Back to research

MITRE ATT&CK Coverage Asymmetry

Reproduction and extension of a USENIX Security 2024 paper — adding Microsoft Sentinel analysis to reveal telemetry-driven coverage gaps.

Researcher · 2026

The Problem

The MITRE ATT&CK framework is widely used to evaluate security tool coverage, but Virkud et al. (USENIX Security 2024) showed that detection rules cluster around the same techniques — leaving blind spots. Their analysis covered Splunk, Elastic, and Sigma, but omitted major cloud-native SIEMs.

What I Built

Reproduced the original paper's methodology on a modern environment (Windows 11, Python 3.11), then extended it by adding Microsoft Sentinel as a fifth ruleset (~349 Analytics rules). The analysis revealed a third failure mode: ATT&CK coverage is partly an artefact of telemetry architecture, not just detection effort.

Architecture diagram placeholder

Replace with real architecture diagram

Key Engineering Decisions

  • Pre-registered hypothesis before running analysis — Sentinel would show systematically different coverage due to cloud-native telemetry
  • Documented 27 reproduction events including five version-drift workarounds (NumPy 2.0, pandas 3.0, NLTK 3.9)
  • Matched original paper values to three decimal places before extending
  • Quantified the asymmetry: Sentinel covers cloud/identity techniques 2–6× more, but host techniques 5–26× less than EDR products

Note: Identified as potentially publishable by course coordinator Dr. Md Mokammel Haque. Full 36-page report available.

Stack

Security ResearchMITRE ATT&CKMicrosoft SentinelPythonSIEM