Skip to content

vinayakcyber/TTP-Mapper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
.github
.github
 
 
src
src
 
 
test
test
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

TTP Mapper: Bridging CTI and MDR

TTP Mapper is a tool designed to integrate Tactics, Techniques, and Procedures (TTPs) from Cyber Threat Intelligence (CTI) with incident data from Managed Detection and Response (MDR) solutions. It pulls TTPs associated with malware or threat actors from a CTI Threat Intelligence Platform (TIP)—in this case, OpenCTI—and maps them to TTPs derived from true positive incidents in an MDR system. This enables security teams to correlate threat intelligence with real-world incident data for enhanced threat hunting, response, and mitigation.

keyword-mapping: entity = [malware, vulnerability, threat actor]

Features

  • CTI Integration: Extracts TTPs from OpenCTI for specified malware or threat actors.
  • MDR TTP Mapping: Aligns CTI TTPs with TTPs identified in true positive MDR incidents.
  • Customizable: Supports configuration for different MDR platforms and TTP frameworks (e.g., MITRE ATT&CK).
  • Output: Generates structured mappings in formats like JSON for analysis or integration with other tools.
  • Other Output files: BarChart for most active Entity(s).

Use Case

  • Threat Hunting: Identify overlaps between known threat actor behaviors and active incidents.
  • Incident Enrichment: Augment MDR incidents with contextual CTI data.
  • Reporting: Provide actionable insights for security analysts and leadership.

Future Works

  1. Weekly Risk-rating generation

How It Works

part 1

graph LR
A[Start Part 1] --> B[Get OpenCTI Reports for a specific Duration]
    B --> C[Extract Active Threats]
    C --> D{Threats Found?}
    D -->|No| E[No Threats]
    D -->|Yes| F[Fetch CTI TTPs]
    F --> G[End Part 1]
    E --> G
Loading

part 2

graph LR
    H[Start Part 2] --> I[Connect to MDR]
    I --> J[Filter NOT False Positives]
    J --> K[Fetch MDR TTPs]
    K --> L[End Part 2]
Loading

part 3

graph LR
    M[Start Part 3] --> N[Load CTI TTPs]
    N --> O[Load MDR TTPs]
    O --> P[Map TTPs]
    P --> Q[Export Results]
    Q --> R[End]
Loading
  1. CTI Data Retrieval: When a new report/feed gets added to the TIP and once it has TTPs and Entities mapped to it. Basically it queries OpenCTI for TTPs linked to the specified malware/threat actor.
  2. MDR Data Ingestion: Pulls TTPs from NOT false positive incidents in the MDR system. NOTE: Thing to consider, when getting data from MDR, their can be PRE-EMPTIVE or POST blocks or Preventions, so it depends on the data that is fed into, through the (mdr_handler)[mdr_handler.py] file.
  3. TTP Mapping: Matches CTI TTPs to MDR TTPs based on MITRE ATT&CK or custom frameworks.
  4. Result: When Mapping is done, if a technique is more active, its score will be higher(MITRE ATTACK scoring), and can help to find the holes in the environment.
  5. Output Generation: Produces a report of mapped TTPs with incident references.

Prerequisites

  • Python 3.9+
  • Access to an OpenCTI instance (API token required)
  • MDR solution with accessible TTP data (e.g., via API or export)
  • Dependencies listed in requirements.txt

Installation

  1. Clone the repository:
git clone https://github.com/vinayakcyber/TTP-Mapper.git
cd ./TTP-Mapper/src
  1. Install dependencies(Preferrably in Virtualenv):
pip install -r requirements.txt
  1. Configure environment variables (see ). Configuration Create a .env file in the root directory with the following variables:
OPENCTI_URL=https://your-opencti-instance.com
OPENCTI_TOKEN=your-api-token
MDR_API_URL=https://your-mdr-api-endpoint.com
MDR_API_KEY=your-mdr-api-key
OUTPUT_FORMAT=xml

Usage

Run the tool with the following command:

python ttp_mapper.py <entity-type> <duration> <duration-length> <top-entities>
  • <entity-type>: (provide integer value) :> 1 : "Vulnerability", 2 : "Malware", 3 : "Threat Actors.
  • <duration>: (provide string value) :> "day", "week", "month", "quarter", "year"
  • <duration-length>: (provide integer value) :> Example: 1, 2, 3... for quarter: 1 quarter = past 3 months
  • <top-entities>: How many top Entities to consider for correlation? (provide integer value)

Example output:

{
  "malware": "Emotet",
  "mapped_ttps": [
    {
      "cti_ttp": "T1566.001",
      "mdr_ttp": "T1566.001",
      "description": "Phishing: Spearphishing Attachment",
      "incidents": ["INC-2025-001"]
    }
  ]
}

Contributing

Contributions are welcome! Please:

  1. Fork the repository.
  2. Create a feature branch (git checkout -b feature/your-feature).
  3. Commit your changes (git commit -m "Add your feature").
  4. Push to the branch (git push origin feature/your-feature).
  5. Open a pull request.

License

This project is licensed under the Apache License 2.0 License. See the file for details.

Acknowledgments

  • Built with support from the OpenCTI community.
  • Inspired by the need to bridge CTI and MDR workflows.
This README assumes a Python-based tool and provides a clear structure for users to understand, install, and use your code. Feel free to adjust the specifics (e.g., repo URL, additional flags, or framework details) based on your actual implementation!

About

No description or website provided.

Topics

graphql xdr cti wazuh mdr opencti

Resources

Readme

License

Apache-2.0 license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages