MITRE ATT&CK Coverage Asymmetry
Reproduction and extension of a USENIX Security 2024 paper — adding Microsoft Sentinel analysis to reveal telemetry-driven coverage gaps.
The Problem
The MITRE ATT&CK framework is widely used to evaluate security tool coverage, but Virkud et al. (USENIX Security 2024) showed that detection rules cluster around the same techniques — leaving blind spots. Their analysis covered Splunk, Elastic, and Sigma, but omitted major cloud-native SIEMs.
What I Built
Reproduced the original paper's methodology on a modern environment (Windows 11, Python 3.11), then extended it by adding Microsoft Sentinel as a fifth ruleset (~349 Analytics rules). The analysis revealed a third failure mode: ATT&CK coverage is partly an artefact of telemetry architecture, not just detection effort.
Architecture diagram placeholder
Replace with real architecture diagram
Key Engineering Decisions
- Pre-registered hypothesis before running analysis — Sentinel would show systematically different coverage due to cloud-native telemetry
- Documented 27 reproduction events including five version-drift workarounds (NumPy 2.0, pandas 3.0, NLTK 3.9)
- Matched original paper values to three decimal places before extending
- Quantified the asymmetry: Sentinel covers cloud/identity techniques 2–6× more, but host techniques 5–26× less than EDR products
Note: Identified as potentially publishable by course coordinator Dr. Md Mokammel Haque. Full 36-page report available.