Mitre Attack
Threat Intelligence- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The MITRE ATT&CK Connector fetches and synchronizes offensive security data from the MITRE ATT&CK framework. It reads the official MITRE ATT&CK data published in STIX 2.1 format from the public attack-stix-data repository, discovers the available collections (Enterprise, Mobile, ICS) from the repository index, and processes the STIX objects into Brinqa Data Model objects. STIX relationship objects are loaded into an in-memory relationship store and used to enrich each object with correlation attributes (parent/child techniques, mitigations, threat groups, malware, tools, and campaigns).
Data retrieved from Mitre Attack
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Attack Pattern | Yes | Mitre Attack Pattern |
| Attack Tactic | Yes | Attack Tactic |
| Attack Threat Group | Yes | Attack Threat Group |
| Attack Malware | Yes | Attack Malware |
| Attack Tool | Yes | Attack Tool |
| Attack Campaign | Yes | Attack Campaign |
| Attack Mitigation | Yes | Attack Mitigation |
Model relationships
For detailed steps on how to view the data retrieved from Mitre Attack in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Mitre Attack from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master | Mitre Attack API URL |
| Maximum retries | No | 5 | The maximum number of retry attempts before giving up a request |
Authentication
The MITRE ATT&CK STIX data repository is publicly hosted and served over anonymous HTTPS. The connector does not send any credential, API key, bearer token, or basic-auth header. No authentication configuration is required.
| Method | URL |
|---|---|
GET | {url}/index.json |
Connectivity is verified by fetching the repository index (/index.json). All subsequent requests are plain anonymous GET requests against the same base URL.
How to obtain Mitre Attack credentials
Obtain the required credentials (url) from your Mitre Attack administrator or the Mitre Attack admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Attack Pattern
| Source Field Name | SDM Attribute |
|---|---|
AttackResource.created | CREATED |
AttackResource.createdByRef | CREATED_BY_REF |
AttackResource.description | DESCRIPTION |
AttackResource.id | UID |
AttackResource.killChainPhases | KILL_CHAIN_PHASES |
AttackResource.modified | MODIFIED |
AttackResource.name | NAME |
AttackResource.objectMarkingRefs | OBJECT_MARKING_REFS |
AttackResource.revoked | REVOKED |
AttackResource.specVersion | SPEC_VERSION |
AttackResource.xMitreAttackSpecVersion | X_MITRE_ATTACK_SPEC_VERSION |
AttackResource.xMitreDeprecated | X_MITRE_DEPRECATED |
AttackResource.xMitreDetection | X_MITRE_DETECTION |
AttackResource.xMitreDomains | X_MITRE_DOMAINS |
AttackResource.xMitreIsSubtechnique | X_MITRE_IS_SUBTECHNIQUE |
AttackResource.xMitreModifiedByRef | X_MITRE_MODIFIED_BY_REF |
AttackResource.xMitrePlatforms | X_MITRE_PLATFORMS |
AttackResource.xMitreVersion | X_MITRE_VERSION |
| collection name | CATEGORIES |
ExternalReference.externalId (source mitre-attack) | EXTERNAL_ID |
mitigates relationship (reverse) | MITIGATIONS |
| subtechnique-of relationship | PARENT_TECHNIQUE |
subtechnique-of relationship (reverse) | SUB_TECHNIQUES |
subtechnique-of relationship (reverse) | TECHNIQUES |
uses relationship (reverse) | THREAT_GROUPS |
uses relationship (reverse) | MALWARE |
uses relationship (reverse) | TOOLS |
uses relationship (reverse) | CAMPAIGNS |
Attack Tactic
| Source Field Name | SDM Attribute |
|---|---|
(schema only) | X_MITRE_SHORTNAME |
AttackResource.created | CREATED |
AttackResource.createdByRef | CREATED_BY_REF |
AttackResource.description | DESCRIPTION |
AttackResource.id | UID |
AttackResource.modified | MODIFIED |
AttackResource.name | NAME |
AttackResource.objectMarkingRefs | OBJECT_MARKING_REFS |
AttackResource.revoked | REVOKED |
AttackResource.specVersion | SPEC_VERSION |
AttackResource.xMitreAttackSpecVersion | X_MITRE_ATTACK_SPEC_VERSION |
AttackResource.xMitreDeprecated | X_MITRE_DEPRECATED |
AttackResource.xMitreDomains | X_MITRE_DOMAINS |
AttackResource.xMitreModifiedByRef | X_MITRE_MODIFIED_BY_REF |
AttackResource.xMitreVersion | X_MITRE_VERSION |
| collection name | CATEGORIES |
ExternalReference.externalId | EXTERNAL_ID |
Attack Threat Group
| Source Field Name | SDM Attribute |
|---|---|
attributed-to relationship (reverse) | CAMPAIGNS |
| collection name | CATEGORIES |
ExternalReference.externalId | EXTERNAL_ID |
IntrusionSetResource.aliases | ALIASES |
IntrusionSetResource.created | CREATED |
IntrusionSetResource.createdByRef | CREATED_BY_REF |
IntrusionSetResource.description | DESCRIPTION |
IntrusionSetResource.id | UID |
IntrusionSetResource.modified | MODIFIED |
IntrusionSetResource.name | NAME |
IntrusionSetResource.objectMarkingRefs | OBJECT_MARKING_REFS |
IntrusionSetResource.revoked | REVOKED |
IntrusionSetResource.specVersion | SPEC_VERSION |
IntrusionSetResource.xMitreAttackSpecVersion | X_MITRE_ATTACK_SPEC_VERSION |
IntrusionSetResource.xMitreContributors | X_MITRE_CONTRIBUTORS |
IntrusionSetResource.xMitreDeprecated | X_MITRE_DEPRECATED |
IntrusionSetResource.xMitreDomains | X_MITRE_DOMAINS |
IntrusionSetResource.xMitreModifiedByRef | X_MITRE_MODIFIED_BY_REF |
IntrusionSetResource.xMitreVersion | X_MITRE_VERSION |
uses relationship (to attack-pattern) | TECHNIQUES |
uses relationship (to malware) | MALWARE |
uses relationship (to tool) | TOOLS |
Attack Malware
| Source Field Name | SDM Attribute |
|---|---|
| collection name | CATEGORIES |
ExternalReference.externalId | EXTERNAL_ID |
MalwareResource.created | CREATED |
MalwareResource.createdByRef | CREATED_BY_REF |
MalwareResource.description | DESCRIPTION |
MalwareResource.id | UID |
MalwareResource.isFamily | IS_FAMILY |
MalwareResource.modified | MODIFIED |
MalwareResource.name | NAME |
MalwareResource.objectMarkingRefs | OBJECT_MARKING_REFS |
MalwareResource.revoked | REVOKED |
MalwareResource.specVersion | SPEC_VERSION |
MalwareResource.xMitreAliases | ALIASES |
MalwareResource.xMitreAttackSpecVersion | X_MITRE_ATTACK_SPEC_VERSION |
MalwareResource.xMitreContributors | X_MITRE_CONTRIBUTORS |
MalwareResource.xMitreDeprecated | X_MITRE_DEPRECATED |
MalwareResource.xMitreDomains | X_MITRE_DOMAINS |
MalwareResource.xMitreModifiedByRef | X_MITRE_MODIFIED_BY_REF |
MalwareResource.xMitrePlatforms | PLATFORMS |
MalwareResource.xMitreVersion | X_MITRE_VERSION |
uses relationship (reverse) | THREAT_GROUPS |
uses relationship (to attack-pattern) | TECHNIQUES |
Attack Tool
| Source Field Name | SDM Attribute |
|---|---|
| collection name | CATEGORIES |
ExternalReference.externalId | EXTERNAL_ID |
ToolResource.created | CREATED |
ToolResource.createdByRef | CREATED_BY_REF |
ToolResource.description | DESCRIPTION |
ToolResource.id | UID |
ToolResource.modified | MODIFIED |
ToolResource.name | NAME |
ToolResource.objectMarkingRefs | OBJECT_MARKING_REFS |
ToolResource.revoked | REVOKED |
ToolResource.specVersion | SPEC_VERSION |
ToolResource.xMitreAliases | ALIASES |
ToolResource.xMitreAttackSpecVersion | X_MITRE_ATTACK_SPEC_VERSION |
ToolResource.xMitreContributors | X_MITRE_CONTRIBUTORS |
ToolResource.xMitreDeprecated | X_MITRE_DEPRECATED |
ToolResource.xMitreDomains | X_MITRE_DOMAINS |
ToolResource.xMitreModifiedByRef | X_MITRE_MODIFIED_BY_REF |
ToolResource.xMitrePlatforms | PLATFORMS |
ToolResource.xMitreVersion | X_MITRE_VERSION |
uses relationship (reverse) | THREAT_GROUPS |
uses relationship (to attack-pattern) | TECHNIQUES |
Attack Campaign
| Source Field Name | SDM Attribute |
|---|---|
attributed-to relationship (to intrusion-set) | THREAT_GROUP |
CampaignResource.aliases | ALIASES |
CampaignResource.created | CREATED |
CampaignResource.createdByRef | CREATED_BY_REF |
CampaignResource.description | DESCRIPTION |
CampaignResource.firstSeen | FIRST_SEEN |
CampaignResource.id | UID |
CampaignResource.lastSeen | LAST_SEEN |
CampaignResource.modified | MODIFIED |
CampaignResource.name | NAME |
CampaignResource.objectMarkingRefs | OBJECT_MARKING_REFS |
CampaignResource.revoked | REVOKED |
CampaignResource.specVersion | SPEC_VERSION |
CampaignResource.xMitreAttackSpecVersion | X_MITRE_ATTACK_SPEC_VERSION |
CampaignResource.xMitreDeprecated | X_MITRE_DEPRECATED |
CampaignResource.xMitreDomains | X_MITRE_DOMAINS |
CampaignResource.xMitreModifiedByRef | X_MITRE_MODIFIED_BY_REF |
CampaignResource.xMitreVersion | X_MITRE_VERSION |
| collection name | CATEGORIES |
ExternalReference.externalId | EXTERNAL_ID |
uses relationship (to attack-pattern) | TECHNIQUES |
uses relationship (to malware) | MALWARE |
uses relationship (to tool) | TOOLS |
Attack Mitigation
| Source Field Name | SDM Attribute |
|---|---|
| collection name | CATEGORIES |
CourseOfActionResource.created | CREATED |
CourseOfActionResource.createdByRef | CREATED_BY_REF |
CourseOfActionResource.description | DESCRIPTION |
CourseOfActionResource.id | UID |
CourseOfActionResource.modified | MODIFIED |
CourseOfActionResource.name | NAME |
CourseOfActionResource.objectMarkingRefs | OBJECT_MARKING_REFS |
CourseOfActionResource.revoked | REVOKED |
CourseOfActionResource.specVersion | SPEC_VERSION |
CourseOfActionResource.xMitreAttackSpecVersion | X_MITRE_ATTACK_SPEC_VERSION |
CourseOfActionResource.xMitreDeprecated | X_MITRE_DEPRECATED |
CourseOfActionResource.xMitreDomains | X_MITRE_DOMAINS |
CourseOfActionResource.xMitreModifiedByRef | X_MITRE_MODIFIED_BY_REF |
CourseOfActionResource.xMitreVersion | X_MITRE_VERSION |
ExternalReference.externalId | EXTERNAL_ID |
mitigates relationship (to attack-pattern) | TECHNIQUES |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Attack Pattern
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (anonymous HTTPS; static STIX 2.1 JSON) · Endpoint:
GET {url}/index.json
Attack Tactic
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (anonymous HTTPS; static STIX 2.1 JSON) · Endpoint:
GET {url}/index.json
Attack Threat Group
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (anonymous HTTPS; static STIX 2.1 JSON) · Endpoint:
GET {url}/index.json
Attack Malware
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (anonymous HTTPS; static STIX 2.1 JSON) · Endpoint:
GET {url}/index.json
Attack Tool
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (anonymous HTTPS; static STIX 2.1 JSON) · Endpoint:
GET {url}/index.json
Attack Campaign
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (anonymous HTTPS; static STIX 2.1 JSON) · Endpoint:
GET {url}/index.json
Attack Mitigation
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (anonymous HTTPS; static STIX 2.1 JSON) · Endpoint:
GET {url}/index.json
Changelog
The Mitre Attack connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.2 | Bug Fixes - Corrected the display name shown for the Mitre Attack connector. Previously the connector name did not resolve correctly in the interface; it now displays properly. | N/A |
| 3.0.1 | Improvements - Updated the connector display names to the clearer "Mitre Attack" and "Mitre Defend", and aligned the configuration labels and help text to match. - Added connector icons for both Mitre Attack and Mitre Defend for easier identification in the interface. | N/A |
| 3.0.0 | Overview The Mitre Connectors package integrates with the MITRE ATT&CK and MITRE D3FEND knowledge bases to synchronize threat intelligence reference data, including offensive techniques, tactics, threat groups, malware, tools, campaigns, and defensive countermeasures. Category: Threat Intelligence Models | N/A |