Overview
The Threat Coverage map on the Hunters platform gives you an overview of your organization's detection coverage mapped onto the MITRE ATT&CK framework. It is currently aligned to MITRE ATT&CK framework V14.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a framework that provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is maintained by the MITRE Corporation, a nonprofit organization that operates federally funded research and development centers.
MITRE ATT&CK categorizes various techniques used by threat actors across the different stages of a cyber attack. The framework includes information about the tactics adversaries employ, such as initial access, execution, persistence, privilege escalation, defense evasion, lateral movement, and exfiltration. Each tactic is further divided into specific techniques that adversaries may use.
Tactics are listed across the top as columns, and techniques as cells below them. Each technique is highlighted based on the coverage in your organization.
- Green: The technique is covered in your organization by at least one detector (the number of detectors is shown in the bottom right corner of the cell).
- White: The technique is covered by Hunters, but it is not currently covered in your organization because no relevant data source has been connected. Clicking on the technique reveals which data sources can be connected to cover it.
- Gray: The technique is not currently covered, either because Hunters does not yet have a relevant detector for it, or because the technique cannot feasibly be covered with any telemetry.
- Blue: The technique is relevant to the data type you are currently filtering by in the sidebar.
Work with the Threat Coverage map
To view your threat coverage map:
- From the Hunters menu, navigate to Knowledge Center > Threat Coverage.
- Use the left sidebar to show only techniques relevant to a specific data type. For instance, if we select "SaaS", then "Office 365" and then "o365-audit-logs", relevant techniques are highlighted in blue for investigation.
- Click on each technique to bring up specific details about it, as well as a list of the detectors that currently cover it.
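The following is an added example, not code from Hunters or the platform, that models the colour rules and the sidebar filter described above for a constructed set of detectors. Technique IDs, detector names and data-source names are illustrative, and the assumption that a detector is active only when every data source it needs is connected, and that the sidebar filter takes precedence over green/white, are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

# Constructed sample catalogue: detector names, technique IDs and data-source
# names are illustrative only, not Hunters' real detector catalogue.
@dataclass(frozen=True)
class Detector:
    name: str
    technique: str                 # ATT&CK technique ID the detector maps to
    data_sources: FrozenSet[str]   # every data source the detector needs to run

DETECTORS = (
    Detector("o365 impossible travel", "T1078", frozenset({"o365-audit-logs"})),
    Detector("okta mfa bypass", "T1078", frozenset({"okta-system-logs"})),
    Detector("mailbox forwarding rule", "T1114", frozenset({"o365-audit-logs"})),
    Detector("edr process injection", "T1055", frozenset({"edr-telemetry"})),
)

# Techniques shown on the map, including one (T1027) with no detector at all.
TECHNIQUES = ("T1078", "T1114", "T1055", "T1027")


def coverage_status(technique: str, detectors: Iterable[Detector], connected: Set[str],
                    filter_source: Optional[str] = None) -> Tuple[str, int, Set[str]]:
    """Classify one technique the way the map colours it.

    Returns (colour, active_detector_count, applicable_data_sources):
      gray  - no detector exists for the technique
      white - detectors exist, but none has all of its data sources connected
      green - at least one detector is active (the count shown in the cell corner)
      blue  - a sidebar filter is set and the technique can be covered by that source
    Assumption for this example: blue takes precedence over green and white.
    """
    relevant = [d for d in detectors if d.technique == technique]
    applicable = set().union(*(d.data_sources for d in relevant))
    active = [d for d in relevant if d.data_sources <= connected]
    if filter_source is not None and filter_source in applicable:
        return "blue", len(active), applicable
    if not relevant:
        return "gray", 0, applicable
    if not active:
        return "white", 0, applicable
    return "green", len(active), applicable


def coverage_map(detectors: Iterable[Detector], techniques: Iterable[str], connected: Set[str],
                 filter_source: Optional[str] = None) -> Dict[str, Tuple[str, int, Set[str]]]:
    """Build the whole map: technique -> (colour, active count, applicable sources)."""
    detectors = tuple(detectors)
    return {t: coverage_status(t, detectors, connected, filter_source) for t in techniques}


if __name__ == "__main__":
    for tech, (colour, n, srcs) in coverage_map(DETECTORS, TECHNIQUES, {"o365-audit-logs"}).items():
        print(f"{tech}: {colour:5} detectors={n} applicable={sorted(srcs)}")
```

With only o365-audit-logs connected, T1078 and T1114 come out green, T1055 white (its EDR source is missing) and T1027 gray; filtering on o365-audit-logs turns T1078 and T1114 blue while T1055 stays white.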
Frequently Asked Questions
What does the number in the bottom right corner of each technique mean?
This is the number of detectors that are currently covering this technique in your organization.
What does the Hunters logo next to some of the techniques mean?
As part of Hunters' research, we added some techniques that are not part of the MITRE ATT&CK framework but that we consider noteworthy in today's evolving threat landscape.
Does Hunters support sub-techniques?
Yes! Some techniques contain a vertical bar that reveals the sub-techniques when clicked.