MITRE ATT&CK · Enterprise

28/35 technique coverage — with evidence.

The MITRE ATT&CK Enterprise techniques ShamashAi detects, in one matrix. Green (Native) = full chain in place: parser + risk + correlation. Yellow (Partial) = raw log captured and an alert-rule preset shipped. Blue (Roadmap) = planned. Blank = out of scope.

New: every ATT&CK technique chip is clickable inside the product. The events list, the event detail view and the alert-rule form show the technique chips relevant to the selected match_event_type and link out to attack.mitre.org.

Native 17 · Partial 11 · Roadmap 4 · Tactics 14
Technique   Status    Name                              Evidence / data source

TA0043 Reconnaissance (1/2 native)
T1595       Native    Active Scanning                   PORT_SCAN_DETECT · firewall syslog
T1592       Partial   Gather Victim Host Info           DNS lookup probes

TA0042 Resource Development (0/1 native)
T1583                 Acquire Infrastructure

TA0001 Initial Access (4/5 native)
T1110       Native    Brute Force                       BRUTE_FORCE_DETECTED + correlation engine
T1190       Native    Exploit Public-Facing App         IPS_DETECT (Fortinet) + WAF logs
T1133       Native    External Remote Services          VPN_LOGIN_FAILED · M365_SIGNIN_FAILURE
T1078       Native    Valid Accounts                    BEHAVIORAL_ANOMALY · baseline drift
T1566       Partial   Phishing                          M365 Defender · Mail.Read alerts

TA0002 Execution (0/2 native)
T1059       Partial   Command & Scripting Interpreter   Win 4688 process audit (WinRM pull)
T1569       Roadmap   System Services

TA0003 Persistence (2/3 native)
T1136       Native    Create Account                    AD 4720 · user_created
T1098       Native    Account Manipulation              AD 4728/4732 · group add
T1547       Roadmap   Boot/Logon Autostart

TA0004 Privilege Escalation (1/2 native)
T1078       Native    Valid Accounts (Privileged)       admin_user × 1.5 risk multiplier
T1068       Partial   Exploitation for Priv Esc         IPS + raw syslog match

TA0005 Defense Evasion (2/3 native)
T1562       Native    Impair Defenses                   audit_log + visibility-gaps · no_logs_24h
T1070       Native    Indicator Removal                 event_clear · Win 1102 detected
T1027                 Obfuscated Files

TA0006 Credential Access (2/4 native)
T1110.001   Native    Password Guessing                 BRUTE_FORCE_DETECTED
T1110.003   Native    Password Spraying                 distinct_users ≥ 3 in window
T1003       Partial   OS Credential Dumping             Win 4624 type-9 anomaly
T1555                 Credentials from Password Stores

TA0007 Discovery (1/2 native)
T1018       Native    Remote System Discovery           PORT_SCAN_DETECT · NETWORK_PROBE
T1087       Partial   Account Discovery                 AD 4798/4799

TA0008 Lateral Movement (1/2 native)
T1021       Native    Remote Services (RDP/SMB)         AUTH_FAIL_RDP · BRUTE_FORCE_DETECTED
T1570       Roadmap   Lateral Tool Transfer

TA0009 Collection (0/2 native)
T1213       Partial   Data from Information Repos       SQL audit, M365 audit
T1530       Roadmap   Cloud Storage Object

TA0011 Command & Control (2/2 native)
T1071       Native    Application Layer Protocol        KNOWN_BAD_IP · threat-intel match
T1090       Native    Proxy                             Tor exit node detect

TA0010 Exfiltration (0/2 native)
T1041       Partial   Exfil over C2                     Fortigate flow stats + DENY policies
T1567       Partial   Exfil over Web Service            WAF + DNS lookups

TA0040 Impact (1/3 native)
T1486       Partial   Data Encrypted for Impact         BACKUP_FAILED + EDR syslog match
T1485       Partial   Data Destruction
T1498       Native    Network Denial of Service         Fortigate DoS sensor logs

Native

The full chain — parser → canonical event → risk multiplier → correlation — is in place. Detection is deterministic; the "Why this score" list is auditable.

Partial

Raw syslog is captured and a matching alert-rule preset is shipped, but the preset is silent by default: the customer has to enable it before it triggers a detection.

Roadmap

On the v1.5 / v2.0 roadmap. Customers who specifically need one of these techniques can get early access under the pilot SOW.

For a tailored ATT&CK coverage report

Under the pilot SOW we produce a customer-specific ATT&CK mapping: which technique is satisfied by which event_type, alert rule or runbook, with the supporting evidence embedded in the evidence pack.