- 23 Jan 2024
- 3 Minutes to read
-
Print
-
DarkLight
Enriching Data With Tags From the MITRE ATT&CK Source
- Updated on 23 Jan 2024
- 3 Minutes to read
-
Print
-
DarkLight
System-generated ATT&CK Tags that represent techniques and sub-techniques in the MITRE ATT&CK Enterprise Matrix were added to ThreatConnect starting with version 7.2, and support for ATT&CK Tags was added to the MITRE ATT&CK App starting with version 2.0.3.
If you are on a ThreatConnect instance with version 7.2 or newer installed and use the MITRE ATT&CK App version 2.0.3 or newer, use system-generated ATT&CK Tags to enrich ThreatConnect objects with MITRE ATT&CK data instead of copying Tags from the MITRE ATT&CK Source to your Organization for enrichment purposes.
To enrich ThreatConnect® objects in your Organization with metadata created by the MITRE ATT&CK® App, you must copy Tags in the MITRE ATT&CK Source to your Organization. This process makes the Tags available for association with other objects in the Organization, allowing those objects essentially to be labeled with ATT&CK® techniques, sub-techniques, and tactics.
The MITRE ATT&CK Source contains a Document Group named MITRE ATT&CK that is associated to all Tags in the Source. Copying this Group to your Organization will also copy all Tags in the MITRE ATT&CK Source, as long as you choose to create Tags that do not exist during the copying process. It is the easiest way to move ATT&CK data in ThreatConnect to your Organization for immediate use in data enrichment.
Copying Tags From the MITRE ATT&CK Source to Your Organization
- On the top navigation bar, hover over Browse and select Document. All Document Groups in the owners selected in the My Intel Sources selector will be displayed on the Browse screen.
- Click the My Intel Sources selector at the upper-left corner of the Browse screen, locate the MITRE ATT&CK Source in the Intel Sources section, hover over it, and clickonly (Figure 1). Only the one Document Group in the MITRE ATT&CK Source will be displayed on the screen.NoteYou can also use the Filter sources bar in the My Intel Sources selector to filter the list of Sources to display only the MITRE ATT&CK Source.
- Hover over the MITRE ATT&CK Document Group’s entry on the Browse screen and click on one of the following icons displayed in its Summary cell to navigate to its Details screen:
- View full details: Click this icon to open the Group’s Details screen in the current browser tab.
- View full details in new tab: Click this icon to open the Group’s Details screen in a new browser tab
- Click the Revert to Legacy View button on the Document Group’s Details screen to navigate to its legacy Details screen.
- The Document Group contains a .txt file that is a placeholder document with no contents of value, but it is associated with all of the MITRE ATT&CK Tags. To copy the Group and its associations to your Organization, click the Copy To My Org button in the header of the legacy Details screen. The Initial tab of the Copy Data window will be displayed (Figure 2).
- Select NEW GROUP to copy the Document Group to your Organization as a new Group.
- Group Name: The name of the Document Group (MITRE ATT&CK) will be displayed automatically after you select NEW GROUP.
- Click the Next button.
- The Data tab of the Copy Data window will be displayed (Figure 3).
- Copy Attributes?: Keep the selection of Yes to copy all information in the Document’s Group's Attributes.
- Include Tags?: Keep the selection of Yes to include all Tags associated with the Document Group.
- Create Tags that Don’t Exist?: Select Yes to create all Tags that do not already exist in your Organization.
- Copy Associated Groups?: Keep the selection of No.
- Click the Next button.
- The Security Labels tab of the Copy Data window will be displayed (Figure 4).
- There are no Security Labels associated with data in the MITRE ATT&CK Source, so you can keep all default selections on this tab.
- Click the Next button.
- The Save tab of the Copy Data window will be displayed (Figure 5). This tab lists all objects to be copied to your Organization—that is, the MITRE ATT&CK Document Group.
- Merge Hashes: Leave this checkbox cleared.
- Click the SAVE button to complete the copying process.
To view the Document Group or any of the Tags copied to your Organization, return to the Browse screen, toggle on the View <Organization name> slider and clear the checkbox for MITRE ATT&CK Source in the My Intel Sources selector, and use the object filters to display only Document Groups or Tags in your Organization.
Using Tags to Enrich Data
After you copy Tags from the MITRE ATT&CK Source to your Organization, you can enrich Groups and Indicators in your Organization by applying the Tags to them, which also creates associations to the Tags. When applying Tags copied from the MITRE ATT&CK Source, utilize the auto-complete feature to ensure that you use the proper syntax and select the correct Tag, as shown in Figure 6.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20119-10 v.04.A