Assess your data potential with ATTACK Datamap

Olaf Hartong
Apr 7 · 4 min read
Sample output of the assessment in the “MITRE ATT&CK” Navigator

While helping clients that chose to work on coverage of the “ATT&CK” framework I found myself lacking a solid way to represent their options, which led me to the following approach.

I wanted to create a tool to see what is already potentially possible with the available data and what data should be onboarded to cover certain techniques, if possible.

Techniques (nearly) all state one or multiple data sources, this is still very generic in terms of dealing with logs so I made an attempt at adding that layer. I wanted to create something everyone on a normal Windows box is able to run, without having to install additional software.

I’ve ended up with a toolkit that consists of an Excel file and a PowerShell module, which can be downloaded here

This tool is developed by me and has no affiliation with “MITRE” nor with its great “ATT&CK” team, it is developed with the intention to ease the mapping of data sources to assess one’s potential coverage.


These scores will depict the potential value of the data source in finding more information about the technique, not everything is useful for detection rules. Some will be more useful for hunting or even only in Incident response.

This assessment will not be all covering, not will it be super exact on all levels. I’ve made the choice in favor of usability to not add weights to each individual event per technique, this would make it unusable for most people.

The Excel

Opening the file will take you to the DataSourceEvents worksheet. This is the most important page of the document in terms of scoring and maintaining.

Sample of the Excel file

The sheet contains the DataSource and Events, of which you can add as much as you like. Next to that are three subscores for Completeness, Timeliness and Availability, which result in the score for that Event.


Scoring your events is relatively straight forward, the legend is also included in the document on the RatingLegend page. I’ve tried to make this as simple as possible by using a 0–5 system. The total score is based on (2 * Completeness + Timeliness + 2 * Availability / 5) My rationale being the timeliness is less crucial than the other two, but should obviously be accounted for in the creation of hunts or detection rules.


Since not every data source is as important to each individual technique I decided to rate them by assigning a weight to them on a scale of 0–100, where the total should sum up to 100. This workbook can be edited, the weighing is based on my knowledge and experience. Pull requests are always welcome with improvements.

Knowledge base

I’ve been keeping track of a lot of logs, most of the relevant logs I’ve added to a workbook for easy reference;

The PowerShell module

This tool requires module ImportExcel,

Install it like this PS C:\> Install-Module ImportExcel

Import the module with Import-Module .\ATTACKdatamap.psd1

There are three commandlets available; Get-ATTACKdata, Invoke-ATTACK-UpdateExcel and Request-ATTACKjson.


This downloads the MITRE ATT&CK Enterprise JSON file

PS C:\> Get-ATTACKdata -AttackPath ./enterprise-attack.json

The -AttackPath parameter is optional


This generates all MITRE ATT&CK relevant fields into a table and creates or updates the REF-DataSources worksheet in an Excel sheet

PS C:\> Invoke-ATTACK-UpdateExcel -AttackPath .\enterprise-attack.json -Excelfile .\mitre_data_assessment.xlsx

The -AttackPath and -Excelfile parameters are optional


Generates a JSON file to be imported into the ATT&CK Navigator.

Each technique contains DataSources, which are individually scored by me with a weight. The DataSourceEventTypes need to be scored per environment.

This script multiplies the respective DataSource scores and adds them to a total technique score. The generation date is added to the description.


PS C:\> Request-ATTACKjson -Excelfile .\mitre_data_assessment.xlsx -Template .\template.json -Output 2019-03-23-ATTACKcoverage.json

This is all gathered into a JSON file which can be opened here; MITRE ATT&CK Navigator/enterprise/

Sample output of the assessment in the “MITRE ATT&CK” Navigator

Special thanks to @Carlos_Perez, Arris Huijgen and vivami for their help in getting this to work

Olaf Hartong

Written by

Photographer | InfoSec | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade