Coverage Gap Advisor
Identify MITRE ATT&CK coverage gaps and get actionable detection recommendations
| Metric | Value |
|---|---|
| Techniques Covered | 5 |
| Coverage % | 50% |
| Critical Gaps | 5 |
| Recommended Detections | 10 |
Gap Analysis
| Technique | Name | Tactic | Coverage | Priority | Recommendation | Action |
|---|---|---|---|---|---|---|
| T1059 | Command and Scripting Interpreter | Execution | Covered | low | Existing PowerShell & Bash rules active | |
| T1059.001 | PowerShell | Execution | Covered | low | ScriptBlock logging rule deployed | |
| T1071 | Application Layer Protocol | Command & Control | Partial | medium | Add DNS-over-HTTPS detection rule | |
| T1053 | Scheduled Task/Job | Persistence | Gap | high | Deploy schtasks / cron anomaly detection | |
| T1078 | Valid Accounts | Initial Access | Partial | high | Correlate impossible-travel with auth logs | |
| T1021 | Remote Services | Lateral Movement | Gap | high | Monitor RDP/SSH lateral pivots | |
| T1486 | Data Encrypted for Impact | Impact | Covered | low | Ransomware canary files active | |
| T1027 | Obfuscated Files or Information | Defense Evasion | Gap | high | Add entropy-based payload analysis | |
| T1562 | Impair Defenses | Defense Evasion | Partial | medium | Detect tamper of EDR services | |
| T1110 | Brute Force | Credential Access | Covered | low | Rate-limit rules deployed across tenants | |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration | Gap | high | Monitor DNS/ICMP tunneling patterns | |
| T1087 | Account Discovery | Discovery | Partial | medium | Alert on bulk LDAP enumeration | |
| T1547 | Boot or Logon Autostart Execution | Persistence | Gap | medium | Registry run-key change monitoring | |
| T1569 | System Services | Execution | Covered | low | Service creation audit rule active | |
| T1190 | Exploit Public-Facing Application | Initial Access | Partial | high | WAF log correlation with CVE feeds | |