TISC MITRE Threat Intel Feeds - How to Enable?

mgroversigital · ‎08-15-2024

I have installed the Threat Intelligence Security Center app, and am working in the integrations view to get threat feeds from MITRE. In the docs, it looks like you need the sn_sec_tisc.admin role, which I have granted myself. From the docs, it also looks like once you have that role, you should be able to enable/edit the threat intel feeds. However, all of the ones in the catalog are disabled and I don't have any kind of edit button to enable them:

Is there another requirement that I'm missing in the documentation somewhere? This seems to be happening in my dev instance as well as a PDI, but when I had a lab instance through nowlearning, this wasn't an issue.

mgroversigital · ‎10-03-2024

I did, actually. It was somewhat silly, but not easy to troubleshoot. After installing the application, I had changed scopes to work on something else. When I came back to edit the integrations to enable, the edit button was hidden because the scope wasn't Threat Intelligence Support Common

View solution in original post

Martin Dewit · ‎04-04-2025

Within the MITRE ATT&CK TAXII Profile, under Collections the Enterprise ATT&CK is active = true? and has ran?

SN Arch Guy · ‎04-04-2025

Yes, it was active. But your suggestion made me look deeper into the TAXII Profile in the core UI, at Threat Intelligence>Sources>TAXII Profiles and I had not yet scheduled/run the collection. Now that I have done that, I am able to associate a technique to an SI or to an observable.

But it does raise a follow-up question. In the Threat Intelligence Security Center workspace, under Integrations, the STIX HTTPS feed for MITRE - Enterprise ATT&CK had been showing as active with successful runs. But MITRE is not even listed in the STIX TAXII feeds section. Any idea why MITRE is not listed in that STIX TAXII section, and why the STIX HTTPS runs don't do the job?