Closed
Description
Request Type
Feature Request
Problem Description
The goal of this feature is to add MITRE ATT&CK support in TheHive. The main objective is to allow users to enrich their incidents by assigning discovered attack patterns.
Features

BE
- Add API to import attack-pattern catalog
  - include `revoke=true`
  - import `x_mitre_detection`
  - import `x_mitre_platforms`
  - import `x_mitre_data_sources`
  - import `x_mitre_system_requirements`
  - import `x_mitre_permissions_required`
  - import `x_mitre_defense_bypassed`
  - import `x_mitre_remote_support`
- Add `capecId` & `capecUrl` properties to Pattern model
- Add API to fetch attack pattern details
  - add a `getPattern` query
  - including a `children` extra data (for techniques to load sub-techniques)
  - including a `parent` extra data (for sub-techniques to load parent technique)
- Add API to list/filter attack-patterns
  - add a `parent` property to allow filtering by parent technique
- Add API to create a procedure within a case
- Add API to list case procedures
  - `procedures` query to be used on case objects and return lists of case procedures
  - update `/api/v1/pattern/case/{case_id}` to return the list of patterns instead of list of pattern ids
- Add API to update a case procedure (description & occurence)
- Add API to delete a case procedure
- Filter imported patterns (keep only attack-pattern)
- Importing a new pattern file should also update existing patterns
- Rename `procedure.occurence` to `procedure.occurDate`
- Add `patternId` property to `procedure` in `/api/v1/describe` to allow filtering procedures by pattern
- Add a `tactic` field to `procedure` model + its corresponding property for filtering
- Make `procedure.description` optional
- Add a `patternParent` extraData to the `listProcedure` query
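An added example of the import side of the BE list above, written for this issue and not TheHive's own code. It assumes the catalog is a MITRE ATT&CK STIX 2.x JSON bundle, that "include `revoke=true`" means revoked patterns are imported with their flag rather than dropped, and that parent/child links are taken from `subtechnique-of` relationship objects; the `patternId`, `capecId`, `capecUrl`, `parent` and `children` names follow the properties listed above, and the sample bundle is constructed with placeholder technique IDs.

```python
# Constructed sample STIX 2.x bundle, not real ATT&CK data; T9999/T9999.001/T9998 are placeholder IDs.
U = "https://example.invalid/"
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--aaaa", "name": "Parent Technique",
     "revoked": False, "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_detection": "Monitor process creation.",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [
         {"source_name": "mitre-attack", "external_id": "T9999", "url": U + "T9999"},
         {"source_name": "capec", "external_id": "CAPEC-9999", "url": U + "CAPEC-9999"}]},
    {"type": "attack-pattern", "id": "attack-pattern--bbbb", "name": "Sub Technique",
     "revoked": False, "x_mitre_platforms": ["Windows"], "external_references": [
         {"source_name": "mitre-attack", "external_id": "T9999.001", "url": U + "T9999.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--cccc", "name": "Old Technique", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9998", "url": U + "T9998"}]},
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--bbbb", "target_ref": "attack-pattern--aaaa"},
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--dddd", "name": "Execution"}]}

X_MITRE_FIELDS = ("x_mitre_detection", "x_mitre_platforms", "x_mitre_data_sources", "x_mitre_system_requirements",
                  "x_mitre_permissions_required", "x_mitre_defense_bypassed", "x_mitre_remote_support")

def _ref(obj, source):
    """First external_reference with the given source_name ("mitre-attack" or "capec"), else {}."""
    return next((r for r in obj.get("external_references", []) if r.get("source_name") == source), {})

def load_patterns(bundle):
    """Map patternId -> record. Keeps only attack-pattern objects; revoked ones are flagged, not dropped."""
    by_stix_id = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":  # skips tactics, relationships, malware, tools, ...
            continue
        mitre, capec = _ref(obj, "mitre-attack"), _ref(obj, "capec")
        rec = {"patternId": mitre.get("external_id"), "name": obj["name"], "url": mitre.get("url"),
               "revoked": bool(obj.get("revoked", False)),
               "capecId": capec.get("external_id"), "capecUrl": capec.get("url"),
               "tactics": [k["phase_name"] for k in obj.get("kill_chain_phases", [])],
               "parent": None, "children": []}
        rec.update({f: obj.get(f) for f in X_MITRE_FIELDS})
        by_stix_id[obj["id"]] = rec
    # Parent/children links come from "subtechnique-of" relationships, which reference STIX ids.
    for obj in bundle["objects"]:
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "subtechnique-of":
            child, parent = by_stix_id.get(obj["source_ref"]), by_stix_id.get(obj["target_ref"])
            if child and parent:
                child["parent"] = parent["patternId"]
                parent["children"].append(child["patternId"])
    return {r["patternId"]: r for r in by_stix_id.values()}

def import_bundle(existing, bundle):  # upsert: re-importing a newer catalog updates existing patternIds
    return {**existing, **load_patterns(bundle)}
```

Revoked records stay in the result so the UI can decide how to show them, which is the case the QA item below asks to verify.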
FE
- Add administration UI
- List + filters patterns
- Pattern details dialog
- Add case procedures section
- Add a procedure to a case
- List + filter case procedures
- Allow update of `procedure.occurDate`
- Display procedure dates
- Add procedure display directive in the flow section
QA
- check handling of revoked patterns