GitHub: sai-teja-girimaji/soc-blind-spot-auditor
# SOC Blind Spot Auditor
**Find dangerous MITRE ATT&CK technique blind spots caused by missing or incomplete SIEM log source ingestion.**
## Why This Tool Exists
Most SOCs suffer from a silent but critical problem: **log source onboarding gaps**. You may have invested heavily in EDR, network detection, and SIEM rules, yet entire categories of attacker behavior remain invisible because the required telemetry was never onboarded or is only partially flowing.
SOC Blind Spot Auditor solves this by:
1. Taking your authoritative asset inventory
2. Taking your current SIEM source inventory + ingestion health
3. Mapping both against the full MITRE ATT&CK Enterprise technique list (live or offline)
4. Producing a **prioritized risk-ranked report** of every technique that has zero or partial detection coverage
It turns the abstract question "are we blind?" into an actionable, executive-ready list.
## Installation
### From source (recommended for now)
```bash
git clone https://github.com/sai-teja-girimaji/soc-blind-spot-auditor.git
cd soc-blind-spot-auditor
# Create virtual environment (Python 3.10+ required)
python3.12 -m venv .venv
source .venv/bin/activate  # or .venv\Scripts\activate on Windows
pip install -r requirements.txt
pip install -e .
```
### Verify
```bash
soc-auditor version
```
## Quick Start with Sample Data
```bash
# 1. Generate realistic demo files
soc-auditor sample
# 2. Run the audit (live MITRE data)
soc-auditor scan --assets assets.csv --sources siem_sources.csv
# 3. Offline mode (no network, great for air-gapped or demos)
soc-auditor scan --assets assets.csv --sources siem_sources.csv --offline
# 4. Generate beautiful interactive HTML report
soc-auditor scan --assets assets.csv --sources siem_sources.csv --output html --offline
# Then open soc-audit-*/blind_spot_report.html in your browser
```
## Input File Format Reference
### assets.csv (required)
| Column | Description | Example |
|--------------|------------------------------------------|--------------------------|
| asset_id | Unique identifier | A001 |
| hostname | Asset name | dc01.corp.local |
| asset_type | server, endpoint, network, cloud, iot, saas | server |
| criticality | critical, high, medium, low | critical |
| os | Operating system / platform | Windows Server 2022 |
| location | Physical or cloud region | HQ / AWS-AP-SOUTH |
### siem_sources.csv (required)
| Column | Description | Example |
|-------------------------|--------------------------------------------------|--------------------------|
| source_id | Unique source identifier | S001 |
| source_name | Human friendly name | Windows Security Events |
| log_type | Category used for mapping (flexible aliases) | endpoint, identity_provider, edr, email_gateway... |
| ingestion_status | ingested, partial, not_ingested | ingested |
| event_volume_baseline | Expected daily events (optional) | 45000 |
| last_seen | ISO date of last successful ingest (optional) | 2026-05-27 |
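To make the mapping concrete, here is an added Python example (not the project's own code) that reads the two inventories in the layouts above, normalises `log_type` through an alias table, classifies each technique as `covered`, `partial` or `blind_spot`, counts affected assets and attaches a risk score. The alias table, the technique-to-source map, the severity weights and the scoring formula are assumptions for illustration only; the technique IDs, names and missing-source lists are those shown in the README's sample output.

```python
import csv
import io
# Constructed sample inventories in the assets.csv / siem_sources.csv layouts documented above.
ASSETS_CSV = """asset_id,hostname,asset_type,criticality,os,location
A001,dc01.corp.local,server,critical,Windows Server 2022,HQ
A003,fw-edge-01,network,high,FortiOS,DMZ
"""
SOURCES_CSV = """source_id,source_name,log_type,ingestion_status,event_volume_baseline,last_seen
S001,Windows Security Events,windows_security,ingested,45000,2026-05-27
S002,CrowdStrike Falcon,edr,partial,12000,2026-05-20
S004,M365 Email Gateway,email_gateway,not_ingested,,
"""
# Hypothetical alias table and technique -> (name, severity, required log categories) map: both are
# assumptions for illustration; the technique IDs and source lists follow the README's sample output.
ALIASES = {"windows_security": "endpoint", "sysmon": "endpoint", "firewall": "network", "proxy": "network"}
TECHNIQUES = {
    "T1003": ("OS Credential Dumping", "critical", ["endpoint", "server", "edr"]),
    "T1190": ("Exploit Public-Facing Application", "critical", ["network", "waf", "cloud"]),
    "T1566": ("Phishing", "high", ["email_gateway", "endpoint"]),
}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
RANK = {"not_ingested": 0, "partial": 1, "ingested": 2}

def source_health(sources_csv):
    """Best ingestion_status seen per canonical log category (ingested > partial > not_ingested)."""
    health = {}
    for row in csv.DictReader(io.StringIO(sources_csv)):
        raw = row["log_type"].strip().lower()
        cat = ALIASES.get(raw, raw)
        status = row["ingestion_status"].strip().lower()
        if RANK.get(status, 0) >= RANK.get(health.get(cat, "not_ingested"), 0):
            health[cat] = status
    return health

def audit(assets_csv, sources_csv):
    """Classify each technique as covered / partial / blind_spot, count affected assets, score risk."""
    health = source_health(sources_csv)
    asset_types = [a["asset_type"].strip().lower() for a in csv.DictReader(io.StringIO(assets_csv))]
    findings = []
    for tid, (name, severity, needed) in TECHNIQUES.items():
        states = {cat: health.get(cat, "not_ingested") for cat in needed}
        missing = [cat for cat, st in states.items() if st != "ingested"]
        # blind_spot: none of the required telemetry flows; partial: some flows, but not every category fully
        any_flow = any(st != "not_ingested" for st in states.values())
        status = "covered" if not missing else ("partial" if any_flow else "blind_spot")
        affected = sum(t in missing for t in asset_types)  # heuristic: asset_type matches a missing category
        # Illustrative 0-100 score: share of required telemetry missing, weighted by technique severity
        risk = int(100 * len(missing) / len(needed) * SEVERITY_WEIGHT[severity] / 4)
        findings.append({"technique": tid, "name": name, "status": status, "missing": missing, "affected_assets": affected, "risk": risk})
    return sorted(findings, key=lambda f: f["risk"], reverse=True)
```

Running `audit(ASSETS_CSV, SOURCES_CSV)` ranks T1190 as a blind spot (no network, WAF or cloud telemetry at all) above T1003, which is only partial because endpoint events flow while EDR is partial and server logs are absent.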
## CLI Reference
```bash
# Full scan with filters
soc-auditor scan \
  --assets inventory.csv \
  --sources siem_inventory.csv \
  --min-risk 65 \
  --tactic "Initial Access" \
  --status blind_spot \
  --output html \
  --output-dir ./reports

# Other commands
soc-auditor sample --force   # regenerate sample files
soc-auditor version
```
## Example Terminal Output (Rich)
```text
╭─────────────────────────────────────────────────────────────────────────────╮
│ SOC Blind Spot Audit Report                                                 │
│ Total techniques analysed: 27                                               │
│ Blind spots: 18 (critical: 3, high: 7)                                      │
│ Partial coverage: 4                                                         │
│ Fully covered: 5                                                            │
│ Overall coverage score: 19%                                                 │
╰─────────────────────────────────────────────────────────────────────────────╯
┏━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━┓
┃ TECHNIQUE ┃ TECHNIQUE NAME                    ┃ TACTIC            ┃ SEVERITY ┃ STATUS     ┃ MISSING SOURCES          ┃ RISK ┃
┡━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━┩
│ T1003     │ OS Credential Dumping             │ Credential Access │ CRITICAL │ BLIND SPOT │ endpoint, server, edr    │ 92   │
│ T1190     │ Exploit Public-Facing Application │ Initial Access    │ CRITICAL │ BLIND SPOT │ network, waf, cloud      │ 88   │
│ T1486     │ Data Encrypted for Impact         │ Impact            │ CRITICAL │ BLIND SPOT │ endpoint, server, backup │ 84   │
│ T1078     │ Valid Accounts                    │ Persistence       │ HIGH     │ BLIND SPOT │ server, endpoint, ...    │ 76   │
│ T1566     │ Phishing                          │ Initial Access    │ HIGH     │ BLIND SPOT │ email_gateway, endpoint  │ 72   │
│ ...       │ ...                               │ ...               │ ...      │ ...        │ ...                      │ ...  │
└───────────┴───────────────────────────────────┴───────────────────┴──────────┴────────────┴──────────────────────────┴──────┘
```
Color legend: **red** = blind_spot, **yellow** = partial, **green** = covered.
## HTML Report Features
- Fully self-contained single file (Tailwind + vanilla JS)
- Instant client-side filtering by tactic, severity, status, and free-text search
- Risk-colored bars and status pills
- Professional dark theme suitable for leadership and audit presentations
## Limitations and Roadmap
**Current limitations**
- Relies on accurate `log_type` categorization in your SIEM inventory (alias matching helps)
- Severity for live-fetched techniques uses heuristics + known criticals
- Does not yet model specific detection rules or analytics content — only presence of log source
- Affected asset counting is heuristic (improves with good asset_type hygiene)
**Planned enhancements**
## Author & License
**Sai Teja Girimaji**
Capability Lead – Network Security, NTT DATA
- GitHub: https://github.com/sai-teja-girimaji/soc-blind-spot-auditor
- Companion deep-dive article on X: *(link placeholder – to be published)*
MIT License © 2026 Sai Teja Girimaji