Cyber Security Academy · Lesson

Mapping to MITRE ATT&CK

Aligning detections to adversary techniques.

Why Map to ATT&CK

MITRE ATT&CK is a knowledge base of real-world adversary behavior, organized into tactics (the why) and techniques (the how). Mapping detections to ATT&CK gives every rule a shared, structured label.

The payoff:

  • Measure coverage against known adversary behavior
  • Communicate findings in a common vocabulary
  • Prioritize gaps by relevance to your threat model
  • Correlate alerts along an attack chain

Tactics, Techniques, Sub-techniques

ATT&CK has three nested levels:

  • Tactic — the adversary's goal, e.g. Credential Access (TA0006)
  • Technique — a method to achieve it, e.g. OS Credential Dumping (T1003)
  • Sub-technique — a specific variant, e.g. LSASS Memory (T1003.001)

Map as specifically as your detection logic supports. A rule that detects LSASS access should be tagged T1003.001, not just T1003.
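The following is an added example, not part of the lesson: a small checker that applies this rule to detection metadata. It parses Sigma-style ATT&CK tags (attack.t1003.001), flags rules tagged at the technique level where a sub-technique exists, rejects IDs that are not in the catalogue, and counts covered techniques per tactic. The catalogue and rule set are constructed subsets for illustration, not MITRE's full data.

```python
import re
from collections import defaultdict
# Constructed subset of ATT&CK; the real knowledge base is much larger.
CATALOGUE = {
    "T1003": {"tactic": "TA0006", "subs": {"T1003.001", "T1003.002"}},  # OS Credential Dumping
    "T1059": {"tactic": "TA0002", "subs": {"T1059.001"}},               # Command and Scripting Interpreter
    "T1078": {"tactic": "TA0001", "subs": set()},                       # Valid Accounts
}
TAG_RE = re.compile(r"^attack\.(t\d{4})(?:\.(\d{3}))?$")  # Sigma style: attack.t1003 / attack.t1003.001

def parse_tag(tag):
    """Return (technique, sub_technique or None) for a technique tag; None for other tags."""
    m = TAG_RE.match(tag.lower())
    if not m:
        return None  # e.g. tactic tags like attack.credential_access
    tech = m.group(1).upper()
    return tech, (f"{tech}.{m.group(2)}" if m.group(2) else None)

def check_rule(rule):
    """Validate one rule's technique tags; returns findings (empty list means clean)."""
    findings = []
    for tag in rule.get("tags", []):
        if (parsed := parse_tag(tag)) is None:
            continue
        tech, sub = parsed
        entry = CATALOGUE.get(tech)
        if entry is None:
            findings.append(f"{rule['title']}: unknown technique {tech}")
        elif sub is None and entry["subs"]:  # parent tagged although variants exist
            findings.append(f"{rule['title']}: {tech} has sub-techniques; tag the specific variant")
        elif sub is not None and sub not in entry["subs"]:
            findings.append(f"{rule['title']}: unknown sub-technique {sub}")
    return findings

def coverage_by_tactic(rules):
    """Count distinct techniques with at least one rule, grouped by tactic ID."""
    covered = defaultdict(set)
    for rule in rules:
        for tag in rule.get("tags", []):
            if (parsed := parse_tag(tag)) and parsed[0] in CATALOGUE:
                covered[CATALOGUE[parsed[0]]["tactic"]].add(parsed[0])
    return {tactic: len(techs) for tactic, techs in covered.items()}

# Constructed sample rules using Sigma-style tags
RULES = [
    {"title": "LSASS Memory Access", "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Credential Dump (generic)", "tags": ["attack.t1003"]},
    {"title": "Encoded PowerShell", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Typo Rule", "tags": ["attack.t9999"]},
]
```

Running check_rule over each entry in RULES and coverage_by_tactic over the whole set gives a quick gap report: the generic credential-dump rule is flagged for imprecise mapping, the typo is caught, and only two tactics show any coverage.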
