Detection Use Case Management

MaGMa Framework

Organize your detection capabilities from business objectives to implementation. Connect ATT&CK threats to D3FEND defenses with actionable detection rules.

FI-ISAC Documentation

Framework Overview

L1 Business

L2 Threats

L3 Rules

Free Access

The Three-Layer Hierarchy

L1 - Business

Business objectives and risk-based use cases that drive detection priorities. Aligned with compliance frameworks.

L2 - Threat

Threat-level use cases mapped to ATT&CK techniques and D3FEND countermeasures. Bridges business to technical.

L3 - Implementation

Concrete detection rules (Sigma, KQL, SPL) with data sources, test cases, and false positive guidance.

Use Case Library

How MaGMa Integrates with Purple Team

ATT&CK Mapping

Every L2 use case maps to specific ATT&CK techniques, connecting your detections to adversary behaviors.

Explore ATT&CK Hub

D3FEND Mapping

Each use case connects to D3FEND defensive techniques, showing how your detections support defense-in-depth.

Explore D3FEND Hub

Purple Team Coverage

Use the Purple Team Matrix to see how your MaGMa use cases contribute to overall detection coverage.

View Purple Matrix

Compliance Tracking

L1 use cases link to compliance frameworks (PCI-DSS, HIPAA, SOX), helping demonstrate regulatory coverage.

Filter by framework in the hierarchy above

Learn MaGMa in Depth

Module 5 of our Purple Team Detection Engineering course covers the complete MaGMa workflow: from creating business use cases to implementing and validating detection rules.

L1 Business Use CasesL2 Threat MappingL3 Rule ImplementationAI-Powered Generation

Unlock All Detection Rules

Premium members get full access to all 25 detection rules, compliance mapping exports, AI-powered rule generation, and integration with your SIEM.

The Three-Layer Hierarchy

L1 - Business

Business objectives and risk-based use cases that drive detection priorities. Aligned with compliance frameworks.

L2 - Threat

Threat-level use cases mapped to ATT&CK techniques and D3FEND countermeasures. Bridges business to technical.

L3 - Implementation

Concrete detection rules (Sigma, KQL, SPL) with data sources, test cases, and false positive guidance.

How MaGMa Integrates with Purple Team

ATT&CK Mapping

Every L2 use case maps to specific ATT&CK techniques, connecting your detections to adversary behaviors.

Explore ATT&CK Hub

D3FEND Mapping

Each use case connects to D3FEND defensive techniques, showing how your detections support defense-in-depth.

Explore D3FEND Hub

Purple Team Coverage

Use the Purple Team Matrix to see how your MaGMa use cases contribute to overall detection coverage.

View Purple Matrix

Compliance Tracking

L1 use cases link to compliance frameworks (PCI-DSS, HIPAA, SOX), helping demonstrate regulatory coverage.

Filter by framework in the hierarchy above

MaGMa Framework

Framework Overview

The Three-Layer Hierarchy

Use Case Library

Protect Against Ransomware

Detect Unauthorized Access

Prevent Data Exfiltration

Detect Insider Threats

Protect Email Communications

Secure Cloud Environments

Detect Malware Infections

Monitor Network Anomalies

Protect Identity Infrastructure

Ensure Business Continuity

How MaGMa Integrates with Purple Team

ATT&CK Mapping

D3FEND Mapping

Purple Team Coverage

Compliance Tracking

Learn MaGMa in Depth

Unlock All Detection Rules

MaGMa Framework

Framework Overview

The Three-Layer Hierarchy

Use Case Library

Protect Against Ransomware

Detect Unauthorized Access

Prevent Data Exfiltration

Detect Insider Threats

Protect Email Communications

Secure Cloud Environments

Detect Malware Infections

Monitor Network Anomalies

Protect Identity Infrastructure

Ensure Business Continuity

How MaGMa Integrates with Purple Team

ATT&CK Mapping

D3FEND Mapping

Purple Team Coverage

Compliance Tracking

Learn MaGMa in Depth

Unlock All Detection Rules