implementing-mitre-attack-coverage-mapping

# Implementing MITRE ATT&CK Coverage Mapping ## Overview MITRE ATT&CK coverage mapping gives SOC teams a structured, adversary-centric lens to evaluate detection capabilities. Enterprise SIEMs on average have detection coverage for only 21% of ATT&CK techniques (2025 CardinalOps report), with 13% of existing rules being non-functional due to misconfigured data sources. Systematic coverage mapping identifies gaps, prioritizes rule development, and tracks detection maturity over time. ATT&CK v18.1 (December 2025) is the latest version. ## When to Use - When deploying or configuring implementing mitre attack coverage mapping capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Access to MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/) - Inventory of all active SIEM detection rules - MITRE ATT&CK technique mapping for each detection rule - Data source inventory (which log sources are ingested) - Understanding of adversary threat profiles relevant to your industry ## Coverage Mapping Process ### Step 1: Export Current Detection Rules ```spl # Splunk ES - Export all active correlation searches with MITRE mappings | rest /services/saved/searches | search disabled=0 action.correlationsearch.enabled=1 | table title, search, action.notable.para...