Enterprise SIEMs Miss 79% of MITRE ATT&CK Techniques

A significant portion of existing detection rules – 13% on average – are non-functional and will never trigger due to issues like misconfigured data sources and missing log fields.


CardinalOps’ State of SIEM Detection Risk report highlights major detection coverage gaps and systemic detection engineering challenges that limit how effectively enterprise security information and event management (SIEM) platforms detect and respond to adversary activity.

“Five years’ worth of data tells a stark story: organizations are sitting on a mountain of data but still lack the visibility needed to detect the threats that matter most,” says Michael Mumcuoglu, CEO and co-founder at CardinalOps. “What’s clear is that the traditional approach to detection engineering is broken. Without being able to leverage AI, automation, and continuous assessment of detection health, enterprises will remain dangerously exposed, even with modern SIEM platforms and sophisticated telemetry.”

Key takeaways:


•    Drawing from a dataset of 2.5 million total log sources, over 23,000 distinct log sources, more than 13,000 unique detection rules, and hundreds of production SIEM environments, including Splunk, Microsoft Sentinel, IBM QRadar, CrowdStrike Logscale, and Google SecOps, the report uses the MITRE ATT&CK framework as a benchmark.

•    Organizations are generally improving year-over-year in understanding SIEM detection coverage and quality, but plenty of room for improvement remains.

•    Despite a 2% increase in coverage from 2024, on average, enterprise SIEMs have detection coverage for just 21% of adversary techniques defined in the MITRE ATT&CK framework, leaving 79% of techniques uncovered and organizations vulnerable to attack.

•    A significant portion of existing detection rules – 13% on average – are non-functional and will never trigger due to issues like misconfigured data sources and missing log fields. While this is a 5% decrease from 2024, broken rules that persist in SIEM environments pose a serious risk: the rule appears to provide coverage, yet the activity it targets goes unnoticed.

•    SIEMs now process an average of 259 log types and nearly 24,000 unique log sources, providing more than enough telemetry to detect over 90% of MITRE ATT&CK techniques (an increase of 3% from 2024), but manual, error-prone detection engineering practices continue to limit actual coverage.

•    Despite the scale of available data and detection infrastructure, organizations still struggle to keep pace with evolving threats due to resource constraints and a lack of automation in rule development and validation.
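The broken-rule finding above (a rule that references a log source the SIEM never ingests, or a field its parser never emits, so the search cannot match) is something a team can check mechanically against what is actually arriving. The following is an added illustration, not code from CardinalOps or the report: a hypothetical rule inventory and a constructed sample of ingested events, plus a check that flags rules that can never fire and shows the gap between the ATT&CK techniques the rule set claims and the ones functional rules actually cover.

```python
"""Detection-health check: which rules can never fire, and what ATT&CK
coverage is left once those rules are excluded.

Added illustration, not code from the report. Rule and event formats are
hypothetical; all sample data below is constructed.
"""
from collections import defaultdict

# Constructed rule inventory. Each rule declares the log source it expects,
# the fields its search references, and the ATT&CK technique it maps to.
RULES = [
    {"name": "suspicious_powershell",
     "source": "WinEventLog:Microsoft-Windows-Sysmon/Operational",
     "fields": ["Image", "CommandLine"], "technique": "T1059.001"},
    {"name": "lsass_access",
     "source": "WinEventLog:Microsoft-Windows-Sysmon/Operational",
     "fields": ["TargetImage", "GrantedAccess"], "technique": "T1003.001"},
    {"name": "brute_force_logon",
     "source": "WinEventLog:Security",
     "fields": ["EventCode", "TargetUserName", "IpAddress"], "technique": "T1110"},
    {"name": "dns_tunnel",
     "source": "zeek:dns",
     "fields": ["query", "qtype_name"], "technique": "T1071.004"},
]

# Constructed sample of what the SIEM actually ingested. Two deliberate
# problems: the Sysmon parser never emits GrantedAccess (missing field),
# and no zeek:dns events arrive at all (misconfigured data source).
EVENTS = [
    {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -enc SQBFAFgA"},
    {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "whoami"},
    {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "SourceImage": "C:\\tools\\x.exe"},
    {"source": "WinEventLog:Security", "EventCode": "4625",
     "TargetUserName": "admin", "IpAddress": "10.0.0.5"},
]


def observed_fields(events):
    """Map each ingested log source to the set of field names ever seen in it."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["source"]].update(k for k in ev if k != "source")
    return seen


def rule_health(rules, events):
    """Classify each rule as 'ok', 'no_source' (expected log source never
    ingested) or 'missing_fields' (source present, but a referenced field
    never appears, so the search can never match)."""
    seen = observed_fields(events)
    report = {}
    for r in rules:
        if r["source"] not in seen:
            report[r["name"]] = ("no_source", [])
            continue
        missing = sorted(f for f in r["fields"] if f not in seen[r["source"]])
        report[r["name"]] = ("missing_fields", missing) if missing else ("ok", [])
    return report


def coverage(rules, health):
    """Techniques the rule set claims vs. techniques functional rules cover:
    the gap between coverage on paper and coverage that can actually alert."""
    claimed = {r["technique"] for r in rules}
    effective = {r["technique"] for r in rules if health[r["name"]][0] == "ok"}
    return claimed, effective


def broken_ratio(health):
    """Fraction of rules that will never trigger (the report's 13% figure)."""
    broken = sum(1 for status, _ in health.values() if status != "ok")
    return broken / len(health)


if __name__ == "__main__":
    health = rule_health(RULES, EVENTS)
    for name, (status, missing) in health.items():
        print(f"{name:22} {status:15} {','.join(missing)}")
    claimed, effective = coverage(RULES, health)
    print(f"broken rules: {broken_ratio(health):.0%}")
    print(f"claimed techniques: {sorted(claimed)}")
    print(f"effective techniques: {sorted(effective)}")
```

Run against a real environment, the inputs would come from the SIEM's rule export and a field-frequency query per source (for example, a Splunk `fieldsummary` over a representative window), and the same logic separates "a rule exists for T1003.001" from "a rule for T1003.001 can actually fire on the data we have".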
