Guide · Detection engineering

Prioritising ATT&CK gaps in cloud environments

Last reviewed:

An ATT&CK heatmap is only useful when the gaps are ranked by likely attacker behaviour, cloud exposure and the cost of fixing the telemetry.

Heatmaps are starting points

A blank cell in an ATT&CK heatmap is not automatically a crisis. Some techniques may sit outside your cloud architecture. Others may be blocked by controls before they become useful detection work. The heatmap starts the conversation; it should not make the decision for you.

The first pass is scoping. Keep cloud-relevant techniques, then separate direct detection gaps from gaps that depend on endpoint, network or SaaS telemetry you do not collect in the same programme.

Rank by adversary path

Prioritise gaps that sit on realistic attack paths. In cloud estates, that usually means identity abuse, control-plane changes, exposed public services, logging changes and data access. A gap near the start of the path may deserve attention before a noisier technique later in the chain.

Use recent incident reviews, threat reports and your own exposure data. If internet-facing workloads and federated identity are the risky areas, T1190 and T1078.004 should not be buried under a generic tactic average.

  • Ask which technique the attacker would use to enter the cloud estate.
  • Ask which technique would let them keep access after the first alert.
  • Ask which technique would let them reach data or disable logging.

Rank by telemetry cost

Some gaps need a rule. Others need a log source, a parser or a licensing change before a rule can work. That cost should change the order of work. A high-risk gap with no available telemetry may become a logging project; a medium-risk gap with clear audit events can ship this week.

For GCP, Data Access logs are the obvious example. For Azure, the question may be whether Entra ID and Activity Log data reach Sentinel. For AWS, it may be whether CloudTrail management events are complete across accounts and regions.

Make the queue reviewable

A useful gap queue names the technique, the missing evidence, the proposed fix and the owner. It should be boring enough to review every month and specific enough that a detection engineer can pick up the next item without decoding a spreadsheet legend.

CloudSigma fits after that prioritisation step. Once the gap is real, scoped and backed by telemetry, a Sigma rule can be written and converted into the SIEM dialect the team actually runs.

Gap queue fields

  technique_id: T1078.004
  missing_evidence: Entra service-principal credential additions
  fix_type: Sentinel rule over Entra audit logs
  owner: detection-engineering
  review_date: next monthly coverage review
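
A worked version of that ranking, as an added example that is not part of the original guide: it scopes out non-cloud techniques, parks gaps whose telemetry another programme owns, ranks the rest by adversary-path position times risk and then by telemetry cost, and emits the queue fields above for each gap. The stage weights, the Gap fields and every sample entry are assumptions constructed for the example.

```python
from dataclasses import dataclass
# Added example, not from the guide; entries and stage weights are constructed assumptions.
STAGE_WEIGHT = {"entry": 3, "persistence": 2, "impact": 2, "other": 1}

@dataclass
class Gap:
    technique_id: str
    cloud_relevant: bool
    stage: str             # position on the adversary path
    risk: int              # 1-3, from exposure data and incident reviews
    telemetry: str         # "available", "collectable" or "not_collected"
    missing_evidence: str

def scope(gaps):
    """Keep cloud-relevant gaps; park those whose telemetry another programme owns."""
    direct, dependent = [], []
    for g in gaps:
        if g.cloud_relevant:
            (dependent if g.telemetry == "not_collected" else direct).append(g)
    return direct, dependent

def fix_type(g):
    # Telemetry cost changes the kind of work, not only its order in the queue.
    return "detection rule" if g.telemetry == "available" else "logging project"

def build_queue(gaps, owner="detection-engineering", review_date="next monthly coverage review"):
    """Rank by adversary path (stage weight x risk), then prefer gaps whose
    evidence already exists; return the queue plus the parked technique ids."""
    direct, dependent = scope(gaps)
    ranked = sorted(direct, key=lambda g: (-STAGE_WEIGHT[g.stage] * g.risk,
                                           g.telemetry != "available", g.technique_id))
    queue = [{"technique_id": g.technique_id, "missing_evidence": g.missing_evidence,
              "fix_type": fix_type(g), "owner": owner, "review_date": review_date}
             for g in ranked]
    return queue, [g.technique_id for g in dependent]

SAMPLE_GAPS = [  # constructed sample input, not real coverage data
    Gap("T1078.004", True, "entry", 3, "available", "Entra service-principal credential additions"),
    Gap("T1190", True, "entry", 3, "collectable", "load balancer access logs not ingested"),
    Gap("T1098.001", True, "persistence", 3, "available", "additional cloud credentials on roles"),
    Gap("T1562.008", True, "impact", 2, "available", "CloudTrail trail stop/delete events"),
    Gap("T1530", True, "impact", 2, "collectable", "GCP Data Access logs not enabled"),
    Gap("T1021.004", True, "other", 2, "not_collected", "SSH auth logs held by the endpoint team"),
    Gap("T1204.002", False, "other", 1, "available", "not a cloud control-plane technique"),
]

if __name__ == "__main__":
    for item in build_queue(SAMPLE_GAPS)[0]:
        print(item["technique_id"], item["fix_type"], "-", item["missing_evidence"])
```

The two entry-stage gaps tie on path score, so the one with evidence already in the SIEM ships first while the other becomes a logging project; the SSH gap is parked rather than silently dropped.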

Sources

  • MITRE ATT&CK Enterprise matrix, https://attack.mitre.org/matrices/enterprise/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings
  • CISA Known Exploited Vulnerabilities catalog, https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • Google Cloud Audit Logs overview, https://cloud.google.com/logging/docs/audit

Last verified: 2026-05-20