analytic-story-builder
// Create grouped detection narratives that tie individual rules into coherent threat stories. Covers Splunk Analytic Stories, Elastic detection rule groups, and Sentinel analytics grouping.
| Field | Value |
|---|---|
| name | Analytic Story Builder |
| description | Create grouped detection narratives that tie individual rules into coherent threat stories. Covers Splunk Analytic Stories, Elastic detection rule groups, and Sentinel analytics grouping. |
An analytic story groups related detections into a narrative around a threat scenario, campaign, or attacker behavior chain. While the "analytic story" concept originated in Splunk's ESCU, the principle — grouping detections by threat context — applies to every SIEM.
| SIEM | Concept | Implementation |
|---|---|---|
| Splunk ESCU | Analytic Story | YAML story file + detection references |
| Elastic Security | Detection rule group / Tag | Tags + rule grouping in Kibana |
| Microsoft Sentinel | Analytics rule template | Grouping via Solution/Content Hub |
| Sigma | Tags / rule collections | tags field + directory structure |
| Chronicle SOAR | Playbook grouping | Playbooks referencing detection sets |
The Splunk ESCU story YAML is the canonical format. Other SIEMs can adapt this structure to their own grouping mechanism.

```yaml
name: Story Name Here
id: <uuid>
version: 1
date: 'YYYY-MM-DD'
author: Your Name
description: >-
  One to three sentences describing the threat scenario. What is the attacker
  trying to do? Why should a defender care?
narrative: >-
  Three to five sentences providing deeper context. Include references to
  real-world campaigns, common attack chains, and why these detections were
  grouped together. Explain how the detections work together to provide
  coverage across the kill chain.
references:
  - https://attack.mitre.org/techniques/TXXXX/
  - https://relevant-blog-or-advisory.example.com
tags:
  analytic_story: Story Name Here
  category:
    - Malware  # or: Adversary Tactics, Abuse, Cloud Security, etc.
  product:
    - Splunk Enterprise
    - Splunk Cloud
  usecase: Security Monitoring
  mitre_attack:
    - T1059.001
    - T1547.001
```
Stories should be 17–19 lines of YAML (excluding blank lines). Keep it tight:
- `description`: 1–3 sentences. What is the threat?
- `narrative`: 3–5 sentences. Why do these detections belong together?
- `references`: 2–5 links. ATT&CK technique page + source blog/advisory.
- `tags.mitre_attack`: List every technique covered by detections in the story.

Anti-patterns to avoid:
Create a new story when:
| Category | Description | Example |
|---|---|---|
| Malware | Specific malware families | "IcedID", "QakBot Execution Chain" |
| Adversary Tactics | Technique-focused groups | "Windows Persistence Techniques" |
| Abuse | Legitimate tool abuse | "Living Off The Land Binaries" |
| Cloud Security | Cloud-specific threats | "AWS IAM Privilege Escalation" |
| Vulnerability | CVE-specific detection sets | "Log4Shell CVE-2021-44228" |
| Compliance | Regulatory monitoring | "PCI DSS Log Monitoring" |
Start from one of:
Check if a story already exists that this fits into:
```
search_stories("ransomware")
search_stories("persistence")
```
Use the YAML format above. Focus on:
Each detection references its story via tags:
```yaml
# In the detection YAML
tags:
  analytic_story:
    - Story Name Here
```
For non-Splunk SIEMs, use whatever grouping mechanism is available (tags, folders, rule groups).
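The two consistency rules this page states for Splunk stories (every detection references its story under `tags.analytic_story`, and the story's `mitre_attack` list equals the union of its detections' technique mappings) can be checked mechanically. The following is an added example, not part of the skill or of ESCU tooling; it takes the story and detections as already-parsed dicts (the result of loading the YAML files), assumes `mitre_attack_id` as the detection-side technique field, and uses constructed sample data with a placeholder advisory URL.

```python
import re

# Constructed sample story, already parsed from YAML (e.g. with yaml.safe_load).
STORY = {
    "name": "Windows Persistence Techniques",
    "description": "Adversaries keep access through registry run keys and "
                   "scheduled tasks. Persistence survives reboots, so catch it early.",
    "references": ["https://attack.mitre.org/techniques/T1547/001/",
                   "https://advisory.example.com/persistence"],  # placeholder URL
    "tags": {"analytic_story": "Windows Persistence Techniques",
             "mitre_attack": ["T1547.001", "T1053.005"]},
}
# Constructed detections; `mitre_attack_id` is assumed as the detection-side field.
DETECTIONS = [
    {"name": "Registry Run Key Set", "tags": {
        "analytic_story": ["Windows Persistence Techniques"], "mitre_attack_id": ["T1547.001"]}},
    {"name": "Scheduled Task Created", "tags": {
        "analytic_story": ["Windows Persistence Techniques"], "mitre_attack_id": ["T1053.005"]}},
]

def count_sentences(text):
    # A sentence ends with . ! or ? followed by whitespace or the end of the text.
    return len([s for s in re.split(r"[.!?](?:\s+|$)", text.strip()) if s])

def validate_story(story, detections):
    """Return a list of findings; an empty list means the story passes."""
    findings = []
    n = count_sentences(story.get("description", ""))
    if not 1 <= n <= 3:
        findings.append(f"description has {n} sentences, expected 1-3")
    refs = story.get("references", [])
    if not 2 <= len(refs) <= 5:
        findings.append(f"{len(refs)} references, expected 2-5")
    if not any("attack.mitre.org" in r for r in refs):
        findings.append("no ATT&CK technique page in references")
    tags = story.get("tags", {})
    if tags.get("analytic_story") != story.get("name"):
        findings.append("tags.analytic_story does not match story name")
    # The story's technique list must equal the union of its detections' mappings.
    declared, union = set(tags.get("mitre_attack", [])), set()
    for det in detections:
        dtags = det.get("tags", {})
        union.update(dtags.get("mitre_attack_id", []))
        if story["name"] not in dtags.get("analytic_story", []):
            findings.append(f"detection '{det['name']}' does not reference the story")
    for tech in sorted(union - declared):
        findings.append(f"missing technique {tech} in tags.mitre_attack")
    for tech in sorted(declared - union):
        findings.append(f"technique {tech} has no detection in the story")
    return findings
```

Run it over every story directory before committing; a non-empty findings list is the gap between what the story claims to cover and what its detections actually map to.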
- `mitre_attack` list matches the union of all detection technique mappings

For Elastic Security, group detections using tags in the rule YAML:

```yaml
tags:
  - "campaign:storm-0501"
  - "story:ransomware-encryption"
```
For Microsoft Sentinel, use Sentinel Solutions or Content Hub packages to group related analytics rules. Alternatively, use consistent naming prefixes: `[STORM-0501] - Detection Name`.

For Sigma, use directory structure and tags:

```
rules/
  windows/
    storm-0501/
      proc_creation_storm0501_initial_access.yml
      proc_creation_storm0501_persistence.yml
```