npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE ATLAS
MITRE D3FEND
When to Use
Use this skill when:
- SOC teams need to build or expand their SIEM detection library from scratch
- Threat assessments identify ATT&CK technique gaps requiring new detection rules
- Detection engineers need a structured process for use case design, testing, and deployment
- Compliance requirements mandate specific detection capabilities (PCI DSS, HIPAA, SOX)
Do not use for ad-hoc hunting queries — use cases are formalized, tested, and maintained detection rules, not exploratory searches.
Prerequisites
- SIEM platform (Splunk ES, Elastic Security, or Microsoft Sentinel) with production data
- ATT&CK Navigator for coverage gap analysis
- Log sources normalized to CIM/ECS field standards
- Use case documentation framework (wiki, Git repo, or detection engineering platform)
- Testing environment with attack simulation tools (Atomic Red Team, MITRE Caldera)
Workflow
Step 1: Assess Detection Coverage Gaps
Map current detection rules to ATT&CK and identify gaps:
import json
# Load current detection rules mapped to ATT&CK
current_rules = [
{"name": "Brute Force Detection", "techniques": ["T1110.001", "T1110.003"]},
{"name": "Malware Hash Match", "techniques": ["T1204.002"]},
{"name": "Suspicious PowerShell", "techniques": ["T1059.001"]},
]
# Load ATT&CK Enterprise techniques
with open("enterprise-attack.json") as f:
attack = json.load(f)
all_techniques = set()
for obj in attack["objects"]:
if obj["type"] == "attack-pattern":
ext = obj.get("external_references", [])
for ref in ext:
if ref.get("source_name") == "mitre-attack":
all_techniques.add(ref["external_id"])
covered = set()
for rule in current_rules:
covered.update(rule["techniques"])
gaps = all_techniques - covered
print(f"Total techniques: {len(all_techniques)}")
print(f"Covered: {len(covered)} ({len(covered)/len(all_techniques)*100:.1f}%)")
print(f"Gaps: {len(gaps)}")
# Prioritize gaps by threat relevance
priority_techniques = [
"T1003", "T1021", "T1053", "T1547", "T1078",
"T1055", "T1071", "T1105", "T1036", "T1070"
]
priority_gaps = [t for t in priority_techniques if t in gaps]
print(f"Priority gaps: {priority_gaps}")Step 2: Design Use Case Specification
Document each use case with a standardized template:
use_case_id: UC-2024-015
name: Credential Dumping via LSASS Access
description: Detects tools accessing LSASS process memory for credential extraction
mitre_attack:
tactic: Credential Access (TA0006)
technique: T1003.001 - LSASS Memory
data_sources:
- Process: OS API Execution (Sysmon EventCode 10)
- Process: Process Access (Windows Security 4663)
log_sources:
- index: sysmon, sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- index: wineventlog, sourcetype: WinEventLog:Security
severity: High
confidence: Medium-High
false_positive_sources:
- Antivirus products scanning LSASS
- CrowdStrike Falcon sensor
- Windows Defender ATP
- SCCM client
tuning_notes: >
Maintain exclusion list for known security tools that legitimately access LSASS.
Review exclusions quarterly for newly deployed security products.
sla: Alert within 5 minutes of detection
owner: detection_engineering_team
status: Production
created: 2024-03-15
last_tested: 2024-03-15Step 3: Implement Detection Logic Across Platforms
Splunk ES Correlation Search:
| tstats summariesonly=true count from datamodel=Endpoint.Processes
where Processes.process_name="lsass.exe"
by Processes.dest, Processes.user, Processes.process_name,
Processes.parent_process_name, Processes.parent_process
| `drop_dm_object_name(Processes)`
| lookup lsass_access_whitelist parent_process AS parent_process OUTPUT is_whitelisted
| where isnull(is_whitelisted) OR is_whitelisted!="true"
| `credential_dumping_lsass_filter`Or using raw Sysmon data:
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x40")
NOT [| inputlookup lsass_whitelist.csv | fields SourceImage]
| stats count, values(GrantedAccess) AS access_flags by Computer, SourceImage, SourceUser
| where count > 0Elastic Security EQL Rule:
process where event.type == "access" and
process.name == "lsass.exe" and
not process.executable : (
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\csrss.exe",
"?:\\Program Files\\CrowdStrike\\*",
"?:\\ProgramData\\Microsoft\\Windows Defender\\*"
)Microsoft Sentinel KQL Rule:
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "lsass.exe"
| where ActionType == "ProcessAccessed"
| where InitiatingProcessFileName !in ("svchost.exe", "csrss.exe", "MsMpEng.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName,
InitiatingProcessCommandLine, AccountNameStep 4: Test with Attack Simulation
Validate detection rules using Atomic Red Team:
# Install Atomic Red Team
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics
# Execute T1003.001 - Credential Dumping
Invoke-AtomicTest T1003.001 -TestNumbers 1,2,3
# Execute T1053.005 - Scheduled Task
Invoke-AtomicTest T1053.005 -TestNumbers 1
# Execute T1547.001 - Registry Run Key
Invoke-AtomicTest T1547.001 -TestNumbers 1,2Verify detection in SIEM:
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
earliest=-1h
| stats count by Computer, SourceImage, GrantedAccess
| where count > 0Document test results:
TEST RESULTS — UC-2024-015
Atomic Test T1003.001-1 (Mimikatz): DETECTED (alert fired in 47s)
Atomic Test T1003.001-2 (ProcDump): DETECTED (alert fired in 32s)
Atomic Test T1003.001-3 (Task Manager): FALSE NEGATIVE (excluded by whitelist — expected)
False Positive Rate (7-day backtest): 2 events (CrowdStrike scan — added to whitelist)Step 5: Deploy and Monitor Use Case Health
Track detection rule effectiveness:
-- Use case firing frequency
index=notable
| stats count AS fires, dc(src) AS unique_sources,
dc(dest) AS unique_dests
by rule_name, status_label
| eval true_positive_rate = round(
sum(eval(if(status_label="Resolved - True Positive", 1, 0))) /
count * 100, 1)
| sort - fires
| table rule_name, fires, unique_sources, unique_dests, true_positive_rate
-- Detection latency monitoring
index=notable
| eval detection_latency = _time - orig_time
| stats avg(detection_latency) AS avg_latency_sec,
perc95(detection_latency) AS p95_latency_sec
by rule_name
| eval avg_latency_min = round(avg_latency_sec / 60, 1)
| sort - avg_latency_secStep 6: Maintain Use Case Library
Establish lifecycle management for all detection use cases:
USE CASE LIFECYCLE
━━━━━━━━━━━━━━━━━━
1. PROPOSED → New detection need identified (threat intel, gap analysis, incident finding)
2. DEVELOPMENT → Query written, false positive analysis, tuning
3. TESTING → Atomic Red Team validation, 7-day backtest
4. STAGING → Deployed in alert-only mode (no incident creation) for 14 days
5. PRODUCTION → Full production with incident creation and SOAR integration
6. REVIEW → Quarterly review of effectiveness, false positive rate, relevance
7. DEPRECATED → Technique no longer relevant or replaced by better detectionKey Concepts
| Term | Definition |
|---|---|
| Use Case | Formalized detection rule with documented logic, testing, tuning, and lifecycle management |
| Detection Engineering | Practice of designing, testing, and maintaining SIEM detection rules as a software development discipline |
| Correlation Search | SIEM query that combines events from multiple sources to identify attack patterns |
| False Positive Rate | Percentage of alerts that are benign activity — target <20% for production use cases |
| Detection Latency | Time between event occurrence and alert generation — target <5 minutes for critical detections |
| ATT&CK Coverage | Percentage of relevant ATT&CK techniques with at least one production detection rule |
Tools & Systems
- Splunk ES: Enterprise SIEM with correlation searches, risk-based alerting, and Incident Review
- Elastic Security: SIEM with detection rules, EQL sequences, and ML-based anomaly detection
- Microsoft Sentinel: Cloud SIEM with KQL analytics rules, Fusion ML engine, and Lighthouse multi-tenant
- Atomic Red Team: Open-source attack simulation framework for testing detection rules against ATT&CK techniques
- ATT&CK Navigator: MITRE visualization tool for mapping and tracking detection coverage across techniques
Common Scenarios
- Post-Incident Use Case: After a ransomware incident, build detection for the initial access vector discovered during investigation
- Compliance-Driven: PCI DSS requires detection of admin account misuse — build use cases for 4672/4720/4732 events
- Threat-Intel Driven: New APT group targets your sector — build use cases for their documented TTPs
- Red Team Findings: Purple team exercise identifies blind spots — convert findings into production detection rules
- SIEM Migration: Migrating from QRadar to Splunk — convert and validate all existing use cases on new platform
Output Format
USE CASE DEPLOYMENT REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━
Quarter: Q1 2024
Total Use Cases: 147 (Production: 128, Staging: 12, Development: 7)
New Deployments This Quarter:
UC-2024-012 Kerberoasting Detection (T1558.003) — Production
UC-2024-013 DLL Side-Loading (T1574.002) — Production
UC-2024-014 Scheduled Task Persistence (T1053.005) — Production
UC-2024-015 LSASS Memory Access (T1003.001) — Staging
ATT&CK Coverage:
Overall: 67% of relevant techniques (up from 61%)
Initial Access: 78%
Execution: 82%
Persistence: 71%
Credential Access: 65%
Lateral Movement: 58% (priority gap area)
Health Metrics:
Avg True Positive Rate: 74% (target: >70%)
Avg Detection Latency: 2.3 min (target: <5 min)
Use Cases Deprecated: 3 (replaced by improved versions)References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.1 KB
API Reference: Implementing SIEM Use Cases for Detection
Libraries
attackcti (MITRE ATT&CK)
- Install:
pip install attackcti attack_client()-- Initialize ATT&CK data clientget_techniques()-- All techniques for coverage calculationget_groups()-- Threat groups for threat-informed use cases
splunk-sdk (Splunk Integration)
- Install:
pip install splunk-sdk splunklib.client.connect()-- Connect to Splunk instanceservice.jobs.create(query)-- Execute detection rule SPL
Use Case Lifecycle
| Phase | Activities |
|---|---|
| Design | Map to ATT&CK, define data sources, write detection logic |
| Test | Validate with Atomic Red Team, measure FP/TP rates |
| Deploy | Push to SIEM with alerting and SLA configuration |
| Tune | Refine based on FP feedback, add exclusions |
| Retire | Deprecate when superseded or no longer relevant |
Key ATT&CK Techniques for Use Cases
| ID | Name | Tactic |
|---|---|---|
| T1110 | Brute Force | Credential Access |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1059.001 | PowerShell | Execution |
| T1048.003 | Exfiltration over DNS | Exfiltration |
| T1003.001 | LSASS Memory | Credential Access |
| T1098 | Account Manipulation | Persistence |
| T1486 | Data Encrypted for Impact | Impact |
Sigma Rule Format
- Spec: https://sigmahq.io/docs/basics/rules.html
- Fields:
title,logsource,detection,level,tags - Tools:
sigma-clifor converting to Splunk SPL, Elastic EQL, Sentinel KQL - Repository: https://github.com/SigmaHQ/sigma
Detection Quality Metrics
- True Positive Rate: Target >70%
- False Positive Rate: Target <30%
- Mean Time to Detect (MTTD): Varies by severity
- Coverage: Percentage of ATT&CK techniques with detections
External References
- ATT&CK Techniques: https://attack.mitre.org/techniques/enterprise/
- Sigma Rules: https://github.com/SigmaHQ/sigma
- Atomic Red Team: https://github.com/redcanaryco/atomic-red-team
- Splunk ES Detections: https://research.splunk.com/detections/
- Elastic Detection Rules: https://github.com/elastic/detection-rules
Scripts 1
agent.py8.7 KB
#!/usr/bin/env python3
"""SIEM detection use case management agent with ATT&CK coverage mapping."""
import json
import sys
import argparse
from datetime import datetime
from collections import Counter
try:
from attackcti import attack_client
except ImportError:
print("Install attackcti: pip install attackcti")
sys.exit(1)
try:
HAS_SPLUNK = True
except ImportError:
HAS_SPLUNK = False
USE_CASE_TEMPLATES = {
"brute_force_login": {
"name": "Brute Force Authentication Attempt",
"technique": "T1110",
"tactic": "credential-access",
"data_sources": ["Windows Security 4625", "Linux auth.log", "VPN logs"],
"splunk_query": ('index=wineventlog EventCode=4625 '
'| stats count by src_ip, TargetUserName '
'| where count > 10'),
"threshold": 10,
"severity": "high",
"sla_response": "15 minutes",
},
"lateral_movement_psexec": {
"name": "Lateral Movement via PsExec",
"technique": "T1021.002",
"tactic": "lateral-movement",
"data_sources": ["Windows Security 7045", "Sysmon EventID 1"],
"splunk_query": ('index=wineventlog EventCode=7045 '
'ServiceFileName="*PSEXESVC*" '
'| stats count by ComputerName, ServiceName'),
"threshold": 1,
"severity": "critical",
"sla_response": "5 minutes",
},
"suspicious_powershell": {
"name": "Suspicious PowerShell Execution",
"technique": "T1059.001",
"tactic": "execution",
"data_sources": ["Sysmon EventID 1", "PowerShell 4104"],
"splunk_query": ('index=sysmon EventCode=1 Image="*powershell.exe" '
'(CommandLine="*-enc*" OR CommandLine="*invoke-expression*" '
'OR CommandLine="*downloadstring*")'),
"threshold": 1,
"severity": "high",
"sla_response": "10 minutes",
},
"data_exfiltration_dns": {
"name": "DNS-Based Data Exfiltration",
"technique": "T1048.003",
"tactic": "exfiltration",
"data_sources": ["DNS query logs", "Zeek dns.log"],
"splunk_query": ('index=dns query_length>50 '
'| stats count dc(query) as unique_queries by src_ip '
'| where unique_queries > 100'),
"threshold": 100,
"severity": "high",
"sla_response": "15 minutes",
},
"privilege_escalation_new_admin": {
"name": "Privilege Escalation - New Admin Account",
"technique": "T1098",
"tactic": "persistence",
"data_sources": ["Windows Security 4728", "Windows Security 4732"],
"splunk_query": ('index=wineventlog (EventCode=4728 OR EventCode=4732) '
'TargetGroup="Administrators" '
'| stats count by SubjectUserName, MemberName, TargetGroup'),
"threshold": 1,
"severity": "critical",
"sla_response": "5 minutes",
},
"credential_dumping_lsass": {
"name": "Credential Dumping - LSASS Access",
"technique": "T1003.001",
"tactic": "credential-access",
"data_sources": ["Sysmon EventID 10"],
"splunk_query": ('index=sysmon EventCode=10 TargetImage="*lsass.exe" '
'NOT SourceImage IN ("*\\csrss.exe","*\\services.exe") '
'| stats count by SourceImage, SourceUser'),
"threshold": 1,
"severity": "critical",
"sla_response": "5 minutes",
},
"ransomware_file_encryption": {
"name": "Ransomware File Encryption Activity",
"technique": "T1486",
"tactic": "impact",
"data_sources": ["Sysmon EventID 11", "Windows Security 4663"],
"splunk_query": ('index=sysmon EventCode=11 '
'| stats dc(TargetFilename) as file_count by Image '
'| where file_count > 100'),
"threshold": 100,
"severity": "critical",
"sla_response": "immediate",
},
}
def get_attack_coverage(techniques_covered):
"""Calculate ATT&CK coverage percentage."""
client = attack_client()
all_techniques = client.get_techniques()
enterprise = [t for t in all_techniques
if any("enterprise-attack" in ref.get("url", "")
for ref in t.get("external_references", []))]
total = len(enterprise)
covered = len(set(techniques_covered))
return {"total_techniques": total, "covered": covered,
"coverage_pct": round(covered / max(total, 1) * 100, 1)}
def map_use_cases_to_attack():
"""Map all use case templates to ATT&CK techniques and tactics."""
tactic_coverage = Counter()
technique_list = []
for uc_id, uc in USE_CASE_TEMPLATES.items():
tactic_coverage[uc["tactic"]] += 1
technique_list.append(uc["technique"])
return {"tactics": dict(tactic_coverage), "techniques": technique_list,
"total_use_cases": len(USE_CASE_TEMPLATES)}
def validate_use_case_data_sources(use_case_id):
"""Validate that required data sources are available for a use case."""
uc = USE_CASE_TEMPLATES.get(use_case_id)
if not uc:
return {"error": f"Use case {use_case_id} not found"}
return {
"use_case": uc["name"],
"required_data_sources": uc["data_sources"],
"validation_note": "Verify these log sources are ingested into SIEM with correct parsing",
}
def generate_sigma_rule(use_case_id):
"""Generate a Sigma detection rule for a use case."""
uc = USE_CASE_TEMPLATES.get(use_case_id)
if not uc:
return None
return {
"title": uc["name"],
"id": f"sigma-{use_case_id}",
"status": "experimental",
"description": f"Detects {uc['name']} mapped to ATT&CK {uc['technique']}",
"references": [f"https://attack.mitre.org/techniques/{uc['technique'].replace('.', '/')}/"],
"tags": [f"attack.{uc['tactic']}", f"attack.{uc['technique'].lower()}"],
"logsource": {"product": "windows", "service": "security"},
"detection": {"condition": "selection"},
"level": uc["severity"],
"falsepositives": ["Legitimate administrative activity"],
}
def run_detection_coverage_report():
"""Generate SIEM detection coverage report."""
print(f"\n{'='*60}")
print(f" SIEM DETECTION USE CASE REPORT")
print(f" Generated: {datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')} UTC")
print(f"{'='*60}\n")
mapping = map_use_cases_to_attack()
print(f"--- USE CASE LIBRARY ({mapping['total_use_cases']} rules) ---")
for uc_id, uc in USE_CASE_TEMPLATES.items():
print(f" [{uc['severity'].upper():>8}] {uc['name']}")
print(f" ATT&CK: {uc['technique']} ({uc['tactic']}) | SLA: {uc['sla_response']}")
print(f"\n--- TACTIC COVERAGE ---")
for tactic, count in sorted(mapping["tactics"].items(), key=lambda x: -x[1]):
bar = "#" * count
print(f" {tactic:<25} {bar} ({count})")
print(f"\n--- ATT&CK COVERAGE ---")
try:
coverage = get_attack_coverage(mapping["techniques"])
print(f" Total Enterprise Techniques: {coverage['total_techniques']}")
print(f" Covered by Use Cases: {coverage['covered']}")
print(f" Coverage Percentage: {coverage['coverage_pct']}%")
except Exception as e:
print(f" Could not calculate coverage: {e}")
print(f"\n--- DATA SOURCE REQUIREMENTS ---")
all_sources = set()
for uc in USE_CASE_TEMPLATES.values():
all_sources.update(uc["data_sources"])
for src in sorted(all_sources):
print(f" - {src}")
print(f"\n{'='*60}\n")
return {"use_cases": mapping, "data_sources": list(all_sources)}
def main():
parser = argparse.ArgumentParser(description="SIEM Use Case Detection Agent")
parser.add_argument("--report", action="store_true", help="Generate detection coverage report")
parser.add_argument("--sigma", help="Generate Sigma rule for use case ID")
parser.add_argument("--validate", help="Validate data sources for use case ID")
parser.add_argument("--output", help="Save report to JSON")
args = parser.parse_args()
if args.report:
report = run_detection_coverage_report()
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
elif args.sigma:
rule = generate_sigma_rule(args.sigma)
print(json.dumps(rule, indent=2) if rule else f"Use case '{args.sigma}' not found")
elif args.validate:
result = validate_use_case_data_sources(args.validate)
print(json.dumps(result, indent=2))
else:
parser.print_help()
if __name__ == "__main__":
main()