Package Documentation
Storm Package: synapse-mitre-attack
The following Commands are available from this package. This documentation is generated for version 2.2.0 of the package.
Storm Commands
This package implements the following Storm Commands.
mitre.attack.enrich
Scrape fields from known forms for MITRE ATT&CK elements and link with refs light-edges.
Examples:
// Lift all `inet:web:post` nodes from a given site and scrape them for references
// to MITRE ATT&CK elements and record links.
inet:web:post:site=foobar.com | mitre.attack.enrich
// Use --yield to yield the nodes representing the MITRE ATT&CK elements which were found.
inet:web:post:site=foobar.com | mitre.attack.enrich --yield
Usage: mitre.attack.enrich [options]
Options:
--help : Display the command usage.
--yield : Yield the newly created nodes.
--debug : Show verbose debug output.
mitre.attack.scrape
Scrape text fields for references to MITRE ATT&CK elements and link with refs light-edges.
NOTE: To minimize false positives, this command will only scrape and link to existing MITRE ATT&CK nodes.
Examples:
// Lift all `media:news` nodes with a `:summary` property and scrape them for references
// to MITRE ATT&CK elements and record links.
media:news:summary | mitre.attack.scrape :summary
Usage: mitre.attack.scrape [options] <text>
Options:
--help : Display the command usage.
--yield : Yield the newly created nodes.
--debug : Show verbose debug output.
Arguments:
<text> : The text to scrape for MITRE ATT&CK elements.
mitre.attack.scrapefile
Use the synapse-fileparser to scrape text from a file and link references to MITRE ATT&CK elements.
NOTE: To minimize false positives, this command will only scrape and link to existing MITRE ATT&CK nodes.
Examples:
file:bytes#foo.bar | mitre.attack.scrapefile
Usage: mitre.attack.scrapefile [options]
Options:
--help : Display the command usage.
--yield : Yield the newly created nodes.
--debug : Show verbose debug output.
mitre.attack.sync
Download and populate MITRE ATT&CK definitions.
By default this will populate the Enterprise, Mobile, and ICS definitions. A `--url` argument
can be provided to download a definition from an alternate location. An optional `--matrix`
argument can be provided with `--url`. If `--matrix` is provided, its value is set in the
`:matrix` property of `it:mitre:attack:technique`, `it:mitre:attack:tactic`, and
`it:mitre:attack:mitigation` nodes.
Examples:
// Download and populate the ATT&CK definitions.
mitre.attack.sync
// Yield the MITRE ATT&CK nodes and translate them
// (see the mitre.attack.translate command help for additional details)
mitre.attack.sync --yield | mitre.attack.translate
Note:
The data used to populate the MITRE ATT&CK nodes is retrieved from the following URLs:
1. https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
2. https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json
3. https://raw.githubusercontent.com/mitre/cti/master/ics-attack/ics-attack.json
Usage: mitre.attack.sync [options]
Options:
--help : Display the command usage.
--url <url> : Alternative location to obtain the MITRE ATT&CK definition from.
--matrix <matrix> : Optional name of the MITRE ATT&CK matrix provided with `--url`.
--yield : Yield the newly created nodes.
mitre.attack.translate
Translate MITRE ATT&CK nodes into corresponding risk and ou nodes.
This command accepts and translates the following nodes:
it:mitre:attack:campaign -> ou:campaign
it:mitre:attack:group -> risk:threat
it:mitre:attack:mitigation -> risk:mitigation
it:mitre:attack:software -> risk:tool:software
it:mitre:attack:technique -> ou:technique
Examples:
// Translate techniques and yield ou:technique nodes
it:mitre:attack:technique | mitre.attack.translate --yield
// Translate nodes when running the sync command
mitre.attack.sync --yield | mitre.attack.translate
Usage: mitre.attack.translate [options]
Options:
--help : Display the command usage.
--yield : Yield the newly created nodes.
--debug : Show verbose debug output.
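An end-to-end Storm workflow that chains the commands documented above, added here as an example and not part of the generated package documentation; the `media:news` nodes, the `https://example.com/custom-attack.json` URL and the matrix name `custom` are assumed placeholders.

```storm
// 1. Populate the ATT&CK definitions (Enterprise, Mobile and ICS by default).
//    mitre.attack.scrape only links to ATT&CK nodes that already exist,
//    so the sync must run before any scraping produces links.
mitre.attack.sync

// 1b. Optionally load an additional definition from another location; the
//     --matrix value is written to the :matrix property of the technique,
//     tactic and mitigation nodes it creates (placeholder URL and name).
mitre.attack.sync --url https://example.com/custom-attack.json --matrix custom

// 2. Scrape every media:news summary, then walk the refs light-edges the
//    command created to reach the techniques that were referenced.
media:news:summary
| mitre.attack.scrape :summary
| -(refs)> it:mitre:attack:technique

// 3. Work backwards: starting from the techniques, list the reports that
//    reference them by walking the same edge in reverse.
it:mitre:attack:technique
| <(refs)- media:news

// 4. Translate the referenced techniques into ou:technique nodes so that
//    downstream analysis works on the generic risk/ou forms.
media:news:summary
| -(refs)> it:mitre:attack:technique
| mitre.attack.translate --yield
```

Step 1b is only needed when a definition outside the three default URLs should be loaded; the remaining steps work against the default Enterprise, Mobile and ICS data.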
Storm Modules
This package does not export any Storm APIs.