
Detection Opportunities

The Detection Opportunities view turns coverage gaps into a prioritized list of recommended actions. It complements the MITRE ATT&CK view by moving from what is missing to what to work on next.

What is a Detection Opportunity?

A detection opportunity is a MITRE Analytic that your workspace does not yet implement. Each row points to one such Analytic and ranks how realistic it would be to build today.

For each adversary technique it covers, the MITRE ATT&CK catalog defines a set of Analytics that describe how to detect it. Each Analytic depends on one or more Data Components, the kinds of telemetry it needs in order to fire (for example Process Creation or Firewall: Network Traffic).

LogCraft bundles this catalog and compares it to your workspace. Any Analytic with no Security Asset mapped to it appears as an opportunity, and it drops off the list as soon as one is mapped.

The Feasibility column scores each row by how many of the Data Components the Analytic requires are already declared by Security Assets in your workspace, so the quickest wins surface at the top.

TIP

A single Analytic can appear on several rows: one per Detection Strategy (DET) and Technique (T) combination it belongs to.

Example

Suppose the MITRE catalog contains an Analytic that detects suspicious PowerShell execution and requires two Data Components: Process Creation and Command Execution.

  • If a Security Asset in your workspace already references Process Creation, the row appears with Feasibility 1 / 2 (Partial) as half of the required telemetry is in place.
  • If a second Security Asset references Command Execution as well, the same row moves to 2 / 2 (Full).
  • As soon as you build a Security Asset that maps to that exact Analytic, the row drops off the list as nothing is left to recommend.

Posture Impact

Detection coverage grows in two distinct shapes, and every opportunity in the list belongs to one of them. The Posture Impact column makes the shape explicit, so you can decide whether you want to add breadth or add depth before you commit engineering effort to a Security Asset.

  • Expansion (horizontal growth): the technique has no Security Asset in the workspace yet. Building one establishes the first line of detection on a technique the workspace was previously blind to, widening the coverage map.
  • Reinforcement (vertical growth): the technique already has at least one Security Asset. Building another adds a complementary angle of detection on the same technique, leaving an attacker fewer ways to slip past undetected.
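The Feasibility score and the Posture Impact label, worked through in code. This is an added example written for this page, not LogCraft's own code: the catalog, the Security Assets, the Analytic and Detection Strategy identifiers and the data-model field names are all constructed assumptions, and the "None" label for a row with none of its required telemetry in place is an assumption as well (the page only shows Partial and Full). It replays the PowerShell example above stage by stage and also shows the same Analytic producing two rows with different Posture Impact.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# All identifiers and structures below are constructed for illustration;
# LogCraft's real data model may differ.


@dataclass(frozen=True)
class Analytic:
    id: str
    name: str
    required: FrozenSet[str]                    # Data Components it needs to fire
    memberships: Tuple[Tuple[str, str], ...]   # (Detection Strategy, Technique) pairs


@dataclass(frozen=True)
class SecurityAsset:
    name: str
    declares: FrozenSet[str]                    # Data Components its telemetry provides
    analytics: FrozenSet[str] = frozenset()     # Analytic ids it is mapped to
    techniques: FrozenSet[str] = frozenset()    # Techniques it is linked to directly


@dataclass(frozen=True)
class Opportunity:
    analytic_id: str
    strategy: str
    technique: str
    have: int        # required Data Components already declared in the workspace
    need: int        # Data Components the Analytic requires in total
    impact: str      # "Expansion" or "Reinforcement"

    @property
    def feasibility(self) -> str:
        # "None" for 0 / n is an assumption; the page only shows Partial and Full
        label = "Full" if self.have == self.need else ("Partial" if self.have else "None")
        return f"{self.have} / {self.need} ({label})"


def detection_opportunities(catalog: List[Analytic],
                            assets: List[SecurityAsset]) -> List[Opportunity]:
    """Recommend Analytics the workspace does not implement, quickest wins first."""
    available = set().union(*(a.declares for a in assets))
    implemented = set().union(*(a.analytics for a in assets))
    covered = set().union(*(a.techniques for a in assets))
    # A technique also counts as covered when a mapped Analytic belongs to it.
    for an in catalog:
        if an.id in implemented:
            covered.update(t for _, t in an.memberships)

    rows: List[Opportunity] = []
    for an in catalog:
        if an.id in implemented:
            continue                      # nothing left to recommend
        have = len(an.required & available)
        for det, tech in an.memberships:  # one row per DET / T combination
            impact = "Reinforcement" if tech in covered else "Expansion"
            rows.append(Opportunity(an.id, det, tech, have, len(an.required), impact))

    # Highest share of required telemetry in place first, then fewest missing.
    rows.sort(key=lambda r: (-(r.have / r.need) if r.need else 0.0,
                             r.need - r.have, r.analytic_id))
    return rows


# Constructed sample catalog. Technique ids are real ATT&CK ids; the Analytic
# and Detection Strategy ids are placeholders, not MITRE's.
CATALOG = [
    Analytic("AN-PS", "Suspicious PowerShell execution",
             frozenset({"Process Creation", "Command Execution"}),
             (("DET-A", "T1059.001"),)),
    Analytic("AN-NET", "Office application opening an outbound connection",
             frozenset({"Process Creation", "Network Connection Creation"}),
             (("DET-B", "T1071"), ("DET-C", "T1566"))),  # same Analytic, two rows
    Analytic("AN-SVC", "Service installed by an unexpected parent",
             frozenset({"Service Creation"}),
             (("DET-D", "T1543.003"),)),
]


def walkthrough() -> List[List[Opportunity]]:
    """Replay the page's example: Partial -> Full -> row drops off the list."""
    assets = [
        SecurityAsset("sysmon-process", frozenset({"Process Creation"})),
        SecurityAsset("proxy-logs", frozenset({"Network Connection Creation"}),
                      techniques=frozenset({"T1071"})),
    ]
    stages = [detection_opportunities(CATALOG, assets)]
    assets.append(SecurityAsset("ps-scriptblock", frozenset({"Command Execution"})))
    stages.append(detection_opportunities(CATALOG, assets))
    assets.append(SecurityAsset("detect-suspicious-ps",
                                frozenset({"Process Creation", "Command Execution"}),
                                analytics=frozenset({"AN-PS"})))
    stages.append(detection_opportunities(CATALOG, assets))
    return stages


if __name__ == "__main__":
    for i, rows in enumerate(walkthrough(), 1):
        print(f"stage {i}")
        for r in rows:
            print(f"  {r.analytic_id:7} {r.strategy} {r.technique:10} "
                  f"{r.feasibility:16} {r.impact}")
```

In stage 1 the PowerShell row scores 1 / 2 (Partial) because only Process Creation is declared; adding an asset that declares Command Execution lifts it to 2 / 2 (Full) in stage 2, and mapping an asset to the Analytic itself removes the row in stage 3. The network Analytic lands on two rows: T1071 is Reinforcement because an asset is already linked to it, while T1566 is Expansion because nothing covers it yet.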

Healthy posture management

Neither shape is inherently better; healthy posture management alternates between the two. Use Expansion when the coverage map has obvious gaps, and Reinforcement when high-value techniques deserve a second line of detection.

To act on an opportunity, build a Security Asset on the relevant instance and link it to the technique shown on the row. The opportunity drops off the list as soon as the new Security Asset is mapped to the Analytic. Optionally, group related Security Assets under a Use Case to track them together.