Analyzes detection coverage using Sigma, Splunk, and Elastic rules. Use when checking coverage for techniques, tactics, threat actors, or generating Navigator layers from detections.
```
analyze_coverage(source_type: "elastic")
```
Returns coverage % by tactic, top techniques, and weak spots.

```
identify_gaps(threat_profile: "ransomware")
identify_gaps(threat_profile: "apt")
identify_gaps(threat_profile: "persistence")
```
Returns prioritized P0/P1/P2 gaps with recommendations.

```
suggest_detections(technique_id: "T1059.001")
```
Returns existing detections, the data sources needed, and detection ideas.

```
generate_navigator_layer(
  name: "Elastic Initial Access",
  source_type: "elastic",
  tactic: "initial-access"
)
```
Returns ready-to-import Navigator JSON.

```
get_technique_ids(source_type: "elastic", tactic: "persistence")
```
Returns ~200 bytes instead of ~50KB.
| Profile | Key Techniques |
|---|---|
| ransomware | T1486, T1490, T1027, T1547 |
| apt | T1003, T1021, T1053, T1071 |
| initial-access | T1566, T1190, T1078 |
| persistence | T1547, T1543, T1053 |
| credential-access | T1003.*, T1555, T1552 |
| defense-evasion | T1027, T1070, T1055 |
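The following is an added worked example, not the skill's own code, showing what the three steps above compute when run against rule metadata: coverage % per tactic/profile from Sigma-style ATT&CK tags, prioritized gaps against the profile table, and a Navigator layer built from the result. The rule set is constructed, the profile lists are copied from the table above, and the P0/P1 priority rule and the Navigator/ATT&CK version strings in the layer header are this example's assumptions.

```python
"""Added example (not the skill's code): coverage stats, profile gaps and a
Navigator layer computed from a constructed set of rule metadata."""
import json
import re
from collections import defaultdict

# Constructed sample rules: each carries Sigma-style ATT&CK tags
# (attack.<tactic> and attack.t<id>), the convention a Sigma rule's `tags` field uses.
RULES = [
    {"title": "PowerShell Encoded Command", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Registry Run Key Added", "tags": ["attack.persistence", "attack.t1547.001"]},
    {"title": "Scheduled Task Created",
     "tags": ["attack.persistence", "attack.execution", "attack.t1053.005"]},
    {"title": "LSASS Memory Access", "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Shadow Copies Deleted", "tags": ["attack.impact", "attack.t1490"]},
]

# Key techniques per profile, taken from the profile table above.
PROFILES = {
    "ransomware": ["T1486", "T1490", "T1027", "T1547"],
    "apt": ["T1003", "T1021", "T1053", "T1071"],
    "initial-access": ["T1566", "T1190", "T1078"],
    "persistence": ["T1547", "T1543", "T1053"],
    "credential-access": ["T1003.*", "T1555", "T1552"],
    "defense-evasion": ["T1027", "T1070", "T1055"],
}

TECH_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")


def index_rules(rules):
    """Map technique IDs (as tagged) and tactics to the titles of the rules covering them."""
    by_technique, by_tactic = defaultdict(set), defaultdict(set)
    for rule in rules:
        for tag in rule["tags"]:
            m = TECH_RE.match(tag)
            if m:
                by_technique[m.group(1).upper()].add(rule["title"])
            elif tag.startswith("attack."):
                by_tactic[tag[len("attack."):].replace("_", "-")].add(rule["title"])
    return by_technique, by_tactic


def normalize(technique):
    """'T1003.*' and 'T1003.' both mean the parent technique T1003."""
    return technique.rstrip("*").rstrip(".")


def rules_for(technique, by_technique):
    """Rules covering a technique: an exact tag, or any sub-technique of a parent ID,
    so a profile entry like T1003 or T1003.* is satisfied by a T1003.001 rule."""
    parent = normalize(technique)
    return {t for tech, titles in by_technique.items()
            if tech == parent or tech.startswith(parent + ".") for t in titles}


def analyze_coverage(rules, profiles=PROFILES):
    """Coverage % per profile/tactic over its key techniques, rule counts per tactic,
    and the techniques with the most rules (ties broken by ID)."""
    by_technique, by_tactic = index_rules(rules)
    coverage = {name: round(100 * sum(bool(rules_for(t, by_technique)) for t in techs) / len(techs))
                for name, techs in profiles.items()}
    top = sorted(by_technique, key=lambda t: (-len(by_technique[t]), t))
    return {"coverage_pct": coverage,
            "rules_by_tactic": {k: len(v) for k, v in by_tactic.items()},
            "top_techniques": top[:3]}


def identify_gaps(rules, threat_profile, profiles=PROFILES):
    """Profile techniques with no covering rule. Priority is this example's assumption:
    P0 when the technique is also listed in another profile, P1 otherwise."""
    by_technique, _ = index_rules(rules)
    gaps = []
    for tech in profiles[threat_profile]:
        if rules_for(tech, by_technique):
            continue
        tid = normalize(tech)
        shared = sum(tid in {normalize(t) for t in techs} for techs in profiles.values()) > 1
        gaps.append({"technique": tid, "priority": "P0" if shared else "P1",
                     "recommendation": f"add a rule tagged attack.{tid.lower()}"})
    return sorted(gaps, key=lambda g: (g["priority"], g["technique"]))


def generate_navigator_layer(name, rules, threat_profile=None, profiles=PROFILES):
    """ATT&CK Navigator layer: covered techniques scored by rule count; profile gaps
    scored 0 with the recommendation as a comment. Version strings are assumptions."""
    by_technique, _ = index_rules(rules)
    entries = [{"techniqueID": t, "score": len(titles), "comment": "; ".join(sorted(titles))}
               for t, titles in sorted(by_technique.items())]
    if threat_profile:
        entries += [{"techniqueID": g["technique"], "score": 0,
                     "comment": f"{g['priority']} gap: {g['recommendation']}"}
                    for g in identify_gaps(rules, threat_profile, profiles)]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
            "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0,
                         "maxValue": max((e["score"] for e in entries), default=1)},
            "techniques": entries}


if __name__ == "__main__":
    print(json.dumps(analyze_coverage(RULES), indent=2))
    print(json.dumps(generate_navigator_layer("Sigma Ransomware", RULES, "ransomware"), indent=2))
```

With the constructed rules, ransomware and apt come out at 50% (T1490 and the T1547.001 / T1003.001 / T1053.005 sub-technique rules satisfy their parent entries), initial-access and defense-evasion at 0%, and the ransomware gap list puts T1027 ahead of T1486 because T1027 is also a defense-evasion key technique. The layer output pastes straight into Navigator's "Open Existing Layer" dialog; gaps render at the low end of the gradient so they stand out from covered cells.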
```
# BAD - returns 200+ full detection objects
list_by_mitre_tactic(tactic: "execution")

# GOOD - returns stats only
analyze_coverage(source_type: "elastic")
```
| Old Approach | New Approach |
|---|---|
| list_by_mitre_tactic → ~50KB | analyze_coverage → ~2KB |
| Parse in context | Done server-side |
| 25x more tokens | Efficient |