HOME Resources White Papers & Videos 2024 Report on State of SIEM Detection Risk


2024 Report on State of SIEM Detection Risk

In our fourth annual report, CardinalOps set out to gain visibility into the current state of use case development and threat detection coverage in enterprise SOCs. We analyzed, aggregated and anonymized data from production SIEM instances to understand SOC preparedness to detect the latest adversary techniques in MITRE ATT&CK.

The report analyzes real-world data from production SIEMs – including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic – covering thousands of detection rules, over 1.2 million log sources, and hundreds of unique log source types.

Key findings include:

  • Actual MITRE ATT&CK detection coverage remains far below what most organizations expect.
  • SIEMs don’t need more data, they are already ingesting enough data to cover a substantial percentage of MITRE ATT&CK techniques. 
  • Broken rules are also common, resulting in increased risk of breach due to undetected attacks.
  • Multi-SIEM environments are on the rise.
  • Demand for operationalizing TTP-level threat intelligence has increased.

To help organizations address their detection challenges, the 2024 CardinalOps report also includes a series of best practices to help SOC teams measure and continuously improve the robustness of their detection posture over time.

Download the report to benchmark your SIEM against real-world data from production SIEM deployments.

Download Now

This field is for validation purposes and should be left unchanged.