Synapse-MITRE ATT&CK User Guide

Synapse-MITRE ATT&CK adds Storm commands that populate the Cortex with MITRE ATT&CK definitions as it:mitre:attack:* nodes, and that find references to those definitions in text and link the referencing nodes to the matching MITRE ATT&CK forms.

Getting Started

Check with your Cortex admin that your user has been granted the permissions needed to run this Power-Up's commands.

Before enriching data with this Power-Up, run the mitre.attack.sync command to populate the MITRE ATT&CK nodes in the view you intend to work in, so that scraped references have nodes to link to.

Examples

Syncing MITRE ATT&CK definitions

To sync all MITRE ATT&CK definitions into your Cortex:

> mitre.attack.sync
Syncing MITRE ATT&CK definitions.
Done syncing definitions.

Scraping references from text fields

Any text property may be scraped for references to MITRE ATT&CK elements. By default the command passes its input nodes through unchanged; each reference it finds is recorded as a refs light edge from the input node to the matching MITRE ATT&CK node.

Scrape the :summary property of all media:news nodes for MITRE ATT&CK elements:

> media:news | mitre.attack.scrape :summary
media:news=89b2947fbbc6bd84f8ed8575aa3c8956
        .created = 2024/03/28 14:49:13.725
        :summary = G0006 is at it again

Review media:news nodes that reference it:mitre:attack:group nodes:

> it:mitre:attack:group <(refs)- media:news
media:news=89b2947fbbc6bd84f8ed8575aa3c8956
        .created = 2024/03/28 14:49:13.725
        :summary = G0006 is at it again

You may also pass --yield to output the referenced MITRE ATT&CK nodes instead of the input nodes, so they can be modified in the same query. Here a tag is applied to them:

> media:news | mitre.attack.scrape --yield :summary | [ +#cool.tag.lift ]
it:mitre:attack:group=G0006
        .created = 2024/03/28 14:48:23.491
        :desc = [APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)
        :name = g0006
        :names = ['apt1', 'comment crew', 'comment group', 'comment panda']
        :references = ['https://attack.mitre.org/groups/G0006', 'https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf', 'http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf']
        :url = https://attack.mitre.org/groups/G0006
        #cool.tag.lift
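The following Python is an added illustration of what the scrape step above does; it is not the Power-Up's own code, which this page does not show. It finds ATT&CK identifiers in free text, maps each to its Synapse form, and builds the Storm that would record the same refs light edge (source node -(refs)> ATT&CK node) seen in the output above. Assumptions: the prefix-to-form mapping follows the standard it:mitre:attack:* forms of the Synapse data model, identifier shapes follow MITRE's public ID scheme (G0006, T1059.001, S0002, TA0002, M1036, C0001, DS0017), uppercase IDs only are matched, and the sample guid and :summary text are constructed for the example.

```python
import re

# Identifier prefix -> Synapse form. Assumption: the standard it:mitre:attack:*
# forms of the Synapse data model; the Power-Up's own mapping is not on the page.
ATTACK_FORMS = {
    "TA": "it:mitre:attack:tactic",
    "DS": "it:mitre:attack:datasource",
    "G": "it:mitre:attack:group",
    "T": "it:mitre:attack:technique",
    "S": "it:mitre:attack:software",
    "M": "it:mitre:attack:mitigation",
    "C": "it:mitre:attack:campaign",
}

# Two-letter prefixes come first so "TA0002" is a tactic rather than "T" plus junk.
# The lookarounds stop "G0006" from matching inside "ABG0006" or "G00061".
# The optional ".NNN" suffix is the ATT&CK sub-technique notation (T1059.001).
ATTACK_ID = re.compile(
    r"(?<![A-Za-z0-9])(TA|DS|G|T|S|M|C)(\d{4})(\.\d{3})?(?![A-Za-z0-9])"
)


def scrape_attack_ids(text):
    """Return [(form, valu), ...] for each ATT&CK ID found in text,
    deduplicated and in order of first appearance."""
    found = []
    seen = set()
    for prefix, digits, sub in ATTACK_ID.findall(text):
        if sub and prefix != "T":
            # Only techniques have sub-IDs; "G0006.001" is not a valid ATT&CK ID.
            continue
        pair = (ATTACK_FORMS[prefix], f"{prefix}{digits}{sub}")
        if pair not in seen:
            seen.add(pair)
            found.append(pair)
    return found


def storm_link_refs(form, valu, refs):
    """Build the Storm that links one source node to the scraped ATT&CK nodes
    with a refs light edge, source -(refs)> target, the same direction the
    mitre.attack.scrape output on this page shows. Returns None if nothing
    was found, so callers do not run an empty edit."""
    if not refs:
        return None
    targets = " ".join(f'{f}="{v}"' for f, v in refs)
    return f'{form}="{valu}" [ +(refs)> {{ {targets} }} ]'


def link_news_summary(guid, summary):
    """Scrape a media:news :summary value and return the Storm to link it."""
    return storm_link_refs("media:news", guid, scrape_attack_ids(summary))


# Constructed sample: a media:news guid and :summary text, including
# look-alike tokens that must NOT be treated as ATT&CK IDs.
SAMPLE_GUID = "89b2947fbbc6bd84f8ed8575aa3c8956"
SAMPLE_SUMMARY = (
    "G0006 is at it again: T1059.001 loaders, S0002 for lateral movement, "
    "mitigation M1036 applies. Ignore G00061, TA0002x and ABG0006."
)

if __name__ == "__main__":
    for form, valu in scrape_attack_ids(SAMPLE_SUMMARY):
        print(f"{form}={valu}")
    print(link_news_summary(SAMPLE_GUID, SAMPLE_SUMMARY))
```

The lookarounds are the part worth keeping in mind when reviewing scrape results: an identifier like G0006 is only four digits long, so anything that matches it on substring alone will produce false links from longer alphanumeric tokens such as tracking codes or hashes. Whatever produced the refs edges in your Cortex, spot-check a sample of them against the source text before building analysis on top of them.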

Setting a trigger to scrape media:news:summary

You can configure a trigger to automatically scrape references to MITRE ATT&CK elements from any text-based property. A trigger runs as the user who created it, so that user must have permission to run mitre.attack.scrape and to add the light edges it creates; the trigger also fires every time the property is set, including later edits of an existing value.

Here is an example that adds a trigger which scrapes the :summary property of a media:news node whenever it is set:

> trigger.add prop:set --prop media:news:summary --query { mitre.attack.scrape :summary }
Added trigger: 8d3bcf43a1479cdccb5e49d32d84b57e

On a subsequent query that sets media:news:summary (here $news is a variable holding the guid of the media:news node), the trigger fires:

> [ media:news=$news :summary="G0006 is at it again" ]
media:news=89b2947fbbc6bd84f8ed8575aa3c8956
        .created = 2024/03/28 14:49:14.020
        :summary = G0006 is at it again

We can see that the trigger linked our newly created media:news node to it:mitre:attack:group=G0006:

> media:news=$news -(refs)> *
it:mitre:attack:group=G0006
        .created = 2024/03/28 14:48:23.491
        :desc = [APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)
        :name = g0006
        :names = ['apt1', 'comment crew', 'comment group', 'comment panda']
        :references = ['https://attack.mitre.org/groups/G0006', 'https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf', 'http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf']
        :url = https://attack.mitre.org/groups/G0006
        #cool.tag.lift

Enriching nodes automatically

The mitre.attack.enrich command knows which text properties to scrape on some common forms, so no property needs to be named on the command line. The supported forms include media:news and inet:web:post.

> inet:web:post | mitre.attack.enrich
inet:web:post=3a4481210b11e44fd6658e411cdc29b6
        .created = 2024/03/28 14:49:14.143
        :acct = vertex.link/user
        :acct:site = vertex.link
        :acct:user = user
        :text = This report details new G0006 activity

Review inet:web:post nodes that reference it:mitre:attack:group nodes:

> it:mitre:attack:group <(refs)- inet:web:post
inet:web:post=3a4481210b11e44fd6658e411cdc29b6
        .created = 2024/03/28 14:49:14.143
        :acct = vertex.link/user
        :acct:site = vertex.link
        :acct:user = user
        :text = This report details new G0006 activity

As with mitre.attack.scrape, passing --yield outputs the referenced MITRE ATT&CK nodes instead of the input nodes, so they can be modified in the same query:

> inet:web:post | mitre.attack.enrich --yield | [ +#cool.tag.lift ]
it:mitre:attack:group=G0006
        .created = 2024/03/28 14:48:23.491
        :desc = [APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)
        :name = g0006
        :names = ['apt1', 'comment crew', 'comment group', 'comment panda']
        :references = ['https://attack.mitre.org/groups/G0006', 'https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf', 'http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf']
        :url = https://attack.mitre.org/groups/G0006
        #cool.tag.lift

Use of meta:source nodes

Synapse-MITRE ATT&CK creates a meta:source node named mitre att&ck api and adds a seen light edge from it to every node created by the mitre.attack.sync command (meta:source -(seen)> node), so the provenance of synced nodes can be checked later.

> meta:source=62514c09c3dfcf750fd8b36576d36a42
meta:source=62514c09c3dfcf750fd8b36576d36a42
        .created = 2024/03/28 14:48:23.447
        :name = mitre att&ck api

Storm can use these edges to include or exclude nodes that Synapse-MITRE ATT&CK has observed. The following example filters the results of a tag lift down to nodes with a seen edge from the Power-Up's meta:source node; replacing the leading + on the subquery filter with - would instead exclude them. The guid shown is the one from this example, so look up the meta:source node named mitre att&ck api in your own Cortex before copying the query:

> #cool.tag.lift +{ <(seen)- meta:source=62514c09c3dfcf750fd8b36576d36a42 }
it:mitre:attack:group=G0006
        .created = 2024/03/28 14:48:23.491
        :desc = [APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)
        :name = g0006
        :names = ['apt1', 'comment crew', 'comment group', 'comment panda']
        :references = ['https://attack.mitre.org/groups/G0006', 'https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf', 'http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf']
        :url = https://attack.mitre.org/groups/G0006
        #cool.tag.lift