MITRE D3FEND Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 5.12.0 |
| Support Tier | ThreatQ Supported |
Introduction
The MITRE D3FEND operation integrates MITRE ATT&CK techniques with the MITRE D3FEND knowledge base to enhance defensive context and remediation guidance. The operation submits an ATT&CK technique ID to MITRE D3FEND and ingests the associated remediation URI as an attribute, along with relevant properties captured as the attack pattern description.
The integration provides the following operation action:
- Get Mitre Defend Remediation - enriches Attack Patterns with Mitre D3FEND remediation properties.
The integration is compatible with Attack Pattern type objects.
Installation
Perform the following steps to install the integration:
The same steps can be used to upgrade the integration to a new version.
- Log into https://marketplace.threatq.com/.
- Locate and download the integration file.
- Navigate to the integrations management page on your ThreatQ instance.
- Click on the Add New Integration button.
- Upload the integration file using one of the following methods:
- Drag and drop the file into the dialog box
- Select Click to Browse to locate the integration file on your local machine
ThreatQ will inform you if the operation already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the operation contains changes to the user configuration. The new user configurations will overwrite the existing ones for the operation and will require user confirmation before proceeding.
The operation is now installed and will be displayed in the ThreatQ UI. You will still need to configure and then enable the operation.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter Description Enable SSL Certificate Verification Enable this parameter if the operation should validate the host-provided SSL certificate. Bypass System Proxy Configuration for this Operation Enable this parameter if the operation should not honor proxies set in the ThreatQ UI.
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following action:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Get Mitre Defend Remediation | Enriches Attack Patterns with Mitre D3FEND remediation properties. | Attack Pattern | N/A |
Get Mitre Defend Remediation
The Get Mitre Defend Remediation action sends an ATT&CK technique ID to MITRE D3FEND and ingests remediation URI as attribute and properties as attack pattern description.
GET https://d3fend.mitre.org/api/offensive-technique/attack/{technique_id}.json
Sample Response:
{ "off_to_def": { "head": { "vars": [ "def_tactic_label", "def_tactic_rel_label", "def_tech_parent_is_toplevel", "def_tech_parent_label", "def_tech_label", "def_tech_id", "def_artifact_rel_label", "def_artifact_label", "sc", "off_artifact_label", "off_artifact_rel_label", "off_tech_label", "off_tactic_rel_label", "off_tactic_label", "def_tactic", "def_tactic_rel", "def_tech", "def_artifact_rel", "def_artifact", "off_artifact", "off_artifact_rel", "off_tech", "off_tech_id", "off_tactic_rel", "off_tactic" ] }, "results": { "bindings": [] } }, "description": { "@context": { "rdfs": "http://www.w3.org/2000/01/rdf-schema#", "owl": "http://www.w3.org/2002/07/owl#", "d3f": "http://d3fend.mitre.org/ontologies/d3fend.owl#", "skos": "http://www.w3.org/2004/02/skos/core#" }, "@graph": [ { "@id": "d3f:T1590.006", "@type": "owl:Class", "d3f:attack-id": "T1590.006", "d3f:definition": "Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.", "rdfs:label": "Network Security Appliances", "rdfs:subClassOf": { "@id": "d3f:T1590" } } ] }, "subtechniques": { "@context": { "rdfs": "http://www.w3.org/2000/01/rdf-schema#", "owl": "http://www.w3.org/2002/07/owl#", "d3f": "http://d3fend.mitre.org/ontologies/d3fend.owl#", "skos": "http://www.w3.org/2004/02/skos/core#" }, "@graph": [] } }
ThreatQuotient provides the following default mapping for this action:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| N/A | Attack Pattern Attribute | D3FEND ID (URI) | N/A | https://d3fend.mitre.org/offensive-technique/attack/T1590.006/ | URI to Mitre D3FEND matrix |
.description.@graph[].d3f:definition |
Attack Pattern Description | N/A | N/A | Adversaries may gather information about the victim's network ... |
N/A |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| MITRE D3FEND Operation Guide v1.0.0 | 5.12.0 or Greater |