Skip to main content

Map your Sigma detection rules onto the MITRE ATT&CK matrix and find coverage gaps.

Project description

attack-mapper ๐ŸŽฏ

CI ATT&CK dataset PyPI License: MIT

Map your Sigma detection rules onto the MITRE ATT&CK matrix and find your coverage gaps โ€” fast, offline, and CI-friendly.

Part of a detection-engineering toolkit that pairs perfectly with a Detection-as-Code pipeline (Sigma โ†’ CI โ†’ SIEM). It answers the question every blue team eventually asks: "Which ATT&CK techniques do my rules actually cover, and where are the blind spots?"

Features

  • ๐Ÿ” Extracts ATT&CK technique IDs from Sigma rules via:
    • canonical attack.<id> tags,
    • raw T1059 tags,
    • attack.mitre.org/techniques/... URLs in references:.
  • ๐Ÿ“Š Per-tactic coverage bars + overall coverage ratio in the terminal.
  • ๐ŸŽจ Four HTML styles to show off your coverage:
    • matrix (default) โ€” tactic cards with technique chips,
    • rows โ€” compact tactic progress bars,
    • heat โ€” dense heatmap of every technique,
    • report โ€” print-ready dossier with canonical vertical ATT&CK columns and sub-techniques nested under their parents (PDF it for audits/portfolio).
  • ๐ŸŸข Covered techniques (incl. parent techniques of covered sub-techniques) render green; gaps render red; explicitly ignored ones render grey.
  • ๐Ÿ”Ž Scope filters โ€” --include and --ignore narrow the analysis to the techniques/tactics you care about (or exclude the ones you don't). The active scope is shown in the report so readers know what was filtered.
  • ๐Ÿ… Portfolio badge (--badge) โ€” a shields.io-style SVG coverage badge.
  • ๐Ÿงพ JSON summary (--json) โ€” machine-readable output for dashboards/CI.
  • ๐Ÿงญ ATT&CK Navigator export โ€” every HTML report embeds an "Export layer" button that downloads a ready-to-import Navigator layer.
  • ๐Ÿงฑ Uses the real MITRE ATT&CK enterprise dataset (v19 structure: Stealth + Defense Impairment). Revoked/deprecated techniques are filtered out so the coverage denominator matches the official matrix (15 tactics, 222 techniques, 475 sub-techniques). Shipped as a compact JSON, no network needed at runtime.
  • โœ… Pure Python stdlib + pyyaml; tiny dependency footprint.
  • ๐Ÿค– Non-zero exit when nothing maps โ†’ use it as a CI gate in your detection repo.

Screenshots

report (print-ready dossier) matrix (cards)
report style matrix style

Install

pip install attack-mapper

For development:

python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest

Usage

# Map a folder of Sigma rules, print the terminal report, emit HTML (matrix)
attack-mapper rules/ --html sample/coverage_matrix.html

# Try the other HTML styles
attack-mapper rules/ --html sample/coverage_rows.html  --style rows
attack-mapper rules/ --html sample/coverage_heat.html  --style heat
attack-mapper rules/ --html sample/coverage_report.html --style report

# Scope the analysis: only Execution + T1053, ignore Reconnaissance
attack-mapper rules/ --include T1059 TA0002 --ignore Reconnaissance

# Portfolio artifacts: badge + JSON
attack-mapper rules/ --badge sample/coverage_badge.svg --json sample/coverage.json

Run against the bundled sample rules:

attack-mapper rules/ --html sample/coverage_matrix.html --badge sample/coverage_badge.svg

Why not sigma2attack or DeTT&CT?

Both are excellent and you should know they exist. sigma2attack (from the Sigma tooling) converts Sigma rules into an ATT&CK Navigator heatmap layer โ€” if all you need is a layer file, it does the job. DeTT&CT is the heavyweight: it scores data-source visibility as well as detection coverage, and is the right tool for a mature SOC doing formal capability assessments.

attack-mapper sits in between, optimized for Detection-as-Code pipelines: it runs offline with a bundled dataset, produces self-contained HTML reports you can email or print (plus the Navigator layer, a badge, and JSON), gates CI with its exit code, and supports scope filters for counting only the techniques relevant to your environment. It is also ATT&CK v19-native (Stealth + Defense Impairment) with a scheduled workflow that flags future MITRE updates automatically.

How it works

Sigma rules โ”€โ”€โ–ถ sigma_parser โ”€โ”€โ–ถ technique IDs
                                    โ”‚
ATT&CK DB  โ”€โ”€โ–ถ attack_loader       โ”‚
                                    โ–ผ
            coverage.build_report (with --include/--ignore) โ”€โ”€โ–ถ CoverageReport
                                    โ”‚
            renderers (terminal / HTML matrix|rows|heat)
            plugins  (badge SVG / JSON)

Scope filters

--include and --ignore accept technique IDs (e.g. T1059), sub-technique prefixes (e.g. T1059 also covers T1059.001), tactic shortnames (e.g. execution) or tactic IDs (e.g. TA0002). A covered technique is always recorded as covered even if it falls outside an --include scope, but only in-scope covered techniques count toward the coverage ratio (both numerator and denominator are scoped).

Updating the ATT&CK dataset

The shipped attack_mapper/data/attack_db.json is a snapshot (regenerated automatically by a monthly GitHub Action that fails when MITRE ships an update). To regenerate from the latest official STIX bundle:

curl -L -o enterprise-attack.json \
  https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
ATTACK_MAPPER_STIX=enterprise-attack.json python -m attack_mapper.build_db

You can also run directly off the STIX bundle at runtime by setting ATTACK_MAPPER_STIX.

Project layout

attack-mapper/
โ”œโ”€โ”€ attack_mapper/
โ”‚   โ”œโ”€โ”€ cli.py            # argparse entry point
โ”‚   โ”œโ”€โ”€ sigma_parser.py   # Sigma โ†’ ATT&CK technique IDs
โ”‚   โ”œโ”€โ”€ attack_loader.py  # ATT&CK DB (compact JSON / STIX)
โ”‚   โ”œโ”€โ”€ coverage.py       # coverage + gaps + scope filters
โ”‚   โ”œโ”€โ”€ renderers.py      # terminal table + 4 HTML styles
โ”‚   โ”œโ”€โ”€ plugins.py        # badge SVG + JSON summary
โ”‚   โ”œโ”€โ”€ build_db.py       # regenerate the compact ATT&CK DB
โ”‚   โ””โ”€โ”€ data/attack_db.json  # real ATT&CK (compact, ships with the package)
โ”œโ”€โ”€ rules/                # sample Sigma rules
โ”œโ”€โ”€ sample/               # generated HTML / badge / JSON examples
โ”œโ”€โ”€ tests/                # pytest suite
โ””โ”€โ”€ pyproject.toml

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

attack_mapper-0.4.1.tar.gz (47.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

attack_mapper-0.4.1-py3-none-any.whl (42.9 kB view details)

Uploaded Python 3

File details

Details for the file attack_mapper-0.4.1.tar.gz.

File metadata

  • Download URL: attack_mapper-0.4.1.tar.gz
  • Upload date:
  • Size: 47.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for attack_mapper-0.4.1.tar.gz
Algorithm Hash digest
SHA256 e01e3a3a72b02bcc81995da771f1b8f8a9060f3e6bedb31b6490e81e41a8b298
MD5 ea2439d4c557d96e579ae3a42fc019bb
BLAKE2b-256 86c60e953c4f483d4de616141c8ee7862efa1f35ebbbc824bea2c3c166eaaa9b

See more details on using hashes here.

File details

Details for the file attack_mapper-0.4.1-py3-none-any.whl.

File metadata

  • Download URL: attack_mapper-0.4.1-py3-none-any.whl
  • Upload date:
  • Size: 42.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for attack_mapper-0.4.1-py3-none-any.whl
Algorithm Hash digest
SHA256 b4d46af84e1c74e6e40d8439ed2d4631857b708b6aa1938cb54a565092429037
MD5 d7e1449b9e3ee40c0b81aa3847880c39
BLAKE2b-256 5cdcd88f130b84882f86a8952cd0dbd3c0863ff5305d41181a888dbd07ca239e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page