This page provides an executive summary of the Sigma rules gap analysis, comparing the current UTMStack correlation engine against the upstream SigmaHQ repository. It outlines approximately 154 high-value detection gaps across four primary technology stacks and establishes a prioritized roadmap for rule implementation.
Analysis Scope
This analysis compares 692 existing UTMStack Correlation Rules against the SigmaHQ/sigma repository. The focus is strictly on real threat detections—informational, operational, and high false-positive (FP) rules were excluded from this delta report.
Executive Summary
The gap analysis identified ~154 high-value detection gaps where Sigma provides robust coverage that is currently missing from the correlation engine. These gaps span Windows, Linux/macOS, Cloud/SaaS, and Network/Web environments.
Summary Statistics
The following table breaks down the identified gaps by technology category and priority level.
Critical Coverage Gaps
The analysis revealed zero coverage for fundamental attack techniques in certain domains, including zero LOLBIN detection on Windows, zero reverse shell detection on Linux, and missing Golden SAML detection in Cloud environments.
Technology Area Breakdown
The Windows domain has 25 critical missing detections, primarily focusing on post-exploitation and lateral movement:
Execution & Evasion: Zero LOLBIN (Living off the Land Binaries) detection.
Credential Access: Zero Kerberos attack detection (e.g., Kerberoasting).
Persistence: Zero persistence mechanism detection across scheduled tasks, services, registry run keys, WMI, and COM objects.
Lateral Movement: No detection for Impacket or other framework-specific lateral movement techniques.
Linux and macOS represent the largest volume of gaps, indicating a need for stronger baseline monitoring:
Execution: Zero reverse shell detection and no Linux hack tool execution signatures (more than 50 tools missing).
Persistence: No webshell activity detection and limited persistence coverage.
Credential Access: Limited coverage for credential dumping and access techniques specific to *nix environments.
Cloud infrastructure gaps expose the environment to modern identity and tenant-level attacks:
Identity & Access: No Golden SAML detection (SolarWinds-class attacks) and missing Azure AD-specific attack signatures.
Defense Evasion: Missing rules for alert suppression and finding evasion tactics.
Integrations: Lack of integration with Azure Identity Protection signals.
Network and proxy-level detections are missing critical Command and Control (C2) and exfiltration signatures:
Command & Control: Zero proxy-level C2 or malware user agent detection. No IOC-based DNS interaction rules.
Exploitation: Missing SSTI (Server-Side Template Injection) and JNDI (e.g., Log4Shell) exploitation signatures.
Exfiltration: No detection for rclone or similar data exfiltration tools.
Prioritized Implementation Targets
Based on real-world attack frequency and detection confidence, the following 20 rules have been identified as the highest priority for immediate implementation.
Remaining Top 20 Targets
Windows & Active Directory
W5 - Impacket Lateral Movement (Most-used framework)
W4 - Suspicious Service Installation (Persistence/Privilege Escalation)
W6 - Certutil LOLBIN Abuse (Top download tool)
W7 - Registry Run Key Persistence (Fundamental persistence)
W8 - LSASS Dumping variants (Beyond standard Mimikatz)
Linux & Application Servers
L6 - Webshell Detection (Active exploitation monitoring)
L7 - Linux HackTool Execution (Covers 50+ known tools)
L8 - Java Child Processes (Catches Log4Shell/Confluence exploits)
Cloud & Identity
C1 - AWS Golden SAML (SolarWinds-class attack)
C3 - Azure Subscription Permission Elevation (Full tenant access)
C7 - AWS S3 Versioning Disabled (Ransomware preparation)
C2 - Azure Federation Modified (Domain takeover)
Network, Proxy & DNS
N5 - Malware User Agent Strings (Covers 50+ malware families)
N6 - APT User Agent Strings (Nation-state IOCs)
N1 - Cobalt Strike DNS Beacon (Specific C2 signature)
N2 - DNS OOB Interaction Domains (RCE indicator)
N7 - Rclone Exfiltration (Ransomware data theft)
Example: Network & Web Gap Analysis
To illustrate the depth of the missing rules, here is a subset of the analyzed gaps in the Network/Web category, specifically focusing on Proxy and Web Server logs:
Sigma Rule Translation
When implementing these gaps, ensure your SIEM pipeline supports translating standard Sigma YAML into your native query language. Pay special attention to field mappings (e.g., mapping Sigma's c-useragent to your schema's http.user_agent).
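As an added example (not UTMStack or SigmaHQ code), the following Python compiles a constructed Sigma-style proxy rule into a predicate over a mapped log schema and runs it against constructed proxy events; the FIELD_MAP schema names, the rule's values and the sample events are all assumptions. An unmapped Sigma field raises immediately, which is the failure mode worth catching: a mapping that is silently dropped produces a rule that never fires.

```python
# Sigma field -> this SIEM's schema field. Assumed schema for the example; adjust per engine.
FIELD_MAP = {"c-useragent": "http.user_agent", "c-ip": "source.ip", "cs-host": "url.domain"}

# Constructed rule, in the shape yaml.safe_load() produces for a Sigma proxy rule.
SIGMA_RULE = {
    "title": "Scripted HTTP client user agent (constructed example, not a SigmaHQ rule)",
    "logsource": {"category": "proxy"},
    "detection": {
        "selection": {"c-useragent|contains": ["python-requests/", "curl/7.1"]},
        "filter": {"c-ip|startswith": "10.0."},   # authorised internal scanner range (constructed)
        "condition": "selection and not filter",
    },
}

def _match(op, actual, wanted):
    if actual is None:
        return False                                  # a missing field never matches
    a, w = str(actual).lower(), str(wanted).lower()   # Sigma string matching is case-insensitive
    return {"contains": w in a, "startswith": a.startswith(w), "endswith": a.endswith(w)}.get(op, a == w)

def compile_selection(sel):
    """Fields within a selection are ANDed; a list of values for one field is ORed."""
    clauses = []
    for key, wanted in sel.items():
        field, _, op = key.partition("|")             # "c-useragent|contains" -> field, modifier
        if field not in FIELD_MAP:
            raise KeyError(f"no schema mapping for Sigma field {field!r}")  # fail loudly, not silently
        values = wanted if isinstance(wanted, list) else [wanted]
        clauses.append((FIELD_MAP[field], op or "eq", values))
    return lambda ev: all(any(_match(op, ev.get(f), v) for v in vals) for f, op, vals in clauses)

def compile_rule(rule):
    """Handles 'a and b and not c' conditions, the most common Sigma shape."""
    det = rule["detection"]
    preds = {n: compile_selection(s) for n, s in det.items() if n != "condition"}
    terms = [(t.startswith("not "), preds[t.removeprefix("not ")]) for t in det["condition"].split(" and ")]
    return lambda ev: all(pred(ev) != negated for negated, pred in terms)

# Constructed proxy events, already normalised to the target schema.
SAMPLE_EVENTS = [
    {"source.ip": "192.168.5.20", "http.user_agent": "python-requests/2.31", "url.domain": "example.test"},
    {"source.ip": "10.0.3.7", "http.user_agent": "curl/7.1", "url.domain": "intranet.test"},  # filtered out
    {"source.ip": "192.168.5.21", "http.user_agent": "Mozilla/5.0 (Windows NT 10.0)", "url.domain": "example.test"},
]

def matching_events(rule=SIGMA_RULE, events=SAMPLE_EVENTS):
    pred = compile_rule(rule)                         # translate once, evaluate per event
    return [ev for ev in events if pred(ev)]
```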
Implementation Roadmap
Follow this process to systematically close the identified detection gaps.
Ensure the underlying log sources required for the Top 20 rules are actively ingesting. For example, Windows rules require Sysmon (Event ID 1, 11, 13) or Security Event logs (4688, 4698).
Convert the Top 20 Sigma rules into the native correlation engine format. Deploy them in a "Shadow" or "Testing" mode to evaluate false positive rates.
Analyze the alerts generated over a 7-day period. Add exceptions for known vulnerability scanners, authorized administrative tools, and expected application behaviors.
Move tuned rules to production, enabling automated alerting and incident response playbooks for these high-confidence detections.