the dogesec blog
Tutorials, research, and product updates on STIX, ATT&CK, Sigma, cyber threat intelligence engineering, and threat intel automation.
The Problems with Modelling Countries as STIX Objects (and How to Fix Them)
Tutorials April 15, 2024
Take the list of recognised countries and regions. Create STIX objects for them. Make them available to everyone so that the CTI world has a single way of representing them.
How CTI Butler Creates a Threat Intelligence Graph of Common Frameworks
Updates March 11, 2024
CTI Butler links many common knowledge bases, for example linking MITRE ATT&CK to CAPEC objects, to improve the context of our research. This post describes the logic CTI Butler employs behind the scenes to do this.
CTI Developers: We Built an API for MITRE ATT&CK, CWE, CAPEC, ATLAS... and more!
Updates February 12, 2024
Here is a quick-start guide to CTI Butler showing you how much easier it makes working with these frameworks.
Getting Started with the MITRE ATT&CK Navigator
Tutorials January 15, 2024
The MITRE ATT&CK Navigator is a very useful tool for exploring MITRE ATT&CK (and other similar frameworks). In this post I take a look at what you can do with Navigator and how it works under the hood, so that you can use it to model your own ATT&CK-like frameworks.
How to Build Custom MITRE ATT&CK Content Using Workbench (Step-by-Step Guide)
Tutorials December 11, 2023
A practical Workbench guide: extend ATT&CK, link objects to techniques, and publish collections other teams and tools can consume.
STIX Shifter: Turning STIX Patterns into SIEM Queries
Tutorials November 13, 2023
Learn how to translate STIX detection patterns into SIEM queries using STIX Shifter, and convert detections back into STIX Observed Data for evidence and correlation.
How to Write STIX Indicator Patterns for Real Detection Rules
Tutorials October 16, 2023
Learn how to turn threat intelligence into actionable detection rules: build behavioral detections using STIX Patterns, and link sightings to evidence.
STIX Storage for Developers: Memory, Files, and Databases
Tutorials September 18, 2023
A practical guide to storing and querying STIX 2.1 data using MemoryStore, FileSystemStore, and ArangoDB, with Python examples.
STIX Extensions in the Wild: How to Add What the Spec Forgot
Tutorials August 14, 2023
How to design and ship STIX 2.1 extensions (new objects, nested properties, and bundles) that your consumers will love.
Schema Chaos and the Art of STIX Maintenance
Tutorials July 10, 2023
All I wanted was EPSS and CVSS to show up in OpenCTI. Instead, I ended up reverse-engineering half its schema and building new STIX Extensions from scratch. Here’s the mildly painful but oddly satisfying journey.