Visibility and Data Sources🔗
Detection coverage answers "which techniques do my rules detect." Visibility answers a question that comes first: "which telemetry do I actually receive, and do my rules depend on data I am not collecting." A rule for a data source you do not ingest never fires, no matter how good it is. rsigma rule visibility turns the field-observability signal rsigma already produces into the two artifacts blue teams use to track data-source maturity: a DeTT&CT administration pair and a visibility ATT&CK Navigator layer.
The workflow🔗
The signal comes from --observe-fields: as the engine evaluates events it records every field key it sees, then joins that against the fields your rules reference. The result partitions into observed-but-unreferenced fields (a gap signal) and referenced-but-unobserved fields (a broken-coverage signal). rule visibility consumes that partition and rolls it up to ATT&CK data sources.
# 1. Capture the observed field signal from a representative event stream.
rsigma engine eval -r rules/ --observe-fields --observe-fields-report fields.json < events.ndjson
# 2. Score visibility and emit the DeTT&CT files and a Navigator layer.
rsigma rule visibility -r rules/ --observed fields.json \
--dettect-data-sources data-sources.yaml \
--dettect-techniques techniques.yaml \
--navigator visibility.json
The observed report and the live daemon's GET /api/v1/fields endpoint share one JSON shape, so a long-running daemon works the same way:
With no --observed or --addr, the command still runs and reports the rule-expected baseline with every source unobserved, a useful "what would full visibility look like" picture before any telemetry is wired up.
How scoring works🔗
Each rule logsource resolves through the mapping table to the ATT&CK data sources it expects (for example process_creation to Process, registry_set to Windows Registry). Each rule field attributes to a data component, so the global field signal scores per data source. A data source's score is the fraction of its mapped rule fields that were observed, mapped onto DeTT&CT's 0-to-4 scale:
| Observed fraction | Score | Level |
|---|---|---|
| none observed | 0 | none |
| up to 25% | 1 | minimal |
| up to 50% | 2 | medium |
| up to 100% | 3 | good |
| all observed | 4 | excellent |
A data source whose mapped fields are all unobserved is a blind spot: your rules reference it but the telemetry never arrived. A data source you observe but no rule consumes is untapped: data you pay to collect with no detection written against it. The two are inverses, and surfacing both is the point.
The scores are deliberately conservative seeds. DeTT&CT files are meant to be analyst-tuned, so the emitted YAML marks every score as a seed for review and the data_quality dimensions carry the seed value rather than fabricated precision.
The mapping table🔗
The bundled table covers common process, network, file, registry, module, script, and authentication logsources and their fields, with a representative set of data_component -> technique edges. Override it with --mapping <path-or-url> to extend coverage or point at a site-specific table; a bare --mapping fetches the curated default over HTTP (cached for 7 days). Rule logsources the table does not recognize are surfaced as a hygiene list so you know what to add.
Visibility versus detection coverage🔗
rule visibility and rule coverage emit Navigator layers in the same format (4.5) but score different things: coverage scores a technique by the number of rules that detect it, visibility scores it by how well you can see the underlying activity (0-4). Load both layers in the Navigator and the gaps line up:
- A technique with detection but no visibility is a rule that cannot fire.
- A technique with visibility but no detection is telemetry you collect but do not act on.
- A technique with both is genuine coverage.
This is the maturity-matrix Technology/Visibility cell that detection-coverage reporting alone cannot fill.
CI usage🔗
Gate a pipeline on blind spots so a rule that depends on data you do not collect fails the build:
--fail-on-blind-spots exits 1 when any rule-expected data source has no observed telemetry, the actionable "you wrote rules for data you do not receive" signal.
See also🔗
rule visibilityreference for the full flag table and report shape.- Observability for the
--observe-fieldssignal. - ATT&CK Coverage for the detection axis.
- CI/CD for wiring detection-as-code checks into a pipeline.