
Playbook Fridays: ATT&CK Tag Framework

This Component creates a uniform structure for ATT&CK tags which can then be leveraged to create TQL queries, dashboards, or even newer Playbooks. And, since this is a Component, it can be added to any Playbook.

  • This Component can be used with any third-party intel feed that brings in ATT&CK data.
  • It only requires a Technique ID as input. If several Tactics are associated with that Technique ID, the Component relies on the Tactic name supplied as input; if no Tactic is provided, it defaults to NDT (Not Determined).
  • Users can leverage the ATT&CK Framework designed by ThreatConnect's Research and Product Management teams.

The main benefit is the automated addition of ATT&CK tags that conform to the ATT&CK Framework within the Platform, so every tag shares the same structure regardless of which Playbook or intel source created it.

  1. The Component accepts a Technique ID (required) and a Tactic Name (optional) and runs a search against the tags within the MITRE ATT&CK source.
  2. Once it finds a match on the Technique ID, the tag (or tags) matching that Technique ID is returned.
  3. If there are multiple tags, it checks whether a Tactic name was provided as input.
  4. It uses this Tactic name to generate a partial tag and matches it against the results obtained in Step 2 to identify the fully matched tag.
  5. If no Tactic name was provided, the Component assumes the Not Determined (NDT) Tactic and uses it to generate the tag for the given Technique ID.
  6. The output is a tag that matches the ATT&CK framework used in ThreatConnect.
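As an added illustration (not the Component's own code), the steps above can be sketched in Python. The tag layout (`<Tactic>: <Technique ID> - <Technique Name>`, with `NDT` in the tactic slot) and the sample tag list are constructed assumptions, since the post does not show the Platform's actual tag format.

```python
import re
from typing import List, Optional

# Assumed tag format (constructed, not ThreatConnect's documented layout):
#   "<Tactic Name>: <Technique ID> - <Technique Name>"
NDT = "NDT"  # tactic slot used when the tactic is Not Determined

# Constructed sample of what a search against an ATT&CK tag source might return.
# T1059 appears under two tactics; T1566 under one.
SAMPLE_TAGS = [
    "Initial Access: T1566 - Phishing",
    "Execution: T1059 - Command and Scripting Interpreter",
    "Execution: T1204 - User Execution",
    "Defense Evasion: T1059 - Command and Scripting Interpreter",
]

# Technique IDs look like T1059 or sub-technique T1059.001
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def search_by_technique(tags: List[str], technique_id: str) -> List[str]:
    """Steps 1-2: every tag whose technique slot equals technique_id."""
    needle = f": {technique_id} - "
    return [t for t in tags if needle in t]


def partial_tag(tactic_name: str, technique_id: str) -> str:
    """Step 4: the partial tag used to pick one candidate by tactic."""
    return f"{tactic_name}: {technique_id} - "


def resolve_attack_tag(tags: List[str], technique_id: str,
                       tactic_name: Optional[str] = None) -> Optional[str]:
    """Return the single tag for technique_id, following the Component's steps."""
    technique_id = technique_id.strip().upper()
    if not TECHNIQUE_ID.match(technique_id):
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    candidates = search_by_technique(tags, technique_id)
    if not candidates:
        return None                      # unknown technique: nothing to tag with
    if len(candidates) == 1:
        return candidates[0]             # unambiguous: tactic input not needed
    if tactic_name:                      # Steps 3-4: disambiguate by tactic
        wanted = partial_tag(tactic_name.strip(), technique_id).lower()
        for tag in candidates:
            if tag.lower().startswith(wanted):
                return tag
        return None                      # tactic given but no such tactic/technique pair
    # Step 5: no tactic supplied, so emit the NDT form using the technique name
    technique_name = candidates[0].split(" - ", 1)[1]
    return f"{NDT}: {technique_id} - {technique_name}"
```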

ATT&CK Tag Component

The Component appears under App->Component within your Playbook designer page. Click on the Component name to add it to your Playbooks. Enable this component by flipping the toggle button on the top right corner of the screen to Active.

Playbook leveraging Component

This Component can be downloaded from: https://github.com/ThreatConnect-Inc/threatconnect-playbooks/tree/master/components/TCPBC-ATT-CK-Tag-Framework. Import this component into your ThreatConnect instance. It does not require credentials/variables/source or any other details.

About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, the ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.