MITRE ATT&CK (PyAttck)
## Swimlane PyAttck Connector

The MITRE ATT&CK (PyAttck) connector provides access to an extensive database of adversary tactics and techniques, enabling enhanced threat analysis and strategic defense planning.

The MITRE ATT&CK (PyAttck) connector provides a direct link to the comprehensive MITRE ATT&CK framework, enabling users to retrieve detailed information on threat actors, techniques, tools, and mitigations. By integrating with Swimlane Turbine, security professionals can enrich their automation playbooks with actionable intelligence, enhancing threat hunting and incident response capabilities. This connector streamlines access to ATT&CK data, allowing for more informed decision-making and an improved security posture.

pyattck is a lightweight Python package to retrieve actors, malware, mitigations, tactics, techniques and tools from the MITRE ATT&CK frameworks. With pyattck you can access data from the Enterprise, Mobile, and PRE-ATT&CK MITRE ATT&CK frameworks. Additionally, you have access to external data that provides richer context, such as the ability to retrieve potential commands, queries, and detections for techniques. Actors and tools also have additional contextual data available. This connector pulls information from Swimlane's open source project, pyattck.

## Prerequisites

To utilize the MITRE ATT&CK (PyAttck) connector within Swimlane, ensure you have the following custom configuration for accessing MITRE ATT&CK data:

- No additional parameters required.

## Capabilities

Each task in this connector allows you to retrieve all named objects (e.g. actors, malwares, etc.) as well as filter based on property values of related object types. Additionally, you can select which MITRE ATT&CK framework to pull data from (the default is Enterprise).

This connector provides the following tasks:

- Get Actors
- Get Controls
- Get Malwares
- Get Mitigations
- Get Tactics
- Get Techniques
- Get Tools
- Get Data

## Notes

- https://attack.mitre.org/
- https://github.com/swimlane/pyattck
- https://pyattck.readthedocs.io/en/latest/

## Configurations

### MITRE ATT&CK (PyAttck) Authentication

Retrieve information about MITRE ATT&CK via Swimlane's open source project pyattck.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| nested subtechniques | Whether or not to nest subtechniques. Defaults to false. | boolean | optional |
| enterprise attck json | The location of the Enterprise ATT&CK JSON. | string | optional |
| pre attck json | The location of the PRE-ATT&CK JSON. | string | optional |
| mobile attck json | The location of the Mobile ATT&CK JSON. | string | optional |
| ics attck json | The location of the ICS ATT&CK JSON. | string | optional |
| nist controls json | The location of the NIST 800-53 controls JSON. | string | optional |
| generated attck json | The location of the generated contextual ATT&CK JSON. | string | optional |
| generated nist json | The location of the generated NIST JSON. | string | optional |
| verify ssl | Verify SSL certificate. | boolean | optional |
| http proxy | A proxy to route requests through. | string | optional |

## Actions

### Get Actors

Retrieve a list of threat actors from the MITRE ATT&CK framework using the PyAttck connector.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attack framework | string | optional | Parameter for Get Actors |
| match malware | string | optional | Parameter for Get Actors |
| match malware name | string | optional | Name of the resource |
| match malware id | string | optional | Unique identifier |
| match technique | string | optional | Parameter for Get Actors |
| match technique name | string | optional | Name of the resource |
| match technique id | string | optional | Unique identifier |
| match tool | string | optional | Parameter for Get Actors |
| match tool name | string | optional | Name of the resource |
| match tool id | string | optional | Unique identifier |

Input example:

```json
{
  "attack framework": "enterprise",
  "match malware": "AutoIt backdoor",
  "match malware name": "4H RAT",
  "match malware id": "S0331",
  "match technique": "Stored Data Manipulation",
  "match technique name": "System Shutdown/Reboot",
  "match technique id": "T1059",
  "match tool": "PsExec",
  "match tool name": "PsExec",
  "match tool id": "S0190"
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status code": 200, "response headers": {}, "reason": "OK", "json body": {}}
```

### Get Controls

Provides detailed information on compliance controls associated with MITRE ATT&CK framework techniques.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| match technique | string | optional | Parameter for Get Controls |
| match technique name | string | optional | Name of the resource |
| match technique id | string | optional | Unique identifier |

Input example:

```json
{
  "match technique": "Stored Data Manipulation",
  "match technique name": "System Shutdown/Reboot",
  "match technique id": "T1059"
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status code": 200, "response headers": {}, "reason": "OK", "json body": {}}
```

### Get Data

Obtain all or targeted data from the MITRE ATT&CK dataset using the PyAttck connector.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| type | string | optional | Type of the resource |
| attack framework | string | optional | Parameter for Get Data |

Input example:

```json
{"type": "all", "attack framework": "enterprise"}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status code": 200, "response headers": {}, "reason": "OK", "json body": {}}
```

### Get Formatted Tactic and Technique String

Generates a formatted string of a MITRE ATT&CK tactic and technique for use in Swimlane widgets. A technique ID is required.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| technique id | string | required | Unique identifier |
| attack framework | string | optional | Parameter for Get Formatted Tactic and Technique String |
| tactic id | string | optional | Unique identifier |

Input example:

```json
{"technique id": "T1059.002", "attack framework": "enterprise", "tactic id": 123}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status code": 200, "response headers": {}, "reason": "OK", "json body": {}}
```

### Get Malwares

Retrieve malware objects from the MITRE ATT&CK framework using the PyAttck connector.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attack framework | string | optional | Parameter for Get Malwares |
| match actor | string | optional | Parameter for Get Malwares |
| match actor name | string | optional | Name of the resource |
| match actor id | string | optional | Unique identifier |
| match technique | string | optional | Parameter for Get Malwares |
| match technique name | string | optional | Name of the resource |
| match technique id | string | optional | Unique identifier |

Input example:

```json
{
  "attack framework": "enterprise",
  "match actor": "APT1",
  "match actor name": "APT33",
  "match actor id": "G0005",
  "match technique": "Stored Data Manipulation",
  "match technique name": "System Shutdown/Reboot",
  "match technique id": "T1059"
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status code": 200, "response headers": {}, "reason": "OK", "json body": {}}
```

### Get Mitigations

Obtain a list of mitigation strategies and techniques from the MITRE ATT&CK framework.

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attack framework | string | optional | Provide `enterprise` or `mobile` to retrieve data from those ATT&CK frameworks. The default is `enterprise`. |
| match technique | string | optional | Provide a property value for a given technique and return mitigations for that technique. |
| match technique name | string | optional | Provide the name of a technique and return mitigations for that technique. |
| match technique id | string | optional | Provide the MITRE ATT&CK ID of a technique and return mitigations for that technique. |

Input example:

```json
{
  "attack framework": "enterprise",
  "match technique": "Stored Data Manipulation",
  "match technique name": "System Shutdown/Reboot",
  "match technique id": "T1059"
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| mitigations | object | Output field mitigations |
| mitigations.mitigations names | array | Name of the resource |
| mitigations.mitigations ids | array | Unique identifier |
| mitigations.mitigations descriptions | array | Output field mitigations descriptions |

Output example (truncated):

```json
{
  "mitigations": {
    "mitigations names": ["User Training", "Limit Software Installation", "Software Configuration"],
    "mitigations ids": ["M1015", "M1042", "M1055"],
    "mitigations descriptions": [
      "Prevent modification of environment variables by unauthorized users and groups.",
      "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
      "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software
```

### Get Tactics

Obtain a list of tactic objects from the MITRE ATT&CK framework using the PyAttck connector.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attack framework | string | optional | Parameter for Get Tactics |
| match technique | string | optional | Parameter for Get Tactics |
| match technique name | string | optional | Name of the resource |
| match technique id | string | optional | Unique identifier |

Input example:

```json
{
  "attack framework": "enterprise",
  "match technique": "Stored Data Manipulation",
  "match technique name": "System Shutdown/Reboot",
  "match technique id": "T1059"
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status code": 200, "response headers": {}, "reason": "OK", "json body": {}}
```

### Get Techniques

Access additional relationships and details within the MITRE ATT&CK frameworks using the Get Techniques action.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attack framework | string | optional | Parameter for Get Techniques |
| match actor | string | optional | Parameter for Get Techniques |
| match actor name | string | optional | Name of the resource |
| match actor id | string | optional | Unique identifier |
| match control | string | optional | Parameter for Get Techniques |
| match control name | string | optional | Name of the resource |
| match control id | string | optional | Unique identifier |
| match mitigation | string | optional | Parameter for Get Techniques |
| match mitigation name | string | optional | Name of the resource |
| match mitigation id | string | optional | Unique identifier |
| match tactic | string | optional | Parameter for Get Techniques |
| match tactic name | string | optional | Name of the resource |
| match tactic id | string | optional | Unique identifier |

Input example:

```json
{
  "attack framework": "enterprise",
  "match actor": "APT1",
  "match actor name": "APT33",
  "match actor id": "G0005",
  "match control": "Provenance",
  "match control name": "Spam Protection",
  "match control id": "SR-5",
  "match mitigation": "M1036",
  "match mitigation name": "System Shutdown/Reboot",
  "match mitigation id": "M1040",
  "match tactic": "Account Discovery",
  "match tactic name": "System Shutdown/Reboot",
  "match tactic id": "TA0003"
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status code": 200, "response headers": {}, "reason": "OK", "json body": {}}
```

### Get Tools

Obtain tool objects from MITRE ATT&CK, which may include various attributes and relationships relevant to the tools.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| attack framework | string | optional | Parameter for Get Tools |
| match actor | string | optional | Parameter for Get Tools |
| match actor name | string | optional | Name of the resource |
| match actor id | string | optional | Unique identifier |
| match technique | string | optional | Parameter for Get Tools |
| match technique name | string | optional | Name of the resource |
| match technique id | string | optional | Unique identifier |

Input example:

```json
{
  "attack framework": "enterprise",
  "match actor": "APT1",
  "match actor name": "APT33",
  "match actor id": "G0005",
  "match technique": "Stored Data Manipulation",
  "match technique name": "System Shutdown/Reboot",
  "match technique id": "T1059"
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status code": 200, "response headers": {}, "reason": "OK", "json body": {}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
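The Get Mitigations task above takes a technique's ATT&CK ID or name and returns the names, IDs and descriptions of the mitigations related to it. The following is an added example, not code from the connector or from pyattck, showing how that lookup works underneath: it walks a STIX 2 bundle in the shape of the MITRE CTI `enterprise-attack.json` export (assumed here to be what the `enterprise attck json` configuration parameter points at), matches the technique, follows the `mitigates` relationships, and returns a dict keyed like the task output. The bundle embedded below is constructed sample data; its IDs, names and descriptions are illustrative only. It also covers an edge case the task description does not mention: revoked or deprecated objects remain in the export and are skipped here.

```python
"""Resolve the mitigations for a technique from an ATT&CK STIX bundle.

Added example, not pyattck's or Swimlane's code. The bundle below is a
constructed, minimal stand-in for the MITRE CTI enterprise-attack.json
file; its IDs and descriptions are illustrative only.
"""
from typing import Optional

SAMPLE_BUNDLE = {  # constructed sample data
    "type": "bundle",
    "objects": [
        # techniques are "attack-pattern" objects
        {"type": "attack-pattern", "id": "attack-pattern--t1059",
         "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1529",
         "name": "System Shutdown/Reboot",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1529"}]},
        # mitigations are "course-of-action" objects; one is revoked and must be ignored
        {"type": "course-of-action", "id": "course-of-action--m1017",
         "name": "User Training",
         "description": "Train users on the risks of running unexpected scripts (constructed text).",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1017"}]},
        {"type": "course-of-action", "id": "course-of-action--m1033",
         "name": "Limit Software Installation",
         "description": "Restrict interpreters to the users who need them (constructed text).",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1033"}]},
        {"type": "course-of-action", "id": "course-of-action--m1054",
         "name": "Software Configuration",
         "description": "Require authentication for remote shutdown (constructed text).",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1054"}]},
        {"type": "course-of-action", "id": "course-of-action--old", "revoked": True,
         "name": "Retired Mitigation",
         "description": "Superseded; kept in the bundle for history (constructed text).",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M0001"}]},
        # relationships: mitigation --mitigates--> technique
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1017", "target_ref": "attack-pattern--t1059"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1033", "target_ref": "attack-pattern--t1059"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--old", "target_ref": "attack-pattern--t1059"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1054", "target_ref": "attack-pattern--t1529"},
    ],
}


def attack_id(obj: dict) -> Optional[str]:
    """Return the ATT&CK external ID (T1059, M1017, ...) of a STIX object, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_active(obj: dict) -> bool:
    """Revoked or deprecated objects stay in the export; callers should skip them."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def get_mitigations(bundle: dict, match_technique_id: Optional[str] = None,
                    match_technique_name: Optional[str] = None) -> dict:
    """Mitigations for the matching technique(s), shaped like the task output.

    With no filter every active mitigation in the bundle is returned. The ID
    match is case-insensitive; the name match is exact apart from case.
    """
    objects = bundle["objects"]
    by_stix_id = {o["id"]: o for o in objects if "id" in o}

    if match_technique_id is None and match_technique_name is None:
        selected = [o for o in objects if o["type"] == "course-of-action"]
    else:
        wanted_id = match_technique_id.upper() if match_technique_id else None
        wanted_name = match_technique_name.lower() if match_technique_name else None
        technique_refs = {
            o["id"] for o in objects
            if o["type"] == "attack-pattern" and is_active(o)
            and (wanted_id is None or attack_id(o) == wanted_id)
            and (wanted_name is None or o["name"].lower() == wanted_name)
        }
        # follow only active "mitigates" edges that point at a matched technique
        selected = [
            by_stix_id[r["source_ref"]] for r in objects
            if r["type"] == "relationship" and r.get("relationship_type") == "mitigates"
            and is_active(r) and r["target_ref"] in technique_refs
            and r["source_ref"] in by_stix_id
        ]

    # drop revoked entries and duplicates, then order by ATT&CK ID for stable output
    unique = {o["id"]: o for o in selected if is_active(o)}
    ordered = sorted(unique.values(), key=lambda o: attack_id(o) or "")
    return {
        "mitigations names": [o["name"] for o in ordered],
        "mitigations ids": [attack_id(o) for o in ordered],
        "mitigations descriptions": [o.get("description", "") for o in ordered],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(get_mitigations(SAMPLE_BUNDLE, match_technique_id="t1059"), indent=2))
```

To run the same lookup against the real export, replace `SAMPLE_BUNDLE` with `json.load(open("enterprise-attack.json"))`; the object types, `external_references` and `mitigates` relationships used here are the ones that file carries. Sorting by ATT&CK ID gives a playbook a stable result to diff between runs, and skipping revoked objects keeps retired mitigations out of generated recommendations.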