---
name: detection-coverage-analysis  
description: Analyzes detection coverage using Sigma, Splunk, and Elastic rules. Use when checking coverage for techniques, tactics, threat actors, or generating Navigator layers from detections.
---

# Detection Coverage Analysis

## Efficient Tools (Use These!)

### Get Coverage Stats
```
analyze_coverage(source_type: "elastic")
```
Returns coverage % by tactic, top techniques, weak spots.

### Find Gaps by Threat Profile
```
identify_gaps(threat_profile: "ransomware")
identify_gaps(threat_profile: "apt")
identify_gaps(threat_profile: "persistence")
```
Returns prioritized P0/P1/P2 gaps with recommendations.

### Get Detection Suggestions
```
suggest_detections(technique_id: "T1059.001")
```
Returns existing detections, data sources needed, detection ideas.

### Generate Navigator Layer
```
generate_navigator_layer(
  name: "Elastic Initial Access",
  source_type: "elastic",
  tactic: "initial-access"
)
```
Returns ready-to-import Navigator JSON.

### Get Just Technique IDs
```
get_technique_ids(source_type: "elastic", tactic: "persistence")
```
Returns ~200 bytes instead of ~50KB.

## Threat Profiles Available

| Profile | Key Techniques |
|---------|----------------|
| ransomware | T1486, T1490, T1027, T1547 |
| apt | T1003, T1021, T1053, T1071 |
| initial-access | T1566, T1190, T1078 |
| persistence | T1547, T1543, T1053 |
| credential-access | T1003.*, T1555, T1552 |
| defense-evasion | T1027, T1070, T1055 |

## DON'T (burns tokens)
```
# BAD - returns 200+ full detection objects
list_by_mitre_tactic(tactic: "execution")
```

## DO (efficient)
```
# GOOD - returns stats only
analyze_coverage(source_type: "elastic")
```

## Token Comparison

| Old Approach | New Approach |
|--------------|--------------|
| list_by_mitre_tactic → ~50KB | analyze_coverage → ~2KB |
| Parse in context | Done server-side |
| 25x more tokens | Efficient |