
[Feature Request] Add MITRE ATT&CK support #1766

Closed
@nadouani

Description

Request Type

Feature Request

Problem Description

The goal of this feature is to add MITRE ATT&CK support in TheHive. The main objective is to allow users to enrich their incidents by assigning discovered attack patterns.

Features

BE

  • Add API to import attack-pattern catalog
    • include revoke=true
    • import x_mitre_detection
    • import x_mitre_platforms
    • import x_mitre_data_sources
    • import x_mitre_system_requirements
    • import x_mitre_permissions_required
    • import x_mitre_defense_bypassed
    • import x_mitre_remote_support
    • Add capecId & capecUrl properties to Pattern model
  • Add API to fetch an attack pattern details
    • add a getPattern query
      • including a children extra data (for techniques to load sub techniques)
      • including a parent extra data (for sub-techniques to load parent technique)
  • Add API to list/filter attack-patterns
    • add a parent property to allow filtering by parent technique
  • Add API to create a procedure within a case
  • Add API to list case procedures
    • procedures query to be used on case objects and return lists of case procedures
    • update /api/v1/pattern/case/{case_id} to return the list of patterns instead of list of pattern ids
  • Add API to update a case procedure (description & occurence)
  • Add API to delete a case procedure
  • Filter imported patterns (keep only attack-pattern)
  • Importing a new pattern file should also update existing patterns
  • Rename procedure.occurence to procedure.occurDate
  • Add patternId property to procedure in /api/v1/describe to allow filtering procedures by pattern
  • Add a tactic field to procedure model + its corresponding property for filtering
  • Make procedure.description optional
  • Add a patternParent extraData to the listProcedure query

FE

  • Add administration UI
    • List + filters patterns
    • Pattern details dialog
  • Add case procedures section
    • Add a procedure to a case
    • List + filter case procedures
    • Allow update procedure.occurDate
    • Display procedure dates
  • Add procedure display directive in the flow section

QA

  • check handling of revoked patterns
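The back-end list above amounts to a small import-and-query pipeline over MITRE's STIX 2.0 export: keep only `attack-pattern` objects, carry the `revoked` flag and the `x_mitre_*` extension properties, pull the technique ID and the CAPEC reference out of `external_references`, derive the tactic from `kill_chain_phases`, and resolve parent/child links from `subtechnique-of` relationships. The following is an added example in Python of that pipeline, written for this page; it is not TheHive's own implementation (which is not shown here). The bundle, the technique IDs `T9001`, `T9001.001`, `T9002` and `CAPEC-9001` are constructed placeholders, and the function names are the author's own.

```python
import json
import sys
from typing import Any, Dict, List, Optional

# The x_mitre_* extension properties the issue asks the importer to carry over.
X_MITRE_FIELDS = (
    "x_mitre_detection", "x_mitre_platforms", "x_mitre_data_sources",
    "x_mitre_system_requirements", "x_mitre_permissions_required",
    "x_mitre_defense_bypassed", "x_mitre_remote_support",
)

# Constructed sample bundle in the shape of MITRE's enterprise-attack STIX 2.0 export.
# Technique IDs T9001 / T9001.001 / T9002 and CAPEC-9001 are placeholders, not real entries.
SAMPLE_BUNDLE: Dict[str, Any] = {
    "type": "bundle", "id": "bundle--example", "spec_version": "2.0",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--t9001", "name": "Placeholder Technique",
         "description": "Parent technique.", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [
             {"source_name": "mitre-attack", "external_id": "T9001",
              "url": "https://attack.mitre.org/techniques/T9001"},
             {"source_name": "capec", "external_id": "CAPEC-9001",
              "url": "https://capec.mitre.org/data/definitions/9001.html"}],
         "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_permissions_required": ["User"],
         "x_mitre_detection": "Monitor process creation."},
        {"type": "attack-pattern", "id": "attack-pattern--t9001-001",
         "name": "Placeholder Technique: Sub", "description": "Sub-technique.",
         "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9001.001",
                                  "url": "https://attack.mitre.org/techniques/T9001/001"}]},
        # ATT&CK never deletes a technique from the export; it marks it revoked instead.
        {"type": "attack-pattern", "id": "attack-pattern--t9002", "name": "Retired Technique",
         "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
        {"type": "relationship", "id": "relationship--r1", "relationship_type": "subtechnique-of",
         "source_ref": "attack-pattern--t9001-001", "target_ref": "attack-pattern--t9001"},
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Not a pattern"},
    ],
}


def _ref(obj: Dict[str, Any], source_name: str) -> Optional[Dict[str, Any]]:
    """Return the first external_reference with the given source_name, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == source_name:
            return ref
    return None


def parse_bundle(bundle: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map a STIX bundle to {patternId: pattern}, keeping only ATT&CK attack-pattern objects
    and filling parent/children from subtechnique-of relationships."""
    by_stix_id: Dict[str, Dict[str, Any]] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern" or "id" not in obj:
            continue  # relationships, groups, software etc. are not patterns
        attack = _ref(obj, "mitre-attack")
        if attack is None or "external_id" not in attack:
            continue  # an attack-pattern without a Txxxx id is not an ATT&CK technique
        capec = _ref(obj, "capec")
        pattern: Dict[str, Any] = {
            "patternId": attack["external_id"],
            "url": attack.get("url"),
            "name": obj.get("name"),
            "description": obj.get("description"),
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            "revoked": bool(obj.get("revoked", False)),
            "capecId": capec.get("external_id") if capec else None,
            "capecUrl": capec.get("url") if capec else None,
            "parent": None,
            "children": [],
        }
        for field in X_MITRE_FIELDS:
            pattern[field] = obj.get(field)
        by_stix_id[obj["id"]] = pattern

    # Second pass: link sub-techniques to their parent (source is the child, target the parent).
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "subtechnique-of":
            child = by_stix_id.get(obj.get("source_ref"))
            parent = by_stix_id.get(obj.get("target_ref"))
            if child and parent:
                child["parent"] = parent["patternId"]
                parent["children"].append(child["patternId"])
    return {p["patternId"]: p for p in by_stix_id.values()}


def import_patterns(catalog: Dict[str, Dict[str, Any]], bundle: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Upsert a bundle into the catalog: new patternIds are added, existing ones are overwritten."""
    for pid, pattern in parse_bundle(bundle).items():
        catalog[pid] = pattern
    return catalog


def list_patterns(catalog: Dict[str, Dict[str, Any]], parent: Optional[str] = None,
                  include_revoked: bool = False) -> List[Dict[str, Any]]:
    """List patterns, hiding revoked ones unless asked, optionally only the children of `parent`."""
    return sorted(
        (p for p in catalog.values()
         if (include_revoked or not p["revoked"]) and (parent is None or p["parent"] == parent)),
        key=lambda p: p["patternId"])


if __name__ == "__main__":
    # Pass a path to a real enterprise-attack.json to import it; otherwise the sample is used.
    bundle = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BUNDLE
    catalog = import_patterns({}, bundle)
    for p in list_patterns(catalog):
        print(p["patternId"], p["name"], p["tactics"], "parent=", p["parent"], "children=", p["children"])
```

Two points the QA item "check handling of revoked patterns" turns on: the importer must keep revoked objects rather than drop them, because procedures created against an older catalog still reference them, and the default listing must hide them so analysts stop assigning retired techniques. The upsert overwrites whole records, which is correct for MITRE's full export but would clear `children` if a partial bundle without the `subtechnique-of` relationships were imported.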
