Package Documentation

Storm Package: synapse-mitre-attack

The following Commands are available from this package. This documentation is generated for version 2.4.0 of the package.

Storm Commands

This package implements the following Storm Commands.

mitre.attack.enrich

Scrape fields from known forms for MITRE ATT&CK elements and link with refs light-edges.

Examples:

  // Lift all `inet:service:message` nodes from a given platform and scrape them for references
  // to MITRE ATT&CK elements and record links.
  inet:service:message:platform::name=foobar | mitre.attack.enrich

  // Use --yield to yield the nodes representing the MITRE ATT&CK elements which were found.
  inet:service:message:platform::name=foobar | mitre.attack.enrich --yield


Usage: mitre.attack.enrich [options]

Options:

  --help                      : Display the command usage.
  --yield                     : Yield the newly created nodes.
  --debug                     : Show verbose debug output.

Inputs:

  inet:service:message        : Scrape the :text property for ATT&CK references.
  inet:web:post               : Scrape the :text property for ATT&CK references.
  media:news                  : Scrape the :summary property for ATT&CK references.

The command is accessible to users with one or more of the following permissions:

  • power-ups.mitre-attack.user

mitre.attack.scrape

Scrape text fields for references to MITRE ATT&CK elements and link with refs light-edges.

NOTE: To minimize false positives, this command will only scrape and link to existing MITRE ATT&CK nodes.

Examples:

  // Lift all `media:news` nodes with a `:summary` property and scrape them for references
  // to MITRE ATT&CK elements and record links.
  media:news:summary | mitre.attack.scrape :summary


Usage: mitre.attack.scrape [options] <text>

Options:

  --help                      : Display the command usage.
  --yield                     : Yield the newly created nodes.
  --debug                     : Show verbose debug output.

Arguments:

  <text>                      : The text to scrape for MITRE ATT&CK elements.

The command is accessible to users with one or more of the following permissions:

  • power-ups.mitre-attack.user
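The `mitre.attack.enrich` and `mitre.attack.scrape` commands above both extract ATT&CK identifiers from free text and link only to nodes that already exist. The following Python snippet is an added illustration of that pattern and is not the package's own (Storm) implementation: the identifier regex, the `KNOWN_IDS` allowlist and the sample text are constructed for the example, and the prefix-to-form mapping is an assumption about which `it:mitre:attack:*` form each ID class maps to.

```python
import re

# Regex for public ATT&CK identifier formats (constructed for this example):
# techniques T1234, sub-techniques T1234.001, tactics TA0001, groups G0016,
# software S0154, mitigations M1036, campaigns C0001. IDs are upper-case only.
ATTACK_ID_RE = re.compile(
    r"\b(?P<id>T\d{4}(?:\.\d{3})?|TA\d{4}|G\d{4}|S\d{4}|M\d{4}|C\d{4})\b"
)

# Assumed mapping from ID prefix to the Synapse form the reference would link to.
PREFIX_TO_FORM = {
    "TA": "it:mitre:attack:tactic",
    "T": "it:mitre:attack:technique",
    "G": "it:mitre:attack:group",
    "S": "it:mitre:attack:software",
    "M": "it:mitre:attack:mitigation",
    "C": "it:mitre:attack:campaign",
}


def form_for(attack_id):
    """Return the assumed Synapse form name for an ATT&CK identifier."""
    prefix = "TA" if attack_id.startswith("TA") else attack_id[0]
    return PREFIX_TO_FORM[prefix]


def scrape_attack_refs(text, known_ids):
    """Return sorted, de-duplicated (form, id) pairs found in text.

    Only identifiers present in known_ids are kept. This mirrors the
    "existing nodes only" rule from the command help: an ID that does not
    exist (a typo such as T9999) is dropped instead of creating a new node.
    """
    found = set()
    for match in ATTACK_ID_RE.finditer(text):
        attack_id = match.group("id")
        if attack_id not in known_ids:
            continue
        found.add((form_for(attack_id), attack_id))
    return sorted(found)


def refs_edges(source_node, text, known_ids):
    """Build (source, 'refs', target) light-edge triples as the package would record them."""
    return [(source_node, "refs", (form, attack_id))
            for form, attack_id in scrape_attack_refs(text, known_ids)]


# Constructed allowlist standing in for the ATT&CK nodes already in the Cortex.
KNOWN_IDS = {"T1059", "T1059.001", "TA0002", "G0016", "S0154", "M1038"}

# Constructed sample text: one unknown ID (T9999) and one repeated ID (S0154).
SAMPLE_TEXT = (
    "The actor (G0016) used PowerShell (T1059.001) for Execution (TA0002) "
    "and dropped Cobalt Strike (S0154). Analysts also cited T9999 and "
    "mitigation M1038; the ticket mentioned S0154 again."
)

if __name__ == "__main__":
    for edge in refs_edges(("media:news", "constructed-guid"), SAMPLE_TEXT, KNOWN_IDS):
        print(edge)
```

Two behaviours worth noticing: a sub-technique mention such as `T1059.001` is matched as a single token, so the parent `T1059` is not linked unless the text names it separately, and repeated mentions collapse to one edge because the edges are recorded as a set.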

mitre.attack.scrapefile

Use the synapse-fileparser to scrape text from a file and link references to MITRE ATT&CK elements.

NOTE: To minimize false positives, this command will only scrape and link to existing MITRE ATT&CK nodes.

Examples:

  file:bytes#foo.bar | mitre.attack.scrapefile


Usage: mitre.attack.scrapefile [options]

Options:

  --help                      : Display the command usage.
  --yield                     : Yield the newly created nodes.
  --debug                     : Show verbose debug output.

The command is accessible to users with one or more of the following permissions:

  • power-ups.mitre-attack.user

mitre.attack.sync

Download and populate MITRE ATT&CK definitions.

By default this will populate the Enterprise, Mobile, and ICS definitions. A `--url` argument
can be provided to download a definition from an alternate location. An optional `--matrix`
argument can be provided with `--url`. If `--matrix` is provided, its value is set in the
`:matrix` property of `it:mitre:attack:technique`, `it:mitre:attack:tactic`, and
`it:mitre:attack:mitigation` nodes.

Examples:

  // Download and populate the ATT&CK definitions.
  mitre.attack.sync

  // Yield the MITRE ATT&CK nodes and translate them
  // (see mitre.attack.translate command help for additional details)
  mitre.attack.sync --yield | mitre.attack.translate

Note:

  The data used to populate the MITRE ATT&CK nodes is retrieved from the following URLs:

  1.  https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
  2.  https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json
  3.  https://raw.githubusercontent.com/mitre/cti/master/ics-attack/ics-attack.json


Usage: mitre.attack.sync [options]

Options:

  --help                      : Display the command usage.
  --url <url>                 : Alternative location to obtain the MITRE ATT&CK definition from.
  --matrix <matrix>           : Optional name of the MITRE ATT&CK matrix provided with `--url`.
  --yield                     : Yield the newly created nodes.

The command is accessible to users with one or more of the following permissions:

  • power-ups.mitre-attack.user
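The three URLs listed for `mitre.attack.sync` serve ATT&CK as STIX 2.x JSON bundles. The snippet below is an added example, not the package's own sync code, showing how such a bundle is reduced to the per-ID records a sync would create and how a `--matrix` value is applied only to technique, tactic and mitigation records, as the help text states. The STIX-type-to-form mapping, the derivation of a default matrix name from `x_mitre_domains`, and the miniature bundle (which mixes real IDs such as T1059 with the constructed `T1999`) are all assumptions made for the example.

```python
import json

# Assumed mapping from STIX object type to Synapse form.
STIX_TYPE_TO_FORM = {
    "attack-pattern": "it:mitre:attack:technique",
    "x-mitre-tactic": "it:mitre:attack:tactic",
    "course-of-action": "it:mitre:attack:mitigation",
    "intrusion-set": "it:mitre:attack:group",
    "malware": "it:mitre:attack:software",
    "tool": "it:mitre:attack:software",
    "campaign": "it:mitre:attack:campaign",
}

# Forms whose :matrix property the --matrix argument populates (per the command help).
MATRIX_FORMS = {
    "it:mitre:attack:technique",
    "it:mitre:attack:tactic",
    "it:mitre:attack:mitigation",
}


def attack_reference(obj):
    """Return the (external_id, url) pair from the object's mitre-attack reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"], ref.get("url")
    return None


def default_matrix(obj):
    """Assumed default: derive 'enterprise' from an 'enterprise-attack' domain tag."""
    domains = obj.get("x_mitre_domains") or []
    if not domains:
        return None
    return domains[0].removesuffix("-attack")


def parse_attack_bundle(raw_json, matrix=None, include_revoked=False):
    """Reduce a STIX bundle to {attack_id: record}, skipping revoked objects by default."""
    bundle = json.loads(raw_json)
    if bundle.get("type") != "bundle":
        raise ValueError("expected a STIX bundle")
    nodes = {}
    for obj in bundle.get("objects", []):
        form = STIX_TYPE_TO_FORM.get(obj.get("type"))
        if form is None:
            continue  # relationships, identities, markings, etc. carry no node
        ref = attack_reference(obj)
        if ref is None:
            continue
        attack_id, url = ref
        revoked = bool(obj.get("revoked") or obj.get("x_mitre_deprecated"))
        if revoked and not include_revoked:
            continue
        node_matrix = None
        if form in MATRIX_FORMS:
            node_matrix = matrix if matrix is not None else default_matrix(obj)
        nodes[attack_id] = {
            "form": form,
            "name": obj.get("name"),
            "matrix": node_matrix,
            "url": url,
            "revoked": revoked,
        }
    return nodes


# Constructed miniature bundle in the shape of the real ATT&CK STIX files.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--constructed",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--1",
         "name": "Command and Scripting Interpreter",
         "x_mitre_domains": ["enterprise-attack"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059",
                                  "url": "https://attack.mitre.org/techniques/T1059"}]},
        {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Retired Technique",
         "revoked": True, "x_mitre_domains": ["enterprise-attack"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1000"}]},
        {"type": "attack-pattern", "id": "attack-pattern--3", "name": "Constructed Mobile Technique",
         "x_mitre_domains": ["mobile-attack"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1999"}]},
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--1", "name": "Execution",
         "x_mitre_domains": ["enterprise-attack"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0002"}]},
        {"type": "course-of-action", "id": "course-of-action--1", "name": "Execution Prevention",
         "x_mitre_domains": ["enterprise-attack"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1038"}]},
        {"type": "intrusion-set", "id": "intrusion-set--1", "name": "Constructed Group",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}]},
        {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
         "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--1"},
    ],
})

if __name__ == "__main__":
    for attack_id, rec in sorted(parse_attack_bundle(SAMPLE_BUNDLE).items()):
        print(attack_id, rec["form"], rec["matrix"])
```

Skipping revoked and deprecated objects by default keeps the scrape commands from linking reports to techniques that ATT&CK has withdrawn; pass `include_revoked=True` when the old IDs are needed to resolve references in historical reporting.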

mitre.attack.translate

Translate MITRE ATT&CK nodes into corresponding risk and ou nodes.

This command accepts and translates the following nodes:
  it:mitre:attack:campaign -> ou:campaign
  it:mitre:attack:group -> risk:threat
  it:mitre:attack:mitigation -> risk:mitigation
  it:mitre:attack:software -> risk:tool:software
  it:mitre:attack:technique -> ou:technique

Examples:

  // Translate techniques and yield ou:technique nodes
  it:mitre:attack:technique | mitre.attack.translate --yield

  // Translate nodes when running the sync command
  mitre.attack.sync --yield | mitre.attack.translate


Usage: mitre.attack.translate [options]

Options:

  --help                      : Display the command usage.
  --yield                     : Yield the newly created nodes.
  --debug                     : Show verbose debug output.

Inputs:

  it:mitre:attack:campaign    : Create a corresponding ou:campaign node.
  it:mitre:attack:group       : Create a corresponding risk:threat node.
  it:mitre:attack:mitigation  : Create a corresponding risk:mitigation node.
  it:mitre:attack:software    : Create a corresponding risk:tool:software node.
  it:mitre:attack:technique   : Create a corresponding ou:technique node.

The command is accessible to users with one or more of the following permissions:

  • power-ups.mitre-attack.user

Storm Modules

This package does not export any Storm APIs.