MITRE Heat Map Calculations

The colors in the MITRE heat maps are calculated based on the number of rule mappings to a tactic or technique plus the level of mapping confidence (low, medium, or high).

The more rules that map to the technique, the darker the hue of color. Only enabled rules are included in the calculation; disabled rules do not contribute to the colors in the heat map. For each technique, all mappings to its sub-techniques are counted as if they are mappings to that technique.

After QRadar Use Case Manager calculates the numbers for all the techniques and tactics, the maximum number that is associated with a technique and the maximum number that is associated with a tactic are determined:

  • All techniques or tactics whose number is ≥ 66% of the maximum technique number are mapped to the darkest color.

  • All techniques or tactics whose number is ≥ 33% and < 66% of the maximum technique number are mapped to the mid-range color.

  • All techniques or tactics whose number is > 0 and < 33% of the maximum technique number are mapped to the lightest color.

Each cell in the heat map has a number that indicates the number of rules that are mapped to the technique or the sub-technique. Each number has a tooltip that explains how the calculation was determined. For example, four enabled rules are mapped to the selected technique. Based on the number of mappings and the confidence level, the technique score is 16, and it is assigned a medium color hue. The highest technique score in the environment is 40.
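The following Python sketch is an added illustration of the bucketing described above, not code from QRadar Use Case Manager. The page does not state how confidence levels are weighted, so the `CONFIDENCE_WEIGHT` values, the mapping record fields, and the rule names are assumptions constructed so that the sample data reproduces the scores 16 and 40 from the tooltip example.

```python
from collections import defaultdict

# Assumed weights: the page does not say how low/medium/high confidence is scored.
CONFIDENCE_WEIGHT = {"low": 2, "medium": 4, "high": 6}

def technique_scores(mappings):
    """Sum weighted mappings per technique, counting enabled rules only."""
    scores = defaultdict(int)
    for m in mappings:
        if not m["rule_enabled"]:
            continue  # disabled rules do not contribute to the colors
        parent = m["technique"].split(".")[0]  # sub-technique counts toward its technique
        scores[parent] += CONFIDENCE_WEIGHT[m["confidence"]]
    return dict(scores)

def hue(score, max_score):
    """Apply the 33% / 66% thresholds relative to the maximum score."""
    if score <= 0 or max_score <= 0:
        return "none"
    if score * 100 >= 66 * max_score:
        return "dark"
    if score * 100 >= 33 * max_score:
        return "medium"
    return "light"

def heat_map(mappings):
    scores = technique_scores(mappings)
    top = max(scores.values(), default=0)
    return {t: (s, hue(s, top)) for t, s in scores.items()}

def _m(rule, technique, confidence, enabled=True):
    return {"rule": rule, "technique": technique,
            "confidence": confidence, "rule_enabled": enabled}

# Constructed sample mappings (rule names are placeholders).
SAMPLE = (
    [_m(f"R-A{i}", t, "medium")
     for i, t in enumerate(["T1059", "T1059", "T1059.001", "T1059.003"])]
    + [_m("R-A-off", "T1059", "high", enabled=False)]   # ignored: rule disabled
    + [_m(f"R-B{i}", "T1078", "high") for i in range(6)]
    + [_m("R-B6", "T1078", "medium")]
    + [_m("R-C0", "T1110", "low")]
    + [_m("R-D0", "T1566", "high", enabled=False)]      # technique stays uncolored
)

if __name__ == "__main__":
    for technique, (score, color) in sorted(heat_map(SAMPLE).items()):
        print(technique, score, color)
```

With these assumed weights, T1059 scores 16 against a maximum of 40 (40% of the maximum) and lands in the mid-range hue, while a technique covered only by disabled rules gets no score at all.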

In the red heat map (Detected in timeframe report), the mappings that are counted in the calculation are enabled mappings to enabled rules that are related to offenses in the report.

Building blocks do not directly contribute to the colors either; they contribute to the coloring only through the rules that reference them. For example, if the report lists building blocks only and the Coverage based on rules in report option is selected in the coverage heat map, the map doesn't show any coloring because there are no rules in the report.