MITRE ATT&CK Mapper
Overview
Documents SIEM alert logic and maps alerts to MITRE ATT&CK® techniques (DE.AE). Suggests Detection Logic (e.g. Sigma rules) for Process Injection, Credential Dumping, and related threats, and validates Threshold and Suppression/Contextualization to reduce alert fatigue. One built-in validation tool runs on the detection documentation to flag alerts that lack Suppression or Contextualization and may therefore cause alert fatigue.
Example Conversation
You: We want to document our SIEM alerts and map them to MITRE ATT&CK. Can you draft detection logic for “Suspicious LSASS access” and “Process injection from Office”, and run the alert fatigue check?
Agent: I’ll use the MITRE ATT&CK Mapper. I’ll map LSASS access to T1003 (Credential Dumping) and process injection from Office to T1055 (Process Injection), add Sigma-style detection logic and thresholds, then document Suppression/Contextualization so the validator passes. Creating detection-logic-de-ae.md.
Agent: (Adds alert sections with technique IDs, detection conditions, and threshold. Adds a Suppression section for dev/test hosts and a Contextualization step: “Correlate with EDR; escalate only if not from approved admin tool.”) Running alert_fatigue_reducer on the draft…
Agent: Result of alert_fatigue_reducer:
— ALERT FATIGUE REDUCER (DE.AE) —
Result: PASS
Alerts/detections reviewed: 2. With Threshold (or similar) documented: 2.
All detected alert sections with Threshold have Suppression or Contextualization documented.
The detection doc is ready. Both alerts are mapped to ATT&CK, have clear thresholds, and include suppression or contextualization to reduce false positives.
Output Excerpt
After the agent drafts the detection logic and the reducer passes, a typical document includes alert names, MITRE ATT&CK mapping, detection logic, threshold, and suppression or contextualization. Excerpt:
# Detection logic — DE.AE (Alert documentation)
## Alert: Suspicious LSASS access
**MITRE ATT&CK:** T1003.001 (LSASS Memory)
**Detection logic:** Windows Security event 10 (Process Access) where TargetImage contains `lsass.exe` and CallTrace or SourceImage suggests non-system tool. Sigma rule: `sigma/rules/windows/process_access/process_creation_win_lsass_access.yml`.
**Threshold:** Fire when count ≥ 1 in 5 minutes from same host (no aggregation across hosts).
**Suppression:** Exclude: dev and test OU; allowlist: known admin and backup tools (e.g. CrowdStrike, Wireshark debug). Disable in canary for first 2 weeks.
**Contextualization:** Before escalation: correlate with EDR; if the accessing process is an approved security/backup product, add context and do not escalate to L2.
---
## Alert: Process injection from Office
**MITRE ATT&CK:** T1055 (Process Injection)
**Detection logic:** Process creation where parent is WINWORD.EXE or EXCEL.EXE and child is not a known Office subprocess; or cross-process memory write from Office PID. Sigma: `sigma/rules/windows/process_creation/win_office_shell.yml`.
**Threshold:** Fire when count ≥ 1 per host per hour (reduce noise from macros).
**Contextualization:** Enrich with parent command line; if macro or add-in is signed and in allowlist, annotate and route to low priority. Otherwise escalate to L2.
The validation script would report PASS because both alerts have Threshold and at least one of Suppression or Contextualization documented.
Extension Tools and Validations
The skill includes one validation tool that runs on the detection logic document (Markdown or text).
alert_fatigue_reducer evaluates whether each documented alert has both a defined Threshold and either Suppression or Contextualization, to avoid overly sensitive alerts that drive alert fatigue:
- Alert section detection — Finds blocks that look like alert or detection entries: headings (e.g. `## Alert: …`, `### Detection`) or list items like “Alert: …” or “Detection: …”. Also treats blocks that mention “MITRE”, “ATT&CK”, or technique IDs (e.g. T1…) as alert-related.
- Threshold check — For each such block, looks for “threshold”, “count”, “within N”, “aggregat”, “triggers when”, “fires when”, or similar phrasing indicating when the alert fires.
- Suppression / Contextualization check — Looks for “suppression”, “suppress”, “exclusion”, “allowlist”, “whitelist”, “disabled in”, “exclude”, or “contextualization”, “context” (together with step/reduce/noise/escalat), “additional context”, “enrichment”, “correlation”.
- Result — PASS only when every alert section that has Threshold also has at least one of Suppression or Contextualization. FAIL otherwise; the report lists which alerts are missing Suppression or Contextualization so you can add exclusions, allowlists, or context steps before deployment.
If the document has no structured alert sections, the tool falls back to a document-level check: if “threshold” (or equivalent) appears but neither “suppression” nor “contextualization” (or equivalents) appears, it reports FAIL with guidance to add at least one.
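The checks described above, written out as a small validator so the pass/fail logic can be exercised on a real draft. This is an added illustration, not the skill's own alert_fatigue_reducer; the keyword families and section heuristics are taken from the description on this page, the regular expressions and function names are my own, and the sample document is constructed.

```python
import re
# Keyword families from the alert_fatigue_reducer description on this page.
THRESHOLD_RE = re.compile(r"threshold|\bcount\b|within \d+|aggregat|triggers when|fires when", re.I)
SUPPRESSION_RE = re.compile(r"suppress|exclusion|exclude|allowlist|whitelist|disabled in", re.I)
CONTEXT_RE = re.compile(r"contextualization|additional context|enrichment|correlation"
                        r"|context\b.*?(step|reduce|noise|escalat)", re.I | re.S)
ALERT_MARK_RE = re.compile(r"^\s*(?:#{1,6}\s*|[-*]\s+)?(?:Alert|Detection)\s*(?::|$)", re.I)
HEADING_RE = re.compile(r"^\s*#{1,6}\s")
TECHNIQUE_RE = re.compile(r"MITRE|ATT&CK|\bT1\d{3}\b", re.I)

def alert_sections(doc):
    """Split at headings or 'Alert:'/'Detection:' items; keep alert-related blocks."""
    blocks, current = [], None
    for line in doc.splitlines():
        if HEADING_RE.match(line) or ALERT_MARK_RE.match(line):
            current = [line]          # a new block starts at every heading / alert marker
            blocks.append(current)
        elif current is not None:
            current.append(line)
    # A block counts as an alert if its marker says so or it references ATT&CK / T1xxx.
    return [(b[0].strip("#-* ").strip(), "\n".join(b)) for b in blocks
            if ALERT_MARK_RE.match(b[0]) or TECHNIQUE_RE.search("\n".join(b))]

def alert_fatigue_reducer(doc):
    """Return (status, reviewed, with_threshold, missing), mirroring the report fields."""
    sections = alert_sections(doc)
    def has_control(text):
        return bool(SUPPRESSION_RE.search(text) or CONTEXT_RE.search(text))
    if not sections:  # no structured alert sections: document-level fallback check
        has_thr = bool(THRESHOLD_RE.search(doc))
        return ("FAIL" if has_thr and not has_control(doc) else "PASS", 0, int(has_thr), [])
    with_thr, missing = 0, []
    for name, text in sections:
        if THRESHOLD_RE.search(text):
            with_thr += 1
            if not has_control(text):  # threshold without suppression/context -> fatigue risk
                missing.append(name)
    return ("FAIL" if missing else "PASS", len(sections), with_thr, missing)

# Constructed sample: the first alert is fully documented, the second lacks any control.
SAMPLE_DOC = """# Detection logic — DE.AE
## Alert: Suspicious LSASS access
**MITRE ATT&CK:** T1003.001
**Threshold:** Fire when count >= 1 in 5 minutes from same host.
**Suppression:** Exclude dev/test OU; allowlist approved backup tools.
## Alert: Process injection from Office
**MITRE ATT&CK:** T1055
**Threshold:** Fire when count >= 1 per host per hour.
"""
```

On SAMPLE_DOC the function returns FAIL and names the Office alert as the one missing Suppression or Contextualization; appending a Contextualization line to that section turns the result into PASS.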
Run this tool after drafting or updating detection logic documentation and address any flagged alerts before rolling out to SIEM.
Getting Started
Add your alert list or existing detection docs to the project workspace and activate the MITRE ATT&CK Mapper skill. The agent will map alerts to MITRE ATT&CK techniques, suggest Detection Logic (e.g. Sigma), and document Threshold and Suppression/Contextualization. Run alert_fatigue_reducer on the draft and refine any flagged alerts until the report shows PASS.