
MITRE ATT&CK

This Integration is part of the MITRE ATT&CK Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the MITRE ATT&CK Feed integration to fetch indicators from MITRE ATT&CK.

Note: When upgrading from v1 (MITRE IDs Feed) to v2 (MITRE ATT&CK), disable the MITRE IDs Feed indicator type and the MITRE IDs Feed instance first; this is important for a smooth upgrade.

Configure MITRE ATT&CK Feed in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| includeAPT | This option will also create indicators using APT / actor name references if they are part of a MITRE Intrusion Set. | False |
| feedReputation | The indicator reputation (defaults to 'None'). | False |
| feedReliability | The source's reliability. | True |
| tlp_color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp | False |
| feedExpirationPolicy | The feed's expiration policy. | False |
| feedExpirationInterval | The interval after which the feed expires. | False |
| feedFetchInterval | The feed fetch interval. | False |
| feedBypassExclusionList | Whether to bypass the exclusion list. | False |
| insecure | Whether to trust any certificate (not secure). | False |
| proxy | Whether to use the system proxy settings. | False |
| Create relationships | Create relationships between indicators as part of Enrichment. | False |

Feed timeouts:

MITRE enforces a rate limit on connections to its TAXII server. Ensure that your fetch interval is reasonable; otherwise you will receive connection errors.

Commands

You can execute these commands from the XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get Indicators


Gets the indicators from MITRE ATT&CK.

Note: This command does not create indicators within Cortex XSOAR.

Base Command

mitre-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return. The default value is 10. | Optional |
| raw | Enabling raw will also output the raw content of each indicator. | Optional |

Context Output

The context is output as:

  • MITRE (dict)
    • ATT&CK (list)

Each item in the "ATT&CK" list contains the following keys:

  • fields (the fields the feed attempts to map onto the created indicator)
  • rawJSON (the raw JSON of the indicator)
  • score (the indicator score)
  • type (the type of indicator; always "MITRE ATT&CK")
  • value (the indicator value, for example "T1134")
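As an added example (not part of the integration's own code), a Python helper an automation could run over the MITRE.ATT&CK context described above to validate each item and index it by technique ID, rejecting malformed entries. The sample context is constructed, and the custom field name mitrename is a hypothetical assumption.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample of the MITRE.ATT&CK context that !mitre-get-indicators returns; it is
# not captured from a live Cortex XSOAR instance. "mitrename" is a hypothetical custom
# field name, chosen because the page only says these fields begin with "mitre".
SAMPLE_CONTEXT: Dict[str, Any] = {"MITRE": {"ATT&CK": [
    {"value": "T1531", "type": "MITRE ATT&CK", "score": 0,
     "fields": {"mitrename": "Account Access Removal"}, "rawJSON": {"type": "attack-pattern"}},
    {"value": "T1134.001", "type": "MITRE ATT&CK", "score": 0,
     "fields": {"mitrename": "Token Impersonation/Theft"}, "rawJSON": {"type": "attack-pattern"}},
    # Deliberately malformed entry: wrong indicator type, bad value, non-mitre custom field.
    {"value": "not-a-technique", "type": "Custom", "score": 0,
     "fields": {"color": "red"}, "rawJSON": {}},
]}}

# Enterprise technique IDs look like T1134; sub-techniques add a three-digit suffix (T1134.001).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
REQUIRED_KEYS = ("fields", "rawJSON", "score", "type", "value")


def attack_indicators(context: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the MITRE.ATT&CK list, or [] when the command produced no context."""
    return context.get("MITRE", {}).get("ATT&CK") or []


def validate_indicator(item: Dict[str, Any]) -> List[str]:
    """List every problem with one context item; an empty list means it is well formed."""
    problems = [f"missing key {k}" for k in REQUIRED_KEYS if k not in item]
    if item.get("type") != "MITRE ATT&CK":
        problems.append(f"unexpected type {item.get('type')!r}")
    if not TECHNIQUE_ID.match(str(item.get("value", ""))):
        problems.append(f"value {item.get('value')!r} is not an ATT&CK technique ID")
    problems += [f"field {k!r} lacks the mitre prefix"
                 for k in item.get("fields", {}) if not k.startswith("mitre")]
    return problems


def index_by_technique(context: Dict[str, Any]) -> Tuple[Dict[str, Dict[str, Any]], Dict[str, List[str]]]:
    """Map technique ID -> item for well-formed entries; collect the rest with their problems."""
    index: Dict[str, Dict[str, Any]] = {}
    rejected: Dict[str, List[str]] = {}
    for item in attack_indicators(context):
        problems = validate_indicator(item)
        if problems:
            rejected[str(item.get("value", "<no value>"))] = problems
        else:
            index[item["value"]] = item
    return index, rejected
```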
Command Example

!mitre-get-indicators limit=2

Human Readable Output

MITRE ATT&CK Indicators:

| Value | Score | Type |
| --- | --- | --- |
| T1531 | 0 | MITRE ATT&CK |
| T1506 | 0 | MITRE ATT&CK |

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | Indicator to look up. | Required |
Context Output

The context is output as:

  • DBotScore
  • MITRE (dict)
    • ATT&CK (list)

Each item in the "ATT&CK" list contains the customFields that are mapped into the indicator (each beginning with 'mitre').

MITRE Show Feeds


Displays the available feeds from the MITRE TAXII service.

Base Command

mitre-show-feeds

Input

There are no inputs.

Context Output

There is no context output.

Command Example

!mitre-show-feeds

Human Readable Output

MITRE ATT&CK Feeds:

| Name | ID |
| --- | --- |
| Enterprise ATT&CK | 95ecc380-afe9-11e4-9b6c-751b66dd541e |
| PRE-ATT&CK | 062767bd-02d2-4b72-84ba-56caef0f8658 |
| Mobile ATT&CK | 2f669986-b40b-4423-b720-4396ca6a462b |

MITRE Get Indicator Name


Gets the Attack Pattern value from the Attack Pattern ID in the Enterprise collection only.

Base Command

mitre-get-indicator-name

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| attack_ids | The list of Attack Pattern IDs. | True |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MITREATTACK.id | String | MITRE ATTACK Attack Pattern ID. |
| MITREATTACK.value | String | MITRE ATTACK Attack Pattern value. |

Command Example

!mitre-get-indicator-name attack_ids=T1111

Human Readable Output

MITRE ATTACK Attack Pattern values:

| Attack ID | Attack Value |
| --- | --- |
| T1111 | Some Attack Value |

attack-pattern


Looks up the reputation of the indicator in the Enterprise collection only.

Base Command

attack-pattern

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| attack_pattern | Indicator to look up. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| AttackPattern.STIXID | string | The STIX ID of the Attack Pattern. |
| AttackPattern.KillChainPhases | string | The kill chain phases of the Attack Pattern. |
| AttackPattern.FirstSeenBySource | string | The first-seen-by-source date of the Attack Pattern. |
| AttackPattern.Description | string | The description of the Attack Pattern. |
| AttackPattern.OperatingSystemRefs | string | The operating system references of the Attack Pattern. |
| AttackPattern.Publications | string | The publications of the Attack Pattern. |
| AttackPattern.MITREID | string | The MITRE ID of the Attack Pattern. |
| AttackPattern.Tags | string | The tags of the Attack Pattern. |

Command Example

Human Readable Output