen sizes
It takes into account the dark theme
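The coverage notion described above (number of rules per tactic, technique and sub-technique, with unmapped rules as the first element), sketched as an added TypeScript example that is not part of the original issue or of Kibana's implementation. It assumes rules carry the Elastic `threat` mapping shape; `buildCoverage`, `CoverageTile`, the path-style tile keys and the sample rules are hypothetical.

```typescript
// Added example. Rule fields follow the Elastic detection rule `threat` schema;
// CoverageTile, buildCoverage and the path-style tile keys are assumptions.
interface AttackRef { id: string; name: string }
interface AttackTechnique extends AttackRef { subtechnique?: AttackRef[] }
interface RuleThreat { framework: string; tactic: AttackRef; technique?: AttackTechnique[] }
interface DetectionRule { name: string; enabled: boolean; threat?: RuleThreat[] }
interface CoverageTile { key: string; name: string; enabled: number; disabled: number }
function buildCoverage(rules: DetectionRule[]): CoverageTile[] {
  const index: Record<string, CoverageTile> = {};
  const tiles: CoverageTile[] = [];
  const tileFor = (key: string, name: string): CoverageTile => {
    if (!index[key]) tiles.push((index[key] = { key, name, enabled: 0, disabled: 0 }));
    return index[key];
  };
  tileFor('unmapped', 'Unmapped rules'); // created first so it is always the first tile
  rules.forEach((rule) => {
    const seen: Record<string, boolean> = {};
    const count = (key: string, name: string): void => {
      const tile = tileFor(key, name);
      if (seen[key]) return; // a rule counts once per tile even if mapped twice
      seen[key] = true;
      if (rule.enabled) tile.enabled += 1; else tile.disabled += 1;
    };
    const threats = (rule.threat || []).filter((t) => t.framework === 'MITRE ATT&CK');
    if (threats.length === 0) count('unmapped', 'Unmapped rules');
    threats.forEach((t) => {
      count(t.tactic.id, t.tactic.name);
      (t.technique || []).forEach((tech) => {
        const techKey = `${t.tactic.id}/${tech.id}`; // a technique can sit under several tactics
        count(techKey, tech.name);
        (tech.subtechnique || []).forEach((s) => count(`${techKey}/${s.id}`, s.name));
      });
    });
  });
  return tiles;
}

// Constructed sample rules (not real prebuilt rules).
const M = 'MITRE ATT&CK';
const cred: AttackRef = { id: 'TA0006', name: 'Credential Access' };
const valid: AttackTechnique = { id: 'T1078', name: 'Valid Accounts' };
const sampleRules: DetectionRule[] = [
  { name: 'A', enabled: true, threat: [{ framework: M, tactic: cred, technique: [
    { id: 'T1110', name: 'Brute Force', subtechnique: [{ id: 'T1110.001', name: 'Password Guessing' }] }] }] },
  { name: 'B', enabled: false, threat: [{ framework: M, tactic: cred, technique: [{ id: 'T1110', name: 'Brute Force' }] }] },
  { name: 'C', enabled: true }, // no ATT&CK mapping
  { name: 'D', enabled: true, threat: [
    { framework: M, tactic: { id: 'TA0001', name: 'Initial Access' }, technique: [valid] },
    { framework: M, tactic: { id: 'TA0003', name: 'Persistence' }, technique: [valid] }] },
];
```

Separating enabled from disabled counts keeps a tile from looking covered when every rule mapped to it is switched off.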