It would help if there was a node for:
My use case:
I’d like a node that:
- Accepts an event/indicator/description as input (for example, a suspicious domain, file hash, login anomaly, or other behavioural signal)
- Looks up the corresponding technique(s) from the MITRE ATT&CK taxonomy (Tactics, Techniques, Procedures)
- Returns metadata such as Technique ID, name, tactic, description, mitigation/detection guidance
- Enables workflow branches or actions based on the technique (for example: if Technique = “Execution”, then trigger one kind of workflow; if “Exfiltration”, trigger another)
- Supports periodic lookups or event-driven enrichment, enabling automation of classification, tagging, reporting, and onward actions
Any resources to support this?
- MITRE ATT&CK GitHub repo: MITRE ATT&CK · GitHub
- MITRE ATT&CK STIX 2.1 JSON dataset on GitHub: GitHub - mitre-attack/attack-stix-data: STIX data representing MITRE ATT&CK
- MITRE ATT&CK Data Model (TypeScript library) for interacting with that dataset: GitHub - mitre-attack/attack-data-model: ATT&CK Data Model (ADM): A TypeScript library for structured interaction with MITRE ATT&CK datasets. Uses Zod schemas, TypeScript types, and ES6 classes to provide a type-safe, object-oriented interface for STIX 2.1 formatted ATT&CK data. Features parsing, validation, and serialization capabilities.
- GitHub repository of ATT&CK STIX 2.0 content: GitHub - mitre/cti: Cyber Threat Intelligence Repository expressed in STIX 2.0
Are you willing to work on this?
Yes, I am happy to help where I can.
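The lookup and branching described in the request above, as an added example that is not part of the original post, of n8n, or of the MITRE libraries it links. It assumes an upstream step has already mapped the raw indicator to an ATT&CK technique ID (the dataset itself does not map domains or hashes to techniques), and it works on a constructed, trimmed stand-in for an attack-stix-data STIX 2.1 bundle.

```typescript
// Added example: resolve technique metadata from a STIX 2.1 ATT&CK bundle and
// pick a workflow branch from its tactic. Bundle below is constructed sample data.
interface StixObject {
  type: string; id: string; name?: string; description?: string;
  revoked?: boolean; x_mitre_deprecated?: boolean; x_mitre_detection?: string;
  external_references?: { source_name: string; external_id?: string }[];
  kill_chain_phases?: { kill_chain_name: string; phase_name: string }[];
  relationship_type?: string; source_ref?: string; target_ref?: string;
}
export interface TechniqueInfo {
  id: string; name: string; tactics: string[]; description: string;
  detection: string; mitigations: string[];
}
export const SAMPLE_BUNDLE: { type: string; objects: StixObject[] } = {
  type: "bundle",
  objects: [
    { type: "attack-pattern", id: "attack-pattern--aaaa", name: "Exfiltration Over C2 Channel",
      description: "Adversaries may steal data by exfiltrating it over an existing C2 channel.",
      external_references: [{ source_name: "mitre-attack", external_id: "T1041" }],
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "exfiltration" }],
      x_mitre_detection: "Analyze network data for uncommon data flows." },
    { type: "course-of-action", id: "course-of-action--bbbb", name: "Network Intrusion Prevention" },
    { type: "relationship", id: "relationship--cccc", relationship_type: "mitigates",
      source_ref: "course-of-action--bbbb", target_ref: "attack-pattern--aaaa" },
  ],
};
// Find the live (not revoked/deprecated) attack-pattern carrying the given Txxxx ID,
// then pull tactic names from kill_chain_phases and mitigations via "mitigates" edges.
export function lookupTechnique(bundle: { objects: StixObject[] }, techniqueId: string): TechniqueInfo | null {
  const byId = new Map<string, StixObject>(bundle.objects.map(o => [o.id, o] as [string, StixObject]));
  const ap = bundle.objects.find(o => o.type === "attack-pattern" && !o.revoked && !o.x_mitre_deprecated &&
    o.external_references?.some(r => r.source_name === "mitre-attack" && r.external_id === techniqueId));
  if (!ap) return null;
  const mitigations = bundle.objects
    .filter(o => o.type === "relationship" && o.relationship_type === "mitigates" && o.target_ref === ap.id)
    .map(r => byId.get(r.source_ref ?? "")?.name ?? (r.source_ref ?? ""));
  return { id: techniqueId, name: ap.name ?? "", description: ap.description ?? "",
    tactics: (ap.kill_chain_phases ?? []).filter(p => p.kill_chain_name === "mitre-attack").map(p => p.phase_name),
    detection: ap.x_mitre_detection ?? "", mitigations };
}
// Workflow branch chosen from the tactic, as the request describes; branch names are hypothetical.
export function routeByTactic(info: TechniqueInfo): string {
  if (info.tactics.includes("exfiltration")) return "exfiltration-response";
  if (info.tactics.includes("execution")) return "execution-response";
  return "default";
}
```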