Mitre Defend
Threat Intelligence- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The MITRE D3FEND Connector fetches defensive cybersecurity countermeasures from the MITRE D3FEND knowledge base. It connects to the public D3FEND API to synchronize defensive techniques, defensive tactics, and the offensive (ATT&CK) techniques that D3FEND maps to. Defensive techniques are enriched with detail-level data (ATT&CK correlations, CWE weaknesses, digital artifacts, references, and sub-technique hierarchy) fetched per-technique using a configurable parallel thread pool.
Data retrieved from Mitre Defend
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Defend Technique | Yes | Defend Technique |
| Defend Tactic | Yes | Defend Tactic |
| Defend Offensive Technique | Yes | Attack Technique |
Model relationships
For detailed steps on how to view the data retrieved from Mitre Defend in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Mitre Defend from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://d3fend.mitre.org | Mitre Defend API URL |
| Maximum retries | No | 5 | The maximum number of retry attempts before giving up a request |
| Parallel requests | No | min(4, available processors) | Maximum number of parallel API requests |
Authentication
The MITRE D3FEND API is publicly hosted and served over anonymous HTTPS. The connector does not send any credential, API key, bearer token, or basic-auth header. No authentication configuration is required.
| Method | URL |
|---|---|
GET | {url}/api/technique/all.json |
Connectivity is verified by fetching the technique list (/api/technique/all.json). All subsequent requests are plain anonymous GET requests against the same base URL.
How to obtain Mitre Defend credentials
Obtain the required credentials (url) from your Mitre Defend administrator or the Mitre Defend admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Defend Technique
| Source Field Name | SDM Attribute |
|---|---|
computed | IS_TOP_LEVEL_TECHNIQUE |
DescriptionGraphResource.d3fendId | D3FEND_ID |
DescriptionGraphResource.definition | DESCRIPTION |
DescriptionGraphResource.kbArticle | KB_ARTICLE |
DescriptionGraphResource.subClassOf.id | PARENT_TECHNIQUE |
ReferenceGraphResource.title + link.value | REFERENCES |
SparqlBindingResource.defArtifactLabel (from digital_artifacts) | DIGITAL_ARTIFACTS |
SparqlBindingResource.defArtifactRelLabel + defArtifactLabel | ARTIFACT_RELATIONSHIPS |
SparqlBindingResource.defTactic (from def_to_off) | DEFENSIVE_TACTIC |
SparqlBindingResource.offTechId (from def_to_off) | ATTACK_TECHNIQUES |
SparqlBindingResource.topDefTechLabel (from def_to_off) | TOP_LEVEL_TECHNIQUE |
SparqlBindingResource.weakId (from weaknesses) | CWE_IDS |
SparqlBindingResource.weakId (from weaknesses) | WEAKNESSES |
subtechniques.@graph[].@id | SUB_TECHNIQUES |
TechniqueListResource.d3fendId | TAGS |
TechniqueListResource.id | UID |
TechniqueListResource.label | NAME |
TechniqueListResource.synonyms and DescriptionGraphResource.synonym | SYNONYMS |
Defend Tactic
| Source Field Name | SDM Attribute |
|---|---|
TacticListResource.definition | DESCRIPTION |
TacticListResource.id | UID |
TacticListResource.label | NAME |
TacticListResource.type | CATEGORIES |
Defend Offensive Technique
| Source Field Name | SDM Attribute |
|---|---|
OffensiveTechniqueListResource.attackId | UID |
OffensiveTechniqueListResource.attackId | ATTACK_ID |
OffensiveTechniqueListResource.definition | DESCRIPTION |
OffensiveTechniqueListResource.label | NAME |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Defend Technique
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (anonymous HTTPS; JSON) · Endpoint:
GET {url}/api/technique/all.json
Defend Tactic
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (anonymous HTTPS; JSON) · Endpoint:
GET {url}/api/tactic/all.json
Defend Offensive Technique
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (anonymous HTTPS; JSON) · Endpoint:
GET {url}/api/offensive-technique/all.json
Changelog
The Mitre Defend connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.2 | Bug Fixes - Corrected the display name shown for the Mitre Attack connector. Previously the connector name did not resolve correctly in the interface; it now displays properly. | N/A |
| 3.0.1 | Improvements - Updated the connector display names to the clearer "Mitre Attack" and "Mitre Defend", and aligned the configuration labels and help text to match. - Added connector icons for both Mitre Attack and Mitre Defend for easier identification in the interface. | N/A |
| 3.0.0 | Overview The Mitre Connectors package integrates with the MITRE ATT&CK and MITRE D3FEND knowledge bases to synchronize threat intelligence reference data, including offensive techniques, tactics, threat groups, malware, tools, campaigns, and defensive countermeasures. Category: Threat Intelligence Models | N/A |