
docs: expand MITRE ATT&CK integration with examples and mappings#20

Merged
texasbe2trill merged 3 commits into texasbe2trill:main from MalathiBalaraman31:docs/mitre-attack-integration
Dec 29, 2025

Conversation

@MalathiBalaraman31
Contributor

Description

This PR expands the MITRE ATT&CK attribution documentation to better explain how AlertSage maps incident classifications to ATT&CK techniques for SOC analysts.

It adds:

  • A clear explanation of incident-level MITRE mapping
  • References to the UI implementation (ui_premium.py)
  • Three concrete incident examples (Phishing, Malware, Web Attack)
  • A reference table mapping incident types to MITRE techniques
  • An example MITRE-enriched JSON output

This improves clarity, analyst usability, and alignment with existing UI behavior while preserving original licensing and attribution context.

Fixes #16

Type of change

  • Documentation update

How Has This Been Tested?

Documentation changes only. No code execution required.

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation

@texasbe2trill
Owner

@MalathiBalaraman31 Thank you for looking into this! Are you able to add screenshots to the documentation on how MITRE is implemented in the UI? Have a second reviewer look over the MITRE mapping you implemented in the documentation before merge. Thanks!

@MalathiBalaraman31
Contributor Author

@texasbe2trill Thanks for the feedback! Yes, I can add UI screenshots showing how MITRE techniques are displayed in AlertSage. I’ll also do a second review of the MITRE mappings in the documentation and update the PR shortly.

@MalathiBalaraman31
Contributor Author

@texasbe2trill Thanks for the review! I’ve added UI screenshots showing how MITRE ATT&CK is surfaced across:

  • Single Incident Analysis
  • Coverage visualizations
  • Threat Intelligence mapping
  • SOC Playbook context

I also re-reviewed the technique mappings for accuracy and consistency. Please let me know if any adjustments are needed.


Copilot AI left a comment


Pull request overview

This PR expands the MITRE ATT&CK integration documentation in AlertSage to provide clearer guidance for SOC analysts on how incident classifications map to ATT&CK techniques.

Key Changes:

  • Added detailed explanation of incident-level MITRE ATT&CK mapping methodology
  • Included three concrete incident examples (Phishing, Malware, Web Attack) with technique mappings
  • Added a reference table mapping incident types to MITRE techniques and tactics
  • Included example JSON output and references to UI screenshots

Reviewed changes

Copilot reviewed 1 out of 6 changed files in this pull request and generated 2 comments.

Files reviewed:

  • docs/mitre-attribution.md: Adds comprehensive documentation explaining how AlertSage maps incidents to MITRE ATT&CK techniques, including examples, a reference table, the JSON output format, and UI screenshot references
  • docs/images/mitre_threat_intel.png: Updates the threat intelligence UI screenshot showing MITRE technique mappings (binary PNG file)


| Web Attack | T1059.007 | JavaScript | Execution |

## Example MITRE-Enriched JSON Output
```

Copilot AI Dec 26, 2025


The code block for the JSON example should specify the language identifier for proper syntax highlighting. Change the opening fence from triple backticks alone to triple backticks followed by 'json'.

Suggested change
```
```json


## MITRE ATT&CK Integration in AlertSage

AlertSage maps MITRE ATT&CK techniques at the **incident classification level**. Once an incident description is analyzed and classified (for example, phishing or malware), a predefined set of relevant ATT&CK technique IDs is associated with that incident type to provide standardized adversary context.

Copilot AI Dec 26, 2025


This paragraph is quite long and could benefit from being split into two separate paragraphs for better readability. Consider adding a line break between the sentence ending with "adversary context." and the sentence starting with "This mapping is implemented".

Suggested change
AlertSage maps MITRE ATT&CK techniques at the **incident classification level**. Once an incident description is analyzed and classified (for example, phishing or malware), a predefined set of relevant ATT&CK technique IDs is associated with that incident type to provide standardized adversary context.
AlertSage maps MITRE ATT&CK techniques at the **incident classification level**. Once an incident description is analyzed and classified (for example, phishing or malware), a predefined set of relevant ATT&CK technique IDs is associated with that incident type to provide standardized adversary context.

@texasbe2trill
Owner

@MalathiBalaraman31 This looks good! We are missing this screenshot from the documentation. I noticed it wasn't included in your last commit. Copilot also has a couple of suggestions above to implement before squash and merge of this PR.

Here are some sample incidents you can run via batch mode or single analysis mode to accurately capture the current state of MITRE mappings in the UI:

Attachments: incidents.txt (the sample incidents) and a UI screenshot.

@MalathiBalaraman31
Contributor Author

@texasbe2trill Thanks for the clarification — I’ve added the missing MITRE ATT&CK Coverage heatmap screenshot to the documentation and pushed the update. The screenshot reflects the current UI state using the provided incident examples. Please let me know if anything else is needed before merge.


Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 6 changed files in this pull request and generated 1 comment.



Comment on lines +111 to +127
```
{
"incident_type": "phishing",
"confidence": "High",
"mitre_techniques": [
{
"technique_id": "T1566",
"name": "Phishing",
"tactic": "Initial Access"
},
{
"technique_id": "T1598",
"name": "Phishing for Information",
"tactic": "Reconnaissance"
}
]
}

Copilot AI Dec 29, 2025


The JSON example is missing a closing code fence. Line 111 opens a code block with triple backticks, but line 127 should also have triple backticks to properly close it. Currently line 127 only shows "}" which closes the JSON object but not the code block.

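The incident-level mapping described in the reviewed paragraph (a predefined set of technique IDs attached to each classified incident type) and the enriched JSON shape shown in the excerpt above, worked through as an added example. This is not AlertSage's own code and is not part of this PR: it shows a small table keyed by incident type, an enrichment function that produces the same record shape as the excerpt, a syntax check on technique IDs, and a batch aggregation by tactic of the kind a coverage heatmap is drawn from. The table reuses only the technique IDs named on this page (T1566, T1598, T1059.007); the function names, the table structure, the lowercase-key convention, the sample batch and the handling of unmapped incident types are assumptions.

```python
"""Added illustrative example (not AlertSage's code): incident-level
MITRE ATT&CK enrichment plus per-tactic coverage aggregation.

The mapping table uses only technique IDs that appear in the PR thread;
its structure, the function names and the unmapped-type handling are
assumptions made for this example.
"""
import json
import re
from collections import Counter

# ATT&CK technique ID syntax: T1234 or sub-technique T1234.001
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Illustrative incident-type -> technique table (assumed structure; keys lowercase).
INCIDENT_TECHNIQUES = {
    "phishing": [
        {"technique_id": "T1566", "name": "Phishing", "tactic": "Initial Access"},
        {"technique_id": "T1598", "name": "Phishing for Information", "tactic": "Reconnaissance"},
    ],
    "web attack": [
        {"technique_id": "T1059.007", "name": "JavaScript", "tactic": "Execution"},
    ],
}


def validate_table(table=INCIDENT_TECHNIQUES):
    """Return (incident_type, technique_id) pairs whose ID is malformed; [] if all pass."""
    bad = []
    for incident_type, techniques in table.items():
        for t in techniques:
            if not TECHNIQUE_ID_RE.match(t["technique_id"]):
                bad.append((incident_type, t["technique_id"]))
    return bad


def enrich_incident(incident_type, confidence, table=INCIDENT_TECHNIQUES):
    """Build the MITRE-enriched record for one classified incident.

    Lookup is case-insensitive. An unmapped type yields an empty technique
    list instead of raising, so a batch run never aborts on one incident.
    """
    key = incident_type.strip().lower()
    return {
        "incident_type": key,
        "confidence": confidence,
        "mitre_techniques": [dict(t) for t in table.get(key, [])],
    }


def tactic_coverage(incidents, table=INCIDENT_TECHNIQUES):
    """Aggregate (incident_type, confidence) tuples into per-tactic counts.

    Each incident adds one count per mapped technique; this is the data a
    coverage heatmap is drawn from. Returns (coverage_dict, unmapped_types).
    """
    coverage = Counter()
    unmapped = set()
    for incident_type, confidence in incidents:
        record = enrich_incident(incident_type, confidence, table)
        if not record["mitre_techniques"]:
            unmapped.add(record["incident_type"])
        for t in record["mitre_techniques"]:
            coverage[t["tactic"]] += 1
    return dict(coverage), sorted(unmapped)


# Constructed sample batch (not real AlertSage output).
SAMPLE_BATCH = [
    ("Phishing", "High"),
    ("phishing", "Medium"),
    ("Web Attack", "High"),
    ("insider threat", "Low"),   # deliberately absent from the table
]

if __name__ == "__main__":
    assert not validate_table(), "table contains malformed technique IDs"
    print(json.dumps(enrich_incident("Phishing", "High"), indent=2))
    cov, unmapped = tactic_coverage(SAMPLE_BATCH)
    print("coverage by tactic:", cov)
    print("unmapped incident types:", unmapped)
```

Running the table through validate_table before the UI loads it catches the typo class of error (a missing T prefix, a two-digit sub-technique suffix) that a silent lookup would otherwise turn into an empty technique list; reporting unmapped types separately keeps the heatmap honest about what the classifier produced but the table does not cover.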
Owner


@MalathiBalaraman31 When you get a chance, add the missing closing code fence and I’ll go ahead and squash and merge this PR. Thanks for the excellent work!

@MalathiBalaraman31
Contributor Author

@texasbe2trill Thanks for the note! I’ve added the missing closing code fence and pushed the fix.

Owner

@texasbe2trill texasbe2trill left a comment


@MalathiBalaraman31 Excellent work. I approve of these changes. Thanks again for your contribution and support!

@texasbe2trill texasbe2trill merged commit e8d6d53 into texasbe2trill:main Dec 29, 2025
7 checks passed
@texasbe2trill texasbe2trill moved this to Backlog in AlertSage Jan 3, 2026
@github-project-automation github-project-automation bot moved this from Backlog to Done in AlertSage Jan 3, 2026

Development

Successfully merging this pull request may close these issues.

Document MITRE ATT&CK Integration with Examples

3 participants