1. MITRE CTI Data
Pulls the latest enterprise-attack.json from github.com/mitre-attack/attack-stix-data. Cached in your browser (IndexedDB) after the first load.
How to use this tab + Quick start workflow
Quick start (the whole app in 4 steps)
- Tab 1 (here): load ATT&CK data; this happens automatically on first visit, click Load / Refresh to update. Or click Run a sample assessment end-to-end for a one-click demo of the whole flow.
- Tab 2, Log Inventory: every log source starts disabled by default. Tick each channel (sysmon/1, windows-security/4624, …) you collect and set a 0–5 quality score. Scores flow up the chain Log Source → Component → Analytic → Detection Strategy → Technique. If your SIEM has a detection the chain can't auto-validate, jump to tab 4 and tick the strategy's "covered" box to claim manual coverage.
- Tab 5, Threats: tick the threat-actor groups (APT29, FIN7, …) you care about.
- Tab 6, Coverage: see which threats you can detect and where the gaps are. Export a Navigator layer for a heatmap.
This tab specifically: loads the STIX bundle. Pick a domain (Enterprise is the default), click Load / Refresh. If GitHub is blocked the app automatically falls back to the bundled offline ATT&CK fixture; you'll see a banner explaining the fallback. Optional: upload a local STIX bundle for air-gapped or pinned-version use, or click the Sample mini-bundle link to kick the tires.
2. Log Inventory
Score each log source you collect (0 = none, 5 = excellent). Log sources roll up to data components and on through analytics → detection strategies → techniques. Saved to your browser automatically.
How to use this tab
What it does: the single place where you tell the app "here's the telemetry I collect." Every other tab derives its numbers from what you score here.
Steps:
- Group by defaults to Log source name (sysmon, windows-security, powershell, …). Switch to Data component if you'd rather see channels grouped by what they detect.
- Expand a name banner to list every event-code channel (e.g. sysmon/1, sysmon/3, sysmon/11).
- Set a 0–5 score on each channel (0 = not collected, 5 = excellent quality / full retention).
- Use the enabled checkbox to park a feed without losing the saved score (useful for "we have this but it's down for maintenance").
- Use "+ Add channel under <name>" to add new event codes inline. If the channel matches a known bundle log source it merges in and immediately drives coverage.
- Use "+ Add log source by hand" (top of tab) for arbitrary tuples: vendor-specific event IDs, Sigma product/category/service strings, or any custom SIEM index.
- Import a sample inventory to see realistic numbers fast; four bundled personas (mature enterprise, cloud SaaS, network MSSP, greenfield startup) cover the spectrum.
Capabilities: import / export YAML or JSON, four bundled persona examples, per-row × remove on custom entries, "Reset" wipes your inventory and clears localStorage.
+ Add log source by hand (event ID / channel / SIEM-specific)
Useful when your tool emits a log under a different name than the bundle's defaults, e.g. winlogbeat / Security/4688, edr-vendor / process_creation, or a Sigma-style product/category/service. If the (name, channel) matches a log source the bundle already knows about, your score lands on that record and immediately drives coverage. Otherwise it's stored as a custom entry so you can keep track of it.
Map to data components
If your tuple doesn't match a known bundle log source, scoring it alone won't drive coverage. Tick the data components this feed actually observes (Process Creation, Logon Session Creation, etc.) and the score will project onto them.
2. Log Inventory merged preview
Single place to score channels, watch the analytic / detection-strategy / TTP chain light up, and see what threats you can detect.
Data flow diagram
Auto-generated from your selections: Data Component → Log Source → Channel → Analytic → Strategy → Technique. Greyed nodes are incomplete chains.
Inventory
Analytics
Detection strategies
Detected TTPs
3. Data Components
Flat list of every ATT&CK data component. The score on the right is the maximum score across the log sources that feed this component (set on tab 2). Use it to spot collection gaps quickly.
How to use this tab
What it does: read-only roll-up. Every ATT&CK data component (Process Creation, File Modification, Logon Session, …) shows the count of log sources that feed it, the count of analytics that reference it, and the effective score derived from your inventory.
Steps:
- Score log sources on tab 2; those scores propagate here automatically.
- Filter by name / source or by score bucket above the table.
- Components with score 0 are the immediate collection gaps; bring them up by scoring at least one of the log sources listed in the row meta.
Capabilities: name + source filter, score-bucket filter, sort by score then source name. The stat cards at the top summarise total / covered / good / uncovered counts plus the bundle's total log sources and analytics.
4. Detection strategies
Detection strategies (top) bundle one or more analytics, each tied to specific log sources. Lit strategies surface the techniques you can detect (table below).
How to use this tab
What it does: shows every x-mitre-detection-strategy in the loaded bundle and the techniques they unlock. A strategy is "lit" iff at least one of its analytics is lit; an analytic is "lit" iff every required log source has score > 0.
Steps:
- Read the strategy summary cards at the top: green border = chain-lit, green dotted border = manually claimed coverage, dim = unlit. Each card lists the analytics it bundles, how many log sources are required, and how many techniques it detects.
- "covered" checkbox per strategy: if your SIEM / EDR has a detection in place for this strategy even though the bundle's analytic spec wouldn't auto-light from your log scores, tick it to claim manual coverage. Useful for "we have a custom Splunk rule that catches this even though the analytic wants log sources we don't ship." Lights the strategy at score 5.
- "enabled" checkbox per strategy: park a strategy you don't intend to run; it's hidden from coverage entirely (overrides any "covered" claim).
- Pick the Analytic score aggregator: min = strict (a chain is only as strong as its weakest log source); avg = lenient.
- Scroll to the technique table β score / coverage ratio / lit/partial badges per technique. Filter by tactic or coverage class.
- Click the risk-accept toggle on any technique row to mark it risk accepted (acknowledged gap). It moves out of Uncovered and into the Risk accepted bucket.
- Use Download detections Navigator layer to export a heatmap.
Capabilities: tactic + coverage filters, min/avg aggregator toggle, per-strategy park / claim-coverage toggles, per-technique risk-accept toggle, Navigator layer export.
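The roll-up that tabs 2, 3 and 4 describe, written out as an added example (this is not the app's own code). It uses simplified object shapes that are an assumption here, not the bundle's STIX x-mitre-* schemas: a constructed inventory of scored channels, a constructed bundle fragment of components, analytics and strategies, and the rules from the text: a component's score is the max over its feeding log sources, an analytic is lit iff every required log source scores above 0 (aggregated with min or avg), a strategy is lit iff any analytic is lit, a "covered" claim lights it at 5, and an unticked "enabled" hides it and overrides the claim. The technique status thresholds (lit / partial / unlit by ratio) are also an assumption.

```javascript
// Added example (not the app's own code): the roll-up the help text for tabs
// 2-4 describes, written against simplified object shapes that are an
// assumption here, not the bundle's STIX x-mitre-* schemas.

// Constructed inventory: "name/channel" -> 0-5 score and the enabled flag.
const inventory = {
  "sysmon/1":              { score: 4, enabled: true },
  "windows-security/4688": { score: 2, enabled: true },
  "windows-security/4624": { score: 5, enabled: false }, // parked for maintenance
  "sysmon/3":              { score: 0, enabled: true },  // listed but not collected
};

// Constructed bundle fragment: which log sources feed each data component,
// which log sources each analytic requires, which analytics each strategy
// bundles and which techniques it detects.
const bundle = {
  components: {
    "Process Creation":            ["sysmon/1", "windows-security/4688"],
    "Logon Session Creation":      ["windows-security/4624"],
    "Network Connection Creation": ["sysmon/3"],
  },
  analytics: {
    "AN-proc":  ["sysmon/1", "windows-security/4688"],
    "AN-logon": ["windows-security/4624"],
    "AN-c2":    ["sysmon/1", "sysmon/3"],
  },
  strategies: {
    "DET-exec":    { analytics: ["AN-proc"],  techniques: ["T1059", "T1204"] },
    "DET-lateral": { analytics: ["AN-logon"], techniques: ["T1021"] },
    "DET-c2":      { analytics: ["AN-c2"],    techniques: ["T1071", "T1059"] },
  },
};

// A parked (enabled = false) channel contributes 0 but keeps its saved score.
function effectiveScore(inv, source) {
  const entry = inv[source];
  return entry && entry.enabled ? entry.score : 0;
}

// Tab 3: a component's score is the max across the log sources feeding it.
function componentScores(inv, bundle) {
  const out = {};
  for (const [component, sources] of Object.entries(bundle.components)) {
    out[component] = Math.max(0, ...sources.map((s) => effectiveScore(inv, s)));
  }
  return out;
}

// Tab 4: an analytic is lit iff every required log source scores > 0;
// "min" is the strict aggregator, "avg" the lenient one.
function analyticScore(inv, sources, aggregator) {
  const scores = sources.map((s) => effectiveScore(inv, s));
  if (scores.length === 0 || scores.some((s) => s === 0)) return 0;
  return aggregator === "avg"
    ? scores.reduce((a, b) => a + b, 0) / scores.length
    : Math.min(...scores);
}

// A strategy is lit iff at least one analytic is lit (its score is the best
// analytic's score, an assumption). A manual "covered" claim lights it at 5;
// unticking "enabled" (parked) hides it entirely and overrides any claim.
function strategyScores(inv, bundle, opts = {}) {
  const { aggregator = "min", covered = new Set(), parked = new Set() } = opts;
  const out = {};
  for (const [id, strat] of Object.entries(bundle.strategies)) {
    if (parked.has(id)) continue;
    if (covered.has(id)) { out[id] = 5; continue; }
    const scores = strat.analytics.map((a) => analyticScore(inv, bundle.analytics[a] || [], aggregator));
    out[id] = Math.max(0, ...scores);
  }
  return out;
}

// Per technique: score = best lit strategy, ratio = lit / total strategies
// that detect it, status lit / partial / unlit (thresholds are an assumption).
function techniqueCoverage(bundle, stratScores) {
  const out = {};
  for (const [id, strat] of Object.entries(bundle.strategies)) {
    if (!(id in stratScores)) continue; // parked strategies never count
    for (const t of strat.techniques) {
      const row = out[t] || (out[t] = { score: 0, lit: 0, total: 0 });
      row.total += 1;
      if (stratScores[id] > 0) {
        row.lit += 1;
        row.score = Math.max(row.score, stratScores[id]);
      }
    }
  }
  for (const row of Object.values(out)) {
    row.ratio = row.lit / row.total;
    row.status = row.lit === 0 ? "unlit" : row.lit === row.total ? "lit" : "partial";
  }
  return out;
}

console.log(techniqueCoverage(bundle, strategyScores(inventory, bundle)));
```

With the constructed data, T1059 comes out partial (one of its two strategies is lit) under min, DET-exec scores 2 under min but 3 under avg, and parking DET-c2 turns T1059 into fully lit because the parked strategy no longer counts toward its total.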
Detection strategies in this bundle (0)
5. Threats
Pick the MITRE ATT&CK threat-actor groups (e.g. APT29, FIN7) you care about. The next tab compares their techniques against your detection coverage.
How to use this tab
What it does: picks intrusion-set STIX objects (threat-actor groups) so the Coverage tab can cross-reference them against your detections.
Steps:
- Tick groups in the list, OR import a YAML file of groups (see Samples).
- Filter the list by name, alias, or ATT&CK ID (e.g. G0016).
- Move to tab 6 (Coverage) to see what your inventory does and doesn't catch for the picked groups.
Capabilities: bundled threat-set samples (mixed, ransomware, state APTs, financial), import / export YAML, Clear selection.
6. Coverage
Cross-references the techniques used by the threat groups you picked against your detection strategies. Gaps are techniques those groups use that your inventory can't catch.
How to use this tab
What it does: turns "what threats do we worry about?" + "what telemetry do we have?" into a prioritised gap list.
Steps:
- Make sure you've scored an inventory on tab 2 and ticked at least one group on tab 5.
- Read the stat cards: Threat techniques = total your selected groups use; Covered = you'd detect; Partial = you'd detect some occurrences; Gaps = you can detect in principle but don't; Undetectable = no detections defined in the bundle for it; Risk accepted = you've explicitly acknowledged the gap on tab 4.
- Filter by status to focus on gaps or partials.
- Download Threat-groups overlay (score = number of selected groups using each technique) or Gap layer (score = uncovered weight × group count) Navigator layers.
Capabilities: per-status filtering, two distinct Navigator-layer exports.
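An added example (not the app's own code) that serves both the tab 1 bundle description and this Coverage tab: it walks STIX "uses" relationships from intrusion-set to attack-pattern objects to build the group → technique map, then buckets the selected groups' techniques into the five statuses the stat cards describe and computes the two Navigator-layer scores. The bundle is a constructed fragment that uses real STIX/ATT&CK field names but invented object ids; the coverage map stands in for the tab 4 roll-up output and its shape ({status, ratio} per technique) is an assumption, as is "uncovered weight" = 1 minus the coverage ratio.

```javascript
// Added example (not the app's own code). Constructed STIX fragment: real
// field names (external_references / source_name / external_id,
// relationship_type, source_ref, target_ref, revoked), invented object ids.
const stixBundle = {
  type: "bundle",
  id: "bundle--constructed-example",
  objects: [
    { type: "intrusion-set", id: "intrusion-set--g1", name: "APT29",
      external_references: [{ source_name: "mitre-attack", external_id: "G0016" }] },
    { type: "intrusion-set", id: "intrusion-set--g2", name: "FIN7",
      external_references: [{ source_name: "mitre-attack", external_id: "G0046" }] },
    { type: "attack-pattern", id: "attack-pattern--t1", name: "Command and Scripting Interpreter",
      external_references: [{ source_name: "mitre-attack", external_id: "T1059" }] },
    { type: "attack-pattern", id: "attack-pattern--t2", name: "Application Layer Protocol",
      external_references: [{ source_name: "mitre-attack", external_id: "T1071" }] },
    { type: "attack-pattern", id: "attack-pattern--t3", name: "Remote Services",
      external_references: [{ source_name: "mitre-attack", external_id: "T1021" }] },
    { type: "attack-pattern", id: "attack-pattern--t4", name: "Phishing",
      external_references: [{ source_name: "mitre-attack", external_id: "T1566" }] },
    { type: "relationship", id: "relationship--r1", relationship_type: "uses",
      source_ref: "intrusion-set--g1", target_ref: "attack-pattern--t1" },
    { type: "relationship", id: "relationship--r2", relationship_type: "uses",
      source_ref: "intrusion-set--g1", target_ref: "attack-pattern--t2" },
    { type: "relationship", id: "relationship--r3", relationship_type: "uses",
      source_ref: "intrusion-set--g1", target_ref: "attack-pattern--t3" },
    { type: "relationship", id: "relationship--r4", relationship_type: "uses",
      source_ref: "intrusion-set--g2", target_ref: "attack-pattern--t1" },
    { type: "relationship", id: "relationship--r5", relationship_type: "uses",
      source_ref: "intrusion-set--g2", target_ref: "attack-pattern--t4" },
    { type: "relationship", id: "relationship--r6", relationship_type: "uses", revoked: true,
      source_ref: "intrusion-set--g2", target_ref: "attack-pattern--t3" }, // revoked: must be ignored
  ],
};

// Assumed shape of the tab-4 roll-up output for the techniques the bundle
// defines detections for; anything absent here is "undetectable".
const coverage = {
  T1059: { status: "partial", ratio: 0.5 },
  T1204: { status: "lit", ratio: 1 },
  T1021: { status: "unlit", ratio: 0 },
  T1071: { status: "unlit", ratio: 0 },
};

// The ATT&CK ID (G0016, T1059, ...) lives in the "mitre-attack" external reference.
function attackId(obj) {
  const ref = (obj.external_references || []).find((r) => r.source_name === "mitre-attack");
  return ref ? ref.external_id : null;
}

function isLive(obj) {
  return !obj.revoked && !obj.x_mitre_deprecated;
}

// Group ATT&CK ID -> Set of technique IDs, following live "uses" relationships only.
function groupTechniques(bundle) {
  const byStixId = new Map();
  for (const o of bundle.objects) if (isLive(o)) byStixId.set(o.id, o);
  const out = {};
  for (const o of bundle.objects) {
    if (o.type !== "relationship" || o.relationship_type !== "uses" || !isLive(o)) continue;
    const src = byStixId.get(o.source_ref), dst = byStixId.get(o.target_ref);
    if (!src || !dst || src.type !== "intrusion-set" || dst.type !== "attack-pattern") continue;
    const g = attackId(src), t = attackId(dst);
    if (g && t) (out[g] || (out[g] = new Set())).add(t);
  }
  return out;
}

// Bucket every technique the selected groups use, counting groups per technique.
function classify(coverage, groupMap, selectedGroups, riskAccepted = new Set()) {
  const rows = {};
  for (const g of selectedGroups) {
    for (const t of groupMap[g] || []) {
      const row = rows[t] || (rows[t] = { groups: 0, status: null, ratio: 0 });
      row.groups += 1;
    }
  }
  for (const [t, row] of Object.entries(rows)) {
    const cov = coverage[t];
    row.ratio = cov ? cov.ratio : 0;
    if (riskAccepted.has(t)) row.status = "risk accepted";   // acknowledged on tab 4
    else if (!cov) row.status = "undetectable";              // bundle defines no detection
    else if (cov.status === "lit") row.status = "covered";
    else if (cov.status === "partial") row.status = "partial";
    else row.status = "gap";                                 // detectable in principle, not lit
  }
  return rows;
}

function summarize(rows) {
  const counts = { total: 0, covered: 0, partial: 0, gap: 0, undetectable: 0, "risk accepted": 0 };
  for (const row of Object.values(rows)) { counts.total += 1; counts[row.status] += 1; }
  return counts;
}

// Overlay score = number of selected groups using the technique;
// gap score = uncovered weight (assumed 1 - ratio) x group count, gaps and partials only.
function layerScores(rows) {
  const overlay = {}, gap = {};
  for (const [t, row] of Object.entries(rows)) {
    overlay[t] = row.groups;
    if (row.status === "gap" || row.status === "partial") gap[t] = (1 - row.ratio) * row.groups;
  }
  return { overlay, gap };
}

console.log(summarize(classify(coverage, groupTechniques(stixBundle), ["G0016", "G0046"])));
```

The revoked relationship is the edge case worth keeping in mind when loading a fresh enterprise-attack.json: ATT&CK keeps revoked and deprecated objects in the bundle, so a cross-reference that does not filter them inflates the threat-technique count.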
Relationship Diagrams
Renders the data flow as Mermaid diagrams. Use them to explain to stakeholders how a log feeds a detection, or to drill into a specific source / technique.
How to use this tab
What it does: visual explainers for the coverage chain. Three sub-sections you can scroll between:
- Conceptual model: abstract diagram of how a raw log becomes a Navigator score. No interaction.
- Log source utility cascade: the most useful one. Pick log sources from the multi-select; the diagram renders Log Source → Component → Analytic → Detection Strategy → Technique → Threat Group. Lit (green) nodes are fully covered by your inventory; dim/yellow are blocked because at least one upstream log source is unscored. Use it to communicate why a particular event code matters.
- Component category / technique drill-down: pick a component category or technique to see its components and detections.
Capabilities: log-source multi-select with filter + "Select all visible", per-technique drill-down, smooth-fade re-renders. Diagrams scroll horizontally on phones.
Conceptual model
How a raw log becomes a detection-ready signal.
Log source utility: what does logging this unlock?
Pick one or more log sources to see the cascade Log Source → Data Component → Analytic → Detection Strategy → Technique → Threat Group. Use it to communicate why eventcode 1 or eventcode 4624 logon_type 2 matter: each link upward is the threat-intel value that log carries. Lit (green) nodes are fully covered by your inventory; dim/yellow are blocked because at least one upstream log source is unscored.
Component category → components → techniques
Technique → detecting components
Coverage overview (top sources)
Top 12 component categories by total detections; bar shows your covered / total ratio.
Export ATT&CK Navigator layer
Customise and download a Navigator layer JSON of your detection coverage. Open it in MITRE ATT&CK Navigator via Open Existing Layer → Upload from local. (Threat-group and gap layers are exported from the Threats and Gap-Analysis tabs.)
How to use this tab
What it does: generates a Navigator layer 4.5 JSON of your detection coverage so you can drop it into the official ATT&CK Navigator for a colored heatmap.
Steps:
- Score your inventory on tab 2.
- Customise the layer name, description, and gradient colors above.
- Toggle Include uncovered techniques if you want every technique in the matrix (vs. just covered ones).
- Click Download Navigator layer (or Copy JSON for clipboard).
- In Navigator: Open Existing Layer → Upload from local.
Capabilities: live JSON preview, copy / download, per-technique metadata (covered components, max score, ratio).
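An added example (not the app's own code) of building and sanity-checking the layer JSON this tab exports. It takes a technique coverage map of the shape {score, lit, total, ratio} per technique (an assumption about the tab 4 roll-up), honours the Include uncovered techniques toggle, emits the per-technique metadata the text lists, and uses the Navigator layer format's field names (techniqueID, score, comment, metadata, gradient, versions.layer = "4.5"). The versions.attack and versions.navigator values are placeholders; the real app would fill them from the loaded bundle.

```javascript
// Added example (not the app's own code): Navigator layer builder plus a
// validator, over an assumed coverage-map shape from the tab-4 roll-up.

function buildLayer(coverage, opts = {}) {
  const {
    name = "Detection coverage",
    description = "Generated from scored log inventory",
    domain = "enterprise-attack",
    includeUncovered = false,
    colors = ["#ff6666", "#ffe766", "#8ec843"], // red -> yellow -> green
  } = opts;

  const techniques = Object.entries(coverage)
    .sort(([a], [b]) => a.localeCompare(b))
    .filter(([, row]) => includeUncovered || row.score > 0)
    .map(([id, row]) => ({
      techniqueID: id,
      score: row.score,
      comment: `${row.lit}/${row.total} detection strategies lit`,
      metadata: [
        { name: "covered_strategies", value: String(row.lit) },
        { name: "max_score", value: String(row.score) },
        { name: "coverage_ratio", value: row.ratio.toFixed(2) },
      ],
    }));

  return {
    name,
    description,
    domain,
    versions: {
      layer: "4.5",
      attack: "ATTACK_VERSION_PLACEHOLDER",       // placeholder: take from the loaded bundle
      navigator: "NAVIGATOR_VERSION_PLACEHOLDER", // placeholder
    },
    techniques,
    gradient: { colors, minValue: 0, maxValue: 5 },
    legendItems: [
      { label: "Not covered (0)", color: colors[0] },
      { label: "Fully covered (5)", color: colors[colors.length - 1] },
    ],
  };
}

// Checks worth running before the JSON leaves the browser: required keys,
// well-formed technique IDs, no duplicates, scores inside the gradient range.
function validateLayer(layer) {
  const errors = [];
  for (const key of ["name", "domain", "versions", "techniques", "gradient"]) {
    if (!(key in layer)) errors.push(`missing ${key}`);
  }
  if (layer.versions && layer.versions.layer !== "4.5") errors.push("unexpected layer version");
  const { minValue = 0, maxValue = 0 } = layer.gradient || {};
  const seen = new Set();
  for (const t of layer.techniques || []) {
    if (!/^T\d{4}(\.\d{3})?$/.test(t.techniqueID)) errors.push(`bad techniqueID ${t.techniqueID}`);
    if (seen.has(t.techniqueID)) errors.push(`duplicate ${t.techniqueID}`);
    seen.add(t.techniqueID);
    if (t.score < minValue || t.score > maxValue) errors.push(`score out of range for ${t.techniqueID}`);
  }
  return errors;
}

function layerJson(coverage, opts) {
  return JSON.stringify(buildLayer(coverage, opts), null, 2);
}

// Constructed coverage map, as the tab-4 roll-up would produce it.
const sampleCoverage = {
  T1059: { score: 2, lit: 1, total: 2, ratio: 0.5 },
  T1204: { score: 2, lit: 1, total: 1, ratio: 1 },
  T1021: { score: 0, lit: 0, total: 1, ratio: 0 },
  T1071: { score: 0, lit: 0, total: 1, ratio: 0 },
};

console.log(layerJson(sampleCoverage, { includeUncovered: true }));
```

Keeping minValue / maxValue pinned to the 0–5 scoring scale matters more than it looks: Navigator colours by gradient position, so a layer whose gradient range drifts from the inventory scale will paint a score-2 technique the same colour as a score-5 one.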