Workflow steps:
1. Environment Profile: declare your vendor stack
2. Scenario Construction: technique, variant, log sources
3. Curation: review, edit, annotate events
4. Send: deliver to DCVE and export JSON
Environment Profile
Declare your vendor stack and versions. Add multiple sources per layer to reflect mixed or transitional environments. Each source resolves its own pySigma pipeline independently.
Layer 1 — Endpoint / EDR
Add each EDR or endpoint sensor deployed in your environment. Mixed deployments (e.g. CrowdStrike + Defender during migration) are supported — add one card per product.
Layer 2 — Email Security
Add each email security product deployed. Environments with both a secure email gateway and Microsoft Defender for O365 should have both listed.
Layer 3 — Identity
Add each identity provider. Hybrid environments with both on-prem Active Directory and a cloud IdP (Entra ID, Okta) should have both listed.
Layer 4 — Network
Add each network security product. Environments with both a perimeter firewall and a cloud proxy (e.g. Palo Alto + Zscaler) should have both listed.
Layer 5 — Cloud
Select all cloud providers in use. Log sources for each are enabled independently.
AWS
Azure
GCP
None
Layer 6 — SIEM & Normalization
Add each SIEM or data lake in use. Multi-SIEM environments (e.g. Sentinel + Splunk during migration) should have both listed. The primary SIEM determines the default rule output format.
Scenario Construction
Select the ATT&CK technique, execution variant, log sources, and scenario context. The generator produces a realistic event sequence using your declared environment schema.
Technique
Execution Variant (select a technique to see its available variants)
Log Sources (select a technique to see its available log sources)
Actor Context
Noise Events
Process creation
Network connections
Authentication
File operations
Registry access
Curation
Review the generated event sequence. Edit field values, add or remove events, adjust timestamps, and annotate which events should trigger your detection rule.
Event Sequence
Analyst Confirmation
Confirming means you attest this scenario is a realistic representation of the technique executing in your environment. Confirmation elevates scenario quality to Silver tier and increases the Block 4 validation score contribution in the DIP.
Send to DCVE
Review the scenario pack summary before sending. Clicking Send performs two simultaneous actions: delivers the scenario to the DCVE panel (right) and exports the complete scenario JSON to your downloads folder.
Absolute timestamps in the exported JSON are derived from the scenario start time set here plus each event's relative offset.
DCVE — Detection Correctness Verification Engine
Receives scenario packs from the ADSG
Complete the ADSG workflow and click Send to deliver a scenario pack here.