
security analyst · security skill · risk: medium

APT TTP Mapping with MITRE Navigator

Provides steps to query ATT&CK STIX data for a threat group using attackcti, extract associated techniques, generate a Navigator layer JSON, and overlay detection coverage.

SKILL 4 files · 2 folders

SKILL.md
---
name: analyzing-threat-actor-ttps-with-mitre-navigator
description: "Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework"
---
# Analyzing Threat Actor TTPs with MITRE Navigator

## Overview

The MITRE ATT&CK Navigator is a web application for annotating and visualizing ATT&CK matrices.
Combined with the attackcti Python library (which queries ATT&CK STIX data via TAXII), analysts
can programmatically generate Navigator layer files mapping specific threat group TTPs, compare
multiple groups, and assess detection coverage gaps against known adversaries.


## When to Use

- When investigating security incidents that require analyzing threat actor TTPs with MITRE Navigator
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this type of analysis
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Python 3.8+ with attackcti and stix2 libraries installed
- MITRE ATT&CK Navigator (web UI or local instance)
- Understanding of STIX 2.1 objects and relationships

## Steps

1. Query ATT&CK STIX data for target threat group using attackcti
2. Extract techniques associated with the group via STIX relationships
3. Generate ATT&CK Navigator layer JSON with technique annotations
4. Overlay detection coverage to identify gaps
5. Export layer for team review and defensive planning

## Expected Output

```json
{
  "name": "APT29 TTPs",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1566.001", "score": 1, "comment": "Spearphishing Attachment"},
    {"techniqueID": "T1059.001", "score": 1, "comment": "PowerShell"}
  ]
}
```

REQUIRED CONTEXT

  • target threat group

OPTIONAL CONTEXT

  • detection coverage data

TOOLS REQUIRED

  • attackcti
  • stix2

EXPECTED OUTPUT

Format: json
Schema: json_schema · name, domain, techniques
Constraints
  • valid Navigator layer JSON
  • include techniqueID, score, and comment fields

EXAMPLES

Includes one sample Navigator layer JSON output for APT29 TTPs.

CAVEATS

Dependencies
  • Python 3.8+ with attackcti and stix2 libraries installed
  • MITRE ATT&CK Navigator (web UI or local instance)
  • Understanding of STIX 2.1 objects and relationships
Missing context
  • Target threat group name or identifier as explicit input
  • Exact output file path or layer name conventions
Ambiguities
  • Steps are high-level and do not specify exact function calls or parameters for attackcti queries.
  • Does not define how detection coverage overlay should be computed or represented.

QUALITY

OVERALL: 0.78
CLARITY: 0.85
SPECIFICITY: 0.70
REUSABILITY: 0.75
COMPLETENESS: 0.80

IMPROVEMENT SUGGESTIONS

  • Add explicit input parameters section (e.g., threat_group_name, include_subtechniques)
  • Expand each step with concrete code snippets or attackcti method names
  • Specify required fields and schema for the generated Navigator layer JSON

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
