Apex MSSP·May 1–31, 2026·Coverage Report

MITRE ATT&CK Coverage — Closed Cases

1,043 behavior-summary clusters (riskScore ≥ 3,000) closed during May 2026 across 13 active Apex MSSP tenants, mapped to ATT&CK tactics and techniques. Formal mapping rows come from Fluency's fingerprint catalog. Inferred mapping rows are derived from rule names where the catalog is still empty. The signature catalog itself reports mapped: 0 / 81 — formal coverage exists only at the fingerprint level so far.

Coverage at a glance

Closed cases

1,043

across 13 tenants · 30 days

Techniques observed

~17

10 formal · 7 inferred

Tactics touched

10 / 14

kill-chain breadth

Top fingerprints mapped

12 / 25

formal: 342 cases · signature catalog still 0/81

Kill chain — observed tactics in ATT&CK order

TA0043

Reconnaissance

— not obs.

TA0042

Resource Dev.

— not obs.

TA0001

Initial Access

511 cases

TA0002

Execution

337 cases

TA0003

Persistence

109 cases

TA0004

Privilege Esc.

— not obs.

TA0005

Defense Evasion

995 cases

TA0006

Credential Access

73 cases

TA0007

Discovery

73 cases

TA0008

Lateral Movement

35 cases

TA0009

Collection

40 cases

TA0011

Command & Control

105 cases

TA0010

Exfiltration

— not obs.

TA0040

Impact

99 cases

Partial formal coverage detected

12 of the top 25 fingerprints now carry formal ATT&CK mappings — covering 342 of 1,043 cases (33%). Notably, Fortigate_Webfilter_Malicious_Websites is now mapped to T1189 Drive-by Compromise (251 cases). Account-manipulation and email-collection fingerprints also have formal T1098 / T1136 / T1114 mappings. The remaining 13 high-volume fingerprints still need mapping work; this report uses inferred mappings for those rows, clearly badged.

Signature-catalog mapping gap

At the signature level the catalog still reports mapped: 0 / 81. Formal mappings exist at the fingerprint level only — driven by Fluency's internal fingerprint analysis. To make signature-level coverage non-zero, run propose_signature_mitre_mapping_candidates (a draft-only step) and then approve_signature_mitre_mapping per signature. That work persists into the catalog and removes the inference label on the next run.

Tactic volume — signature-case hits

Defense Evasion TA0005

995 40.6%

Initial Access TA0001

511 20.9%

Execution TA0002

337 13.8%

Persistence TA0003

109 4.5%

Command & Control TA0011

105 4.3%

Impact TA0040

99 4.0%

Credential Access TA0006

73 3.0%

Discovery TA0007

73 3.0%

Collection TA0009

40 1.6%

Lateral Movement TA0008

35 1.4%

Signature-case hits: each rule firing counts toward its mapped tactic. Multi-rule cases contribute to multiple tactics — totals exceed the 1,043 distinct-case denominator.

Per-tactic detail — top techniques observed

Defense Evasion Mostly inferred

TA0005

Indicator Removal
353
T1070 — AD_Scheduled_Task_Deleted (144), win_scheduled_task_deletion (144), posh_ps_remove_item_path (65) [inferred]
Impair Defenses
289
T1562 — FortiGate config changes (236), AD_Scheduled_Task_Disabled (53) [inferred]
Disable Event Logging
192
T1562.002 — AD_EventLogServiceStarted (96), Stopped (96) — 11 cases formally mapped
Subvert Trust Controls
101
T1553 — win_susp_codeintegrity_check_failure — 18 cases formally mapped
Disable or Modify Tools
60
T1562.001 — posh_ps_set_policies_to_unsecure_level — 7 cases formal

Initial Access Partly formal

TA0001

Drive-by Compromise Formal
252
T1189 — Fortigate_Webfilter_Malicious_Websites (formal fingerprint mapping)
Cloud Accounts (Valid)
200
T1078.004 — O365_AzureAD_UserLoggedIn [inferred]
Valid Accounts (Azure)
35
T1078 — Key_Vault_NewIP, SQL_Authentication_*_NewIP [inferred]
Exploit Public-Facing App (blocked)
24
T1190 — Fortigate_Inbound_Denied_IDS [inferred]

Execution Partly formal

TA0002

Scheduled Task Formal
196
T1053.005 — AD_Scheduled_Task_Created/Enabled — 24 cases formally mapped, remainder inferred
Windows Mgmt Instrumentation Formal
141
T1047 — posh_ps_suspicious_gwmi — 19 cases formally mapped

Persistence Mostly formal

TA0003

Account Manipulation Formal
58
T1098 — O365 user updates, AzureAD auth method added (23 formal + 35 O365_User_Updated inferred)
Create Account Formal
26
T1136 — O365_User_Added clusters (formal fingerprint mappings)
Add to Group/Role
25
T1098.003 — O365_AzureAD_Add_Member_To_Group [inferred]

Command & Control Partly formal

TA0011

Ingress Tool Transfer Formal
98
T1105 — posh_ps_web_request (61), posh_ps_suspicious_download (37) — 12 cases formally mapped
Web Protocols (blocked)
7
T1071 — Meraki_Security_Event_Detection_Blocked [inferred]

Impact Inferred

TA0040

System Shutdown / Reboot
99
T1529 — AD_SystemShutdown [inferred]

Credential Access Inferred

TA0006

Brute Force
73
T1110 — win_susp_failed_logon_reason [inferred]

Discovery Inferred

TA0007

File & Directory Discovery
73
T1083 — posh_ps_file_and_directory_discovery [inferred]

Collection Partly formal

TA0009

Email Collection Formal
11
T1114 — O365 Exchange mailbox-permission + SendAs cluster
Archive Collected Data
29
T1560 — posh_ps_suspicious_extracting [inferred]

Lateral Movement Partly formal

TA0008

Remote Desktop Protocol Formal
35
T1021.001 — win_admin_rdp_login — 7 cases formally mapped

Top techniques — ranked by signature-case volume

#	Tactic	Technique	Name	Driving signature	Cases	Basis
01	Initial Access	T1189	Drive-by Compromise	Fortigate_Webfilter_Malicious_Websites	252	Formal
02	Initial Access	T1078.004	Cloud Accounts (Valid)	O365_AzureAD_UserLoggedIn	200	Inferred
03	Execution	T1053.005	Scheduled Task — Created	AD_Scheduled_Task_Created	144	Formal
04	Defense Evasion	T1070	Indicator Removal — Task Deleted	AD_Scheduled_Task_Deleted	144	Inferred
05	Defense Evasion	T1070	Indicator Removal — win task del	win_scheduled_task_deletion	144	Inferred
06	Execution	T1047	Windows Mgmt Instrumentation	posh_ps_suspicious_gwmi	141	Formal
07	Defense Evasion	T1562	Impair Defenses — admin config	FortiGate_Config_Changed_By_Admin	118	Inferred
08	Defense Evasion	T1562	Impair Defenses — description	FortiGate_Config_Changed_Description	118	Inferred
09	Defense Evasion	T1553	Subvert Trust Controls	win_susp_codeintegrity_check_failure	101	Formal*
10	Impact	T1529	System Shutdown / Reboot	AD_SystemShutdown	99	Inferred
11	Defense Evasion	T1562.002	Disable Windows Event Logging	AD_EventLogServiceStarted	96	Formal*
12	Defense Evasion	T1562.002	Disable Windows Event Logging	AD_EventLogServiceStopped	96	Formal*
13	Credential Access	T1110	Brute Force	win_susp_failed_logon_reason	73	Inferred
14	Discovery	T1083	File and Directory Discovery	posh_ps_file_and_directory_discovery	73	Inferred
15	Defense Evasion	T1070.004	File Deletion	posh_ps_remove_item_path	65	Inferred
16	C2	T1105	Ingress Tool Transfer — web req	posh_ps_web_request	61	Formal*
17	Defense Evasion	T1562.001	Disable or Modify Tools	posh_ps_set_policies_to_unsecure_level	60	Formal*
18	Defense Evasion	T1562	Impair Defenses — task disabled	AD_Scheduled_Task_Disabled	53	Inferred
19	Execution	T1053.005	Scheduled Task — Enabled	AD_Scheduled_Task_Enabled	52	Inferred
20	C2	T1105	Ingress Tool Transfer — download	posh_ps_suspicious_download	37	Inferred
21	Lateral Movement	T1021.001	Remote Desktop Protocol	win_admin_rdp_login	35	Formal*
22	Persistence	T1098	Account Manipulation	O365_User_Updated	35	Formal
23	Collection	T1560	Archive Collected Data	posh_ps_suspicious_extracting	29	Inferred
24	Persistence	T1098.003	Add to Privileged Group	O365_AzureAD_Add_Member_To_Group	25	Inferred
25	Initial Access	T1190	Exploit Public-Facing App (blocked)	Fortigate_Inbound_Denied_IDS	24	Inferred

Formal* = the technique is formally mapped at the fingerprint level for a subset of cases (e.g. when the signature appears in a multi-rule fingerprint that carries a formal mapping). The row count is the full signature-case total; only a fraction is formally attributed.

Methodology & caveats

Source. Fluency MSSP MCP — connector 00000000-0000-0000-0000-000000000000 (Apex MSSP). Figures derived from summarize_case_metrics, summarize_case_fingerprints (top 25, with fingerprint-level mitre_attack arrays), summarize_signature_attack_coverage, and list_signature_mitre_gaps at connector scope.

Scope. 1,043 cases with status="closed" and riskScore ≥ 3,000 across 13 tenants (customer-04, customer-12, customer-06, customer-02, customer-03, customer-13, customer-07, customer-11, customer-09, customer-05, customer-01, customer-10, customer-08). Window: 2026-05-01T00:00Z → 2026-05-31 (to current time). Four Apex MSSP tenants (customer-14, customer-15, customer-16, customer-17) had no qualifying cases.

Mapping basis — mixed. 12 of the top 25 fingerprints carry formal ATT&CK mappings from Fluency's fingerprint catalog, covering ~342 cases (33% of monthly volume). Notable formal mappings: T1189 Drive-by Compromise (Fortigate webfilter), T1136 Create Account / T1098 Account Manipulation (O365 user changes), T1114 Email Collection (mailbox permission grants), T1021.001 RDP (admin RDP logins), T1047 WMI + T1053.005 Scheduled Task (posh_ps_suspicious_gwmi + AD task clusters), T1553 Subvert Trust + T1562.002 Disable Event Logging (multi-rule asset clusters). The remaining 13 fingerprints and all single-signature high-volume rules use inferred mappings from rule names. At the signature level, the catalog still reports 0 / 81 mapped — formal coverage exists at the fingerprint level only.

Counting. Tactic and technique counts are signature-case hits: a case firing multiple rules contributes once per rule's mapped tactic. Tactic-volume totals therefore exceed the 1,043 distinct-case denominator.

Recommended next step. Run propose_signature_mitre_mapping_candidates (dry-run first) to draft formal proposals for the 13 unmapped high-volume fingerprints. After analyst review, approve via approve_signature_mitre_mapping to persist into the catalog — the next monthly run will then show signature-level coverage greater than zero and remove most of the Inferred badges from this report.

Known issues. The sync_signature_catalog eventwatch error (Cowork issue [issue-id]) is now resolved; current run shows activity_lookup_errors: {}.

Generated 2026-05-31T07:17Z · Read-only · No Fluency mutations performed.