Technical
MITRE ATT&CK integration.
Loupe bundles 30 MITRE ATT&CK technique references in Resources/attack/techniques.json and surfaces them inline next to every rule fire in the narrator brief, so the supporting evidence reads in the audit-recognized vocabulary your reviewers already use.
What it looks like in the brief
Rule fires render with the technique inline. Sample rendered line from the narrator prompt (and surfaced in the export bundle's Markdown brief):
Rule sigma.linux.auth.ssh_bruteforce named "SSH Brute Force from Single Source" (category auth, severity high, MITRE ATT&CK T1110.001 "Brute Force: Password Guessing" (Credential Access)) fired with 12 events between 13:18:59 on April 23, 2026 and 13:21:14 on April 23, 2026.
Featured technique mappings (v1.0)
Eight hand-rolled rules carry MITRE ATT&CK technique references at v1.0; the 35 SigmaHQ-imported rules carry their upstream ATT&CK tags, which are resolved against the bundle at load time via MITREAttackDatabase.resolve(tags:). The pairings below are the most frequently fired ones.
| Technique | Tactic | Loupe rules |
|---|---|---|
| T1110.001 Brute Force: Password Guessing | Credential Access | auth.ssh.bruteforce, sigma.linux.builtin.sshd_* |
| T1110.004 Brute Force: Credential Stuffing | Credential Access | web.auth.401_burst, sigma.web.credential_stuffing |
| T1595.003 Active Scanning: Wordlist Scanning | Reconnaissance | web.recon.path_scanning, sigma.web.path_recon |
| T1190 Exploit Public-Facing Application | Initial Access | web.apache.child_segfault, web.write.5xx_burst, sigma.web.jndi_exploit |
| T1499 Endpoint Denial of Service | Impact | web.upstream.5xx_burst |
| T1498 Network Denial of Service | Impact | net.icmp.unreachable_burst |
| T1078 Valid Accounts | Defense Evasion | auth.privilege.escalation |
| T1021.004 Remote Services: SSH | Lateral Movement | auth.ssh.bruteforce |
| T1556 Modify Authentication Process | Credential Access | auth.ssh.host_key_change |
| T1046 Network Service Discovery | Discovery | net.firewall.deny_burst |
Also bundled
These techniques are bundled and resolvable from upstream Sigma tags but don't yet have a direct hand-rolled Loupe rule. They light up automatically when an imported Sigma rule with the matching tag fires.
- T1110 (Brute Force, parent)
- T1110.003 (Password Spraying)
- T1595 (Active Scanning, parent)
- T1133 (External Remote Services)
- T1021 (Remote Services, parent)
- T1505 + T1505.003 (Server Software Component, Web Shell)
- T1071 + T1071.001 (Application Layer Protocol, Web Protocols)
- T1018 (Remote System Discovery)
- T1083 (File and Directory Discovery)
- T1486 (Data Encrypted for Impact)
- T1485 (Data Destruction)
- T1562 + T1562.004 (Impair Defenses, Disable/Modify System Firewall)
- T1136 (Create Account)
- T1078.003 (Valid Accounts: Local Accounts)
- T1098 (Account Manipulation)
- T1611 (Escape to Host)
- T1213 (Data from Information Repositories)
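The tag resolution described above (upstream Sigma tags resolved against the bundle at load time, and bundled-only techniques lighting up when a tagged Sigma rule fires), as an added example: this is Python written for this page, not Loupe's Swift resolver, and it assumes a simplified techniques.json shape (id, name, tactic) plus the standard Sigma tag forms attack.t1110.001 (technique) and attack.credential_access (tactic).

```python
import json
import re
from dataclasses import dataclass

# Constructed sample in the shape this example assumes for techniques.json;
# the real bundle's schema may differ.
TECHNIQUES_JSON = """
[
  {"id": "T1110", "name": "Brute Force", "tactic": "Credential Access"},
  {"id": "T1110.001", "name": "Brute Force: Password Guessing", "tactic": "Credential Access"},
  {"id": "T1190", "name": "Exploit Public-Facing Application", "tactic": "Initial Access"},
  {"id": "T1595.003", "name": "Active Scanning: Wordlist Scanning", "tactic": "Reconnaissance"}
]
"""

@dataclass(frozen=True)
class Technique:
    id: str
    name: str
    tactic: str

# Sigma technique tags look like "attack.t1110.001"; tactic tags like
# "attack.credential_access" carry no technique id and are skipped.
_TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

class AttackDatabase:
    def __init__(self, bundle_json: str) -> None:
        records = json.loads(bundle_json)
        self._by_id = {r["id"].upper(): Technique(r["id"].upper(), r["name"], r["tactic"])
                       for r in records}

    def resolve(self, tags) -> list[Technique]:
        """Map a rule's tags to bundled techniques, in tag order, without duplicates.
        Tactic tags and technique ids not in the bundle resolve to nothing."""
        seen, out = set(), []
        for tag in tags:
            match = _TECHNIQUE_TAG.match(tag.strip())
            if not match:
                continue
            tech = self._by_id.get(match.group(1).upper())
            if tech and tech.id not in seen:
                seen.add(tech.id)
                out.append(tech)
        return out

def render_attack(techniques) -> str:
    """Render the inline phrase used in the brief; empty when nothing resolved."""
    if not techniques:
        return ""
    parts = [f'{t.id} "{t.name}" ({t.tactic})' for t in techniques]
    return "MITRE ATT&CK " + ", ".join(parts)
```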
Roadmap
v1.x will lift hand-rolled-rule ATT&CK coverage from 8 of 26 rules toward every rule where a defensible technique mapping exists. The v1.x Sigma corpus expansion (field-aware conversion to lift the rule count toward ~300) will also roughly triple the technique-resolution surface, since SigmaHQ's tag coverage is broader than what v1.0 imports.
Reproducibility
- Bundle: Sources/Loupe/Resources/attack/techniques.json (30 records).
- Resolver: Sources/Loupe/Models/MITREAttack.swift.
- Hand-rolled rule tag bindings: Sources/Loupe/Services/DefaultRules.swift (search for attackTechniques:).
- Render path: Sources/Loupe/Services/NarratorPrompt.swift (renderAttack helper).