Skip to main content

Map your Sigma detection rules onto the MITRE ATT&CK matrix and find coverage gaps.

Project description

attack-mapper ๐ŸŽฏ

CI ATT&CK dataset PyPI License: MIT

Map your Sigma detection rules onto the MITRE ATT&CK matrix and find your coverage gaps โ€” fast, offline, and CI-friendly.

Part of a detection-engineering toolkit that pairs perfectly with a Detection-as-Code pipeline (Sigma โ†’ CI โ†’ SIEM). It answers the question every blue team eventually asks: "Which ATT&CK techniques do my rules actually cover, and where are the blind spots?"

Features

  • ๐Ÿ” Extracts ATT&CK technique IDs from Sigma rules via:
    • canonical attack.<id> tags,
    • raw T1059 tags,
    • attack.mitre.org/techniques/... URLs in references:.
  • ๐Ÿ“Š Per-tactic coverage bars + overall coverage ratio in the terminal.
  • ๐ŸŽจ Four HTML styles to show off your coverage:
    • matrix (default) โ€” tactic cards with technique chips,
    • rows โ€” compact tactic progress bars,
    • heat โ€” dense heatmap of every technique,
    • report โ€” print-ready dossier with canonical vertical ATT&CK columns and sub-techniques nested under their parents (PDF it for audits/portfolio).
  • ๐ŸŸข Covered techniques (incl. parent techniques of covered sub-techniques) render green; gaps render red; explicitly ignored ones render grey.
  • ๐Ÿ”Ž Scope filters โ€” --include and --ignore narrow the analysis to the techniques/tactics you care about (or exclude the ones you don't). The active scope is shown in the report so readers know what was filtered.
  • ๐Ÿ… Portfolio badge (--badge) โ€” a shields.io-style SVG coverage badge.
  • ๐Ÿงพ JSON summary (--json) โ€” machine-readable output for dashboards/CI.
  • ๐Ÿงญ ATT&CK Navigator export โ€” every HTML report embeds an "Export layer" button that downloads a ready-to-import Navigator layer.
  • ๐Ÿงฑ Uses the real MITRE ATT&CK enterprise dataset (v19 structure: Stealth + Defense Impairment). Revoked/deprecated techniques are filtered out so the coverage denominator matches the official matrix (15 tactics, 222 techniques, 475 sub-techniques). Shipped as a compact JSON, no network needed at runtime.
  • โœ… Pure Python stdlib + pyyaml; tiny dependency footprint.
  • ๐Ÿค– Non-zero exit when nothing maps โ†’ use it as a CI gate in your detection repo.

Screenshots

report (print-ready dossier) matrix (cards)
report style matrix style

Install

pip install attack-mapper

For development:

python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest

Usage

# Map a folder of Sigma rules, print the terminal report, emit HTML (matrix)
attack-mapper rules/ --html sample/coverage_matrix.html

# Try the other HTML styles
attack-mapper rules/ --html sample/coverage_rows.html  --style rows
attack-mapper rules/ --html sample/coverage_heat.html  --style heat
attack-mapper rules/ --html sample/coverage_report.html --style report

# Scope the analysis: only Execution + T1053, ignore Reconnaissance
attack-mapper rules/ --include T1059 TA0002 --ignore Reconnaissance

# Portfolio artifacts: badge + JSON
attack-mapper rules/ --badge sample/coverage_badge.svg --json sample/coverage.json

Run against the bundled sample rules:

attack-mapper rules/ --html sample/coverage_matrix.html --badge sample/coverage_badge.svg

Why not sigma2attack or DeTT&CT?

Both are excellent and you should know they exist. sigma2attack (from the Sigma tooling) converts Sigma rules into an ATT&CK Navigator heatmap layer โ€” if all you need is a layer file, it does the job. DeTT&CT is the heavyweight: it scores data-source visibility as well as detection coverage, and is the right tool for a mature SOC doing formal capability assessments.

attack-mapper sits in between, optimized for Detection-as-Code pipelines: it runs offline with a bundled dataset, produces self-contained HTML reports you can email or print (plus the Navigator layer, a badge, and JSON), gates CI with its exit code, and supports scope filters for counting only the techniques relevant to your environment. It is also ATT&CK v19-native (Stealth + Defense Impairment) with a scheduled workflow that flags future MITRE updates automatically.

How it works

Sigma rules โ”€โ”€โ–ถ sigma_parser โ”€โ”€โ–ถ technique IDs
                                    โ”‚
ATT&CK DB  โ”€โ”€โ–ถ attack_loader       โ”‚
                                    โ–ผ
            coverage.build_report (with --include/--ignore) โ”€โ”€โ–ถ CoverageReport
                                    โ”‚
            renderers (terminal / HTML matrix|rows|heat)
            plugins  (badge SVG / JSON)

Scope filters

--include and --ignore accept technique IDs (e.g. T1059), sub-technique prefixes (e.g. T1059 also covers T1059.001), tactic shortnames (e.g. execution) or tactic IDs (e.g. TA0002). A covered technique is always recorded as covered even if it falls outside an --include scope, but only in-scope covered techniques count toward the coverage ratio (both numerator and denominator are scoped).

Updating the ATT&CK dataset

The shipped attack_mapper/data/attack_db.json is a snapshot (regenerated automatically by a monthly GitHub Action that fails when MITRE ships an update). To regenerate from the latest official STIX bundle:

curl -L -o enterprise-attack.json \
  https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
ATTACK_MAPPER_STIX=enterprise-attack.json python -m attack_mapper.build_db

You can also run directly off the STIX bundle at runtime by setting ATTACK_MAPPER_STIX.

Project layout

attack-mapper/
โ”œโ”€โ”€ attack_mapper/
โ”‚   โ”œโ”€โ”€ cli.py            # argparse entry point
โ”‚   โ”œโ”€โ”€ sigma_parser.py   # Sigma โ†’ ATT&CK technique IDs
โ”‚   โ”œโ”€โ”€ attack_loader.py  # ATT&CK DB (compact JSON / STIX)
โ”‚   โ”œโ”€โ”€ coverage.py       # coverage + gaps + scope filters
โ”‚   โ”œโ”€โ”€ renderers.py      # terminal table + 4 HTML styles
โ”‚   โ”œโ”€โ”€ plugins.py        # badge SVG + JSON summary
โ”‚   โ”œโ”€โ”€ build_db.py       # regenerate the compact ATT&CK DB
โ”‚   โ””โ”€โ”€ data/attack_db.json  # real ATT&CK (compact, ships with the package)
โ”œโ”€โ”€ rules/                # sample Sigma rules
โ”œโ”€โ”€ sample/               # generated HTML / badge / JSON examples
โ”œโ”€โ”€ tests/                # pytest suite
โ””โ”€โ”€ pyproject.toml

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

attack_mapper-0.4.0.tar.gz (47.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

attack_mapper-0.4.0-py3-none-any.whl (42.9 kB view details)

Uploaded Python 3

File details

Details for the file attack_mapper-0.4.0.tar.gz.

File metadata

  • Download URL: attack_mapper-0.4.0.tar.gz
  • Upload date:
  • Size: 47.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for attack_mapper-0.4.0.tar.gz
Algorithm Hash digest
SHA256 a9c1f0d098e7a987a48b5654fe4dcb63531089a79b8c3b5036db02246ebbae66
MD5 c386efe154d99bed2aaabcdcb8b2acf8
BLAKE2b-256 32d0f0f4c5fbe796d38f01e40de486e4e9e9a43181609961571bbb23aff1ef93

See more details on using hashes here.

File details

Details for the file attack_mapper-0.4.0-py3-none-any.whl.

File metadata

  • Download URL: attack_mapper-0.4.0-py3-none-any.whl
  • Upload date:
  • Size: 42.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for attack_mapper-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 48a7790ca5d50213abcc178649b22eb13b0f1fb2c3faedd414103af5bb66faa9
MD5 cbbc188bb53ab9fb77e6132c2cbb9ab1
BLAKE2b-256 23db9c86e2cbc7de41d6b977f1d890185ca91baaa6ec1339f4744e635adf61bc

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page