att-ck-navigator-layer-generator
Generate MITRE ATT&CK Navigator layers for coverage visualization, threat actor mapping, and gap analysis. Produces JSON files compatible with the Navigator web app.
| Field | Value |
|---|---|
| name | ATT&CK Navigator Layer Generator |
| description | Generate MITRE ATT&CK Navigator layers for coverage visualization, threat actor mapping, and gap analysis. Produces JSON files compatible with the Navigator web app. |
ATT&CK Navigator layers are JSON files that visualize technique coverage on the MITRE ATT&CK matrix. This skill covers generating layers for three primary use cases:
Every layer follows this structure:

```json
{
  "name": "Layer Name",
  "versions": {
    "attack": "18.1",
    "navigator": "5.3.1",
    "layer": "4.5"
  },
  "domain": "enterprise-attack",
  "description": "Layer description",
  "techniques": [
    {
      "techniqueID": "T1059.001",
      "tactic": "execution",
      "score": 75,
      "color": "#66b2ff",
      "comment": "3 Sigma rules, 2 Splunk ESCU rules",
      "enabled": true
    }
  ],
  "gradient": {
    "colors": ["#ff6666", "#ffe766", "#8ec843"],
    "minValue": 0,
    "maxValue": 100
  }
}
```
| Field | Type | Purpose |
|---|---|---|
| techniqueID | string | MITRE technique ID (e.g., T1059.001) |
| tactic | string | Tactic shortname (required for sub-techniques that appear in multiple tactics) |
| score | number | 0–100, drives gradient coloring |
| color | string | Hex color override (takes precedence over score gradient) |
| comment | string | Hover text with details |
| enabled | boolean | Whether technique is visible |
| Color | Meaning |
|---|---|
| #8ec843 (green) | Good coverage (score 70–100) |
| #ffe766 (yellow) | Partial coverage (score 30–69) |
| #ff6666 (red) | Weak/no coverage (score 0–29) |
| #6baed6 (blue) | Threat actor uses this technique |
| #ffffff (white) | Not assessed / not applicable |
Visualize detection coverage across all techniques. Score is based on number and quality of detections.
Using MCP tools:

1. `get_technique_ids()` → Get all covered technique IDs
2. `analyze_coverage()` → Get tactic-level breakdown
3. `generate_coverage_layer(covered_ids)` → Generate the layer JSON
Scoring formula (suggested):
Highlight all techniques attributed to a specific threat group.
Using MCP tools:

1. `search_groups("APT29")` → Find group ID (G0016)
2. `get_group_techniques("G0016")` → Get technique list
3. `generate_group_layer("G0016", "APT29")` → Generate the layer
Compare your detection coverage against a target set of techniques (e.g., a threat actor's TTPs).
Using MCP tools:

1. `get_technique_ids()` → Your covered IDs
2. `get_group_techniques("G0016")` → Target IDs
3. `generate_gap_layer(covered, target, "APT29 Gaps")` → Gap layer
Gap layer color scheme:
If MCP tools aren't available, build the JSON directly:

```python
import json


def make_layer(name, techniques, description=""):
    # Wrap a technique list in the layer envelope shown above.
    return {
        "name": name,
        "versions": {"attack": "18.1", "navigator": "5.3.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": techniques,
        "gradient": {
            "colors": ["#ff6666", "#ffe766", "#8ec843"],
            "minValue": 0,
            "maxValue": 100,
        },
    }


# Scores fall on the 0-100 gradient; no explicit "color" means the gradient decides.
techniques = [
    {"techniqueID": "T1059.001", "score": 80, "comment": "5 detections"},
    {"techniqueID": "T1053.005", "score": 40, "comment": "1 detection"},
]

layer = make_layer("My Coverage", techniques, "Detection coverage as of 2026-02")
with open("coverage_layer.json", "w") as f:
    json.dump(layer, f, indent=2)
```
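The fallback above hard-codes the technique list. The following added example (written for this page, not the skill's own code) computes the coverage layer from use case 1 and the gap layer from use case 3 from plain sets of technique IDs, using the colors from the table above; the 25-points-per-detection scoring rule and the sample IDs are assumptions, since the page's suggested formula and gap color scheme are not reproduced here.

```python
import json

GREEN, YELLOW, RED = "#8ec843", "#ffe766", "#ff6666"  # from the color table above


def make_layer(name, techniques, description=""):
    """Wrap a technique list in the Navigator layer envelope (layer format 4.5)."""
    return {
        "name": name,
        "versions": {"attack": "18.1", "navigator": "5.3.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": techniques,
        "gradient": {"colors": [RED, YELLOW, GREEN], "minValue": 0, "maxValue": 100},
    }


def coverage_score(detection_count):
    """Assumed scoring rule, not the skill's: 25 points per detection, capped at 100."""
    return min(100, 25 * detection_count)


def coverage_layer(detections):
    """Use case 1. detections maps techniqueID -> number of rules; score drives the gradient."""
    techniques = [
        {"techniqueID": tid, "score": coverage_score(n), "comment": f"{n} detection(s)"}
        for tid, n in sorted(detections.items())
    ]
    return make_layer("Detection Coverage", techniques, "score = 25 * detections, capped at 100")


def gap_ids(covered, target):
    """Target techniques with no detection at all."""
    return sorted(set(target) - set(covered))


def gap_layer(covered, target, name):
    """Use case 3. Explicit colors override the gradient: green = detected, red = gap."""
    gaps = set(gap_ids(covered, target))
    techniques = [
        {
            "techniqueID": tid,
            "score": 0 if tid in gaps else 100,
            "color": RED if tid in gaps else GREEN,
            "comment": "GAP: used by group, no detection" if tid in gaps else "detection exists",
        }
        for tid in sorted(set(target))
    ]
    return make_layer(name, techniques, f"{len(gaps)} of {len(set(target))} target techniques uncovered")


if __name__ == "__main__":
    covered = {"T1059.001": 5, "T1053.005": 1}  # constructed sample, not real coverage figures
    actor_ttps = ["T1059.001", "T1078", "T1566.001"]  # constructed sample, not a real group profile
    with open("gap_layer.json", "w") as f:
        json.dump(gap_layer(covered, actor_ttps, "Gap layer"), f, indent=2)
```

Load the written file into Navigator with Open Existing Layer; red cells are the target techniques with no detection.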
Or host Navigator locally:

```bash
git clone https://github.com/mitre-attack/attack-navigator.git
cd attack-navigator/nav-app
npm install && npm start
```
`versions.attack` to match the ATT&CK version your analysis used.