MITRE ATT&CK (PyAttck)
## Swimlane PyAttck Connector

The MITRE ATT&CK (PyAttck) connector enables automated interaction with the MITRE ATT&CK framework using the pyattck library. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The PyAttck connector allows Swimlane Turbine users to integrate this intelligence into their security automation workflows. With this integration, users can enhance their threat detection and response capabilities, automate the retrieval of threat actor, malware, and technique data, and generate formatted intelligence for use in security operations. This helps security teams make informed decisions and respond swiftly to threats, improving overall security posture.

pyattck is a lightweight Python package to retrieve actors, malware, mitigations, tactics, techniques and tools from the MITRE ATT&CK frameworks. With pyattck you can access data from the Enterprise, Mobile, and PRE-ATT&CK MITRE ATT&CK frameworks. Additionally, you have access to external data that provides richer context, such as the ability to retrieve potential commands, queries, and detections for techniques. Actors and tools also have additional contextual data available. This connector pulls information from Swimlane's open source project, pyattck.

## Prerequisites

Before you can use the MITRE ATT&CK (PyAttck) connector for Turbine, ensure the following prerequisites are met:

- Access to the MITRE ATT&CK framework via the pyattck library. No additional parameters are required for this integration.

## Capabilities

Each task in this connector allows you to retrieve all named objects (e.g. actors, malwares, etc.) as well as filter based on property values of related object types. Additionally, you can select which MITRE ATT&CK framework to pull data from (default is Enterprise).

This connector provides the following tasks:

- Get Actors
- Get Controls
- Get Malwares
- Get Mitigations
- Get Tactics
- Get Techniques
- Get Tools
- Get Data

## Notes

- MITRE ATT&CK: https://attack.mitre.org/
- pyattck source code: https://github.com/swimlane/pyattck
- pyattck docs: https://pyattck.readthedocs.io/en/latest/

## Configurations

### MITRE ATT&CK (PyAttck) Authentication

Retrieve information about MITRE ATT&CK via Swimlane's open source project pyattck.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| Nested Subtechniques | Whether or not to nest subtechniques. Defaults to false. | boolean | optional |
| Enterprise ATT&CK JSON | The location of the Enterprise ATT&CK JSON | string | optional |
| PRE-ATT&CK JSON | The location of the PRE-ATT&CK JSON | string | optional |
| Mobile ATT&CK JSON | The location of the Mobile ATT&CK JSON | string | optional |
| ICS ATT&CK JSON | The location of the ICS ATT&CK JSON | string | optional |
| NIST Controls JSON | The location of the NIST 800-53 controls JSON | string | optional |
| Generated ATT&CK JSON | The location of the generated contextual ATT&CK JSON | string | optional |
| Generated NIST JSON | The location of the generated NIST JSON | string | optional |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Get Actors

Retrieve a list of threat actors from the MITRE ATT&CK framework using the PyAttck connector.

Endpoint method: GET

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Attack Framework | string | optional | Parameter for Get Actors |
| Match Malware | string | optional | Parameter for Get Actors |
| Match Malware Name | string | optional | Name of the resource |
| Match Malware ID | string | optional | Unique identifier |
| Match Technique | string | optional | Parameter for Get Actors |
| Match Technique Name | string | optional | Name of the resource |
| Match Technique ID | string | optional | Unique identifier |
| Match Tool | string | optional | Parameter for Get Actors |
| Match Tool Name | string | optional | Name of the resource |
| Match Tool ID | string | optional | Unique identifier |

Input example:

```json
{"attack_framework": "enterprise", "match_malware": "AutoIt backdoor", "match_malware_name": "4H RAT", "match_malware_id": "S0331", "match_technique": "Stored Data Manipulation", "match_technique_name": "System Shutdown/Reboot", "match_technique_id": "T1059", "match_tool": "PsExec", "match_tool_name": "PsExec", "match_tool_id": "S0190"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| Status Code | number | HTTP status code of the response |
| Reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Controls

Provides detailed information on compliance controls associated with MITRE ATT&CK framework techniques.

Endpoint method: GET

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Match Technique | string | optional | Parameter for Get Controls |
| Match Technique Name | string | optional | Name of the resource |
| Match Technique ID | string | optional | Unique identifier |

Input example:

```json
{"match_technique": "Stored Data Manipulation", "match_technique_name": "System Shutdown/Reboot", "match_technique_id": "T1059"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| Status Code | number | HTTP status code of the response |
| Reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Data

Obtain all or specific data from the MITRE ATT&CK dataset using the PyAttck connector.

Endpoint method: GET

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Type | string | optional | Type of the resource |
| Attack Framework | string | optional | Parameter for Get Data |

Input example:

```json
{"type": "all", "attack_framework": "enterprise"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| Status Code | number | HTTP status code of the response |
| Reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Formatted String from Array

Generate a formatted string for Swimlane use cases and widgets from an array of technique names or IDs.

Endpoint method: GET

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Attack Framework | string | optional | MITRE ATT&CK domain to load (enterprise, preattack, or mobile). Determines which dataset is used to resolve techniques and tactics. |
| Techniques | array | optional | List of technique IDs (e.g. T1059, T1055.011) or exact technique display names to format. For subtechnique IDs, the parent technique is used for lookup. Each matching item yields one or more "Tactic / Technique" strings, one per tactic associated with the technique. |

Input example:

```json
{"attack_framework": "enterprise", "techniques": ["T1055.011"]}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| Status Code | number | HTTP status code of the response |
| Reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"formatted_results": ["Privilege Escalation / Process Injection", "Defense Evasion / Process Injection", "Defense Evasion / Debugger Evasion"]}}
```

### Get Formatted Tactic and Technique String

Generate a formatted string of MITRE ATT&CK tactic and technique for Swimlane widgets using a specified technique ID.

Endpoint method: GET

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Technique ID | string | required | Unique identifier |
| Attack Framework | string | optional | Parameter for Get Formatted Tactic and Technique String |
| Tactic ID | string | optional | Unique identifier |

Input example:

```json
{"technique_id": "T1059.002", "attack_framework": "enterprise", "tactic_id": 123}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| Status Code | number | HTTP status code of the response |
| Reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Malwares

Retrieve malware objects from the MITRE ATT&CK framework using the PyAttck connector.

Endpoint method: GET

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Attack Framework | string | optional | Parameter for Get Malwares |
| Match Actor | string | optional | Parameter for Get Malwares |
| Match Actor Name | string | optional | Name of the resource |
| Match Actor ID | string | optional | Unique identifier |
| Match Technique | string | optional | Parameter for Get Malwares |
| Match Technique Name | string | optional | Name of the resource |
| Match Technique ID | string | optional | Unique identifier |

Input example:

```json
{"attack_framework": "enterprise", "match_actor": "APT1", "match_actor_name": "APT33", "match_actor_id": "G0005", "match_technique": "Stored Data Manipulation", "match_technique_name": "System Shutdown/Reboot", "match_technique_id": "T1059"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| Status Code | number | HTTP status code of the response |
| Reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Mitigations

Obtain a list of mitigation strategies and techniques from the MITRE ATT&CK framework.

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Attack Framework | string | optional | Provide enterprise or mobile to retrieve data from those ATT&CK frameworks. Default is enterprise. |
| Match Technique | string | optional | Provide a property value for a given technique and return mitigations for that technique |
| Match Technique Name | string | optional | Provide the name of a technique and return mitigations for that technique |
| Match Technique ID | string | optional | Provide the MITRE ATT&CK ID of a technique and return mitigations for that technique |

Input example:

```json
{"attack_framework": "enterprise", "match_technique": "Stored Data Manipulation", "match_technique_name": "System Shutdown/Reboot", "match_technique_id": "T1059"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| Mitigations | array | Output field mitigations |
| Mitigations ID | string | Unique identifier |
| Mitigations Name | string | Name of the resource |
| Mitigations Description | string | Output field mitigations description |

Output example (truncated on the source page):

```
{"mitigations": [{"id": "M1017", "name": "User Training", "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction."}, {"id": "M1032", "name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator."}, {"i
```

### Get Tactics

Obtain a list of tactic objects from the MITRE ATT&CK framework using the PyAttck connector.

Endpoint method: GET

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Attack Framework | string | optional | Parameter for Get Tactics |
| Match Technique | string | optional | Parameter for Get Tactics |
| Match Technique Name | string | optional | Name of the resource |
| Match Technique ID | string | optional | Unique identifier |

Input example:

```json
{"attack_framework": "enterprise", "match_technique": "Stored Data Manipulation", "match_technique_name": "System Shutdown/Reboot", "match_technique_id": "T1059"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| Status Code | number | HTTP status code of the response |
| Reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Techniques

Access additional relationships and details within the MITRE ATT&CK frameworks using the Get Techniques action.

Endpoint method: GET

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Attack Framework | string | optional | Parameter for Get Techniques |
| Match Actor | string | optional | Parameter for Get Techniques |
| Match Actor Name | string | optional | Name of the resource |
| Match Actor ID | string | optional | Unique identifier |
| Match Control | string | optional | Parameter for Get Techniques |
| Match Control Name | string | optional | Name of the resource |
| Match Control ID | string | optional | Unique identifier |
| Match Mitigation | string | optional | Parameter for Get Techniques |
| Match Mitigation Name | string | optional | Name of the resource |
| Match Mitigation ID | string | optional | Unique identifier |
| Match Tactic | string | optional | Parameter for Get Techniques |
| Match Tactic Name | string | optional | Name of the resource |
| Match Tactic ID | string | optional | Unique identifier |

Input example:

```json
{"attack_framework": "enterprise", "match_actor": "APT1", "match_actor_name": "APT33", "match_actor_id": "G0005", "match_control": "Provenance", "match_control_name": "Spam Protection", "match_control_id": "SR-5", "match_mitigation": "M1036", "match_mitigation_name": "System Shutdown/Reboot", "match_mitigation_id": "M1040", "match_tactic": "Account Discovery", "match_tactic_name": "System Shutdown/Reboot", "match_tactic_id": "TA0003"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| Status Code | number | HTTP status code of the response |
| Reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Tools

Obtain tool objects from MITRE ATT&CK, including attributes and relationships relevant to the tools.

Endpoint method: GET

Input:

| Argument Name | Type | Required | Description |
|---|---|---|---|
| Attack Framework | string | optional | Parameter for Get Tools |
| Match Actor | string | optional | Parameter for Get Tools |
| Match Actor Name | string | optional | Name of the resource |
| Match Actor ID | string | optional | Unique identifier |
| Match Technique | string | optional | Parameter for Get Tools |
| Match Technique Name | string | optional | Name of the resource |
| Match Technique ID | string | optional | Unique identifier |

Input example:

```json
{"attack_framework": "enterprise", "match_actor": "APT1", "match_actor_name": "APT33", "match_actor_id": "G0005", "match_technique": "Stored Data Manipulation", "match_technique_name": "System Shutdown/Reboot", "match_technique_id": "T1059"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| Status Code | number | HTTP status code of the response |
| Reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
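The resolution rule behind the Get Formatted String from Array action (technique IDs or exact display names in, one "Tactic / Technique" string per associated tactic out, with subtechnique IDs resolved through their parent) is small enough to reproduce in a few lines. The script below is an added example written for this page; it is not the connector's or pyattck's own code. To run offline it embeds a hand-constructed subset of ATT&CK Enterprise records (the IDs and names are real ATT&CK entries, but the list, the `Technique` type and the `format_techniques` function are assumptions of this example), where a real workflow would feed the same resolver from the technique data pyattck loads.

```python
"""Resolve ATT&CK technique IDs or names to "Tactic / Technique" strings.

Added example, not the connector's own code. The dataset below is a
constructed subset of ATT&CK Enterprise embedded so the script runs offline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    technique_id: str   # ATT&CK ID, e.g. "T1055" or sub-technique "T1055.011"
    name: str           # display name as shown on attack.mitre.org
    tactics: tuple      # names of the tactics this technique belongs to


# Constructed subset (hypothetical dataset for this example). In a real
# workflow these records would come from the framework pyattck loads.
ENTERPRISE = (
    Technique("T1055", "Process Injection", ("Defense Evasion", "Privilege Escalation")),
    Technique("T1055.011", "Extra Window Memory Injection", ("Defense Evasion", "Privilege Escalation")),
    Technique("T1059", "Command and Scripting Interpreter", ("Execution",)),
    Technique("T1059.002", "AppleScript", ("Execution",)),
    Technique("T1622", "Debugger Evasion", ("Defense Evasion", "Discovery")),
)

# Accepts T1234 and T1234.001 in either case; anything else is treated as a name.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$", re.IGNORECASE)


def parent_id(technique_id):
    """Normalise an ID and map a sub-technique (T1055.011) to its parent (T1055)."""
    return technique_id.strip().upper().split(".", 1)[0]


def format_techniques(items, dataset=ENTERPRISE):
    """Return (formatted, unresolved).

    formatted  : "Tactic / Technique" strings, one per tactic of each matched
                 technique, in input order with exact duplicates dropped so a
                 widget does not show the same pair twice.
    unresolved : inputs that matched neither an ID nor an exact display name,
                 returned to the caller instead of being silently lost.
    """
    by_id = {t.technique_id: t for t in dataset}
    by_name = {t.name: t for t in dataset}          # exact display-name match

    formatted, unresolved, seen = [], [], set()
    for raw in items:
        item = raw.strip()
        if TECHNIQUE_ID.match(item):
            technique = by_id.get(parent_id(item))  # parent lookup for sub-techniques
        else:
            technique = by_name.get(item)
        if technique is None:
            unresolved.append(raw)
            continue
        for tactic in technique.tactics:
            label = f"{tactic} / {technique.name}"
            if label not in seen:
                seen.add(label)
                formatted.append(label)
    return formatted, unresolved


if __name__ == "__main__":
    labels, missing = format_techniques(["T1055.011", "Debugger Evasion", "T9999"])
    for label in labels:
        print(label)
    if missing:
        print("unresolved:", missing)
```

Sub-technique names are deliberately not folded into their parent: the action's documented parent rule applies to IDs, and an exact display-name lookup of "AppleScript" would return that record's own tactics. Returning the unresolved inputs separately lets a playbook branch on them (for example, flag a typo in a case field) rather than emit an empty widget string without explanation.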