Copilot for Security Plugin: MITRE ATT&CK Reference
Generate a MITRE ATT&CK reference file from MITRE and then use it with Copilot for Security.
This Copilot for Security plugin provides access to the MITRE ATT&CK knowledge of adversary tactics and techniques.
Copilot for Security already provides some of the MITRE information, but this plugin provides a way to understand how to create plugins using external data to make it immediately more intelligent. Additionally, because we’re pulling actual MITRE data that is current, the information will be more timely and more complete, including links to MITRE’s website.
There are two parts to this plugin:
1. Creating/updating the reference file.
2. Installing/using the plugin.
Update the reference file
First, to keep up to date with the latest MITRE ATT&CK updates, the data source has to be updated periodically. There’s a handy Python tool that pulls the latest revision from the MITRE GitHub repo (https://github.com/mitre/cti/blob/master/enterprise-attack/enterprise-attack.json) and then converts it to a .csv file.
You can locate the Python tool here: https://github.com/sduff/mitre_attack_csv
Once the file is retrieved and converted, you’ll need to upload it somewhere. For this plugin, so you can test it, I’ve uploaded a subset of the MITRE ATT&CK update to my own GitHub repo here: https://github.com/rod-trent/Copilot-for-Security/tree/main/Plugins/Data
Big Note: Because this plugin uses the externaldata KQL operator and externaldata doesn’t support spaces in column names, you’ll need to adjust the .csv file output. As you can see in my subset in the image, I simply removed the spaces.
You’ll also want to consider a method to run the Python file periodically through some automated means.
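The conversion step above, as an added example that is not the sduff tool or any code from this post: it reads a STIX bundle in the layout of enterprise-attack.json, skips revoked or deprecated objects, and writes a CSV whose header uses the eight space-free column names the plugin's externaldata schema declares. The sample bundle is constructed here; the field names (attack-pattern, external_references, x_mitre_platforms, kill_chain_phases, x_mitre_data_sources, x_mitre_detection) are the ones the ATT&CK STIX data uses.

```python
import csv
import io
import json

# Constructed sample (not real MITRE content) in the STIX 2.x layout of
# enterprise-attack.json: one live technique, one revoked, one non-technique.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "Example Technique",
     "description": "Adversaries may do X, Y, and Z.",
     "x_mitre_platforms": ["Windows", "Linux"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
     "x_mitre_data_sources": ["Process: Process Creation"],
     "x_mitre_detection": "Monitor for ...",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000.000",
                              "url": "https://attack.mitre.org/techniques/T0000/000"}]},
    {"type": "attack-pattern", "name": "Old", "revoked": True, "external_references": []},
    {"type": "intrusion-set", "name": "Not a technique"}]})

# Header names carry no spaces: the externaldata KQL operator rejects spaces in
# column names, so these match the schema declared in the plugin's KQL exactly.
COLUMNS = ["name", "id", "url", "platforms", "killchainphases",
           "description", "datasources", "detection"]


def technique_rows(bundle_json):
    """One row per current attack-pattern; revoked and deprecated objects are skipped."""
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        # The ATT&CK id (Txxxx) and page URL live in the mitre-attack external reference.
        ref = next((r for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), {})
        yield {
            "name": obj.get("name", ""),
            "id": ref.get("external_id", ""),
            "url": ref.get("url", ""),
            "platforms": ";".join(obj.get("x_mitre_platforms", [])),
            "killchainphases": ";".join(p["phase_name"] for p in obj.get("kill_chain_phases", [])),
            "description": obj.get("description", ""),
            "datasources": ";".join(obj.get("x_mitre_data_sources", [])),
            "detection": obj.get("x_mitre_detection", ""),
        }


def to_csv(bundle_json):
    """CSV text for externaldata; the csv module quotes commas and newlines in descriptions."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()  # skipped in KQL by ignoreFirstRecord=true
    writer.writerows(technique_rows(bundle_json))
    return buf.getvalue()
```

Writing the returned text to enterprise-attack.csv and publishing it at the URL in the plugin's Template gives externaldata a file it can read without further header edits.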
EXTRA: If you’re interested in a KQL parser for the originating JSON file, check out the following: https://github.com/rod-trent/SentinelKQL/blob/master/MITRE_JSON_Parser.kql. The unfortunate thing with the externaldata operator is that it is severely limited on larger datasets, and this JSON file tends to be one, so the KQL query will time out.
The Plugin
Get the plugin file: https://github.com/rod-trent/Copilot-for-Security/blob/main/Plugins/MITRE_ATTACK.yaml
What’s inside the yaml file:
Descriptor:
  Name: MITRE_Attack
  DisplayName: MITRE ATT&CK Reference
  Description: The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

SkillGroups:
  - Format: KQL
    Skills:
      - Name: MITRE_Attack
        DisplayName: MITRE ATT&CK Reference
        Description: The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
          Template: |-
            let MITRE = externaldata (name:string,id:string,url:string,platforms:string,killchainphases:string,description:string,datasources:string,detection:string)
              [@"https://raw.githubusercontent.com/rod-trent/Copilot-for-Security/main/Plugins/Data/enterprise-attack.csv"]
              with (ignoreFirstRecord=true, format="csv");
            MITRE
Note that you’ll need to replace the placeholder values in angle brackets (TenantId, SubscriptionId, ResourceGroupName and WorkspaceName) with your own environment details.
Example prompts:
Give me information about T1001.001 of the MITRE ATT&CK tactics and techniques.
Does this incident reference any of the MITRE ATT&CK tactics and techniques?
The KQL query that is being utilized by the plugin:
let MITRE = externaldata (name:string,id:string,url:string,platforms:string,killchainphases:string,description:string,datasources:string,detection:string)
  [@"https://raw.githubusercontent.com/rod-trent/Copilot-for-Security/main/Plugins/Data/enterprise-attack.csv"]
  with (ignoreFirstRecord=true, format="csv");
MITRE
To install this in your own Copilot for Security instance, see: Add custom plugins