2022 Report on the State of SIEM Detection Risk — CardinalOps

On average, enterprise SIEMs only cover 5 of the top 14 MITRE ATT&CK techniques used by adversaries in the wild.

Only 5 of the top 14: think about that. It means the average SIEM misses roughly two-thirds of the techniques adversaries most commonly use.

Why? Insufficient breadth of rules, log source configuration errors, broken log collectors, and noisy rules all contribute to poor ATT&CK coverage in the average SIEM. Each of these is a silent failure: the rule appears to exist, but no alert fires when the technique is used.

Learn more by reading this data-driven report based on configuration data collected from a range of production SIEM instances (Splunk, Microsoft Sentinel, IBM QRadar, etc.) encompassing more than 14,000 log sources, thousands of detection rules, and hundreds of log source types.

Trusted by Global SOCs

Top 10 CPG Manufacturer
Top 10 Private Equity Firm
Top 10 Cable Operator
Top 10 Casino Company
Top 10 Money Transfer Firm
Top 10 US Law Firm
Top 15 MDR Provider
$3B Freight Logistics Firm
Top 20 Cosmetics Company

Addressing operational challenges in maintaining effective detections

Constantly increasing number of log sources, attack vectors, and correlation rules

Constant change

Your infrastructure, business priorities, and attack surface are constantly changing

No "one-size-fits-all"

Every enterprise is unique, making it impractical to copy-and-paste generic detection content

Manual processes

Manual and error-prone use case development makes it difficult to scale detection engineering effectively

“Buying security technologies seems to be much easier than operationalizing them for many organizations. In fact, there is a lot more guidance on 'Which tool to buy?' than on how to fully utilize a tool in a particular environment.”
- Anton Chuvakin, Google Chronicle / Former Gartner Research VP and Distinguished Analyst

Increasing the effectiveness of your tools and your team

Threat coverage gap analysis
  • Automatically identify:
    • Actual coverage vs. MITRE ATT&CK®
    • Missing, broken & noisy rules
    • Missing & incomplete log sources
  • Independent metric helps answer the question "How effective are we?" and drive continuous improvement
Organization-specific recommendations
  • Crown jewel assets
  • Industry-specific threats
  • Log-source priorities
  • New vulnerabilities
  • New initiatives (e.g., multi-cloud)
Safe automated deployment
  • Simple 30-minute API integration
  • 1-click deployment of new & remediated rules
  • Visualize impact of changes before & after deployment
  • Inspired by DevOps & agile methodologies