Proactive threat detection in enterprise systems using Wazuh: A MITRE ATT&CK Evaluation
Authors: Aidan M. Winkler, Prinkle Sharma
Journal: Computers & Security, volume 159, Article 104702 (journal article, published 2025-10-13)
DOI: 10.1016/j.cose.2025.104702
URL: https://www.sciencedirect.com/science/article/pii/S0167404825003918
Indexing: JCR Q1 (Computer Science, Information Systems); journal impact factor 5.4; region 2 (Computer Science); not open access; citation count 0 at time of indexing; source platform Semantic Scholar
The proactive detection of advanced adversarial behaviors remains a critical challenge for Security Information and Event Management (SIEM) platforms, particularly as attackers adopt stealthy, multi-phase campaigns. This paper presents a cross-platform, MITRE ATT&CK-aligned evaluation framework for systematically measuring SIEM detection coverage, responsiveness, and accuracy. The framework was demonstrated through the Wazuh SIEM platform and Atomic Red Team testing, targeting four high-impact tactics: Collection, Command-and-Control (C2), Exfiltration, and Impact. The results show a high detection rate for C2 and Impact techniques, and partial detection for Collection and Exfiltration tactics owing to gaps in correlation and telemetry depth. The overall detection rate was approximately 85%, with platform-specific differences driven by the endpoint logging capabilities. Quantitative performance analysis yielded a precision of 91.4%, recall of 85.2%, and false positive rate of 4.8%, confirming both detection effectiveness and operational feasibility. The main contributions of this study are as follows: (i) a reproducible, ATT&CK-aligned framework adaptable to both open source and commercial SIEMs, (ii) actionable detection rule enhancements to improve Security Operations Center (SOC) operations, and (iii) scalability considerations for deployment in enterprise environments. By integrating structured adversary modeling with operational SOC workflows, the proposed framework advances proactive cyber defence in complex enterprise environments.
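The abstract reports coverage per tactic, precision, recall, false positive rate and responsiveness, but does not show how a run of Atomic Red Team tests against Wazuh is turned into those numbers. The following scoring harness is an added example, not code from the paper or from the Wazuh project. It assumes an evaluation model in which every executed action is either an atomic test tagged with one ATT&CK technique ID or a benign control action, and an alert is attributed to the most recent action on the same agent that started within a fixed grace window; the window length, the attribution rule, the action log and the alerts are all constructed for the example (in a real run the alert fields would be read from Wazuh's alerts.json, where rule.mitre.id carries the technique tags; the rule ids below are placeholders).

```python
"""Scoring harness for an ATT&CK-aligned SIEM evaluation run.

Added example, not the paper's code. Assumes: each action is an atomic test
with one technique ID or a benign control (technique None); an alert belongs
to the latest action on the same agent whose DETECT_WINDOW covers the alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

DETECT_WINDOW = timedelta(seconds=300)  # assumption: grace period per test


def parse_ts(s):
    return datetime.fromisoformat(s)


# Constructed red-team run log (not real data). technique None marks a benign
# control action such as a scheduled backup or a package update.
ACTIONS = [
    {"id": "a1", "agent": "win-01", "start": "2025-03-01T10:00:00", "tactic": "Collection", "technique": "T1560.001"},
    {"id": "a2", "agent": "win-01", "start": "2025-03-01T10:10:00", "tactic": "Collection", "technique": "T1113"},
    {"id": "a3", "agent": "win-01", "start": "2025-03-01T10:20:00", "tactic": "Command and Control", "technique": "T1071.001"},
    {"id": "a4", "agent": "lin-01", "start": "2025-03-01T10:30:00", "tactic": "Exfiltration", "technique": "T1048.003"},
    {"id": "a5", "agent": "lin-01", "start": "2025-03-01T10:40:00", "tactic": "Impact", "technique": "T1486"},
    {"id": "a6", "agent": "lin-01", "start": "2025-03-01T10:50:00", "tactic": "Impact", "technique": "T1490"},
    {"id": "b1", "agent": "win-01", "start": "2025-03-01T11:00:00", "tactic": None, "technique": None},
    {"id": "b2", "agent": "lin-01", "start": "2025-03-01T11:10:00", "tactic": None, "technique": None},
    {"id": "b3", "agent": "win-01", "start": "2025-03-01T11:20:00", "tactic": None, "technique": None},
]

# Constructed alerts reduced to the fields needed here (agent, timestamp,
# MITRE technique tags). Rule ids are placeholders, not real Wazuh rule numbers.
ALERTS = [
    {"timestamp": "2025-03-01T10:00:42", "agent": "win-01", "rule_id": "r-archive", "mitre_ids": ["T1560.001"]},
    {"timestamp": "2025-03-01T10:21:05", "agent": "win-01", "rule_id": "r-http-c2", "mitre_ids": ["T1071.001"]},
    {"timestamp": "2025-03-01T10:31:00", "agent": "lin-01", "rule_id": "r-webattack", "mitre_ids": ["T1190"]},
    {"timestamp": "2025-03-01T10:41:30", "agent": "lin-01", "rule_id": "r-ransom", "mitre_ids": ["T1486"]},
    {"timestamp": "2025-03-01T10:50:10", "agent": "lin-01", "rule_id": "r-recovery", "mitre_ids": ["T1490"]},
    {"timestamp": "2025-03-01T11:00:15", "agent": "win-01", "rule_id": "r-archive", "mitre_ids": ["T1560.001"]},
]


def attribute(actions, alerts, window=DETECT_WINDOW):
    """Map each alert to the most recently started action on the same agent
    whose window covers the alert timestamp. Returns (hits, unattributed)."""
    hits = defaultdict(list)
    unattributed = []
    for al in alerts:
        ts = parse_ts(al["timestamp"])
        candidates = [a for a in actions
                      if a["agent"] == al["agent"]
                      and parse_ts(a["start"]) <= ts <= parse_ts(a["start"]) + window]
        if not candidates:
            unattributed.append(al)
            continue
        latest = max(candidates, key=lambda a: parse_ts(a["start"]))
        hits[latest["id"]].append(al)
    return hits, unattributed


def score(actions, alerts, window=DETECT_WINDOW):
    """Per-tactic coverage, precision/recall/FPR and median time-to-detect.

    Counting is per action: a malicious action is TP if an attributed alert
    carries its technique ID, else FN; a benign action is FP if any alert was
    attributed to it, else TN. Alerts no action explains also count as FP.
    An alert on a malicious action that carries a different technique ID is
    reported separately as a technique mismatch (the paper's "correlation"
    gap), not as a TP."""
    hits, unattributed = attribute(actions, alerts, window)
    tp = fn = fp = tn = mismatch = 0
    per_tactic = defaultdict(lambda: {"tested": 0, "detected": 0})
    ttd = []  # seconds from action start to first matching alert
    for a in actions:
        got = hits.get(a["id"], [])
        if a["technique"] is None:
            if got:
                fp += 1
            else:
                tn += 1
            continue
        per_tactic[a["tactic"]]["tested"] += 1
        matching = [al for al in got if a["technique"] in al["mitre_ids"]]
        mismatch += len(got) - len(matching)
        if matching:
            tp += 1
            per_tactic[a["tactic"]]["detected"] += 1
            first = min(parse_ts(al["timestamp"]) for al in matching)
            ttd.append((first - parse_ts(a["start"])).total_seconds())
        else:
            fn += 1
    fp += len(unattributed)

    def ratio(n, d):
        return n / d if d else 0.0

    return {
        "tp": tp, "fn": fn, "fp": fp, "tn": tn,
        "technique_mismatch": mismatch,
        "precision": ratio(tp, tp + fp),
        "recall": ratio(tp, tp + fn),
        "fpr": ratio(fp, fp + tn),
        "per_tactic": dict(per_tactic),
        "median_ttd_s": median(ttd) if ttd else None,
    }


if __name__ == "__main__":
    r = score(ACTIONS, ALERTS)
    for tactic, c in r["per_tactic"].items():
        print(f"{tactic:22s} {c['detected']}/{c['tested']} detected")
    print(f"precision={r['precision']:.3f} recall={r['recall']:.3f} fpr={r['fpr']:.3f} "
          f"median_ttd={r['median_ttd_s']}s technique_mismatch={r['technique_mismatch']}")
```

On the constructed data the harness reproduces the shape of result the abstract describes: Command-and-Control and Impact are fully covered, Collection is half covered, and the Exfiltration test is missed even though an alert fired during it, because that alert was tagged with an unrelated technique and so counts as a correlation mismatch rather than a detection. The benign backup that trips the archive rule is what drives the false positive rate; in a real evaluation the number of benign control actions should be large enough that the FPR denominator is meaningful, which is not the case with three.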
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.