MITRE ATT&CK Mapping
Every Pro, Team, and Enterprise / MSSP analysis maps detections to MITRE ATT&CK techniques and visualizes them on MITRE’s Enterprise matrix. Export to ATT&CK Navigator JSON for cross-team sharing. (“Enterprise matrix” here refers to MITRE’s own taxonomy, not the Intreys tier.)
Opening the overlay
From the sidebar, choose MITRE (or press Ctrl/Cmd + 5). MITRE’s Enterprise matrix renders with detected techniques highlighted by a heat colour:
- Bright cyan — high-confidence detection backed by multiple signals
- Dim cyan — lower-confidence; one signal only
- Outline only — technique is in your saved-hunt scope but no detection fired
Reading a technique cell
Click a highlighted technique to open the detail panel:
- Confidence — 0–1 score from the rule that fired
- Evidence — packet IDs, flows, and hosts that triggered the rule
- Pyramid of Pain class — hash, IP, domain, host artifact, network artifact, tool, TTP
- Sub-techniques — if the rule mapped to a sub-technique, it’s listed
- Suggested action — investigate, isolate, ignore (analyst override)
How techniques are detected
The map_mitre stage runs after detection. Each detection rule declares the techniques it implies. Examples:
| Detection | ATT&CK technique |
|---|---|
| DNS tunneling | T1071.004 Application Layer Protocol: DNS |
| Beacon to known C2 IP | T1071 Application Layer Protocol; T1573 Encrypted Channel |
| SMB lateral movement | T1021.002 Remote Services: SMB/Windows Admin Shares |
| Mimikatz signature in traffic | T1003 OS Credential Dumping |
| Port scan | T1046 Network Service Discovery |
| DGA domain queries | T1568.002 Dynamic Resolution: DGAs |
| Mass file exfil over HTTPS | T1041 Exfiltration Over C2 Channel |
Confidence scoring
Confidence is a weighted average of:
- Detector specificity (rare-signal detectors score higher)
- Number of evidence packets
- Threat-intel corroboration (any IOC matches)
- Pyramid-of-Pain weighting (TTP-class signals weigh more than hash-class)
Exporting to ATT&CK Navigator
From the MITRE view, click Export → Navigator JSON. The download is compatible with attack-navigator.github.io:
- Open ATT&CK Navigator in your browser
- Click Open Existing Layer → Upload from local
- Select the JSON Intreys exported
The layer renders with the same heat-map and includes per-technique notes from your investigation.
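As an added example (not Intreys code), the following Python builds an ATT&CK Navigator layer in the shape described above: each fired detection becomes a technique entry whose score is its 0–1 confidence scaled to 0–100, the bright/dim cyan heat follows the multiple-signal rule, and saved-hunt techniques that did not fire become outline-only entries with a note. The sample detections, colour codes and the `versions` values are constructed assumptions.

```python
import json

# Constructed sample detections (not real Intreys output): technique ID,
# rule confidence in [0, 1], number of independent signals, and evidence.
DETECTIONS = [
    {"technique": "T1071.004", "confidence": 0.92, "signals": 3, "evidence": "flows 41,57; host 10.0.0.12"},
    {"technique": "T1021.002", "confidence": 0.55, "signals": 1, "evidence": "flow 88; host 10.0.0.7"},
    {"technique": "T1046",     "confidence": 0.71, "signals": 2, "evidence": "host 10.0.0.12"},
]
# Constructed saved-hunt coverage scope; T1071.004 is both in scope and detected.
COVERAGE_SCOPE = ["T1568.002", "T1041", "T1071.004"]

def heat_for(det):
    """Bright cyan needs more than one backing signal; a single signal is dim cyan."""
    return "bright" if det["signals"] > 1 else "dim"

def build_layer(detections, scope, name="Intreys export"):
    """Return a Navigator layer dict; detections win over outline-only scope entries."""
    techniques = {}
    for det in detections:
        heat = heat_for(det)
        techniques[det["technique"]] = {
            "techniqueID": det["technique"],
            "score": round(det["confidence"] * 100),   # gradient below runs 0-100
            "color": "#00e5ff" if heat == "bright" else "#66b3bf",  # assumed cyan shades
            "comment": f"{heat} ({det['signals']} signal(s)); evidence: {det['evidence']}",
            "enabled": True,
            "showSubtechniques": True,
        }
    for tid in scope:
        # Outline-only cells: in scope but no detection fired. Score 0 leaves the
        # cell unshaded while the comment records that a hunt covers it.
        techniques.setdefault(tid, {
            "techniqueID": tid, "score": 0, "color": "", "enabled": True,
            "comment": "in saved-hunt scope; no detection fired", "showSubtechniques": True,
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed versions
        "domain": "enterprise-attack",
        "description": "Detections mapped to ATT&CK; score = confidence x 100",
        "gradient": {"colors": ["#ffffff", "#00e5ff"], "minValue": 0, "maxValue": 100},
        "techniques": sorted(techniques.values(), key=lambda t: t["techniqueID"]),
    }

if __name__ == "__main__":
    print(json.dumps(build_layer(DETECTIONS, COVERAGE_SCOPE), indent=2))
```

Save the printed JSON and load it via Open Existing Layer → Upload from local to see detected cells shaded and scope-only cells left outlined.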
Exporting to Sigma rules
Each detection that fires also generates a Sigma rule under Export → Sigma. Useful for pushing rules into your detection-engineering pipeline.
Custom MITRE coverage scope
Mature security teams often want a coverage view rather than a detection view: which techniques would my saved hunts catch, regardless of whether they fired today? Configure under Settings → MITRE → Coverage scope. The matrix can render in coverage, detection, or combined mode.
Limitations
- The mapping is necessarily best-effort — many techniques have no purely network signal.
- ICS-specific techniques (TA0108 Initial Access for ICS, TA0110 Impact for ICS) are mapped on the Team and Enterprise / MSSP tiers when the ICS module is enabled.
- Mobile (M-codes) and Cloud-only (T1078.004) techniques are out of scope for a network-forensics tool.