Mitre ATT&CK
Integration version: 15.0
Configure Mitre ATT&CK integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| Api Root | String | https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json | Yes | Address of the Mitre ATT&CK instance. |
| Verify SSL | Checkbox | Checked | No | Use this checkbox, if your Mitre ATT&CK connection requires an SSL verification. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Get Associated Intrusions
Description
Retrieves information about intrusions that are associated with MITRE attack technique.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Technique ID | String | N/A | Yes | Specifies the identifier that will be used to find the associated intrusions. |
| Identifier Type | DDL | Attack ID Optional Values: Attack Name, Attack ID, External Attack ID |
Yes | Specify what identifier type to use. Possible values: Attack Name (Example: Access Token Manipulation) Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790) External Attack ID (Example: T1050) |
| Max Intrusions to Return | String | 20 | No | Specify how many intrusions to return. |
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description":"[APT32](https://attack.mitre.org/groups/G0050) is a threat group that has been active since at least 2014. The group ...",
"created":"2017-12-14T16:46:06.044Z",
"x_mitre_contributors":["Romain Dumont, ESET"],
"modified":"2019-07-17T13:11:37.402Z",
"name":"APT32",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"x_mitre_version":"2.0",
"aliases":["APT32","SeaLotus","OceanLotus","APT-C-00"],
"type":"intrusion-set",
"id":"intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"external_references":
[
{
"url":"https://attack.mitre.org/groups/G0050",
"source_name":"mitre-attack",
"external_id":"G0050"
},{
"source_name":"APT32",
"description":"(Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)"
}]},{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name":"BRONZE BUTLER",
"created":"2018-01-16T16:13:52.465Z",
"description":"[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with...",
"modified":"2019-03-22T19:57:36.804Z",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"external_references": [
{
"url":"https://attack.mitre.org/groups/G0060",
"source_name":"mitre-attack",
"external_id":"G0060"
},{
"source_name":"BRONZE BUTLER",
"description":"(Citation: Trend Micro Daserf Nov 2017)"
}],
"x_mitre_version":"1.0",
"type":"intrusion-set",
"id":"intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"aliases":["BRONZE BUTLER","REDBALDKNIGHT","Tick"]
},{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name":"CopyKittens",
"created":"2018-01-16T16:13:52.465Z",
"description":"[CopyKittens](https://attack.mitre.org/groups/G0052) is a cyber espionage group that has been ...",
"modified":"2019-05-03T16:42:19.026Z",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"external_references":
[{
"url":"https://attack.mitre.org/groups/G0052",
"source_name":"mitre-attack",
"external_id":"G0052"
},{
"source_name":"CopyKittens",
"description":"(Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)"
},],
"x_mitre_version":"1.1",
"type":"intrusion-set",
"id":"intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
"aliases":["CopyKittens"]
}
]
Get Mitigations
Description
Retrieves information about mitigations that are associated with MITRE attack technique.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Technique ID | String | N/A | Yes | Specifies the identifier that will be used to find the mitigations related to attack technique. |
| Identifier Type | DDL | Attack ID Optional Values: Attack Name, Attack ID, External Attack ID |
Yes | Specify what identifier type to use. Possible values: Attack Name (Example: Access Token Manipulation) Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790) External Attack ID (Example: T1050) |
| Max Intrusions to Return | String | 20 | No | Specify how many intrusions to return. |
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description":"Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"created":"2018-10-17T00:14:20.652Z",
"x_mitre_deprecated":true,
"modified":"2019-07-24T14:26:14.411Z",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"external_references":
[{
"url":"https://attack.mitre.org/mitigations/T1022",
"source_name":"mitre-attack",
"external_id":"T1022"
},{
"url":"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"source_name":"Beechey 2010",
"description":"Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014."
},{
"url":"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"source_name":"Windows Commands JPCERT",
"description":"Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016."
},{
"url":"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"source_name":"NSA MS AppLocker",
"description":"NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016."
},{
"url":"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"source_name":"Corio 2008",
"description":"Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014."
},{
"url":"https://technet.microsoft.com/en-us/library/ee791851.aspx",
"source_name":"TechNet Applocker vs SRP",
"description":"Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
}],
"x_mitre_version":"1.0",
"type":"course-of-action",
"id":"course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
"name":"Data Encrypted Mitigation"
}
]
Get Technique Details
Description
Retrieves detailed information about MITRE attack technique.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Technique Identifier | String | N/A | Yes | Specify the comma-separated list of identifiers that will be used to find the detailed information about techniques. Example: identifier_1,identifier_2 |
| Identifier Type | DDL | Attack ID Optional Values: Attack Name, Attack ID, External Attack ID |
Yes | Specify what identifier type to use. Possible values: Attack Name (Example: Access Token Manipulation) Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790) External Attack ID (Example: T1050) |
| Create Insights | Checkbox | Unchecked | No | If enabled, action will create a separate insight for every processed technique. |
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references":
[{
"url":"https://attack.mitre.org/techniques/T1022",
"external_id":"T1022",
"source_name":"mitre-attack"
},{
"url":"http://www.netsec.colostate.edu/~zhang/DetectingEncryptedBotnetTraffic.pdf",
"source_name":"Zhang 2013",
"description":"Zhang, H., Papadopoulos, C., & Massey, D. (2013, April). Detecting encrypted botnet traffic. Retrieved August 19, 2015."
},{
"url":"https://en.wikipedia.org/wiki/List_of_file_signatures",
"source_name":"Wikipedia File Header Signatures",
"description":"Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016."
}],
"created":"2017-05-31T21:30:30.26Z",
"x_mitre_platforms":["Linux","macOS","Windows"],
"type":"attack-pattern",
"description":"Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\\n\\nOther exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)",
"kill_chain_phases":
[{
"phase_name":"exfiltration",
"kill_chain_name":"mitre-attack"
}],
"modified":"2018-10-17T00:14:20.652Z",
"id":"attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"x_mitre_network_requirements":false,
"x_mitre_version":"1.0",
"x_mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Binary file metadata"],
"x_mitre_detection":"Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. \\n\\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. \\n\\nNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)",
"name":"Data Encrypted"
}
Get Techniques Details
Description
Retrieve detailed information about MITRE attack techniques.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Technique Identifier | String | N/A | Yes | Specify the comma-separated list of identifiers that will be used to find the detailed information about techniques. Example: identifier_1,identifier_2 |
| Identifier Type | DDL | Attack ID Optional Values: Attack Name, Attack ID, External Attack ID |
Yes | Specify what identifier type to use. Possible values: Attack Name (Example: Access Token Manipulation) Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790) External Attack ID (Example: T1050) |
| Create Insights | Checkbox | Unchecked | No | If enabled, action will create a separate insight for every processed technique. |
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[{
"Entity": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0",
"EntityResult": {
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references":[{
"url":"https://attack.mitre.org/techniques/T1022",
"external_id":"T1022",
"source_name":"mitre-attack"
},{
"url":"http://www.netsec.colostate.edu/~zhang/DetectingEncryptedBotnetTraffic.pdf",
"source_name":"Zhang 2013",
"description":"Zhang, H., Papadopoulos, C., & Massey, D. (2013, April). Detecting encrypted botnet traffic. Retrieved August 19, 2015."
},{
"url":"https://en.wikipedia.org/wiki/List_of_file_signatures","source_name":"Wikipedia File Header Signatures",
"description":"Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016."
}],
"created":"2017-05-31T21:30:30.26Z",
"x_mitre_platforms":["Linux","macOS","Windows"],
"type":"attack-pattern",
"description":"Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.nnOther exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)",
"kill_chain_phases":[{
"phase_name":"exfiltration",
"kill_chain_name":"mitre-attack"
}],
"modified":"2018-10-17T00:14:20.652Z",
"id":"attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"x_mitre_network_requirements":false,
"x_mitre_version":"1.0",
"x_mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Binary file metadata"],
"x_mitre_detection":"Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. nnA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. nnNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)",
"name":"Data Encrypted"
}
}]
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | If at least one identifier was processed: print "Retrieved detailed information about the following techniques: {0}\n".format(new line separated list of processed techniques) If at least one identifier was not processed: print "Action wasn't able to retrieve detailed information about the following techniques: {0}\n".format(new line separated list of unprocessed techniques) If no identifier was processed print "Action wasn't able to find the provided techniques." |
General |
Get Techniques Mitigations
Description
Retrieve information about mitigations that are associated with MITRE attack techniques.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Technique ID | String | N/A | Yes | Specify the identifier that will be used to find the mitigations related to attack technique. Comma-separated values. |
| Attack ID | DDL | Attack ID Optional Values: Attack Name, Attack ID, External Attack ID |
Yes | Specify what identifier type to use. Possible values: Attack Name (Example: Access Token Manipulation) Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790) External Attack ID (Example: T1050) |
| Max Mitigations to Return | String | 20 | No | Specify how many mitigations to return. |
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[{
"Entity": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0",
"EntityResult": {
"mitigations": [{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description":"Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"created":"2018-10-17T00:14:20.652Z",
"x_mitre_deprecated":true,
"modified":"2019-07-24T14:26:14.411Z",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"external_references":[{"url":"https://attack.mitre.org/mitigations/T1022",
"source_name":"mitre-attack",
"external_id":"T1022"
},{
"url":"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"source_name":"Beechey 2010",
"description":"Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014."
},{
"url":"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"source_name":"Windows Commands JPCERT",
"description":"Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016."
},{
"url":"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"source_name":"NSA MS AppLocker",
"description":"NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016."
},{
"url":"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"source_name":"Corio 2008",
"description":"Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014."
},{
"url":"https://technet.microsoft.com/en-us/library/ee791851.aspx",
"source_name":"TechNet Applocker vs SRP",
"description":"Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
}],
"x_mitre_version":"1.0",
"type":"course-of-action",
"id":"course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
"name":"Data Encrypted Mitigation"
}]
}
}]
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If "ErrorCode" in the response (is_success=false) or if no data returned (is_success=true) "Action wasn't able to find mitigations for the following techniques: <identifiers> If successful: "Successfully retrieved mitigations for the following techniques: <identifiers>" The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection, other: "Error executing action "Get Techniques Mitigations". Reason: {0}''.format(error.Stacktrace) |
General |
Ping
Description
Test Connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |