CARDINALOPS
4th Annual Report on SIEM Detection Risk 2024
Pages: 27
Time to read: 26 mins
Publication:
Language: English
This document is the 4th Annual Report on the State of SIEM Detection Risk for 2024. It quantifies the gaps in MITRE ATT&CK coverage that lead to undetected attacks in production Security Information and Event Management (SIEM) systems. The report reveals that while enterprise SIEMs ingest sufficient data to cover 87% of MITRE ATT&CK techniques, only 19% of these techniques are effectively detected. Additionally, it highlights that 18% of SIEM rules are broken and will never trigger alerts due to issues like misconfigured data sources. The report aims to provide visibility into the current state of use case development and threat detection coverage in enterprise Security Operations Centers (SOCs). It emphasizes the need for organizations to improve their detection engineering processes rather than simply collecting more data. The methodology involves analyzing real-world production SIEM instances to gain insights into detection coverage, making this report a significant contribution to the security community.