Coverage Framework
Detection Coverage Map
Structured visibility across 8 detection layers with MITRE mapping and maturity tracking.
Coverage by Layer
| Detection | Layer | Data Source | Platform | MITRE | Coverage Type | Maturity | AI |
|---|---|---|---|---|---|---|---|
| Process Creation Anomaly (Process Execution) | Host OS | Windows Event Log 4688 / Sysmon | Windows | T1059 | hybrid | production | — |
| Scheduled Task Creation (Persistence) | Host OS | Windows Event Log 4698 | Windows | T1053.005 | rule-based | production | — |
| Registry Run Key Modification (Persistence) | Host OS | Sysmon Event 13 | Windows | T1547.001 | rule-based | stable | — |
| LSASS Memory Access (Credential Access) | Host OS | Sysmon Event 10 | Windows | T1003.001 | rule-based | production | — |
| Browser Data Access (Credential Theft) | Host Application | Sysmon File Access | Windows / macOS | T1555.003 | rule-based | stable | — |
| Office Macro Execution (Initial Access) | Host Application | Windows Event Log / EDR | Windows | T1566.001 | hybrid | production | — |
| DNS Tunneling Detection (C2 Communication) | Host Network | DNS Query Logs | Windows / Linux | T1071.004 | ml-based | experimental | — |
| Unusual Outbound Connections (Exfiltration) | Host Network | Sysmon Event 3 / EDR Network | Windows / Linux | T1041 | hybrid | stable | — |
| East-West Lateral Movement (Lateral Movement) | Middle Network | VPC Flow Logs / Firewall | Cloud / On-prem | T1021 | ml-based | stable | — |
| Network Scanning Detection (Discovery) | Middle Network | IDS / Firewall Logs | On-prem / Cloud | T1046 | rule-based | production | — |
| Salesforce Bulk Data Export (Data Exfiltration) | Large Application | Salesforce Event Monitoring | Salesforce | T1530 | rule-based | stable | — |
| M365 Mass Email Forwarding (Exfiltration) | Large Application | M365 Audit Logs | Microsoft 365 | T1114.003 | rule-based | production | — |
| Impossible Travel Login (Account Compromise) | Identity | Authentication Logs / IdP | All | T1078 | rule-based | production | — |
| MFA Fatigue Attack (Account Compromise) | Identity | IdP / MFA Provider Logs | All | T1621 | rule-based | production | — |
| Privileged Account Behavior Anomaly (Privilege Abuse) | Identity | PAM / AD Logs | Windows / Cloud | T1078.002 | ml-based | experimental | — |
| WAF Bypass Attempt (Initial Access) | Perimeter | WAF / CDN Logs | Web Applications | T1190 | rule-based | production | — |
| VPN Brute Force (Initial Access) | Perimeter | VPN Appliance Logs | All | T1110 | rule-based | production | — |
| LLM Prompt Injection (Input Manipulation) | AI Security Extension | API Gateway / LLM Platform Logs | AI/ML Platform | T1190 | hybrid | experimental | |
| AI Agent Tool Misuse (Tool Abuse) | AI Security Extension | Agent Execution Logs | AI/ML Platform | T1059 | rule-based | experimental | |
| Model Data Exfiltration (Data Exfiltration) | AI Security Extension | API Gateway / Network Logs | AI/ML Platform | T1530 | planned | planned | |
Coverage Gaps
macOS Endpoint Coverage
Limited detection coverage for macOS-specific threats. Priority area for expansion.
Container / Kubernetes Layer
No dedicated container runtime or Kubernetes audit log detections in current framework.
LLM Output Monitoring
DLP integration for monitoring LLM response content not yet implemented.