Knowledge Base
Green = Seen: Insider Tactics, Techniques, and Procedures
The ATT&CK® Navigator matrix below (which the team calls the “green = seen” chart) depicts the TTPs observed in the case data submitted by participating organizations. The chart illustrates the TTPs an enterprise could potentially see in its own network.
See also
See the heatmap to visualize the frequency of each technique.
Data Collection
The data in the knowledge base is reported by contributors and validated by the Center’s research team. It is represented as the TTPs used by the subject and the method of detection, in line with ATT&CK. Contributors submit data through a secure case submission portal. For each case they provide a sequential list of TTPs, with additional information on the data sources used to detect those TTPs, observable human indicators, and notes about the subject. The data in the knowledge base includes the following:
| Case Number | Additional Notes |
| Case Summary | Suspect Industry |
| Technique | Suspect Info |
| Technique ID | Suspect Admin (Y/N) |
| Sub Technique | Suspect Monitoring (Y/N) |
| Sub Technique ID | Suspect Teleworker (Y/N) |
| Tactic | Suspect on Performance Improvement Plan (Y/N) |
| Data Source | Turnover Rate of Employee Role |
| Data Component | Tenure of Suspect |
| Timestamp | Management Level of Suspect |
| Timestamp Offset | Seniority Level of Suspect |
| Log Type | Government Security Clearance of Suspect |