soc operations

Implementing MITRE ATT&CK Coverage Mapping

Implement MITRE ATT&CK coverage mapping to identify detection gaps, prioritize rule development, and measure SOC detection maturity against adversary techniques.

attack-navigatordetection-coveragedetection-engineeringgap-analysismitre-attacksoc
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

MITRE ATT&CK coverage mapping gives SOC teams a structured, adversary-centric lens to evaluate detection capabilities. Enterprise SIEMs on average have detection coverage for only 21% of ATT&CK techniques (2025 CardinalOps report), with 13% of existing rules being non-functional due to misconfigured data sources. Systematic coverage mapping identifies gaps, prioritizes rule development, and tracks detection maturity over time. ATT&CK v18.1 (December 2025) is the latest version.

When to Use

  • When deploying or configuring implementing mitre attack coverage mapping capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Access to MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/)
  • Inventory of all active SIEM detection rules
  • MITRE ATT&CK technique mapping for each detection rule
  • Data source inventory (which log sources are ingested)
  • Understanding of adversary threat profiles relevant to your industry

Coverage Mapping Process

Step 1: Export Current Detection Rules

# Splunk ES - Export all active correlation searches with MITRE mappings
| rest /services/saved/searches
| search disabled=0 action.correlationsearch.enabled=1
| table title, search, action.notable.param.security_domain,
    action.notable.param.severity, action.correlationsearch.annotations
| eval mitre_techniques=mvfilter(match('action.correlationsearch.annotations', "mitre_attack"))
// Microsoft Sentinel - Export analytics rules with MITRE mapping
SecurityAlert
| summarize count() by AlertName, ProductName
| join kind=inner (
    resources
    | where type == "microsoft.securityinsights/alertrules"
    | extend tactics = properties.tactics
) on $left.AlertName == $right.name

Step 2: Build the Coverage Matrix

ATT&CK Navigator Layer Format

{
    "name": "SOC Detection Coverage - 2025",
    "versions": {
        "attack": "16",
        "navigator": "5.1",
        "layer": "4.5"
    },
    "domain": "enterprise-attack",
    "description": "Current detection coverage mapping",
    "techniques": [
        {
            "techniqueID": "T1110",
            "tactic": "credential-access",
            "color": "#00ff00",
            "comment": "2 active rules - Brute Force detection via EventCode 4625",
            "score": 75,
            "metadata": [
                {"name": "rule_count", "value": "2"},
                {"name": "data_sources", "value": "Windows Security Log, Linux Auth"},
                {"name": "last_validated", "value": "2025-01-15"}
            ]
        },
        {
            "techniqueID": "T1059.001",
            "tactic": "execution",
            "color": "#00ff00",
            "comment": "3 rules - PowerShell Script Block Logging",
            "score": 85
        },
        {
            "techniqueID": "T1055",
            "tactic": "defense-evasion",
            "color": "#ff0000",
            "comment": "NO DETECTION - Requires Sysmon EventCode 8/10",
            "score": 0
        }
    ],
    "gradient": {
        "colors": ["#ff0000", "#ffff00", "#00ff00"],
        "minValue": 0,
        "maxValue": 100
    }
}

Step 3: Score Each Technique

Score Color Meaning Criteria
0 Red No Detection No rules, missing data sources
25 Orange Minimal Rule exists but not validated/tested
50 Yellow Partial Rule works but limited coverage
75 Light Green Good Validated rule with good data sources
100 Green Excellent Multiple validated rules, tested with emulation

Scoring Criteria Detail

Score = Data_Source_Score (0-25) + Rule_Quality_Score (0-25) +
        Validation_Score (0-25) + Enrichment_Score (0-25)
 
Data_Source_Score:
  25: All required data sources ingested and parsed
  15: Primary data source available
  5:  Partial data source coverage
  0:  Required data sources not available
 
Rule_Quality_Score:
  25: Rule uses CIM-compliant queries with proper thresholds
  15: Rule works but may generate false positives
  5:  Basic rule with no tuning
  0:  No detection rule
 
Validation_Score:
  25: Validated with adversary emulation (Atomic Red Team)
  15: Tested with synthetic data
  5:  Logic reviewed but not tested
  0:  Not validated
 
Enrichment_Score:
  25: Context-rich with asset, identity, and TI enrichment
  15: Basic enrichment (asset lookup)
  5:  No enrichment
  0:  N/A (no rule)

Step 4: Identify Priority Gaps

Gap Prioritization Framework

Priority = Technique_Prevalence x Impact x Feasibility
 
Technique_Prevalence (0-10):
  - Based on MITRE Top Techniques report
  - Frequency in your industry's threat landscape
  - Observed in recent incidents/breaches
 
Impact (0-10):
  - Damage potential if technique succeeds
  - Difficulty of recovery
  - Data sensitivity at risk
 
Feasibility (0-10):
  - Data source availability
  - Rule complexity
  - Engineering effort required

Top Priority Techniques to Cover (2025)

Technique ID Prevalence Typical Gap Reason
Command and Scripting Interpreter T1059 Very High Requires script block logging
Phishing T1566 Very High Email gateway integration
Valid Accounts T1078 High Baseline behavior needed
Process Injection T1055 High Requires Sysmon or EDR
Lateral Movement (RDP/SMB) T1021 High Network segmentation visibility
Scheduled Task/Job T1053 High Event log collection
Data Encrypted for Impact T1486 High File system monitoring
Ingress Tool Transfer T1105 Medium Network traffic analysis

Step 5: Build Detection Roadmap

Quarter 1: Close Critical Gaps (Score 0, High Prevalence)
  Week 1-2: Enable missing data sources
  Week 3-4: Build and test rules for top 5 gap techniques
  Week 5-8: Validate with adversary emulation
  Week 9-12: Tune and operationalize
 
Quarter 2: Improve Partial Coverage (Score 25-50)
  - Upgrade existing rules with enrichment
  - Add secondary detection methods
  - Validate with purple team exercises
 
Quarter 3: Mature Good Coverage (Score 50-75)
  - Add behavioral analytics
  - Implement detection-as-code pipeline
  - Cross-technique correlation rules
 
Quarter 4: Excellence (Score 75-100)
  - Continuous testing with BAS tools
  - Automated coverage regression testing
  - Red team validation

Automated Coverage Assessment

Data Source to Technique Mapping

# Map available data sources to detectable techniques
DATA_SOURCE_TECHNIQUE_MAP = {
    "Windows Security Event Log": [
        "T1110", "T1078", "T1053.005", "T1098", "T1136",
        "T1070.001", "T1021.001", "T1543.003"
    ],
    "Sysmon": [
        "T1055", "T1059", "T1003", "T1547.001", "T1036",
        "T1218", "T1105", "T1071"
    ],
    "Network Traffic (Firewall/IDS)": [
        "T1071", "T1048", "T1105", "T1572", "T1090",
        "T1571", "T1573"
    ],
    "DNS Logs": [
        "T1071.004", "T1568", "T1583.001", "T1048.003"
    ],
    "Email Gateway": [
        "T1566.001", "T1566.002", "T1534"
    ],
    "Cloud Audit Logs": [
        "T1078.004", "T1537", "T1530", "T1580",
        "T1087.004", "T1098.001"
    ],
}

Reporting Dashboard Queries

Coverage Summary by Tactic

| inputlookup mitre_coverage_lookup
| stats avg(score) as avg_score count(eval(score=0)) as no_coverage
    count(eval(score>0 AND score<50)) as partial
    count(eval(score>=50 AND score<75)) as good
    count(eval(score>=75)) as excellent
    count as total
    by tactic
| eval coverage_pct=round((total - no_coverage) / total * 100, 1)
| sort -coverage_pct

References

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.4 KB

API Reference: Implementing MITRE ATT&CK Coverage Mapping

ATT&CK Enterprise STIX Data

# Download latest ATT&CK STIX bundle
curl -sL "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json" -o attack.json

ATT&CK Navigator Layer Format

{
  "name": "Detection Coverage",
  "domain": "enterprise-attack",
  "versions": {"attack": "14", "navigator": "4.9.1"},
  "techniques": [
    {"techniqueID": "T1566", "score": 3, "color": "#80b1d3"}
  ]
}

ATT&CK Tactics (Enterprise)

ID Tactic Example Technique
TA0001 Initial Access T1566 Phishing
TA0002 Execution T1059 Command Interpreter
TA0003 Persistence T1053 Scheduled Task
TA0004 Privilege Escalation T1078 Valid Accounts
TA0005 Defense Evasion T1027 Obfuscation
TA0006 Credential Access T1003 OS Credential Dumping
TA0008 Lateral Movement T1021 Remote Services
TA0011 Command and Control T1071 Application Layer Protocol

Coverage Score

Score Meaning Color
0 No detection White
1 Single rule Yellow
2 Multiple rules Green
3 Good coverage Blue
4+ Excellent Red

References

standards.md1.1 KB

Standards - MITRE ATT&CK Coverage Mapping

MITRE ATT&CK Framework

  • Current version: v18.1 (December 2025)
  • 14 Tactics, 200+ Techniques, 400+ Sub-Techniques
  • Domains: Enterprise, Mobile, ICS

Tactics (Kill Chain Order)

  1. Reconnaissance (TA0043)
  2. Resource Development (TA0042)
  3. Initial Access (TA0001)
  4. Execution (TA0002)
  5. Persistence (TA0003)
  6. Privilege Escalation (TA0004)
  7. Defense Evasion (TA0005)
  8. Credential Access (TA0006)
  9. Discovery (TA0007)
  10. Lateral Movement (TA0008)
  11. Collection (TA0009)
  12. Command and Control (TA0011)
  13. Exfiltration (TA0010)
  14. Impact (TA0040)

Detection Maturity Model

Level Description
L0 No detection capability for the technique
L1 Basic log collection for relevant data sources
L2 Detection rule deployed but not validated
L3 Validated detection with known false positive rate
L4 Automated testing and continuous validation
L5 Behavioral detection with ML-based anomaly detection

Related Frameworks

  • MITRE D3FEND (Defensive techniques)
  • MITRE ATT&CK Data Sources
  • NIST CSF Detection function
  • SANS Detection Maturity Level model
workflows.md1.0 KB

Workflows - MITRE ATT&CK Coverage Mapping

Quarterly Coverage Assessment Workflow

1. Export all active SIEM detection rules
   |
   v
2. Map each rule to MITRE ATT&CK technique(s)
   |
   v
3. Score each technique (0-100)
   |
   v
4. Generate ATT&CK Navigator heatmap
   |
   v
5. Identify top 10 gap techniques
   |
   v
6. Prioritize based on threat landscape
   |
   v
7. Create detection engineering backlog
   |
   v
8. Build and deploy new rules
   |
   v
9. Validate with adversary emulation
   |
   v
10. Update coverage map

Continuous Improvement Cycle

Assess Coverage --> Identify Gaps --> Prioritize -->
Build Rules --> Test Rules --> Deploy --> Validate -->
Measure --> Report --> Repeat

Gap Closure Tracking

Week New Rules Techniques Covered Coverage Delta
1 3 T1059, T1055, T1003 +1.5%
2 2 T1053, T1547 +1.0%
3 3 T1071, T1105, T1048 +1.5%
4 2 T1218, T1036 +1.0%

Scripts 2

agent.py6.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""MITRE ATT&CK Coverage Mapping Agent - maps detection rules to ATT&CK techniques and identifies gaps."""

import json
import argparse
import logging
from collections import defaultdict
from datetime import datetime

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)

ENTERPRISE_TACTICS = [
    "TA0001", "TA0002", "TA0003", "TA0004", "TA0005",
    "TA0006", "TA0007", "TA0008", "TA0009", "TA0010",
    "TA0011", "TA0040", "TA0042", "TA0043",
]

TACTIC_NAMES = {
    "TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
    "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
    "TA0006": "Credential Access", "TA0007": "Discovery", "TA0008": "Lateral Movement",
    "TA0009": "Collection", "TA0010": "Exfiltration", "TA0011": "Command and Control",
    "TA0040": "Impact", "TA0042": "Resource Development", "TA0043": "Reconnaissance",
}


def load_detection_rules(filepath):
    """Load detection rules with ATT&CK mappings."""
    with open(filepath) as f:
        return json.load(f)


def load_attack_matrix(filepath):
    """Load ATT&CK enterprise matrix (techniques per tactic)."""
    with open(filepath) as f:
        return json.load(f)


def map_rules_to_techniques(rules):
    """Map detection rules to ATT&CK technique IDs."""
    technique_rules = defaultdict(list)
    unmapped = []
    for rule in rules:
        techniques = rule.get("mitre_attack", [])
        if not techniques:
            unmapped.append(rule.get("name", "unknown"))
            continue
        for tech in techniques:
            technique_rules[tech].append({
                "rule_name": rule.get("name", ""),
                "severity": rule.get("severity", "medium"),
                "data_source": rule.get("data_source", ""),
                "enabled": rule.get("enabled", True),
            })
    return dict(technique_rules), unmapped


def calculate_coverage(technique_rules, attack_matrix):
    """Calculate coverage percentage per tactic."""
    tactic_coverage = {}
    for tactic_id, tactic_name in TACTIC_NAMES.items():
        techniques_in_tactic = attack_matrix.get(tactic_id, [])
        total = len(techniques_in_tactic)
        covered = sum(1 for t in techniques_in_tactic if t in technique_rules)
        tactic_coverage[tactic_id] = {
            "tactic_name": tactic_name,
            "total_techniques": total,
            "covered": covered,
            "coverage_percent": round(covered / max(total, 1) * 100, 1),
            "gaps": [t for t in techniques_in_tactic if t not in technique_rules],
        }
    return tactic_coverage


def identify_priority_gaps(tactic_coverage, priority_techniques=None):
    """Identify high-priority coverage gaps."""
    gaps = []
    for tactic_id, data in tactic_coverage.items():
        for tech in data["gaps"]:
            priority = "high" if (priority_techniques and tech in priority_techniques) else "medium"
            gaps.append({
                "technique": tech,
                "tactic": data["tactic_name"],
                "tactic_id": tactic_id,
                "priority": priority,
            })
    return sorted(gaps, key=lambda x: (0 if x["priority"] == "high" else 1, x["tactic"]))


def calculate_detection_depth(technique_rules):
    """Assess detection depth per technique (number of rules covering it)."""
    depth = {}
    for tech, rules in technique_rules.items():
        enabled_rules = [r for r in rules if r["enabled"]]
        data_sources = list(set(r["data_source"] for r in enabled_rules if r["data_source"]))
        depth[tech] = {
            "total_rules": len(rules),
            "enabled_rules": len(enabled_rules),
            "data_sources": data_sources,
            "depth": "deep" if len(enabled_rules) >= 3 else "moderate" if len(enabled_rules) >= 2 else "shallow",
        }
    return depth


def generate_navigator_layer(technique_rules, tactic_coverage):
    """Generate ATT&CK Navigator layer JSON."""
    techniques = []
    for tech_id, rules in technique_rules.items():
        score = min(len(rules), 4)
        techniques.append({
            "techniqueID": tech_id,
            "score": score,
            "comment": f"{len(rules)} detection rules",
            "enabled": True,
        })
    layer = {
        "name": "Detection Coverage",
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#66b1ff", "#0044cc"], "minValue": 0, "maxValue": 4},
    }
    return layer


def generate_report(rules, technique_rules, unmapped, tactic_coverage, depth):
    total_techniques_covered = len(technique_rules)
    total_rules = len(rules)
    report = {
        "timestamp": datetime.utcnow().isoformat(),
        "total_detection_rules": total_rules,
        "mapped_rules": total_rules - len(unmapped),
        "unmapped_rules": len(unmapped),
        "techniques_covered": total_techniques_covered,
        "tactic_coverage": tactic_coverage,
        "detection_depth_summary": {
            "deep": sum(1 for d in depth.values() if d["depth"] == "deep"),
            "moderate": sum(1 for d in depth.values() if d["depth"] == "moderate"),
            "shallow": sum(1 for d in depth.values() if d["depth"] == "shallow"),
        },
        "priority_gaps": identify_priority_gaps(tactic_coverage)[:20],
    }
    return report


def main():
    parser = argparse.ArgumentParser(description="MITRE ATT&CK Coverage Mapping Agent")
    parser.add_argument("--rules", required=True, help="JSON file with detection rules and ATT&CK mappings")
    parser.add_argument("--matrix", help="ATT&CK matrix JSON (techniques per tactic)")
    parser.add_argument("--navigator-output", help="Output ATT&CK Navigator layer JSON")
    parser.add_argument("--output", default="attack_coverage_report.json")
    args = parser.parse_args()

    rules = load_detection_rules(args.rules)
    attack_matrix = load_attack_matrix(args.matrix) if args.matrix else {t: [] for t in ENTERPRISE_TACTICS}

    technique_rules, unmapped = map_rules_to_techniques(rules)
    tactic_coverage = calculate_coverage(technique_rules, attack_matrix)
    depth = calculate_detection_depth(technique_rules)
    report = generate_report(rules, technique_rules, unmapped, tactic_coverage, depth)

    if args.navigator_output:
        layer = generate_navigator_layer(technique_rules, tactic_coverage)
        with open(args.navigator_output, "w") as f:
            json.dump(layer, f, indent=2)
        logger.info("Navigator layer saved to %s", args.navigator_output)

    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    logger.info("Coverage: %d techniques covered by %d rules", len(technique_rules), len(rules))
    print(json.dumps(report, indent=2, default=str))


if __name__ == "__main__":
    main()
process.py8.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
MITRE ATT&CK Coverage Mapping Tool

Builds and analyzes detection coverage maps against the
MITRE ATT&CK framework for SOC detection gap analysis.
"""

import json
from datetime import datetime


ATTACK_TACTICS = {
    "TA0043": "Reconnaissance",
    "TA0042": "Resource Development",
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0007": "Discovery",
    "TA0008": "Lateral Movement",
    "TA0009": "Collection",
    "TA0011": "Command and Control",
    "TA0010": "Exfiltration",
    "TA0040": "Impact",
}

ENTERPRISE_TECHNIQUES = {
    "T1110": {"name": "Brute Force", "tactic": "TA0006", "subtechniques": 4},
    "T1059": {"name": "Command and Scripting Interpreter", "tactic": "TA0002", "subtechniques": 9},
    "T1078": {"name": "Valid Accounts", "tactic": "TA0005", "subtechniques": 4},
    "T1055": {"name": "Process Injection", "tactic": "TA0005", "subtechniques": 15},
    "T1021": {"name": "Remote Services", "tactic": "TA0008", "subtechniques": 7},
    "T1053": {"name": "Scheduled Task/Job", "tactic": "TA0003", "subtechniques": 6},
    "T1566": {"name": "Phishing", "tactic": "TA0001", "subtechniques": 4},
    "T1003": {"name": "OS Credential Dumping", "tactic": "TA0006", "subtechniques": 8},
    "T1071": {"name": "Application Layer Protocol", "tactic": "TA0011", "subtechniques": 4},
    "T1048": {"name": "Exfiltration Over Alternative Protocol", "tactic": "TA0010", "subtechniques": 3},
    "T1105": {"name": "Ingress Tool Transfer", "tactic": "TA0011", "subtechniques": 0},
    "T1547": {"name": "Boot or Logon Autostart Execution", "tactic": "TA0003", "subtechniques": 15},
    "T1036": {"name": "Masquerading", "tactic": "TA0005", "subtechniques": 9},
    "T1218": {"name": "System Binary Proxy Execution", "tactic": "TA0005", "subtechniques": 14},
    "T1027": {"name": "Obfuscated Files or Information", "tactic": "TA0005", "subtechniques": 12},
    "T1486": {"name": "Data Encrypted for Impact", "tactic": "TA0040", "subtechniques": 0},
    "T1098": {"name": "Account Manipulation", "tactic": "TA0003", "subtechniques": 6},
    "T1070": {"name": "Indicator Removal", "tactic": "TA0005", "subtechniques": 9},
    "T1543": {"name": "Create or Modify System Process", "tactic": "TA0003", "subtechniques": 4},
    "T1136": {"name": "Create Account", "tactic": "TA0003", "subtechniques": 3},
}


class DetectionRule:
    """Represents a SIEM detection rule with MITRE mapping."""

    def __init__(self, name: str, techniques: list, score: int,
                 data_sources: list, validated: bool = False):
        self.name = name
        self.techniques = techniques
        self.score = score
        self.data_sources = data_sources
        self.validated = validated


class CoverageMap:
    """MITRE ATT&CK coverage map for detection gap analysis."""

    def __init__(self, organization: str):
        self.organization = organization
        self.rules = []
        self.technique_scores = {}
        self.generated = datetime.utcnow().isoformat()

    def add_rule(self, rule: DetectionRule):
        self.rules.append(rule)
        for tech_id in rule.techniques:
            if tech_id not in self.technique_scores:
                self.technique_scores[tech_id] = {"rules": [], "max_score": 0}
            self.technique_scores[tech_id]["rules"].append(rule.name)
            self.technique_scores[tech_id]["max_score"] = max(
                self.technique_scores[tech_id]["max_score"], rule.score
            )

    def get_coverage_summary(self) -> dict:
        total_techniques = len(ENTERPRISE_TECHNIQUES)
        covered = sum(1 for t in ENTERPRISE_TECHNIQUES if t in self.technique_scores and self.technique_scores[t]["max_score"] > 0)
        no_coverage = total_techniques - covered

        scores = [self.technique_scores.get(t, {}).get("max_score", 0) for t in ENTERPRISE_TECHNIQUES]
        avg_score = round(sum(scores) / max(1, len(scores)), 1)

        return {
            "organization": self.organization,
            "total_techniques": total_techniques,
            "covered": covered,
            "no_coverage": no_coverage,
            "coverage_pct": round(covered / total_techniques * 100, 1),
            "avg_score": avg_score,
            "total_rules": len(self.rules),
            "generated": self.generated,
        }

    def get_tactic_coverage(self) -> dict:
        tactic_data = {}
        for tactic_id, tactic_name in ATTACK_TACTICS.items():
            techniques_in_tactic = [
                t for t, info in ENTERPRISE_TECHNIQUES.items()
                if info["tactic"] == tactic_id
            ]
            covered = sum(1 for t in techniques_in_tactic if t in self.technique_scores and self.technique_scores[t]["max_score"] > 0)
            total = len(techniques_in_tactic)
            tactic_data[tactic_name] = {
                "total": total,
                "covered": covered,
                "pct": round(covered / max(1, total) * 100, 1),
            }
        return tactic_data

    def get_gaps(self, min_priority: int = 0) -> list:
        gaps = []
        for tech_id, info in ENTERPRISE_TECHNIQUES.items():
            score = self.technique_scores.get(tech_id, {}).get("max_score", 0)
            if score < 50:
                gaps.append({
                    "technique_id": tech_id,
                    "technique_name": info["name"],
                    "tactic": ATTACK_TACTICS.get(info["tactic"], "Unknown"),
                    "current_score": score,
                    "subtechniques": info["subtechniques"],
                    "rules_count": len(self.technique_scores.get(tech_id, {}).get("rules", [])),
                })
        return sorted(gaps, key=lambda x: x["current_score"])

    def generate_navigator_layer(self) -> dict:
        techniques = []
        for tech_id, info in ENTERPRISE_TECHNIQUES.items():
            score = self.technique_scores.get(tech_id, {}).get("max_score", 0)
            rules = self.technique_scores.get(tech_id, {}).get("rules", [])
            color = "#ff0000" if score == 0 else "#ffff00" if score < 50 else "#90ee90" if score < 75 else "#00ff00"
            techniques.append({
                "techniqueID": tech_id,
                "color": color,
                "score": score,
                "comment": f"{len(rules)} rules: {', '.join(rules[:3])}" if rules else "NO DETECTION",
            })
        return {
            "name": f"{self.organization} - Detection Coverage",
            "versions": {"attack": "16", "navigator": "5.1", "layer": "4.5"},
            "domain": "enterprise-attack",
            "techniques": techniques,
            "gradient": {"colors": ["#ff0000", "#ffff00", "#00ff00"], "minValue": 0, "maxValue": 100},
        }


if __name__ == "__main__":
    cmap = CoverageMap("Example Corp SOC")

    rules = [
        DetectionRule("Brute Force Detection", ["T1110"], 85, ["Windows Security Log"], True),
        DetectionRule("Suspicious PowerShell", ["T1059"], 75, ["PowerShell Script Block"], True),
        DetectionRule("New Account Created", ["T1136"], 60, ["Windows Security Log"], False),
        DetectionRule("Lateral Movement RDP", ["T1021"], 70, ["Windows Security Log", "Firewall"], True),
        DetectionRule("Phishing Email Detected", ["T1566"], 80, ["Email Gateway"], True),
        DetectionRule("Credential Dumping", ["T1003"], 50, ["Sysmon"], False),
        DetectionRule("Scheduled Task Created", ["T1053"], 65, ["Windows Security Log"], True),
        DetectionRule("C2 Beaconing", ["T1071"], 45, ["Firewall", "DNS"], False),
        DetectionRule("Data Exfiltration", ["T1048"], 30, ["Firewall"], False),
        DetectionRule("Ransomware Encryption", ["T1486"], 40, ["EDR"], False),
    ]

    for rule in rules:
        cmap.add_rule(rule)

    print("=" * 70)
    print("MITRE ATT&CK COVERAGE MAP")
    print("=" * 70)

    summary = cmap.get_coverage_summary()
    print(f"\nOrganization: {summary['organization']}")
    print(f"Coverage: {summary['covered']}/{summary['total_techniques']} techniques ({summary['coverage_pct']}%)")
    print(f"Average Score: {summary['avg_score']}/100")
    print(f"Total Rules: {summary['total_rules']}")

    print(f"\n{'Tactic':<30} {'Covered':<10} {'Total':<8} {'Coverage'}")
    print("-" * 60)
    for tactic, data in cmap.get_tactic_coverage().items():
        if data["total"] > 0:
            bar = "#" * int(data["pct"] / 5) + "." * (20 - int(data["pct"] / 5))
            print(f"{tactic:<30} {data['covered']:<10} {data['total']:<8} [{bar}] {data['pct']}%")

    print(f"\nDetection Gaps (Score < 50):")
    for gap in cmap.get_gaps():
        print(f"  [{gap['current_score']:>3}] {gap['technique_id']} - {gap['technique_name']} ({gap['tactic']})")

    # Export Navigator layer
    layer = cmap.generate_navigator_layer()
    print(f"\nATT&CK Navigator Layer exported ({len(layer['techniques'])} techniques)")

Assets 1

template.mdtext/markdown · 1.0 KB
Keep exploring