Plaidnox InfoSec
PLX-2025-022 . Confidential
Security Enablement . Splunk Enterprise . 41% Log Coverage

SIEM Gap Analysis
[REDACTED]

SIEM log source coverage analysis, detection rule audit, and gap remediation roadmap for [REDACTED] running Splunk Enterprise. Covering 127 required log source types, OT integration, and 204 active detection rules. Engagement ref. ENG-2025-0562.

Report ID: PLX-2025-022
Client: [REDACTED]
Log Coverage: 52 / 127 sources
Assessed: Q1 2025
01 . Overview

SIEM Gap Analysis Summary

Plaidnox conducted a comprehensive SIEM gap analysis for [REDACTED]'s Splunk Enterprise deployment. Of 127 required log source types identified for the energy sector threat model, only 52 (41%) are currently ingesting into Splunk. Zero OT/ICS log sources are connected, leaving the control network entirely outside SIEM visibility despite 14 NIS2-adjacent requirements for OT security monitoring.

Of 204 active detection rules, 47 are stale (last triggered over 90 days ago and likely misaligned with current log schema), and 38 critical MITRE ATT&CK techniques relevant to energy sector adversaries have no detection coverage.


02 . Log Source Coverage

Ingestion inventory

Required Sources: 127
Currently Ingesting: 52
Missing Sources: 75
OT Sources Active: 0
Category | Required | Active | Coverage | Risk
Windows Event Logs | 18 | 16 | 89% | Good
Network / Firewall | 14 | 11 | 79% | Medium
Cloud (Azure) | 22 | 8 | 36% | High
Email / Collaboration | 8 | 4 | 50% | Medium
OT / ICS / SCADA | 31 | 0 | 0% | Critical
Endpoint (EDR) | 12 | 9 | 75% | Medium
IAM / PAM | 22 | 4 | 18% | High
Total | 127 | 52 | 41% |
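The coverage figures above are only meaningful if "active" means a source is actually delivering events now, not merely that an input was configured at some point. The following is an added example (not part of the report and not the client's inventory) showing how the per-category table can be recomputed from a required-source list and the output of Splunk's `| metadata type=sourcetypes index=*` command, treating a sourcetype whose newest event is older than a silence threshold as not ingesting. The category names come from the report; the sourcetype names and metadata rows are constructed, and the OT sourcetypes in particular are placeholders.

```python
"""Log source coverage check: compares the required source inventory against
what Splunk has indexed recently, so a sourcetype that is configured but has
gone silent is not counted as ingesting."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Fixed audit date so the example is reproducible.
AS_OF = datetime(2025, 3, 31, 12, 0, tzinfo=timezone.utc)

# Sourcetypes each required source must produce, grouped by report category.
# Names are illustrative (assumed), not the client's actual inventory.
REQUIRED_SOURCES = {
    "Windows Event Logs": [
        "WinEventLog:Security",
        "WinEventLog:System",
        "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
    ],
    "OT / ICS / SCADA": ["osisoft:pi:audit", "ignition:gateway"],  # placeholder names
    "IAM / PAM": ["azure:aad:signin", "cyberark:epv:cef"],
}

# Constructed sample of `| metadata type=sourcetypes index=*` output:
# sourcetype plus lastTime, the _time of the newest event indexed for it.
METADATA_ROWS = [
    {"sourcetype": "WinEventLog:Security", "lastTime": "2025-03-30T23:58:11Z"},
    {"sourcetype": "WinEventLog:System", "lastTime": "2025-03-30T23:59:02Z"},
    {"sourcetype": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
     "lastTime": "2025-01-10T07:14:45Z"},  # configured, but silent for weeks
    {"sourcetype": "azure:aad:signin", "lastTime": "2025-03-31T06:02:19Z"},
    {"sourcetype": "cisco:asa", "lastTime": "2025-03-31T06:01:00Z"},  # not in this subset
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the export."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def coverage(required, metadata_rows, now, silence_after=timedelta(days=7)):
    """Per-category coverage. A sourcetype is active only if its newest event
    is younger than `silence_after`; otherwise it is reported as silent, which
    is how a "configured" source usually drops out of SIEM visibility."""
    last_seen = {r["sourcetype"]: parse_ts(r["lastTime"]) for r in metadata_rows}
    report = {}
    for category, sourcetypes in required.items():
        active, missing, silent = [], [], []
        for st in sourcetypes:
            seen = last_seen.get(st)
            if seen is None:
                missing.append(st)          # never indexed at all
            elif now - seen > silence_after:
                silent.append(st)           # indexed once, stopped sending
            else:
                active.append(st)
        report[category] = {
            "required": len(sourcetypes),
            "active": len(active),
            "coverage_pct": round(100 * len(active) / len(sourcetypes)),
            "missing": missing,
            "silent": silent,
        }
    return report


def totals(report):
    """Roll the per-category rows up into the headline coverage figure."""
    req = sum(c["required"] for c in report.values())
    act = sum(c["active"] for c in report.values())
    return {"required": req, "active": act, "coverage_pct": round(100 * act / req)}


if __name__ == "__main__":
    rep = coverage(REQUIRED_SOURCES, METADATA_ROWS, AS_OF)
    print("Category | Required | Active | Coverage")
    for cat, c in rep.items():
        extra = f"  silent: {', '.join(c['silent'])}" if c["silent"] else ""
        print(f"{cat} | {c['required']} | {c['active']} | {c['coverage_pct']}%{extra}")
    print("Total:", totals(rep))
```

In the constructed data the Sysmon sourcetype exists in the index but last produced an event in January, so it is counted against Windows coverage and listed as silent rather than hidden inside the active count. The seven-day threshold is an assumption; tune it per source, since a quarterly audit log legitimately goes quiet for far longer than a domain controller's Security log.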

03 . Detection Rules

Rule health and MITRE coverage

ID | Finding | Priority
SIEM-G01 | 0 OT/ICS log sources: entire control network blind to SIEM; NIS2 Article 21 compliance risk | Critical
SIEM-G02 | 47 stale detection rules: last fired 90+ days ago, with no rule review process | High
SIEM-G03 | 38 energy-sector ATT&CK techniques uncovered (T0800, T0881, T0843, T0846, etc.) | High
SIEM-G04 | Azure activity logs at only 36% coverage: cloud pivot attacks undetectable | High
SIEM-G05 | No Splunk SOAR integration: all triage and response is manual, inflating MTTR | Medium
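The stale-rule and technique-coverage findings (SIEM-G02 and SIEM-G03) can be reproduced from two Splunk exports: the saved-search inventory from the REST endpoint and the last notable raised per rule. The following is an added example, not code from the report or from the client's deployment. Rule names, timestamps and the required-technique set are constructed; `action.correlationsearch.annotations` is the saved-search field in which Splunk Enterprise Security stores a rule's ATT&CK mapping as JSON, and the 90-day threshold is the one the report uses.

```python
"""Detection rule audit: stale correlation searches and MITRE ATT&CK coverage,
computed from two Splunk exports."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)
AS_OF = datetime(2025, 3, 31, 12, 0, tzinfo=timezone.utc)  # fixed audit date

# Constructed sample of
#   | rest /services/saved/searches
#   | table title disabled action.correlationsearch.annotations
# Rule names are made up; the annotations JSON shape is the one ES writes.
SAVED_SEARCHES = [
    {"title": "Access - Brute Force Access Behavior Detected - Rule", "disabled": "0",
     "action.correlationsearch.annotations": '{"mitre_attack": ["T1110"]}'},
    {"title": "Threat - OT Program Download - Rule", "disabled": "0",
     "action.correlationsearch.annotations": '{"mitre_attack": ["T0843"]}'},
    {"title": "Threat - OT Service Stop - Rule", "disabled": "0",
     "action.correlationsearch.annotations": '{"mitre_attack": ["T0881"]}'},
    {"title": "Access - Default Account Usage - Rule", "disabled": "1",
     "action.correlationsearch.annotations": '{"mitre_attack": ["T1078"]}'},
    {"title": "Threat - ICS Remote System Discovery - Rule", "disabled": "0",
     "action.correlationsearch.annotations": '{"mitre_attack": ["T0846"]}'},
    {"title": "Threat - Legacy Rule With Broken Annotation - Rule", "disabled": "0",
     "action.correlationsearch.annotations": "not json"},
]

# Constructed sample of
#   index=notable | stats max(_time) AS last_fired BY search_name
LAST_FIRED = {
    "Access - Brute Force Access Behavior Detected - Rule": "2025-03-20T14:03:00Z",
    "Threat - OT Program Download - Rule": "2024-11-01T02:40:00Z",
    "Threat - ICS Remote System Discovery - Rule": "2025-01-05T09:12:00Z",
    "Threat - Legacy Rule With Broken Annotation - Rule": "2025-03-29T01:00:00Z",
}

# Subset of the threat model's required techniques (assumed). T0xxx IDs are
# ICS-matrix techniques, T1xxx are Enterprise-matrix techniques.
REQUIRED_TECHNIQUES = {"T0800", "T0843", "T0846", "T0881", "T1078", "T1110"}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the export."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rule_techniques(row: dict) -> set[str]:
    """ATT&CK IDs a rule claims to cover; a malformed mapping earns no credit."""
    raw = row.get("action.correlationsearch.annotations") or "{}"
    try:
        annotations = json.loads(raw)
    except json.JSONDecodeError:
        return set()
    return set(annotations.get("mitre_attack", []))


def audit(saved_searches, last_fired, required, now, stale_after=STALE_AFTER):
    """Classify enabled rules as live, stale or never-fired, and report which
    required techniques have no live rule behind them."""
    stale, never_fired, covered = [], [], set()
    for row in saved_searches:
        if row.get("disabled") == "1":
            continue  # a disabled rule is not detection coverage
        title = row["title"]
        fired = last_fired.get(title)
        if fired is None:
            never_fired.append(title)   # validate with a test event before retiring
        elif now - parse_ts(fired) > stale_after:
            stale.append(title)         # candidate for SIEM-G02 review
        else:
            covered |= rule_techniques(row)
    return {
        "stale": sorted(stale),
        "never_fired": sorted(never_fired),
        "uncovered": sorted(required - covered),
    }


if __name__ == "__main__":
    result = audit(SAVED_SEARCHES, LAST_FIRED, REQUIRED_TECHNIQUES, AS_OF)
    for key, values in result.items():
        print(f"{key}: {values}")
```

Rules that have never raised a notable are listed separately from stale ones: for a rare technique such as T0800 (firmware update mode) a silent rule may be exactly right, so it should be validated with a replayed test event rather than retired on age alone, and it receives no coverage credit until that validation is done. Techniques mapped only to disabled, stale or malformed rules are reported as uncovered here, which is why a rule inventory alone overstates ATT&CK coverage.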

04 . Improvement Roadmap

SIEM optimisation plan

Action | Timeline | Owner
Deploy Splunk OT Security add-on and connect 6 OSIsoft PI / Ignition log sources | Wk 1-6 | Plaidnox / OT Team
Audit and retire 47 stale detection rules; replace with Splunk ES Content Update | Wk 1-4 | Plaidnox
Map and deploy 38 missing MITRE ATT&CK detection use cases (energy sector) | Wk 4-12 | Plaidnox
Extend Azure connector to cover Entra ID, Defender for Cloud, Key Vault audit logs | Wk 2-5 | Plaidnox / IT
Implement Splunk SOAR for automated triage of high-volume low-fidelity alerts | Wk 6-14 | Plaidnox

Conclusion
Zero OT coverage is a NIS2 compliance and operational risk that must be resolved first
With zero OT/ICS log sources connected to Splunk, [REDACTED] has no SIEM visibility into the environment responsible for physical energy infrastructure. OT integration is the highest-priority remediation and is required for NIS2 Article 21 compliance. The MITRE ATT&CK gap analysis identifies 38 uncovered techniques specifically used by energy sector threat actors including Sandworm and Volt Typhoon.
Confidential . Authorised Distribution Only