Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
T1003 on the official MITRE ATT&CK siteT1021 on the official MITRE ATT&CK siteT1027 on the official MITRE ATT&CK siteT1036 on the official MITRE ATT&CK siteT1048 on the official MITRE ATT&CK siteT1053 on the official MITRE ATT&CK siteT1055 on the official MITRE ATT&CK siteT1059 on the official MITRE ATT&CK siteT1071 on the official MITRE ATT&CK siteT1078 on the official MITRE ATT&CK siteT1105 on the official MITRE ATT&CK siteT1218 on the official MITRE ATT&CK siteT1547 on the official MITRE ATT&CK siteT1566 on the official MITRE ATT&CK siteT1685.002 on the official MITRE ATT&CK siteT1685.005 on the official MITRE ATT&CK site
NIST CSF 2.0
MITRE ATLAS
MITRE D3FEND
Overview
MITRE ATT&CK coverage mapping gives SOC teams a structured, adversary-centric lens to evaluate detection capabilities. Enterprise SIEMs on average have detection coverage for only 21% of ATT&CK techniques (2025 CardinalOps report), with 13% of existing rules being non-functional due to misconfigured data sources. Systematic coverage mapping identifies gaps, prioritizes rule development, and tracks detection maturity over time. ATT&CK v18.1 (December 2025) is the latest version.
When to Use
- When deploying or configuring implementing mitre attack coverage mapping capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Access to MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/)
- Inventory of all active SIEM detection rules
- MITRE ATT&CK technique mapping for each detection rule
- Data source inventory (which log sources are ingested)
- Understanding of adversary threat profiles relevant to your industry
Coverage Mapping Process
Step 1: Export Current Detection Rules
# Splunk ES - Export all active correlation searches with MITRE mappings
| rest /services/saved/searches
| search disabled=0 action.correlationsearch.enabled=1
| table title, search, action.notable.param.security_domain,
action.notable.param.severity, action.correlationsearch.annotations
| eval mitre_techniques=mvfilter(match('action.correlationsearch.annotations', "mitre_attack"))// Microsoft Sentinel - Export analytics rules with MITRE mapping
SecurityAlert
| summarize count() by AlertName, ProductName
| join kind=inner (
resources
| where type == "microsoft.securityinsights/alertrules"
| extend tactics = properties.tactics
) on $left.AlertName == $right.nameStep 2: Build the Coverage Matrix
ATT&CK Navigator Layer Format
{
"name": "SOC Detection Coverage - 2025",
"versions": {
"attack": "16",
"navigator": "5.1",
"layer": "4.5"
},
"domain": "enterprise-attack",
"description": "Current detection coverage mapping",
"techniques": [
{
"techniqueID": "T1110",
"tactic": "credential-access",
"color": "#00ff00",
"comment": "2 active rules - Brute Force detection via EventCode 4625",
"score": 75,
"metadata": [
{"name": "rule_count", "value": "2"},
{"name": "data_sources", "value": "Windows Security Log, Linux Auth"},
{"name": "last_validated", "value": "2025-01-15"}
]
},
{
"techniqueID": "T1059.001",
"tactic": "execution",
"color": "#00ff00",
"comment": "3 rules - PowerShell Script Block Logging",
"score": 85
},
{
"techniqueID": "T1055",
"tactic": "defense-evasion",
"color": "#ff0000",
"comment": "NO DETECTION - Requires Sysmon EventCode 8/10",
"score": 0
}
],
"gradient": {
"colors": ["#ff0000", "#ffff00", "#00ff00"],
"minValue": 0,
"maxValue": 100
}
}Step 3: Score Each Technique
| Score | Color | Meaning | Criteria |
|---|---|---|---|
| 0 | Red | No Detection | No rules, missing data sources |
| 25 | Orange | Minimal | Rule exists but not validated/tested |
| 50 | Yellow | Partial | Rule works but limited coverage |
| 75 | Light Green | Good | Validated rule with good data sources |
| 100 | Green | Excellent | Multiple validated rules, tested with emulation |
Scoring Criteria Detail
Score = Data_Source_Score (0-25) + Rule_Quality_Score (0-25) +
Validation_Score (0-25) + Enrichment_Score (0-25)
Data_Source_Score:
25: All required data sources ingested and parsed
15: Primary data source available
5: Partial data source coverage
0: Required data sources not available
Rule_Quality_Score:
25: Rule uses CIM-compliant queries with proper thresholds
15: Rule works but may generate false positives
5: Basic rule with no tuning
0: No detection rule
Validation_Score:
25: Validated with adversary emulation (Atomic Red Team)
15: Tested with synthetic data
5: Logic reviewed but not tested
0: Not validated
Enrichment_Score:
25: Context-rich with asset, identity, and TI enrichment
15: Basic enrichment (asset lookup)
5: No enrichment
0: N/A (no rule)Step 4: Identify Priority Gaps
Gap Prioritization Framework
Priority = Technique_Prevalence x Impact x Feasibility
Technique_Prevalence (0-10):
- Based on MITRE Top Techniques report
- Frequency in your industry's threat landscape
- Observed in recent incidents/breaches
Impact (0-10):
- Damage potential if technique succeeds
- Difficulty of recovery
- Data sensitivity at risk
Feasibility (0-10):
- Data source availability
- Rule complexity
- Engineering effort requiredTop Priority Techniques to Cover (2025)
| Technique | ID | Prevalence | Typical Gap Reason |
|---|---|---|---|
| Command and Scripting Interpreter | T1059 | Very High | Requires script block logging |
| Phishing | T1566 | Very High | Email gateway integration |
| Valid Accounts | T1078 | High | Baseline behavior needed |
| Process Injection | T1055 | High | Requires Sysmon or EDR |
| Lateral Movement (RDP/SMB) | T1021 | High | Network segmentation visibility |
| Scheduled Task/Job | T1053 | High | Event log collection |
| Data Encrypted for Impact | T1486 | High | File system monitoring |
| Ingress Tool Transfer | T1105 | Medium | Network traffic analysis |
Step 5: Build Detection Roadmap
Quarter 1: Close Critical Gaps (Score 0, High Prevalence)
Week 1-2: Enable missing data sources
Week 3-4: Build and test rules for top 5 gap techniques
Week 5-8: Validate with adversary emulation
Week 9-12: Tune and operationalize
Quarter 2: Improve Partial Coverage (Score 25-50)
- Upgrade existing rules with enrichment
- Add secondary detection methods
- Validate with purple team exercises
Quarter 3: Mature Good Coverage (Score 50-75)
- Add behavioral analytics
- Implement detection-as-code pipeline
- Cross-technique correlation rules
Quarter 4: Excellence (Score 75-100)
- Continuous testing with BAS tools
- Automated coverage regression testing
- Red team validationAutomated Coverage Assessment
Data Source to Technique Mapping
# Map available data sources to detectable techniques
DATA_SOURCE_TECHNIQUE_MAP = {
"Windows Security Event Log": [
"T1110", "T1078", "T1053.005", "T1098", "T1136",
"T1070.001", "T1021.001", "T1543.003"
],
"Sysmon": [
"T1055", "T1059", "T1003", "T1547.001", "T1036",
"T1218", "T1105", "T1071"
],
"Network Traffic (Firewall/IDS)": [
"T1071", "T1048", "T1105", "T1572", "T1090",
"T1571", "T1573"
],
"DNS Logs": [
"T1071.004", "T1568", "T1583.001", "T1048.003"
],
"Email Gateway": [
"T1566.001", "T1566.002", "T1534"
],
"Cloud Audit Logs": [
"T1078.004", "T1537", "T1530", "T1580",
"T1087.004", "T1098.001"
],
}Reporting Dashboard Queries
Coverage Summary by Tactic
| inputlookup mitre_coverage_lookup
| stats avg(score) as avg_score count(eval(score=0)) as no_coverage
count(eval(score>0 AND score<50)) as partial
count(eval(score>=50 AND score<75)) as good
count(eval(score>=75)) as excellent
count as total
by tactic
| eval coverage_pct=round((total - no_coverage) / total * 100, 1)
| sort -coverage_pctReferences
Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.4 KB
API Reference: Implementing MITRE ATT&CK Coverage Mapping
ATT&CK Enterprise STIX Data
# Download latest ATT&CK STIX bundle
curl -sL "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json" -o attack.jsonATT&CK Navigator Layer Format
{
"name": "Detection Coverage",
"domain": "enterprise-attack",
"versions": {"attack": "14", "navigator": "4.9.1"},
"techniques": [
{"techniqueID": "T1566", "score": 3, "color": "#80b1d3"}
]
}ATT&CK Tactics (Enterprise)
| ID | Tactic | Example Technique |
|---|---|---|
| TA0001 | Initial Access | T1566 Phishing |
| TA0002 | Execution | T1059 Command Interpreter |
| TA0003 | Persistence | T1053 Scheduled Task |
| TA0004 | Privilege Escalation | T1078 Valid Accounts |
| TA0005 | Defense Evasion | T1027 Obfuscation |
| TA0006 | Credential Access | T1003 OS Credential Dumping |
| TA0008 | Lateral Movement | T1021 Remote Services |
| TA0011 | Command and Control | T1071 Application Layer Protocol |
Coverage Score
| Score | Meaning | Color |
|---|---|---|
| 0 | No detection | White |
| 1 | Single rule | Yellow |
| 2 | Multiple rules | Green |
| 3 | Good coverage | Blue |
| 4+ | Excellent | Red |
References
- MITRE ATT&CK: https://attack.mitre.org/
- ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/
- ATT&CK STIX Data: https://github.com/mitre/cti
standards.md1.1 KB
Standards - MITRE ATT&CK Coverage Mapping
MITRE ATT&CK Framework
- Current version: v18.1 (December 2025)
- 14 Tactics, 200+ Techniques, 400+ Sub-Techniques
- Domains: Enterprise, Mobile, ICS
Tactics (Kill Chain Order)
- Reconnaissance (TA0043)
- Resource Development (TA0042)
- Initial Access (TA0001)
- Execution (TA0002)
- Persistence (TA0003)
- Privilege Escalation (TA0004)
- Defense Evasion (TA0005)
- Credential Access (TA0006)
- Discovery (TA0007)
- Lateral Movement (TA0008)
- Collection (TA0009)
- Command and Control (TA0011)
- Exfiltration (TA0010)
- Impact (TA0040)
Detection Maturity Model
| Level | Description |
|---|---|
| L0 | No detection capability for the technique |
| L1 | Basic log collection for relevant data sources |
| L2 | Detection rule deployed but not validated |
| L3 | Validated detection with known false positive rate |
| L4 | Automated testing and continuous validation |
| L5 | Behavioral detection with ML-based anomaly detection |
Related Frameworks
- MITRE D3FEND (Defensive techniques)
- MITRE ATT&CK Data Sources
- NIST CSF Detection function
- SANS Detection Maturity Level model
workflows.md1.0 KB
Workflows - MITRE ATT&CK Coverage Mapping
Quarterly Coverage Assessment Workflow
1. Export all active SIEM detection rules
|
v
2. Map each rule to MITRE ATT&CK technique(s)
|
v
3. Score each technique (0-100)
|
v
4. Generate ATT&CK Navigator heatmap
|
v
5. Identify top 10 gap techniques
|
v
6. Prioritize based on threat landscape
|
v
7. Create detection engineering backlog
|
v
8. Build and deploy new rules
|
v
9. Validate with adversary emulation
|
v
10. Update coverage mapContinuous Improvement Cycle
Assess Coverage --> Identify Gaps --> Prioritize -->
Build Rules --> Test Rules --> Deploy --> Validate -->
Measure --> Report --> RepeatGap Closure Tracking
| Week | New Rules | Techniques Covered | Coverage Delta |
|---|---|---|---|
| 1 | 3 | T1059, T1055, T1003 | +1.5% |
| 2 | 2 | T1053, T1547 | +1.0% |
| 3 | 3 | T1071, T1105, T1048 | +1.5% |
| 4 | 2 | T1218, T1036 | +1.0% |
Scripts 2
agent.py6.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""MITRE ATT&CK Coverage Mapping Agent - maps detection rules to ATT&CK techniques and identifies gaps."""
import json
import argparse
import logging
from collections import defaultdict
from datetime import datetime
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
ENTERPRISE_TACTICS = [
"TA0001", "TA0002", "TA0003", "TA0004", "TA0005",
"TA0006", "TA0007", "TA0008", "TA0009", "TA0010",
"TA0011", "TA0040", "TA0042", "TA0043",
]
TACTIC_NAMES = {
"TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
"TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
"TA0006": "Credential Access", "TA0007": "Discovery", "TA0008": "Lateral Movement",
"TA0009": "Collection", "TA0010": "Exfiltration", "TA0011": "Command and Control",
"TA0040": "Impact", "TA0042": "Resource Development", "TA0043": "Reconnaissance",
}
def load_detection_rules(filepath):
"""Load detection rules with ATT&CK mappings."""
with open(filepath) as f:
return json.load(f)
def load_attack_matrix(filepath):
"""Load ATT&CK enterprise matrix (techniques per tactic)."""
with open(filepath) as f:
return json.load(f)
def map_rules_to_techniques(rules):
"""Map detection rules to ATT&CK technique IDs."""
technique_rules = defaultdict(list)
unmapped = []
for rule in rules:
techniques = rule.get("mitre_attack", [])
if not techniques:
unmapped.append(rule.get("name", "unknown"))
continue
for tech in techniques:
technique_rules[tech].append({
"rule_name": rule.get("name", ""),
"severity": rule.get("severity", "medium"),
"data_source": rule.get("data_source", ""),
"enabled": rule.get("enabled", True),
})
return dict(technique_rules), unmapped
def calculate_coverage(technique_rules, attack_matrix):
"""Calculate coverage percentage per tactic."""
tactic_coverage = {}
for tactic_id, tactic_name in TACTIC_NAMES.items():
techniques_in_tactic = attack_matrix.get(tactic_id, [])
total = len(techniques_in_tactic)
covered = sum(1 for t in techniques_in_tactic if t in technique_rules)
tactic_coverage[tactic_id] = {
"tactic_name": tactic_name,
"total_techniques": total,
"covered": covered,
"coverage_percent": round(covered / max(total, 1) * 100, 1),
"gaps": [t for t in techniques_in_tactic if t not in technique_rules],
}
return tactic_coverage
def identify_priority_gaps(tactic_coverage, priority_techniques=None):
"""Identify high-priority coverage gaps."""
gaps = []
for tactic_id, data in tactic_coverage.items():
for tech in data["gaps"]:
priority = "high" if (priority_techniques and tech in priority_techniques) else "medium"
gaps.append({
"technique": tech,
"tactic": data["tactic_name"],
"tactic_id": tactic_id,
"priority": priority,
})
return sorted(gaps, key=lambda x: (0 if x["priority"] == "high" else 1, x["tactic"]))
def calculate_detection_depth(technique_rules):
"""Assess detection depth per technique (number of rules covering it)."""
depth = {}
for tech, rules in technique_rules.items():
enabled_rules = [r for r in rules if r["enabled"]]
data_sources = list(set(r["data_source"] for r in enabled_rules if r["data_source"]))
depth[tech] = {
"total_rules": len(rules),
"enabled_rules": len(enabled_rules),
"data_sources": data_sources,
"depth": "deep" if len(enabled_rules) >= 3 else "moderate" if len(enabled_rules) >= 2 else "shallow",
}
return depth
def generate_navigator_layer(technique_rules, tactic_coverage):
"""Generate ATT&CK Navigator layer JSON."""
techniques = []
for tech_id, rules in technique_rules.items():
score = min(len(rules), 4)
techniques.append({
"techniqueID": tech_id,
"score": score,
"comment": f"{len(rules)} detection rules",
"enabled": True,
})
layer = {
"name": "Detection Coverage",
"versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
"domain": "enterprise-attack",
"techniques": techniques,
"gradient": {"colors": ["#ffffff", "#66b1ff", "#0044cc"], "minValue": 0, "maxValue": 4},
}
return layer
def generate_report(rules, technique_rules, unmapped, tactic_coverage, depth):
total_techniques_covered = len(technique_rules)
total_rules = len(rules)
report = {
"timestamp": datetime.utcnow().isoformat(),
"total_detection_rules": total_rules,
"mapped_rules": total_rules - len(unmapped),
"unmapped_rules": len(unmapped),
"techniques_covered": total_techniques_covered,
"tactic_coverage": tactic_coverage,
"detection_depth_summary": {
"deep": sum(1 for d in depth.values() if d["depth"] == "deep"),
"moderate": sum(1 for d in depth.values() if d["depth"] == "moderate"),
"shallow": sum(1 for d in depth.values() if d["depth"] == "shallow"),
},
"priority_gaps": identify_priority_gaps(tactic_coverage)[:20],
}
return report
def main():
parser = argparse.ArgumentParser(description="MITRE ATT&CK Coverage Mapping Agent")
parser.add_argument("--rules", required=True, help="JSON file with detection rules and ATT&CK mappings")
parser.add_argument("--matrix", help="ATT&CK matrix JSON (techniques per tactic)")
parser.add_argument("--navigator-output", help="Output ATT&CK Navigator layer JSON")
parser.add_argument("--output", default="attack_coverage_report.json")
args = parser.parse_args()
rules = load_detection_rules(args.rules)
attack_matrix = load_attack_matrix(args.matrix) if args.matrix else {t: [] for t in ENTERPRISE_TACTICS}
technique_rules, unmapped = map_rules_to_techniques(rules)
tactic_coverage = calculate_coverage(technique_rules, attack_matrix)
depth = calculate_detection_depth(technique_rules)
report = generate_report(rules, technique_rules, unmapped, tactic_coverage, depth)
if args.navigator_output:
layer = generate_navigator_layer(technique_rules, tactic_coverage)
with open(args.navigator_output, "w") as f:
json.dump(layer, f, indent=2)
logger.info("Navigator layer saved to %s", args.navigator_output)
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
logger.info("Coverage: %d techniques covered by %d rules", len(technique_rules), len(rules))
print(json.dumps(report, indent=2, default=str))
if __name__ == "__main__":
main()
process.py8.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
MITRE ATT&CK Coverage Mapping Tool
Builds and analyzes detection coverage maps against the
MITRE ATT&CK framework for SOC detection gap analysis.
"""
import json
from datetime import datetime
ATTACK_TACTICS = {
"TA0043": "Reconnaissance",
"TA0042": "Resource Development",
"TA0001": "Initial Access",
"TA0002": "Execution",
"TA0003": "Persistence",
"TA0004": "Privilege Escalation",
"TA0005": "Defense Evasion",
"TA0006": "Credential Access",
"TA0007": "Discovery",
"TA0008": "Lateral Movement",
"TA0009": "Collection",
"TA0011": "Command and Control",
"TA0010": "Exfiltration",
"TA0040": "Impact",
}
ENTERPRISE_TECHNIQUES = {
"T1110": {"name": "Brute Force", "tactic": "TA0006", "subtechniques": 4},
"T1059": {"name": "Command and Scripting Interpreter", "tactic": "TA0002", "subtechniques": 9},
"T1078": {"name": "Valid Accounts", "tactic": "TA0005", "subtechniques": 4},
"T1055": {"name": "Process Injection", "tactic": "TA0005", "subtechniques": 15},
"T1021": {"name": "Remote Services", "tactic": "TA0008", "subtechniques": 7},
"T1053": {"name": "Scheduled Task/Job", "tactic": "TA0003", "subtechniques": 6},
"T1566": {"name": "Phishing", "tactic": "TA0001", "subtechniques": 4},
"T1003": {"name": "OS Credential Dumping", "tactic": "TA0006", "subtechniques": 8},
"T1071": {"name": "Application Layer Protocol", "tactic": "TA0011", "subtechniques": 4},
"T1048": {"name": "Exfiltration Over Alternative Protocol", "tactic": "TA0010", "subtechniques": 3},
"T1105": {"name": "Ingress Tool Transfer", "tactic": "TA0011", "subtechniques": 0},
"T1547": {"name": "Boot or Logon Autostart Execution", "tactic": "TA0003", "subtechniques": 15},
"T1036": {"name": "Masquerading", "tactic": "TA0005", "subtechniques": 9},
"T1218": {"name": "System Binary Proxy Execution", "tactic": "TA0005", "subtechniques": 14},
"T1027": {"name": "Obfuscated Files or Information", "tactic": "TA0005", "subtechniques": 12},
"T1486": {"name": "Data Encrypted for Impact", "tactic": "TA0040", "subtechniques": 0},
"T1098": {"name": "Account Manipulation", "tactic": "TA0003", "subtechniques": 6},
"T1070": {"name": "Indicator Removal", "tactic": "TA0005", "subtechniques": 9},
"T1543": {"name": "Create or Modify System Process", "tactic": "TA0003", "subtechniques": 4},
"T1136": {"name": "Create Account", "tactic": "TA0003", "subtechniques": 3},
}
class DetectionRule:
"""Represents a SIEM detection rule with MITRE mapping."""
def __init__(self, name: str, techniques: list, score: int,
data_sources: list, validated: bool = False):
self.name = name
self.techniques = techniques
self.score = score
self.data_sources = data_sources
self.validated = validated
class CoverageMap:
"""MITRE ATT&CK coverage map for detection gap analysis."""
def __init__(self, organization: str):
self.organization = organization
self.rules = []
self.technique_scores = {}
self.generated = datetime.utcnow().isoformat()
def add_rule(self, rule: DetectionRule):
self.rules.append(rule)
for tech_id in rule.techniques:
if tech_id not in self.technique_scores:
self.technique_scores[tech_id] = {"rules": [], "max_score": 0}
self.technique_scores[tech_id]["rules"].append(rule.name)
self.technique_scores[tech_id]["max_score"] = max(
self.technique_scores[tech_id]["max_score"], rule.score
)
def get_coverage_summary(self) -> dict:
total_techniques = len(ENTERPRISE_TECHNIQUES)
covered = sum(1 for t in ENTERPRISE_TECHNIQUES if t in self.technique_scores and self.technique_scores[t]["max_score"] > 0)
no_coverage = total_techniques - covered
scores = [self.technique_scores.get(t, {}).get("max_score", 0) for t in ENTERPRISE_TECHNIQUES]
avg_score = round(sum(scores) / max(1, len(scores)), 1)
return {
"organization": self.organization,
"total_techniques": total_techniques,
"covered": covered,
"no_coverage": no_coverage,
"coverage_pct": round(covered / total_techniques * 100, 1),
"avg_score": avg_score,
"total_rules": len(self.rules),
"generated": self.generated,
}
def get_tactic_coverage(self) -> dict:
tactic_data = {}
for tactic_id, tactic_name in ATTACK_TACTICS.items():
techniques_in_tactic = [
t for t, info in ENTERPRISE_TECHNIQUES.items()
if info["tactic"] == tactic_id
]
covered = sum(1 for t in techniques_in_tactic if t in self.technique_scores and self.technique_scores[t]["max_score"] > 0)
total = len(techniques_in_tactic)
tactic_data[tactic_name] = {
"total": total,
"covered": covered,
"pct": round(covered / max(1, total) * 100, 1),
}
return tactic_data
def get_gaps(self, min_priority: int = 0) -> list:
gaps = []
for tech_id, info in ENTERPRISE_TECHNIQUES.items():
score = self.technique_scores.get(tech_id, {}).get("max_score", 0)
if score < 50:
gaps.append({
"technique_id": tech_id,
"technique_name": info["name"],
"tactic": ATTACK_TACTICS.get(info["tactic"], "Unknown"),
"current_score": score,
"subtechniques": info["subtechniques"],
"rules_count": len(self.technique_scores.get(tech_id, {}).get("rules", [])),
})
return sorted(gaps, key=lambda x: x["current_score"])
def generate_navigator_layer(self) -> dict:
techniques = []
for tech_id, info in ENTERPRISE_TECHNIQUES.items():
score = self.technique_scores.get(tech_id, {}).get("max_score", 0)
rules = self.technique_scores.get(tech_id, {}).get("rules", [])
color = "#ff0000" if score == 0 else "#ffff00" if score < 50 else "#90ee90" if score < 75 else "#00ff00"
techniques.append({
"techniqueID": tech_id,
"color": color,
"score": score,
"comment": f"{len(rules)} rules: {', '.join(rules[:3])}" if rules else "NO DETECTION",
})
return {
"name": f"{self.organization} - Detection Coverage",
"versions": {"attack": "16", "navigator": "5.1", "layer": "4.5"},
"domain": "enterprise-attack",
"techniques": techniques,
"gradient": {"colors": ["#ff0000", "#ffff00", "#00ff00"], "minValue": 0, "maxValue": 100},
}
if __name__ == "__main__":
cmap = CoverageMap("Example Corp SOC")
rules = [
DetectionRule("Brute Force Detection", ["T1110"], 85, ["Windows Security Log"], True),
DetectionRule("Suspicious PowerShell", ["T1059"], 75, ["PowerShell Script Block"], True),
DetectionRule("New Account Created", ["T1136"], 60, ["Windows Security Log"], False),
DetectionRule("Lateral Movement RDP", ["T1021"], 70, ["Windows Security Log", "Firewall"], True),
DetectionRule("Phishing Email Detected", ["T1566"], 80, ["Email Gateway"], True),
DetectionRule("Credential Dumping", ["T1003"], 50, ["Sysmon"], False),
DetectionRule("Scheduled Task Created", ["T1053"], 65, ["Windows Security Log"], True),
DetectionRule("C2 Beaconing", ["T1071"], 45, ["Firewall", "DNS"], False),
DetectionRule("Data Exfiltration", ["T1048"], 30, ["Firewall"], False),
DetectionRule("Ransomware Encryption", ["T1486"], 40, ["EDR"], False),
]
for rule in rules:
cmap.add_rule(rule)
print("=" * 70)
print("MITRE ATT&CK COVERAGE MAP")
print("=" * 70)
summary = cmap.get_coverage_summary()
print(f"\nOrganization: {summary['organization']}")
print(f"Coverage: {summary['covered']}/{summary['total_techniques']} techniques ({summary['coverage_pct']}%)")
print(f"Average Score: {summary['avg_score']}/100")
print(f"Total Rules: {summary['total_rules']}")
print(f"\n{'Tactic':<30} {'Covered':<10} {'Total':<8} {'Coverage'}")
print("-" * 60)
for tactic, data in cmap.get_tactic_coverage().items():
if data["total"] > 0:
bar = "#" * int(data["pct"] / 5) + "." * (20 - int(data["pct"] / 5))
print(f"{tactic:<30} {data['covered']:<10} {data['total']:<8} [{bar}] {data['pct']}%")
print(f"\nDetection Gaps (Score < 50):")
for gap in cmap.get_gaps():
print(f" [{gap['current_score']:>3}] {gap['technique_id']} - {gap['technique_name']} ({gap['tactic']})")
# Export Navigator layer
layer = cmap.generate_navigator_layer()
print(f"\nATT&CK Navigator Layer exported ({len(layer['techniques'])} techniques)")
Assets 1
template.mdtext/markdown · 1.0 KBKeep exploring