Using ATT&CK Tags to Enrich ThreatConnect Data
  • 01 Sep 2022

To enrich ThreatConnect objects in your Organization with ATT&CK metadata, you must copy Tags from the MITRE ATT&CK Source into your Organization. This makes the Tags available for association with other objects in the Organization, in effect labeling those objects with ATT&CK Techniques, Sub-Techniques, and Tactics. To facilitate this operation, the MITRE ATT&CK Source contains a Document Group called MITRE ATT&CK that is associated with every Tag in the Source. Copying this one Document into your Organization brings in all Tags (including Tactics and Technique–Tactic combinations) from the MITRE ATT&CK Source.

Note
If you added MITRE ATT&CK data objects to an existing owner via a manually created Job, follow the same process described in the following section to copy the MITRE ATT&CK Document and all associated Tags from that owner into your Organization.

Copying All ATT&CK Tags into Your Organization

Copying the MITRE ATT&CK Document from the MITRE ATT&CK Source into your Organization will copy all associated Tags from the Source into your Organization, as long as the COPY TO MY ORG process is configured to create Tags that do not exist. It is the easiest way to move ATT&CK data in ThreatConnect into your Organization for immediate use in data enrichment.

  1. On the top navigation bar, hover the cursor over Browse and select Document to display a results table with all Document Groups on the Browse screen.
  2. Click the My Intel Sources selector at the upper-left corner of the screen.
  3. In the Intel Sources section of the selector, locate the MITRE ATT&CK Source, hover the cursor over it, and click only so that the Browse screen displays just the one Document in the MITRE ATT&CK Source (Figure 1).
    Note
    You can also use the Filter sources bar in the My Intel Sources selector to filter the list of Sources to display only the MITRE ATT&CK Source.

    [Figure 1]

  4. Click on the MITRE ATT&CK Document to display its Details drawer (Figure 2).

    [Figure 2]

  5. Click the Details icon at the upper-right corner of the drawer, or hover over the Document’s entry in the table shown in Figure 1 and click the Details icon on the right side of its Summary cell, to open the Overview tab of the Details screen (Figure 3).

    [Figure 3]

  6. The Document itself is a .txt file that is just a placeholder document with no contents of value, but it is associated with all of the MITRE ATT&CK Tags. To copy the Document and its associations into your Organization, click the COPY TO MY ORG button at the upper-left corner of the screen. The Initial tab of the Copy Data window will be displayed (Figure 4).

    [Figure 4]

    • Select NEW GROUP to copy the Document into the Organization as a new Group.
    • Group Name: The name of the Document will be displayed automatically after you select NEW GROUP.
    • Click the Next button.
  7. The Data tab of the Copy Data window will be displayed (Figure 5).

    [Figure 5]

    • Copy Attributes?: Keep the selection of Yes to copy all information in the Document’s Attributes.
    • Include Tags?: Keep the selection of Yes to include all Tags associated with the Document.
    • Create Tags that Don’t Exist?: Select Yes to create all MITRE ATT&CK Tags that do not already exist in your Organization.
    • Copy Associated Groups?: Keep the selection of No.
    • Click the Next button.
  8. The Security Labels tab of the Copy Data window will be displayed (Figure 6).

    [Figure 6]

    • There are no Security Labels associated with data in the MITRE ATT&CK Source, so you can keep all default selections on this tab.
    • Click the Next button.
  9. The Save tab of the Copy Data window will be displayed (Figure 7). This tab lists all objects to be copied—that is, the MITRE ATT&CK Document.

    [Figure 7]

    • Click the SAVE button to save the data to your Organization.
  10. To view the Document or any of the Tags in your Organization, return to the Browse screen, ensure that the View <Organization Name> slider is toggled on in the My Intel Sources selector at the upper-left corner of the screen (and deselect the MITRE ATT&CK Source to limit the results to your Organization), and display all Documents or Tags. If desired, use the Browse screen filters to narrow the results further.
  11. All Tags from the MITRE ATT&CK Source will be available for use with objects in your Organization. When entering them for a Group or Indicator, utilize the autofill feature to ensure that you use the proper syntax and select the correct Tag (Figure 8).

    [Figure 8]

Using Tags to Enrich Data

After copying Tags from the MITRE ATT&CK Source into your Organization, you can enrich Groups and Indicators in your Organization by applying Tags to them, which also creates associations with the Tags.

  1. Navigate to the Overview tab of the Details screen for an object you want to enrich. This example uses a Host Indicator badguys.com (Figure 9).

    [Figure 9]

  2. Scroll down to the Tags card (Figure 10).

    [Figure 10]

  3. Start to enter a Tag and utilize the autofill feature to ensure that you use the proper syntax and select the correct Tag, as shown in Figure 8.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK™ and ATT&CK™ are trademarks of The MITRE Corporation.

20119-10 v.03.A
