I created this Python tool to help companies ensure complete defensive visibility by mapping Wazuh detection rules to the MITRE ATT&CK framework.
It helps organizations verify that safeguards exist for every known adversary technique, exposing detection gaps before attackers can exploit them.
Modern SOC teams manage hundreds of detection rules, yet few know which attack techniques are truly covered.
The Wazuh Rule Coverage Analyzer automates that process by parsing Wazuh rulesets, mapping them to MITRE ATT&CK tactics, and generating an interactive report that highlights coverage completeness across all stages of an attack.
- 📂 Rule Parsing — Extracts rule IDs, descriptions, and groups from Wazuh XML or JSON files.
- 🎯 MITRE ATT&CK Mapping — Correlates rules with ATT&CK tactics and techniques to verify detection scope.
- 🧠 Gap Identification — Highlights uncovered or weakly mapped techniques for immediate improvement.
- 📊 Visual Reports — Generates color-coded HTML and CSV outputs that visualize detection coverage.
- 🔄 Continuous Validation — Can integrate into CI pipelines to monitor detection completeness over time.
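The following is an added example (not the analyzer's own code) that shows the parsing, mapping, gap-identification and CSV-export steps listed above end to end. It uses the standard library only (`xml.etree`, `csv`) rather than lxml and Pandas, a small constructed subset of the ATT&CK technique-to-tactic table in place of the full matrix, and a constructed two-group ruleset in Wazuh's XML layout (custom rule ids in the 100000+ range). The "weakly mapped" threshold is this example's own definition: a technique backed by fewer than two rules.

```python
"""Wazuh rule -> MITRE ATT&CK coverage check (added example with constructed data)."""
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed subset of the ATT&CK matrix: technique id -> tactic(s).
# A production run would load the full matrix from MITRE's published data.
TECHNIQUE_TACTICS = {
    "T1059": ["Execution"],
    "T1027": ["Defense Evasion"],
    "T1110": ["Credential Access"],
    "T1078": ["Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"],
    "T1070": ["Defense Evasion"],
    "T1021": ["Lateral Movement"],
}

# Constructed ruleset. Wazuh rule files hold several sibling <group> roots and
# are therefore not a single well-formed XML document; the parser wraps them.
SAMPLE_RULES_XML = """
<group name="local,sshd,">
  <rule id="100001" level="10">
    <if_sid>5710</if_sid>
    <description>Constructed: repeated SSH logins with an invalid user</description>
    <mitre><id>T1110</id></mitre>
    <group>authentication_failures,</group>
  </rule>
</group>
<group name="local,windows,">
  <rule id="100002" level="12">
    <description>Constructed: encoded PowerShell command line observed</description>
    <mitre><id>T1059</id><id>T1027</id></mitre>
  </rule>
  <rule id="100003" level="3">
    <description>Constructed: informational rule with no ATT&amp;CK mapping</description>
  </rule>
</group>
"""


def _split_groups(text):
    """Wazuh group lists are comma separated and usually end with a trailing comma."""
    return [g.strip() for g in (text or "").split(",") if g.strip()]


def parse_wazuh_rules(xml_text):
    """Return one dict per <rule>: id, level, description, groups, ATT&CK technique ids."""
    root = ET.fromstring("<ruleset>" + xml_text + "</ruleset>")  # synthetic single root
    rules = []
    for grp in root.findall("group"):
        inherited = _split_groups(grp.get("name"))  # groups from the enclosing <group>
        for rule in grp.findall("rule"):
            inner = rule.find("group")
            rules.append({
                "id": rule.get("id"),
                "level": int(rule.get("level", "0")),
                "description": (rule.findtext("description") or "").strip(),
                "groups": inherited + _split_groups(inner.text if inner is not None else ""),
                "techniques": [t.text.strip() for t in rule.findall("mitre/id") if t.text],
            })
    return rules


def rules_by_technique(rules):
    """Invert the mapping: technique id -> list of rule ids that reference it."""
    index = defaultdict(list)
    for r in rules:
        for tech in r["techniques"]:
            index[tech].append(r["id"])
    return dict(index)


def find_gaps(rules, techniques=TECHNIQUE_TACTICS, min_rules=2):
    """Techniques with no rule, techniques below the rule threshold, and rules with no mapping."""
    index = rules_by_technique(rules)
    return {
        "uncovered": sorted(t for t in techniques if t not in index),
        "weak": sorted(t for t in techniques if 0 < len(index.get(t, [])) < min_rules),
        "unmapped_rules": sorted(r["id"] for r in rules if not r["techniques"]),
    }


def coverage_by_tactic(rules, techniques=TECHNIQUE_TACTICS):
    """Per tactic: how many of its techniques have at least one rule mapped."""
    index = rules_by_technique(rules)
    per_tactic = defaultdict(lambda: {"covered": 0, "total": 0})
    for tech, tactics in techniques.items():
        for tactic in tactics:  # a multi-tactic technique counts toward each tactic
            per_tactic[tactic]["total"] += 1
            per_tactic[tactic]["covered"] += 1 if tech in index else 0
    return dict(per_tactic)


def mappings_to_csv(rules):
    """One CSV row per (rule, technique); unmapped rules appear with empty technique/tactic."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["rule_id", "level", "technique", "tactic", "description"])
    for r in rules:
        for tech in r["techniques"] or [""]:
            tactics = "|".join(TECHNIQUE_TACTICS.get(tech, ["UNKNOWN"])) if tech else ""
            writer.writerow([r["id"], r["level"], tech, tactics, r["description"]])
    return buf.getvalue()


if __name__ == "__main__":
    parsed = parse_wazuh_rules(SAMPLE_RULES_XML)
    for tactic, c in sorted(coverage_by_tactic(parsed).items()):
        print(f"{tactic:22s} {c['covered']}/{c['total']} techniques covered")
    print("gaps:", find_gaps(parsed))
    print(mappings_to_csv(parsed))
```

Two points carry over to a real run: the synthetic root element is what lets a stock Wazuh rule file parse at all, and a technique that maps to several tactics (T1078 here) must be counted under each of them or the per-tactic report understates the gap.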
Every defensive control should map back to a known adversary behavior.
This tool gives security teams a measurable view of how much of the MITRE ATT&CK matrix their Wazuh rules cover, so that no critical technique is left unmonitored through oversight. A mapped rule shows a technique is monitored on paper; whether the rule actually fires still has to be validated with test events.
| Tool | Purpose |
|---|---|
| 🐍 Python | Core scripting and data analysis |
| 🧱 Wazuh | Detection rule parsing and rule metadata |
| 🕸️ MITRE ATT&CK | Framework for mapping adversary techniques |
| 🧾 Pandas | Data transformation and tabular reporting |
| 🧩 lxml | XML rule parsing |
- Interactive HTML report with color-coded rule coverage by MITRE tactic
- CSV export of rule-to-technique mappings for data visualization or dashboard integration
🔗 MITRE ATT&CK Framework
🔗 Wazuh Documentation
🔗 Python Docs