MITRE ATT&CK v2.0.2

About the connector

The MITRE ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies.

This MITRE ATT&CK connector imports MITRE ATT&CK techniques from the static data available within the connector and adds the data to FortiSOAR in the MITRE ATT&CK Techniques module. This import procedure replicates the knowledge base of adversary tactics and techniques based on real-world observations.

The MITRE ATT&CK connector leverages the ingestion wizard for seamless ingestion of the MITRE ATT&CK Framework on a set schedule. You can also provide inputs that specify which MITRE ATT&CK matrix should be used for pulling the data. For more information, see the Data Ingestion Support section.

FortiSOAR provides you with a MITRE ATT&CK Content Pack, which enables you to use the information and knowledge base that's provided by the MITRE ATT&CK Framework to its full extent. For more information about the MITRE ATT&CK Content Pack, see the MITRE ATT&CK Content Pack article.

Version information

Connector Version: 2.0.2

FortiSOAR™ Version Tested on: 7.3.0-2034

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.2

The following enhancements have been made in the MITRE ATT&CK connector in version 2.0.2:

  • Preemptively fixed technique/subtechnique ingestion issues caused by inconsistent labeling in the MITRE dataset received.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-mitre-attack

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the MITRE ATT&CK connector row, and in the Configure tab enter the required configuration details.

Parameter: Upload JSON Manually
Description: Select this checkbox if you want to import the MITRE datasets manually using the file selector, or if you do not have access to GitHub or have no connection to the internet. You can provide the following types of MITRE datasets in JSON format:
  • Enterprise ATT&CK JSON
  • Mobile ATT&CK JSON
  • ICS ATT&CK JSON
If you do not select the Upload JSON Manually checkbox, then from the Matrices selection you must select the type of MITRE ATT&CK techniques matrices data that you want to pull as records into the "MITRE ATT&CK Techniques" module in FortiSOAR. You can select one or more of the following options: Enterprise, Mobile, or ICS.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations:

Function: Get MITRE Data
Description: Ingests the latest data from MITRE based on the modules you have specified.
Annotation: get_mitre_data
Category: Investigation

Function: Get MITRE Sample Data
Description: Ingests sample data from MITRE.
Annotation: get_mitre_data_sample
Category: Investigation

operation: Get MITRE Data

Input parameters

Parameter: Modules
Description: Select the modules for which you want to ingest the latest data from MITRE. You can select one or more of the following options: Tactics, Groups, Techniques, Subtechniques, Mitigations, or Software.

Parameter: Force Ingestion
Description: Select this checkbox to force ingestion of data.

Output

The output contains a non-dictionary value.
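The Configuration parameters and the Get MITRE Data action both come down to the same job: take a MITRE ATT&CK bundle (the Enterprise, Mobile or ICS JSON the connector downloads or that you upload manually), keep only the object kinds that belong to the selected modules, and turn each surviving object into a record. The following Python is an added example written for this page, not the connector's own code. It uses the public ATT&CK STIX layout (attack-pattern, x-mitre-tactic, intrusion-set, course-of-action, malware/tool, the x_mitre_is_subtechnique flag and the mitre-attack external_id), but the mapping from the page's module names to STIX types, the record field names, and the way Force Ingestion is modelled (bypassing a "modified since last run" filter) are assumptions chosen for the example. The sample bundle is constructed inline; it is not real MITRE data, although the well-known IDs in it (T1059, T1059.001, TA0002, M1038) are the real ones. The subtechnique classification deliberately falls back on the ID pattern when the flag is missing or contradicts it, which is the kind of inconsistent labeling the release note above refers to.

```python
"""Added example (not the connector's code): split an ATT&CK STIX bundle into the
module buckets exposed by the Get MITRE Data action."""
import json
import re

# Assumed mapping from the page's "Modules" choices to STIX object types.
STIX_TYPES = {
    "Tactics": {"x-mitre-tactic"},
    "Groups": {"intrusion-set"},
    "Techniques": {"attack-pattern"},
    "Subtechniques": {"attack-pattern"},
    "Mitigations": {"course-of-action"},
    "Software": {"malware", "tool"},
}
SUBTECHNIQUE_ID = re.compile(r"^T\d{4}\.\d{3}$")   # T1059.001 style IDs

# Constructed sample bundle in the shape of enterprise-attack.json (not real data).
# attack-pattern--3 has no x_mitre_is_subtechnique flag on purpose, and T1999 is a
# made-up revoked entry that must not become a record.
SAMPLE_BUNDLE = json.loads(r"""
{"type": "bundle", "id": "bundle--example", "objects": [
 {"type": "x-mitre-tactic", "id": "x-mitre-tactic--1", "name": "Execution",
  "x_mitre_shortname": "execution", "modified": "2023-03-01T00:00:00.000Z",
  "external_references": [{"source_name": "mitre-attack", "external_id": "TA0002"}]},
 {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Command and Scripting Interpreter",
  "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Windows", "Linux", "macOS"],
  "modified": "2023-03-01T00:00:00.000Z",
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
 {"type": "attack-pattern", "id": "attack-pattern--2", "name": "PowerShell",
  "x_mitre_is_subtechnique": true, "x_mitre_platforms": ["Windows"],
  "modified": "2023-04-15T00:00:00.000Z",
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
 {"type": "attack-pattern", "id": "attack-pattern--3", "name": "Windows Command Shell",
  "x_mitre_platforms": ["Windows"], "modified": "2022-10-01T00:00:00.000Z",
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.003"}]},
 {"type": "attack-pattern", "id": "attack-pattern--4", "name": "Old Technique", "revoked": true,
  "modified": "2020-01-01T00:00:00.000Z",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1999"}]},
 {"type": "course-of-action", "id": "course-of-action--1", "name": "Execution Prevention",
  "modified": "2023-03-01T00:00:00.000Z",
  "external_references": [{"source_name": "mitre-attack", "external_id": "M1038"}]},
 {"type": "intrusion-set", "id": "intrusion-set--1", "name": "Example Group",
  "modified": "2023-03-01T00:00:00.000Z",
  "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
 {"type": "tool", "id": "tool--1", "name": "Example Tool", "modified": "2023-03-01T00:00:00.000Z",
  "external_references": [{"source_name": "mitre-attack", "external_id": "S9999"}]},
 {"type": "relationship", "id": "relationship--1", "relationship_type": "subtechnique-of",
  "source_ref": "attack-pattern--2", "target_ref": "attack-pattern--1"}
]}
""")


def attack_id(obj):
    """Return the ATT&CK ID (T1059, TA0002, M1038, ...) or None if the object has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def is_subtechnique(obj):
    """Prefer the x_mitre_is_subtechnique flag, but trust the ID pattern when the flag
    is absent or disagrees with it (inconsistent labeling in the dataset)."""
    by_id = bool(SUBTECHNIQUE_ID.match(attack_id(obj) or ""))
    flag = obj.get("x_mitre_is_subtechnique")
    if isinstance(flag, bool) and flag == by_id:
        return flag          # normal case: flag and ID agree
    return by_id             # flag missing or contradicting the ID


def to_record(obj):
    """Flatten a STIX object into a record; the field names are this example's choice."""
    aid = attack_id(obj)
    record = {
        "id": aid, "name": obj.get("name"), "stix_id": obj["id"],
        "modified": obj.get("modified"), "platforms": obj.get("x_mitre_platforms", []),
        "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                    if p.get("kill_chain_name") == "mitre-attack"],
    }
    if obj["type"] == "attack-pattern":
        record["is_subtechnique"] = is_subtechnique(obj)
        record["parent_id"] = aid.split(".")[0] if record["is_subtechnique"] else None
    return record


def select_modules(bundle, modules, last_modified=None, force=False):
    """Return {module: [records]}. Unless force is set, objects not modified after
    last_modified (ISO-8601 string, lexicographically comparable) are skipped."""
    unknown = set(modules) - STIX_TYPES.keys()
    if unknown:
        raise ValueError(f"unknown modules: {sorted(unknown)}")
    out = {m: [] for m in modules}
    for obj in bundle.get("objects", []):
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue                                  # retired entries are not ingested
        if attack_id(obj) is None:
            continue                                  # relationships, markings, etc.
        if not force and last_modified and obj.get("modified", "") <= last_modified:
            continue                                  # unchanged since the last run
        for module in modules:
            if obj["type"] not in STIX_TYPES[module]:
                continue
            if obj["type"] == "attack-pattern" and (module == "Subtechniques") != is_subtechnique(obj):
                continue                              # keep techniques and subtechniques apart
            out[module].append(to_record(obj))
    return out


if __name__ == "__main__":
    for module, records in select_modules(SAMPLE_BUNDLE, list(STIX_TYPES)).items():
        print(module, [r["id"] for r in records])
```

Running the block stand-alone prints one line per module. Note that T1059.003 lands in Subtechniques despite carrying no flag, that the revoked T1999 never appears, and that passing last_modified without force drops everything older than that timestamp, which is the behaviour a Force Ingestion checkbox exists to override when a mapping change requires a full re-pull.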

operation: Get MITRE Sample Data

Input parameters

None.

Output

No output schema is available at this time.

Included playbooks

The Sample - MITRE ATT&CK - 2.0.2 playbook collection comes bundled with the MITRE ATT&CK connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the MITRE ATT&CK connector.

  • MITRE ATT&CK > Create
  • MITRE ATT&CK > Fetch
  • MITRE ATT&CK > Fetch Latest Data
  • MITRE ATT&CK > Ingest

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling MITRE ATT&CK content. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map MITRE ATT&CK content to related FortiSOAR™ modules.

The Data Ingestion Wizard enables you to configure scheduled pulling of data from the MITRE ATT&CK Framework into FortiSOAR™. It also lets you pull some sample data from the MITRE ATT&CK Framework, using which you can define the mapping of data between MITRE ATT&CK and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; you usually only need to map any custom fields that are added to MITRE ATT&CK content.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the MITRE ATT&CK connector's Configurations page.
    Click Let's start by fetching some data, to open the Fetch Sample Data screen.

    Sample data is required to create a field mapping between the MITRE ATT&CK data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch MITRE ATT&CK data.
    From the Matrices selection, select the type of MITRE ATT&CK techniques matrices data that you want to pull in the form of records to the "MITRE ATT&CK Techniques" module in FortiSOAR. You can select one or more of the following options: Enterprise, Mobile, or ICS.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of the ingested MITRE ATT&CK data to the fields of related modules such as Groups present in FortiSOAR™.
    To map a field, click the key in the sample data to add the jinja value of the field. For example, to map the name parameter of the ingested MITRE ATT&CK data to the Name parameter of a FortiSOAR™ group record, click the Name field and then click the name key in the sample data to populate it.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to MITRE ATT&CK Framework, so that the content gets pulled from the MITRE ATT&CK integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull MITRE ATT&CK content on the 1st day of every month at 5 am, click Monthly, then in the hour field enter 5, and in the minute field enter 0. With this configuration, content from MITRE ATT&CK will be pulled on the first day of every month at 5 am.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
