
[feature] TTP / MITRE hunt #235

@righel

🎯 Feature Request: TTP / MITRE ATT&CK Hunt

Summary

Add a TTP-driven hunting interface that allows analysts to search and correlate
ingested MISP data against MITRE ATT&CK techniques, tactics, and procedures,
enabling structured, hypothesis-driven threat hunting directly from the
misp-workbench UI.

Motivation

MISP events and attributes are often tagged with MITRE ATT&CK references
(e.g. misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001"),
but there is currently no dedicated way to hunt across the OpenSearch index
using TTPs as the primary pivot point.

Analysts who think in terms of adversary behaviour (TTPs) rather than raw
indicators (IPs, hashes, domains) have no structured entry point today:
they must manually craft Lucene queries and know the exact galaxy tag format.
A TTP hunt view would bridge the gap between ATT&CK-centric tradecraft and
the indicator data already indexed in misp-workbench.

Proposed Behaviour

  • A dedicated TTP Hunt section in the UI (alongside existing attribute
    search / hunts)
  • Analysts can browse or search the MITRE ATT&CK framework (Tactics →
    Techniques → Sub-techniques) and select one or more TTPs to hunt for
  • The selected TTPs are translated into an OpenSearch query targeting
    galaxy / tag fields that carry ATT&CK references
  • Results show matching MISP events and attributes, with context (event info,
    timestamp, tags, source feed)
  • Hunt results can be saved and revisited, consistent with the existing hunt
    mechanism

Suggested Implementation Approach

Backend

  • Add a GET /api/v1/mitre/tactics and GET /api/v1/mitre/techniques
    endpoint (or a single tree endpoint) that returns the ATT&CK hierarchy,
    sourced from the bundled
    misp-galaxy ATT&CK cluster JSON
  • Add a POST /api/v1/hunt/ttp endpoint that accepts a list of technique
    IDs (e.g. ["T1566", "T1078.003"]) and returns matching events/attributes
    from OpenSearch, querying against indexed galaxy tags

Frontend

  • Add a TTP Hunt view with:
    • A searchable / filterable ATT&CK technique picker (tactic column →
      technique list, with sub-technique expand)
    • A selected techniques panel showing the active hunt scope
    • A results table consistent with the existing attribute search results UI
  • Reuse the existing hunt save/load infrastructure so TTP hunts can be
    persisted and re-run

Data / indexing

  • Ensure ATT&CK galaxy tags (misp-galaxy:mitre-attack-pattern=...) are
    indexed and queryable in OpenSearch; add mappings if missing

Example

Analyst selects:

  • T1566 - Phishing
    • T1566.001 - Spearphishing Attachment
  • T1078 - Valid Accounts

Generated OpenSearch query (simplified):

{
  "query": {
    "bool": {
      "should": [
        { "match": { "tags": "T1566.001" }},
        { "match": { "tags": "T1566" }},
        { "match": { "tags": "T1078" }}
      ]
    }
  }
}

Results: all indexed MISP events and attributes tagged with any of the
selected techniques, ranked by recency.
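The following is an added example, not code from misp-workbench or its author, showing one way the backend pieces above fit together: folding the misp-galaxy ATT&CK cluster into a tactic → technique → sub-technique tree, translating a list of selected technique IDs into an OpenSearch bool/should query, and applying that query to a handful of constructed sample documents. It assumes the galaxy tag strings are indexed on a keyword field named "tags" and that documents carry a sortable "timestamp" field; the cluster entries and sample documents are constructed stand-ins with the same shape as the real data. It deliberately goes one step beyond the simplified query on the page by matching the exact galaxy tag (misp-galaxy:mitre-attack-pattern="Name - Txxxx") instead of the bare technique ID, so that "T1566" cannot accidentally match "T1566.001" or free text, and it returns an empty result set rather than failing when nothing in the index is ATT&CK-tagged.

```python
import re

# Constructed subset of the misp-galaxy "mitre-attack-pattern" cluster. The real
# cluster file has the same shape (value "Name - Txxxx", meta.external_id,
# meta.kill_chain); these four entries are made up here for the demo.
SAMPLE_CLUSTER = {
    "values": [
        {"value": "Phishing - T1566",
         "meta": {"external_id": "T1566", "kill_chain": ["mitre-attack:initial-access"]}},
        {"value": "Spearphishing Attachment - T1566.001",
         "meta": {"external_id": "T1566.001", "kill_chain": ["mitre-attack:initial-access"]}},
        {"value": "Valid Accounts - T1078",
         "meta": {"external_id": "T1078", "kill_chain": ["mitre-attack:persistence"]}},
        {"value": "Local Accounts - T1078.003",
         "meta": {"external_id": "T1078.003", "kill_chain": ["mitre-attack:persistence"]}},
    ]
}

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
GALAXY_PREFIX = "misp-galaxy:mitre-attack-pattern"


def build_tree(cluster):
    """Fold the flat cluster into tactic -> technique -> sub-technique.

    Returns (tree, tag_by_id): tree is {tactic: {tid: {"name", "subs": {sid: name}}}},
    tag_by_id maps every technique id to its exact galaxy tag string.
    """
    by_id = {}
    for entry in cluster["values"]:
        tid = entry["meta"]["external_id"]
        if not TECHNIQUE_ID.match(tid):
            continue  # skip malformed ids instead of putting garbage in the picker
        name = entry["value"].rsplit(" - ", 1)[0]
        tactics = [kc.split(":", 1)[1] for kc in entry["meta"].get("kill_chain", [])]
        by_id[tid] = {"name": name, "tactics": tactics,
                      "tag": f'{GALAXY_PREFIX}="{entry["value"]}"'}

    tree = {}
    for tid, info in by_id.items():
        if "." in tid:
            continue  # sub-techniques are attached under their parent below
        for tactic in info["tactics"]:
            tree.setdefault(tactic, {})[tid] = {"name": info["name"], "subs": {}}
    for tid, info in by_id.items():
        if "." not in tid:
            continue
        parent = tid.split(".")[0]
        for techniques in tree.values():
            if parent in techniques:
                techniques[parent]["subs"][tid] = info["name"]
    return tree, {tid: info["tag"] for tid, info in by_id.items()}


def build_query(selected_ids, tag_by_id, size=100):
    """Translate selected technique ids into an OpenSearch bool/should query.

    Exact galaxy tags are matched with a term clause on the (assumed) keyword
    field "tags"; the (assumed) "timestamp" field gives the recency ranking.
    Unknown or malformed ids raise rather than silently producing an empty hunt.
    """
    tags = []
    for tid in selected_ids:
        if tid not in tag_by_id:
            raise ValueError(f"unknown ATT&CK technique id: {tid!r}")
        tags.append(tag_by_id[tid])
    return {
        "size": size,
        "query": {"bool": {"should": [{"term": {"tags": t}} for t in tags],
                           "minimum_should_match": 1}},
        "sort": [{"timestamp": {"order": "desc"}}],
    }


# Constructed stand-ins for indexed MISP attributes; doc 13 carries no ATT&CK tag.
SAMPLE_DOCS = [
    {"event_id": 11, "timestamp": "2024-03-01T10:00:00Z",
     "tags": [f'{GALAXY_PREFIX}="Spearphishing Attachment - T1566.001"', "tlp:amber"]},
    {"event_id": 12, "timestamp": "2024-04-15T08:30:00Z",
     "tags": [f'{GALAXY_PREFIX}="Valid Accounts - T1078"']},
    {"event_id": 13, "timestamp": "2024-02-20T12:00:00Z", "tags": ["tlp:clear"]},
]


def hunt_locally(docs, query):
    """Apply the generated query in memory, mirroring what OpenSearch would do.

    Returns the matching docs newest first, or [] when nothing is tagged.
    """
    wanted = {clause["term"]["tags"] for clause in query["query"]["bool"]["should"]}
    hits = [d for d in docs if wanted & set(d["tags"])]
    hits.sort(key=lambda d: d["timestamp"], reverse=True)
    return hits[: query["size"]]


if __name__ == "__main__":
    tree, tag_by_id = build_tree(SAMPLE_CLUSTER)
    query = build_query(["T1566", "T1566.001", "T1078"], tag_by_id)
    for hit in hunt_locally(SAMPLE_DOCS, query):
        print(hit["event_id"], hit["timestamp"], hit["tags"])
```

The tree is what GET /api/v1/mitre/techniques would serialise for the picker, and build_query is the translation step behind POST /api/v1/hunt/ttp; hunt_locally only exists so the example runs without an OpenSearch instance. Using term clauses on the exact tag string depends on the tag field being mapped as keyword, which is the mapping the "Data / indexing" item above asks to verify.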

Acceptance Criteria

  • Analyst can browse/search MITRE ATT&CK tactics and techniques in the UI
  • Selecting one or more techniques triggers a hunt across indexed data
  • Results surface matching events and attributes with relevant context
  • TTP hunts can be saved and re-run like existing attribute hunts
  • ATT&CK data is kept reasonably up to date (loaded from misp-galaxy or
    MITRE STIX bundle)
  • The feature degrades gracefully when no ATT&CK-tagged data exists in
    the index

Notes

  • The MITRE ATT&CK data can be bootstrapped from the existing
    misp-galaxy submodule already present in the MISP ecosystem; no
    external API dependency required for a hackathon prototype
  • A future iteration could overlay hunt results onto an ATT&CK Navigator-style
    heatmap to visualise technique coverage across ingested feeds
