Coverage Framework
Detection Coverage Map
Structured visibility across 8 detection layers, with MITRE ATT&CK technique mapping and maturity tracking for each detection.
Coverage by Layer
| Detection | Category | Layer | Data Source | Platform | MITRE | Coverage Type | Maturity | AI |
|---|---|---|---|---|---|---|---|---|
| Process Creation Anomaly | Process Execution | Host OS | Windows Event Log 4688 / Sysmon | Windows | T1059 | hybrid | production | - |
| Scheduled Task Creation | Persistence | Host OS | Windows Event Log 4698 | Windows | T1053.005 | rule-based | production | - |
| Registry Run Key Modification | Persistence | Host OS | Sysmon Event 13 | Windows | T1547.001 | rule-based | stable | - |
| LSASS Memory Access | Credential Access | Host OS | Sysmon Event 10 | Windows | T1003.001 | rule-based | production | - |
| Browser Data Access | Credential Theft | Host Application | Sysmon File Access | Windows / macOS | T1555.003 | rule-based | stable | - |
| Office Macro Execution | Initial Access | Host Application | Windows Event Log / EDR | Windows | T1566.001 | hybrid | production | - |
| DNS Tunneling Detection | C2 Communication | Host Network | DNS Query Logs | Windows / Linux | T1071.004 | ml-based | experimental | - |
| Unusual Outbound Connections | Exfiltration | Host Network | Sysmon Event 3 / EDR Network | Windows / Linux | T1041 | hybrid | stable | - |
| East-West Lateral Movement | Lateral Movement | Middle Network | VPC Flow Logs / Firewall | Cloud / On-prem | T1021 | ml-based | stable | - |
| Network Scanning Detection | Discovery | Middle Network | IDS / Firewall Logs | On-prem / Cloud | T1046 | rule-based | production | - |
| Salesforce Bulk Data Export | Data Exfiltration | Large Application | Salesforce Event Monitoring | Salesforce | T1530 | rule-based | stable | - |
| M365 Mass Email Forwarding | Exfiltration | Large Application | M365 Audit Logs | Microsoft 365 | T1114.003 | rule-based | production | - |
| Impossible Travel Login | Account Compromise | Identity | Authentication Logs / IdP | All | T1078 | rule-based | production | - |
| MFA Fatigue Attack | Account Compromise | Identity | IdP / MFA Provider Logs | All | T1621 | rule-based | production | - |
| Privileged Account Behavior Anomaly | Privilege Abuse | Identity | PAM / AD Logs | Windows / Cloud | T1078.002 | ml-based | experimental | - |
| WAF Bypass Attempt | Initial Access | Perimeter | WAF / CDN Logs | Web Applications | T1190 | rule-based | production | - |
| VPN Brute Force | Initial Access | Perimeter | VPN Appliance Logs | All | T1110 | rule-based | production | - |
| LLM Prompt Injection | Input Manipulation | AI Security Extension | API Gateway / LLM Platform Logs | AI/ML Platform | T1190 | hybrid | experimental | |
| AI Agent Tool Misuse | Tool Abuse | AI Security Extension | Agent Execution Logs | AI/ML Platform | T1059 | rule-based | experimental | |
| Model Data Exfiltration | Data Exfiltration | AI Security Extension | API Gateway / Network Logs | AI/ML Platform | T1530 | planned | planned | |
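As an added example (not code from the coverage framework itself), the two rule-based Identity-layer detections in the table, Impossible Travel Login (T1078) and MFA Fatigue Attack (T1621), implemented as sliding-window rules over constructed IdP events. The `AuthEvent` schema, the event names (`login.success`, `mfa.push.sent`, `mfa.push.denied`, `mfa.push.approved`) and the sample records are assumptions for illustration; a real IdP such as Okta or Entra ID uses its own log fields, so the parsing layer would differ.

```python
"""Added example, not part of the coverage framework's own code.

Impossible Travel (T1078) and MFA Fatigue (T1621) as rule-based detections over
constructed IdP events. The AuthEvent fields and event names are assumed for
illustration; real IdP logs (Okta System Log, Entra ID sign-in logs) differ.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    event: str        # login.success | mfa.push.sent | mfa.push.denied | mfa.push.approved
    lat: float = 0.0  # geo-IP of the source address; only meaningful for login.success
    lon: float = 0.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in km (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Flag a user whose consecutive successful logins imply travel faster than
    max_kmh (roughly airliner speed). Returns (user, km, km_per_hour) per alert."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.event != "login.success":
            continue
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            # Floor the interval at one second so two logins in the same second
            # from different places are flagged instead of dividing by zero.
            hours = max((e.ts - prev.ts).total_seconds(), 1) / 3600
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((e.user, round(km), round(kmh)))
        last[e.user] = e
    return alerts


def mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag a user who receives >= threshold push prompts inside `window` (medium).
    An approval while that burst is still active is escalated to high: the user
    may have accepted just to stop the prompts. Returns (user, severity, prompts)."""
    alerts, sent, in_burst = [], defaultdict(deque), set()
    for e in sorted(events, key=lambda x: x.ts):
        q = sent[e.user]
        while q and e.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(e.user)        # the burst has aged out
        if e.event == "mfa.push.sent":
            q.append(e.ts)
            if len(q) >= threshold and e.user not in in_burst:
                in_burst.add(e.user)
                alerts.append((e.user, "medium", len(q)))
        elif e.event == "mfa.push.approved" and e.user in in_burst:
            alerts.append((e.user, "high", len(q)))
            in_burst.discard(e.user)
            q.clear()
    return alerts


def _t(hh, mm, ss=0):
    return datetime(2024, 5, 1, hh, mm, ss, tzinfo=timezone.utc)


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    AuthEvent(_t(9, 0), "alice", "login.success", 40.7128, -74.0060),   # New York
    AuthEvent(_t(9, 45), "alice", "login.success", 51.5074, -0.1278),   # London, 45 min later
    AuthEvent(_t(8, 0), "bob", "login.success", 47.6062, -122.3321),    # Seattle
    AuthEvent(_t(11, 0), "bob", "login.success", 37.7749, -122.4194),   # San Francisco, 3 h later
    AuthEvent(_t(14, 0), "dave", "mfa.push.sent"),                      # one prompt, approved: benign
    AuthEvent(_t(14, 0, 20), "dave", "mfa.push.approved"),
    AuthEvent(_t(2, 7), "carol", "mfa.push.approved"),                  # approves after the burst
]
SAMPLE_EVENTS += [AuthEvent(_t(2, m), "carol", "mfa.push.sent") for m in range(6)]
SAMPLE_EVENTS += [AuthEvent(_t(2, m, 30), "carol", "mfa.push.denied") for m in range(5)]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS) + mfa_fatigue(SAMPLE_EVENTS):
        print(a)
```

Two tuning points matter in production: `max_kmh` must sit above the fastest legitimate travel plus geo-IP error (VPN egress and mobile carrier NAT are the usual false-positive sources), and the MFA threshold should be paired with a denial count, since a burst that is approved on the first prompt with no denials looks quite different from one the user rejected four times before giving in.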
Coverage Gaps
macOS Endpoint Coverage
Limited detection coverage for macOS-specific threats. Priority area for expansion.
Container / Kubernetes Layer
No dedicated container runtime or Kubernetes audit log detections in current framework.
LLM Output Monitoring
DLP integration for monitoring LLM response content not yet implemented.
Detection layer taxonomy informed by Behind the Scenes: Logonomics — Oracle Cloud Infrastructure Blog.