Why Map Detections to ATT&CK
Security teams implement hundreds of detection rules, alerts, and monitoring systems. Without organization, you can't effectively assess your actual defensive coverage. Mapping detections to MITRE ATT&CK techniques answers critical questions:
- Which techniques can we detect?
- Which techniques are we blind to?
- Do we have redundant detections for the same technique?
- Are we detecting the right techniques for our threat landscape?
This mapping transforms a collection of disconnected alerts into a coherent defensive strategy aligned with adversary tactics and techniques.
The Mapping Process
Mapping detections to ATT&CK is systematic. For each detection, determine which technique(s) it addresses, then document the mapping.
Step 1: Inventory Your Detections
First, create a complete list of your detections:
- Automated detection rules (SIEM, endpoint detection, network IDS)
- Manual alerts (threshold-based, anomaly-based)
- Specific indicators of compromise
- Hunt rules (systematic searches for suspicious activity)
- Preventive controls (blocked actions, denied access)
This inventory should be comprehensive—document every way you attempt to detect adversary activity.
Step 2: Understand Detection Scope
For each detection, document:
- What indicator or behavior does it look for?
- What systems does it monitor?
- What is the false positive rate?
- How reliable is it?
- What is the detection latency (how quickly does it detect)?
This context helps evaluate detection quality beyond just "technique coverage."
Step 3: Map to Specific Techniques
For each detection, identify which ATT&CK technique(s) it detects. This requires understanding both:
- What the detection looks for
- What techniques map to that behavior
Example mapping:
Detection: "Logon failure rate exceeds threshold on domain controller"
Technique: T1110 (Brute Force)
Comment: Detects brute force attacks against domain accounts

Detection: "PowerShell process with suspicious command line including '-EncodedCommand'"
Technique: T1059.001 (Command and Scripting Interpreter: PowerShell)
Comment: Detects suspicious PowerShell execution
Step 4: Handle Ambiguous Mappings
Some detections might map to multiple techniques. Be specific:
Detection: "Network connection to known malware C2 IP"
Primary Technique: T1071 (Application Layer Protocol)
Secondary Technique: T1090 (Proxy)
Comment: Detects command and control communication; exact technique depends on protocol
Document both primary and secondary mappings rather than forcing one-to-one relationships.
Step 5: Create a Mapping Document
Organize all mappings in a matrix:
| Detection Name | Data Source | Technique | Sub-Technique | Confidence | Latency |
|---|---|---|---|---|---|
| Failed Logon Threshold | Windows Security Log | T1110 | T1110.001 | High | 1 hour |
| PowerShell Suspicious Command | Endpoint Detection | T1059 | T1059.001 | High | 1 second |
| File Encryption Detected | File System Monitoring | T1486 | N/A | High | 1 second |
This matrix becomes your detection coverage map.
Using Detection Maps for Coverage Analysis
Once you've mapped detections to techniques, analyze your coverage:
Identify Covered Techniques
Techniques with multiple detections have redundant coverage, which is usually desirable. Techniques with a single detection have a single point of failure; consider adding another detection. Techniques with no detections are coverage gaps.
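The coverage classification described above, as an added example (not part of the original article), applied to mapping records shaped like the Step 5 matrix plus the multi-technique C2 detection from Step 4. The records, the extra password-spray detection and the list of techniques of interest are constructed for illustration; the code validates technique IDs, credits sub-technique detections to their parent technique, and labels each technique of interest as redundant, single or gap:

```python
"""Validate an ATT&CK detection mapping and classify coverage (added example)."""
import re
from collections import defaultdict

# Constructed mapping records in the shape of the Step 5 matrix. "techniques"
# lists the primary technique first, followed by any secondary techniques.
MAPPINGS = [
    {"detection": "Failed Logon Threshold", "data_source": "Windows Security Log",
     "techniques": ["T1110.001"], "confidence": "High", "latency": "1 hour"},
    {"detection": "Account Lockout Burst", "data_source": "Windows Security Log",
     "techniques": ["T1110.003"], "confidence": "Medium", "latency": "15 minutes"},
    {"detection": "PowerShell Suspicious Command", "data_source": "Endpoint Detection",
     "techniques": ["T1059.001"], "confidence": "High", "latency": "1 second"},
    {"detection": "File Encryption Detected", "data_source": "File System Monitoring",
     "techniques": ["T1486"], "confidence": "High", "latency": "1 second"},
    {"detection": "Known C2 IP Connection", "data_source": "Network IDS",
     "techniques": ["T1071", "T1090"], "confidence": "Medium", "latency": "1 minute"},
]

# Enterprise technique IDs look like T1110 or T1110.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def parent_technique(tid):
    """T1110.001 -> T1110; a parent technique maps to itself."""
    return tid.split(".")[0]


def validate(mappings):
    """Return a list of problems; an empty list means the document is consistent."""
    problems = []
    for m in mappings:
        if not m["techniques"]:
            problems.append(f"{m['detection']}: no technique mapped")
        for tid in m["techniques"]:
            if not TECHNIQUE_ID.match(tid):
                problems.append(f"{m['detection']}: malformed technique id {tid!r}")
    return problems


def coverage(mappings, techniques_of_interest):
    """Classify each technique of interest as 'redundant', 'single' or 'gap'.

    A detection mapped to a sub-technique also counts toward its parent, so a
    T1110.001 detection covers T1110 as well.
    """
    hits = defaultdict(list)
    for m in mappings:
        for tid in m["techniques"]:
            hits[parent_technique(tid)].append(m["detection"])
            if "." in tid:
                hits[tid].append(m["detection"])
    result = {}
    for tid in techniques_of_interest:
        n = len(hits.get(tid, []))
        result[tid] = "redundant" if n > 1 else "single" if n == 1 else "gap"
    return result


if __name__ == "__main__":
    print(validate(MAPPINGS))
    print(coverage(MAPPINGS, ["T1110", "T1110.001", "T1003.001", "T1486"]))
```

Running it against a technique list drawn from your threat model gives the three buckets directly; the validation step catches typos in IDs before they silently become "gaps" in the coverage map.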
Visualize Gaps with ATT&CK Navigator
Import your mapping into the ATT&CK Navigator:
- Create a new layer called "Detection Coverage"
- Color techniques you detect: green
- Color techniques you don't detect: red
- Save the visualization
The color-coded matrix reveals your coverage visually.
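Building the "Detection Coverage" layer programmatically, as an added example that is not part of the original article. The set of detected techniques and the techniques of interest are constructed inputs, and the `versions` values are assumptions that you should set to the Navigator and ATT&CK releases you actually use; the layer keys (`techniqueID`, `color`, `comment`, `enabled`, `legendItems`) follow the Navigator layer format:

```python
"""Generate an ATT&CK Navigator layer from a detection mapping (added example)."""
import json

# Constructed input: technique IDs with at least one mapped detection, and the
# technique IDs you want on the map (e.g. those in your threat model).
DETECTED = {"T1110", "T1110.001", "T1059.001", "T1486", "T1071"}
OF_INTEREST = ["T1110", "T1110.001", "T1059.001", "T1486", "T1071",
               "T1003.001", "T1021.001"]

GREEN = "#31a354"  # detected (color values are arbitrary choices)
RED = "#e34a33"    # no detection


def build_layer(detected, of_interest, name="Detection Coverage"):
    """Return a Navigator layer dict: detected techniques green, gaps red.

    The version numbers below are assumptions; set them to match the
    Navigator release you import the layer into.
    """
    techniques = []
    for tid in sorted(of_interest):
        covered = tid in detected
        techniques.append({
            "techniqueID": tid,
            "color": GREEN if covered else RED,
            "comment": "detected" if covered else "gap",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Green = at least one mapped detection; red = no detection",
        "techniques": techniques,
        "legendItems": [
            {"label": "Detected", "color": GREEN},
            {"label": "Gap", "color": RED},
        ],
    }


def layer_json(detected, of_interest):
    """Serialize the layer for import via the Navigator 'Open Existing Layer' option."""
    return json.dumps(build_layer(detected, of_interest), indent=2)


def coverage_ratio(layer):
    """Fraction of techniques on the layer that are detected."""
    techs = layer["techniques"]
    return sum(t["color"] == GREEN for t in techs) / len(techs)


if __name__ == "__main__":
    print(layer_json(DETECTED, OF_INTEREST))
```

Writing the output to a `.json` file and opening it in the Navigator reproduces the green/red matrix; regenerating the file from the mapping document on a schedule keeps the visualization from drifting away from the actual rule set.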
Prioritize Gap Coverage
Not all gaps are equally important. Prioritize covering gaps based on:
- Threat likelihood: Techniques commonly used against your industry
- Impact: Techniques with high impact if successful
- Capability maturity: Techniques attackers targeting you likely use
- Feasibility: Techniques you can realistically detect given your infrastructure
Asking "Which gap is most important to close first?" is more valuable than closing gaps randomly.
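A weighted ranking of gaps along the four factors listed above, as an added example that is not from the original article. The gap list, the 1-to-5 scores and the weights are constructed placeholders, not figures from any threat report; the one design point worth noting is that a gap scored as not realistically detectable is pushed to the bottom regardless of its other scores:

```python
"""Rank detection gaps by weighted risk factors (added example)."""

# Constructed gap list: each gap carries 1-5 scores for the four factors named
# in the text. The values are illustrative, not from any threat report.
GAPS = [
    {"technique": "T1003.001", "name": "OS Credential Dumping: LSASS Memory",
     "likelihood": 5, "impact": 5, "capability": 4, "feasibility": 4},
    {"technique": "T1021.001", "name": "Remote Services: Remote Desktop Protocol",
     "likelihood": 4, "impact": 3, "capability": 5, "feasibility": 5},
    {"technique": "T1497", "name": "Virtualization/Sandbox Evasion",
     "likelihood": 2, "impact": 2, "capability": 3, "feasibility": 1},
]

# Assumed weights; they sum to 1.0 so scores stay on the 1-5 scale.
WEIGHTS = {"likelihood": 0.35, "impact": 0.30, "capability": 0.20, "feasibility": 0.15}


def gap_score(gap, weights=WEIGHTS):
    """Weighted sum of the factor scores.

    A feasibility of 1 means the gap cannot realistically be closed with the
    current infrastructure, so it scores 0 and sorts last no matter how
    likely or impactful the technique is.
    """
    if gap["feasibility"] <= 1:
        return 0.0
    return sum(gap[k] * w for k, w in weights.items())


def prioritize(gaps, weights=WEIGHTS):
    """Return the gaps ordered from most to least urgent to close."""
    return sorted(gaps, key=lambda g: gap_score(g, weights), reverse=True)


if __name__ == "__main__":
    for g in prioritize(GAPS):
        print(f"{gap_score(g):.2f}  {g['technique']}  {g['name']}")
```

The weights are the part to argue about with your threat intelligence team; the scoring itself is deliberately simple so that the reasoning behind "close this one first" stays explainable to leadership.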
Advanced Mapping Considerations
Coverage vs. Prevention
Distinguish between:
- Detection: Identifying activity after it occurs
- Prevention: Blocking activity before it succeeds
Some "detections" are actually preventions. A firewall rule blocking outbound DNS to external resolvers prevents T1040 (Exfiltration Over Alternative Protocol) but doesn't detect it.
Document both separately. Prevention is better than detection but doesn't provide visibility.
Behavior vs. Tools
Map to techniques, not tools. Rather than "Detects Mimikatz," map to the technique Mimikatz implements.
This matters because:
- Different tools implement the same technique
- The same tool might implement multiple techniques
- Technique-focused mapping survives tool updates
Evasion-Aware Mapping
Some detections are easily evaded. An IDS rule looking for a specific malware signature is evaded by simple code changes.
Behavior-based detection is harder to evade. A detection of "Process accessing lsass memory" is harder to evade than "Mimikatz process creation."
Document evasion resistance alongside your mappings.
False Positive Tuning
Unmapped detections might indicate false positive issues. If a detection generates too many false positives, document that:
Detection: "Large file transfer detected"
Technique: Potential T1020 (Exfiltration Over Alternative Protocol) or T1041 (Exfiltration Over Command and Control Channel)
False Positive Rate: High (legitimate file transfers trigger this)
Note: Consider tuning thresholds or refining detection logic
Building Detections for Unmapped Techniques
Once you've identified coverage gaps, prioritize building detections for critical gaps.
For each critical unmapped technique:
- Research how adversaries implement the technique
- Identify observable behaviors
- Design detection logic
- Tune for your environment
- Validate the detection
- Map it once deployed
This systematic approach prevents ad-hoc detection development.
Coordinating Detection Development
In larger organizations, multiple teams might develop detections independently:
- SIEM team builds correlation rules
- Endpoint team develops EDR rules
- Network team creates IDS signatures
- Security team hunts manually
Mapping creates alignment. All teams reference the same ATT&CK techniques, preventing duplicated effort and ensuring coordinated coverage.
Create a shared mapping document that all teams update. This becomes your single source of truth for coverage.
Detecting Attacker Behaviors vs. Specific Tools
Newer detections focus on behavioral patterns rather than specific tools:
Tool-focused detection (fragile): "Alert if process name is mimikatz.exe"
Behavior-focused detection (robust): "Alert if process opens handle to lsass.exe with PROCESS_VM_READ access"
The second survives tool renames and variants. When mapping, prefer behavioral mappings over tool-specific ones.
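The two rules above run side by side, as an added example that is not part of the original article. The events are constructed records shaped like Sysmon Event ID 10 (ProcessAccess) fields, and the allowlist of known-good source processes is an assumption you would tune for your environment; the point the code makes is that renaming the binary defeats the tool-focused rule but not the behavior-focused one, while the behavior-focused rule also ignores a query-only handle to lsass:

```python
"""Tool-focused vs behavior-focused detection over constructed process-access
events (added example)."""

PROCESS_VM_READ = 0x0010  # Windows process access right

# Constructed events in the shape of Sysmon Event ID 10 (ProcessAccess).
EVENTS = [
    {"SourceImage": r"C:\Tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\u\svc.exe",            # renamed tool, same behavior
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",  # query-only access, benign
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Tools\mimikatz.exe",          # not touching lsass at all
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
]


def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def tool_rule(event):
    """Fragile: fires only on the well-known file name, whatever it does."""
    return image_name(event["SourceImage"]) == "mimikatz.exe"


def behavior_rule(event, allowlist=frozenset({"csrss.exe", "wininit.exe"})):
    """Robust: any process opening lsass with PROCESS_VM_READ, minus an
    assumed allowlist of system processes that legitimately do so."""
    if image_name(event["TargetImage"]) != "lsass.exe":
        return False
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return False
    return image_name(event["SourceImage"]) not in allowlist


def run(events, rule):
    """Source image names of the events a rule fires on."""
    return [image_name(e["SourceImage"]) for e in events if rule(e)]


if __name__ == "__main__":
    print("tool rule:    ", run(EVENTS, tool_rule))
    print("behavior rule:", run(EVENTS, behavior_rule))
```

The tool rule both misses the renamed binary and raises a false positive on the harmless notepad access; the behavior rule fires on exactly the two lsass memory reads. In the mapping document the behavior rule is what gets recorded against T1003.001, with the allowlist noted as a tuning parameter.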
Seasonal Coverage Updates
Threat landscapes change seasonally:
- Phishing campaigns spike before holidays
- Ransomware campaigns target year-end backups
- Nation-states ramp up before elections
Consider seasonal detection adjustments. For example, increase sensitivity for Credential Access techniques before holidays, when people are more likely to click phishing links.
Document these seasonal adjustments in your mapping.
Measuring Detection Maturity
Use mappings to measure your detection program maturity:
Level 1: No mapping; detection program is ad-hoc
Level 2: Partial mapping; most critical techniques mapped
Level 3: Complete coverage mapping; clear gaps identified
Level 4: Actively closing gaps; high coverage for critical techniques
Level 5: Comprehensive coverage; continuous improvement
Track your progression toward higher maturity.
Exporting Mappings
Document your mappings in shareable formats:
CSV Format:
Technique,Sub-Technique,Detection Name,Data Source,Mapped By,Date
T1110,T1110.001,Failed Logon Threshold,Windows Security Log,John Smith,2025-01-31
T1059,T1059.001,PowerShell Suspicious Command,Endpoint Detection,Sarah Jones,2025-01-31
JSON Format:
{
"technique": "T1110",
"sub_technique": "T1110.001",
"detection": "Failed Logon Threshold",
"data_source": "Windows Security Log",
"mapped_by": "John Smith",
"date": "2025-01-31"
}
These formats enable sharing with tools, colleagues, and leadership.
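A converter between the two shapes shown above, as an added example that is not from the original article. The CSV text reuses the sample rows above, the header-to-key table is an assumption that matches the JSON record format, and the parser rejects a file whose required columns are missing rather than producing half-filled records:

```python
"""Round-trip a detection mapping between the CSV and JSON formats (added example)."""
import csv
import io
import json

# Constructed CSV in the format shown above.
CSV_TEXT = """Technique,Sub-Technique,Detection Name,Data Source,Mapped By,Date
T1110,T1110.001,Failed Logon Threshold,Windows Security Log,John Smith,2025-01-31
T1059,T1059.001,PowerShell Suspicious Command,Endpoint Detection,Sarah Jones,2025-01-31
"""

# CSV header -> JSON key, matching the JSON record format above (assumed mapping).
FIELDS = [("Technique", "technique"), ("Sub-Technique", "sub_technique"),
          ("Detection Name", "detection"), ("Data Source", "data_source"),
          ("Mapped By", "mapped_by"), ("Date", "date")]


def csv_to_records(text):
    """Parse CSV text into a list of JSON-shaped dicts; fail on missing columns."""
    reader = csv.DictReader(io.StringIO(text))
    present = reader.fieldnames or []
    missing = [header for header, _ in FIELDS if header not in present]
    if missing:
        raise ValueError(f"CSV is missing columns: {missing}")
    return [{key: row[header].strip() for header, key in FIELDS} for row in reader]


def records_to_csv(records):
    """Serialize records back to CSV with the same header row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([header for header, _ in FIELDS])
    for r in records:
        writer.writerow([r[key] for _, key in FIELDS])
    return out.getvalue()


def records_to_json(records):
    """One JSON array of records, one object per mapping row."""
    return json.dumps(records, indent=2)


if __name__ == "__main__":
    print(records_to_json(csv_to_records(CSV_TEXT)))
```

Keeping the CSV as the human-edited source and generating the JSON from it avoids two copies drifting apart, and the column check turns a silently broken spreadsheet export into an immediate error.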
Tools Supporting Detection Mapping
Several tools automate or support detection mapping:
ATT&CK Navigator: Visualize detection coverage
Splunk: MITRE ATT&CK App for Splunk
Microsoft Sentinel: ATT&CK content integration
CrowdStrike Falcon: Technique mapping in reports
Elastic: ATT&CK mapping in Elastic Security
Check your tools for built-in ATT&CK support.
Conclusion
Mapping detections to MITRE ATT&CK techniques transforms your detection program from a collection of independent rules into a strategic defense aligned with real-world adversary tactics and techniques. Systematically inventory your detections, map each to relevant techniques, and visualize coverage gaps. Prioritize closing critical gaps and continuously improve your mappings as your detection program evolves. This mapping becomes the foundation for objective assessment of your defensive capabilities and helps justify security investments based on threat-aligned prioritization.