This Component creates a uniform structure for ATT&CK tags which can then be leveraged to create TQL queries, dashboards, or even newer Playbooks. And, since this is a Component, it can be added to any Playbook.
- This component can be used with any 3rd party intel which brings in ATT&CK data
- It only requires a Technique ID input. If there are multiple Tactics associated with the Technique ID, the component relies on Tactic information provided as input. But if no Tactic is provided it will default to NDT (not determined)
- Users can leverage the ATT&CK Framework designed by ThreatConnect’s Research and Product Management teams
The main benefit is the automated approach to adding ATT&CK tags which conforms with the ATT&CK Framework within the Platform. This creates a uniform structure for ATT&CK tags which can then be leveraged to create TQL queries, Dashboards or even newer Playbooks.
- The component will accept Technique ID (required) and Tactic Name (optional) and will run a search against the tags within the MITRE ATT&CK source.
- Once it finds a match against the Technique ID, the appropriate tag matching the technique ID is returned.
- If there are multiple tags it will check if a Tactic name is provided in input.
- It will use this Tactic name to generate a partial tag and match against the results obtained in Step 2 to identify the fully matched tag.
- If no Tactic name was provided, the component assumes Not Determined Tag and will use this to generate the tag for the given Technique ID
- Output is a tag which matches the ATT&CK framework used in ThreatConnect
ATT&CK Tag Component
The Component appears under App->Component within your Playbook designer page. Click on the Component name to add it to your Playbooks. Enable this component by flipping the toggle button on the top right corner of the screen to Active.
Playbook leveraging Component
This Component can be downloaded from: https://github.com/ThreatConnect-Inc/threatconnect-playbooks/tree/master/components/TCPBC-ATT-CK-Tag-Framework. Import this component into your ThreatConnect instance. It does not require credentials/variables/source or any other details.