MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
IBM® QRadar® Security Information and Event Management (SIEM) helps security teams accurately detect and prioritize threats across the enterprise, and it provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.
We can find MITRE ATT&CK information located in QRadar by extracting this information from QRadar offenses (via an API call) in QRadar Advisor, however, there are certain conditions that must be meant before you can acquire this information:
- You will need to make sure that QRadar Advisor is already installed on your QRadar instance.
- With any offense that you want to investigate make sure that it has already been investigated.
- You want to focus your attention and look at the end points of the Advisor App.
Now, there are two QRadar Advisor API’s that you want to look at specifically:/api/offenses (gets you a list of offenses that have been investigated by Advisor) /api/offenses/<id>/insights (returns the following structure **see below**)
In this output (above) you want to focus your attention on "tactics" and from here you can look at the "tactic_id" which will give you the associated MITRE information (tactic_id). Now, the way MITRE tactics are mapped is that they are mapped from rules that have been fired to tactics. So, to know what tactics are associated with an offense, you would have to know each rule that is a part of that
offense. If there are tactics identified, it will be returned in that endpoint.
Now to get this information we want to do an API get call to QRadar Advisor’s RESTAPI which will look something like this:
So, by using the curl we will need to copy the current session and XSRF token from the cookies file and note these will only be good for some amount of time. Also, for this command you will need to get the value for “SEC” that can be found in QRadar accessing the GUI and going to Admin > Authorized Services > Advisor and getting the following output:
To get this information you will need to do the following:
1. You will need to get authorization token making a GET request to api/about that will save the cookies needed in `tmp/cookie.txt` then fill in the XSRF Token and QRAW Session from the cookie file (see below):
curl -k -s -c '/tmp/cookie.txt' -L -H "SEC: fc122377-def5-4222-9203-5762f25b424b" -H 'Accept: application/json' https://x.x.x.x/console/plugins/1205/app_proxy/api/about
2. Once you get that information you will store in the /tmp/cookie.txt file and then you can run the next curl command from the /api/offenses that will get you a list of offenses that have been investigated by QRadar advisor:
curl -k -X GET -H "X-XSRF-TOKEN: ***QRAW-XSRF-TOKEN HERE***" -b "QRAW-WebSession=***QRAW-WebSession HERE***; SEC=fc122377-def5-4222-9203-5762f25b424b" -H 'Content-Type: application/json' -H 'Accept: application/json' https://x.x.x.x/console/plugins/1205/app_proxy/api/offenses
Note: you will need to enter your ip where is it says “x.x.x.x”.
3. After you have gotten the list of the offenses that have been investigated by QRadar advisor you can then run the following API call that will show the id and insights from a particular offense (by the <id> that you will enter):
curl -k -X GET -H "X-XSRF-TOKEN: ***QRAW-XSRF-TOKEN HERE***" -b "QRAW-WebSession=***QRAW-WebSession HERE***; SEC=fc122377-def5-4222-9203-5762f25b424b" -H 'Content-Type: application/json' -H 'Accept: application/json' "https://x.x.x.x/console/plugins/1205/app_proxy/api/offense/<id>/insights"
Note: you will need to enter your ip where is it says “x.x.x.x” and the offense id where it says “<id>”.
The output of the script will look like this:
To see an enlarged view, click here: https://ibm.box.com/s/5re96w4dpetvmzur0neou71tf644jct5
Yellow = script that was ran
Red = MITRE ATT&CK information (associated with each offense id)
In the output of the script (highlighted) you can find the “tactics” section which will give you the MITRE ATT&CK information:
From here we can see that one of the “tactic_id” is “Initial Access” for offense id “47” and from here we can look at the MITRE ATT&CK Matrix for Enterprise ( https://attack.mitre.org/ ) and see what falls under that specifically:
**ATT&CK Matrix for Enterprise**
For example, clicking on “Initial Access
” would give you an output like this:
Note: Special shout to Cameron Will and Eric Wilson for their assistance and answering my questions.