The MITRE ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies.
This MITRE ATT&CK connector helps to import MITRE ATT&CK techniques from the static data available within the connector and adds the data to FortiSOAR in MITRE ATT&CK Techniques module. This import procedure helps in replicating the knowledge base of adversary tactics and techniques based on real-world observations.
The MITRE ATT&CK connector leverages the ingestion wizard for seamless ingestion of the MITRE ATT&CK Framework on a set schedule. You can also provide inputs that specify which MITRE ATT&CK matrix should be used for pulling the data. For more information, see the Data Ingestion Support section.
FortiSOAR provides you with a MITRE ATT&CK Content Pack, which enables you to use the information and knowledge base that's provided by the MITRE ATT&CK Framework to its full extent. For more information about the MITRE ATT&CK Content Pack, see the MITRE ATT&CK Content Pack article.
Connector Version: 2.0.2
FortiSOAR™ Version Tested on: 7.3.0-2034
Authored By: Fortinet
Certified: Yes
The following enhancements have been made in the MITRE ATT&CK connector in version 2.0.2:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-mitre-attack
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the MITRE ATT&CK connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Upload JSON Manually | Select this checkbox if you want to import the MITRE datasets manually using the file selector, or if you don't have access to GitHub or no connection to the internet. You can provide the following types of MITRE datasets in the JSON format: |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get MITRE Data | Ingests latest data from MITRE based on the modules you have specified. | get_mitre_data Investigation |
Get MITRE Sample Data | Ingests sample data from MITRE. | get_mitre_data_sample Investigation |
Parameter | Description |
---|---|
Modules | Select the modules for which you want to ingest the latest data from MITRE. You can select one or more of the following options: Tactics, Groups, Techniques, Subtechniques, Mitigations, or Software |
Force Ingestion | Select this checkbox to force ingestion of data. |
The output contains a non-dictionary value.
None.
No output schema is available at this time.
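The Modules parameter above (Tactics, Groups, Techniques, Subtechniques, Mitigations, Software) corresponds to object types in the ATT&CK dataset, which MITRE publishes as a STIX 2 JSON bundle. The following is an added example, not code from the connector or from FortiSOAR; it assumes that the JSON you upload manually is such a bundle (each object carries an external reference with `source_name` "mitre-attack", and technique objects use `x_mitre_is_subtechnique` and `kill_chain_phases`). It sorts the bundle into those six module buckets, skips revoked and deprecated objects, and shows how the ATT&CK ID and tactic names are recovered for each record. The embedded bundle is a constructed, trimmed sample.

```python
"""Sort a MITRE ATT&CK STIX 2 bundle into the connector's module buckets.

Added example (not part of the MITRE ATT&CK connector or FortiSOAR). It
assumes the manually uploaded JSON is an ATT&CK STIX bundle in the format
MITRE publishes on GitHub.
"""
import json
from collections import defaultdict

# STIX object type -> module name as listed in the connector's Modules parameter.
# Techniques and Subtechniques share the "attack-pattern" type and are split on
# the x_mitre_is_subtechnique flag; Software covers both "malware" and "tool".
STIX_TYPE_TO_MODULE = {
    "x-mitre-tactic": "Tactics",
    "intrusion-set": "Groups",
    "attack-pattern": "Techniques",
    "course-of-action": "Mitigations",
    "malware": "Software",
    "tool": "Software",
}


def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1059.001) from the mitre-attack reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def module_for(obj):
    """Map one STIX object to a module name, or None if the type is not ingested."""
    module = STIX_TYPE_TO_MODULE.get(obj.get("type"))
    if module == "Techniques" and obj.get("x_mitre_is_subtechnique"):
        return "Subtechniques"
    return module


def bucket_bundle(bundle):
    """Group live objects by module; revoked/deprecated objects are dropped."""
    buckets = defaultdict(list)
    for obj in bundle.get("objects", []):
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        module = module_for(obj)
        ext_id = attack_id(obj)
        if module is None or ext_id is None:
            continue
        record = {"id": ext_id, "name": obj.get("name", "")}
        if obj["type"] == "attack-pattern":
            # Tactic names live in the kill chain phases of the technique.
            record["tactics"] = [
                p["phase_name"] for p in obj.get("kill_chain_phases", [])
                if p.get("kill_chain_name") == "mitre-attack"
            ]
        buckets[module].append(record)
    return dict(buckets)


def load_bundle(path):
    """Read a bundle file such as enterprise-attack.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _ref(ext_id):
    return [{"source_name": "mitre-attack", "external_id": ext_id}]


# Constructed, trimmed sample bundle: one object per module plus a revoked
# technique with a placeholder ID that must be filtered out.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Execution", "external_references": _ref("TA0002")},
        {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
         "external_references": _ref("T1059"),
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
        {"type": "attack-pattern", "name": "PowerShell", "x_mitre_is_subtechnique": True,
         "external_references": _ref("T1059.001"),
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
        {"type": "attack-pattern", "name": "Old Technique", "revoked": True,
         "external_references": _ref("T9999")},  # placeholder ID, constructed
        {"type": "intrusion-set", "name": "APT29", "external_references": _ref("G0016")},
        {"type": "course-of-action", "name": "Execution Prevention", "external_references": _ref("M1038")},
        {"type": "malware", "name": "Mimikatz", "external_references": _ref("S0002")},
        {"type": "relationship", "relationship_type": "uses"},  # no module, ignored
    ],
}

if __name__ == "__main__":
    for module, records in sorted(bucket_bundle(SAMPLE_BUNDLE).items()):
        print(module, [r["id"] for r in records])
```

Run it against a real bundle with `bucket_bundle(load_bundle("enterprise-attack.json"))` to see how many records each module would receive before ingesting; counting the dropped revoked and deprecated objects is a quick sanity check that a manual upload is the current dataset rather than a stale copy.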
The Sample - MITRE ATT&CK - 2.0.2 playbook collection comes bundled with the MITRE ATT&CK connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the MITRE ATT&CK connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling MITRE ATT&CK content. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map MITRE ATT&CK content to related FortiSOAR™ modules.
The Data Ingestion Wizard enables you to configure scheduled pulling of data from MITRE ATT&CK into FortiSOAR™. It also lets you pull some sample data from the MITRE ATT&CK Framework, using which you can define the mapping of data between MITRE ATT&CK and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users usually only need to map any custom fields that are added to MITRE ATT&CK content.
On the Field Mapping screen, map the fields of the ingested MITRE ATT&CK data to the fields of related modules, such as Groups, present in FortiSOAR™.
To map a field, click the key in the sample data to insert the field's jinja value. For example, to map the name parameter of the ingested MITRE ATT&CK data to the Name parameter of a FortiSOAR™ group record, click the Name field and then click the name key to populate it.
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to MITRE ATT&CK Framework, so that the content gets pulled from the MITRE ATT&CK integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull MITRE ATT&CK content on the 1st day of every month at 5 am, click Monthly, then in the hour field enter 5, and in the minute field enter 0. With this configuration, content from MITRE ATT&CK will be pulled on the first day of every month at 5 am.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
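The scheduling step above is expressed as a cron expression, and it is worth confirming what a given expression will actually fire on before saving it. The following is an added example, not code from FortiSOAR or the connector; it assumes the wizard's Monthly / hour 5 / minute 0 choice is equivalent to the standard five-field expression `0 5 1 * *` (minute, hour, day of month, month, day of week). It parses an expression, validates each field's range, and lists the next fire times, including the rule that when both day fields are restricted, cron fires on either.

```python
"""Validate a 5-field cron expression and compute its next fire times.

Added example (not part of FortiSOAR or the connector). It assumes the wizard's
Monthly / hour 5 / minute 0 setting corresponds to "0 5 1 * *".
"""
from datetime import datetime, timedelta

# Assumed equivalent of the wizard's "first day of every month at 5 am" choice.
WIZARD_MONTHLY_5AM = "0 5 1 * *"

# Allowed value ranges: minute, hour, day of month, month, day of week (0 = Sunday).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def parse_field(field, low, high):
    """Expand one field ('*', '5', '1-5', '*/15', '1,15') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if step < 1 or not (low <= start <= end <= high):
            raise ValueError(f"cron field {field!r} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Return the parsed schedule; raises ValueError on a malformed expression."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    sets = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
    # Vixie cron: if both day fields are restricted, a day matches either one.
    return {"sets": sets, "dom_any": fields[2] == "*", "dow_any": fields[4] == "*"}


def is_valid_cron(expr):
    try:
        parse_cron(expr)
        return True
    except ValueError:
        return False


def matches(sched, t):
    minutes, hours, doms, months, dows = sched["sets"]
    dom_ok = t.day in doms
    dow_ok = (t.weekday() + 1) % 7 in dows  # Python: 0 = Monday; cron: 0 = Sunday
    if sched["dom_any"] or sched["dow_any"]:
        day_ok = dom_ok and dow_ok
    else:
        day_ok = dom_ok or dow_ok
    return t.minute in minutes and t.hour in hours and t.month in months and day_ok


def next_runs(expr, start, count=3):
    """Return the next `count` fire times strictly after `start`, minute resolution."""
    sched = parse_cron(expr)
    t = start.replace(second=0, microsecond=0) + timedelta(minutes=1)
    runs = []
    while len(runs) < count:
        if matches(sched, t):
            runs.append(t)
        t += timedelta(minutes=1)
    return runs


if __name__ == "__main__":
    for run in next_runs(WIZARD_MONTHLY_5AM, datetime.now()):
        print(run.isoformat())
```

The minute-by-minute scan is deliberately simple; for a monthly schedule it walks a few hundred thousand minutes in well under a second, which is fine for a pre-save check but not for a production scheduler.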