Synapse-MITRE ATT&CK Admin Guide
Configuration
Synapse-MITRE ATT&CK does not require any API keys to be configured to use.
Dependencies
Synapse-MITRE ATT&CK requires the following Power-Ups to be installed:
Name : synapse-fileparser
Version: >=4.3.0,<5.0.0
Desc : Synapse-FileParser is required in order to use the mitre.attack.scrapefile command.
Synapse-MITRE ATT&CK will conflict with the following Power-Ups:
Name : mitre-attack
Version: any
Desc : Synapse-MITRE ATT&CK conflicts with a deprecated Power-Up named "mitre-attack".
Permissions
Package (synapse-mitre-attack) defines the following permissions:
power-ups.mitre-attack.user : Controls user access to Synapse-MITRE ATT&CK. ( default: false )
You may add rules to users/roles directly from storm:
> auth.user.addrule visi power-ups.mitre-attack.user
Added rule power-ups.mitre-attack.user to user visi.
or:
> auth.role.addrule ninjas power-ups.mitre-attack.user
Added rule power-ups.mitre-attack.user to role ninjas.
Exported APIs
Synapse-MITRE ATT&CK does not currently export any APIs.
Node Actions
Synapse-MITRE ATT&CK provides the following node actions in Optic:
Name : mitre.attack.enrich
Desc : Enrich nodes using Synapse-MITRE ATT&CK
Forms: media:news, inet:web:post
Onload Events
Synapse-MITRE ATT&CK does not use any onload events.
Migrations
Migrating to v2.x.x
The updates to the deconfliction strategies used when running mitre.attack.translate can result in duplicate nodes.
Since the MITRE ID is used as the primary property for it:mitre:attack:* forms, no duplicate nodes will be created when running any of the other commands that ingest the MITRE data.
After upgrading the Cortex to the minimum version required for Synapse-MITRE ATT&CK, the following Storm query can be run to update previously translated nodes so that duplicates are not created by later runs of mitre.attack.translate.
Note that ou:campaign nodes are not impacted.
tee
{
    // ou:technique nodes translated from ATT&CK techniques: record mitre as the reporter
    ou:technique:mitre:attack:technique
    -:reporter:name [ :reporter:name=mitre ]
}
{
    // risk:mitigation nodes keyed on (mitre, <ATT&CK ID>): add the back-reference to the ATT&CK mitigation
    it:mitre:attack:mitigation $id=$node.value()
    -> {
        risk:mitigation=(mitre, $id)
        -:mitre:attack:mitigation [ :mitre:attack:mitigation=$id ]
    }
}
{
    // risk:threat nodes reported by mitre and named after the group ID: add the back-reference to the ATT&CK group
    it:mitre:attack:group $id=$node.value()
    -> {
        ou:name=$id -> risk:threat
        -:mitre:attack:group +:reporter:name=mitre [ :mitre:attack:group=$id ]
    }
}
{
    // risk:tool:software nodes reported by mitre and named after the software ID: add the back-reference to the ATT&CK software
    it:mitre:attack:software $id=$node.value()
    -> {
        it:prod:softname=$id -> risk:tool:software
        -:mitre:attack:software +:reporter:name=mitre [ :mitre:attack:software=$id ]
    }
}
It is recommended to run this in a forked view first and, if necessary, adjust any of the logic before it touches production data.
The view.exec command can then be used to run the migration in every view, walking the views in dependency order so that parent layers are migrated before the views forked from them:
for $view in $lib.view.list(deporder=$lib.true) {
    view.exec $view.iden {
        // storm query...
    }
}
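As an added check that is not part of the Power-Up's own documentation, the following Storm query counts the translated nodes the migration above would still modify. It repeats the same lifts, pivots and filters as the migration query but applies no edits, so it can be run in the forked view before the migration to see how many nodes will change, and again afterward, when it should report zero. The form and property names are the ones used by the migration query; nothing else is assumed.

```storm
// Added dry-run check (not the Power-Up's own code): count nodes the v2.x.x migration has not yet touched.
// Each branch mirrors one branch of the migration query with the edit block removed.
tee
{
    // translated techniques still missing :reporter:name
    ou:technique:mitre:attack:technique -:reporter:name
}
{
    // mitre-keyed mitigations still missing the back-reference to their ATT&CK ID
    it:mitre:attack:mitigation $id=$node.value()
    -> { risk:mitigation=(mitre, $id) -:mitre:attack:mitigation }
}
{
    // mitre-reported threats still missing :mitre:attack:group
    it:mitre:attack:group $id=$node.value()
    -> { ou:name=$id -> risk:threat -:mitre:attack:group +:reporter:name=mitre }
}
{
    // mitre-reported software tools still missing :mitre:attack:software
    it:mitre:attack:software $id=$node.value()
    -> { it:prod:softname=$id -> risk:tool:software -:mitre:attack:software +:reporter:name=mitre }
}
| count
```

The count command reports a single total across all four branches; to see which form still has unmigrated nodes, run one branch at a time with its own trailing count. A non-zero result after the migration in a given view usually means that view was forked after the migration ran in its parent, which is why the view.exec loop above walks the views in dependency order.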