AdversaryKnowledgeBase-API-Service

This implementation serves as a Model Context Protocol (MCP) endpoint dedicated to querying the MITRE ATT&CK knowledge repository, encompassing both adversarial tactics and specific techniques.

Available Utility Functions

The server exposes the following operational methods:

• fetch_engagement_tactic: Retrieves information pertaining to specific ATT&CK elements using either a unique identifier or descriptive keywords.

  • Parameters:
    • identifier (string, optional): The canonical ID of the technique (e.g., T1059.001).
    • nomenclature_pattern (string, optional): A keyword or partial string for searching technique titles. Fuzzy matching is enabled.

  • **Usage Examples:

    • Lookup via ID:

    { "identifier": "T1059.001" }

    • Fuzzy search by name:

    { "nomenclature_pattern": "social engineering" }

• get_complete_tactic_profile: Fetches the exhaustive details for an attack vector, identified either by its ID or name. The resultant data structure encompasses the ID, designation, functional description, target platforms, Kill Chain stage mapping, reference artifacts, sub-techniques, and recommended countermeasures.

  • Arguments:
    • identifier (string, optional): The technique's assigned identifier.
    • nomenclature_pattern (string, optional): Search term for technique names, supporting inexact matches.
  • Output Format Note: Name-based searches yield a dictionary structured as { "matches": [...], "total_found": N }, where matches contains the full record sets.
• obtain_defensive_measures: Queries the specific mitigation strategies associated with a given technique.
  • Arguments:
    • identifier (string, required): The technique identifier.
• obtain_detection_signatures: Retrieves known detection methodologies relevant to a specified technique.
  • Arguments:
    • identifier (string, required): The technique identifier.
• enumerate_tactics: Provides a complete inventory list of all defined ATT&CK high-level tactics.
  • Arguments: None
• service_diagnostics: Returns metadata regarding the service instance, including framework versioning, dataset provenance, maintainer contact, and repository linkage.
  • Arguments: None

Operational Context

Utilizing this MCP backend requires an appropriately configured client instance capable of establishing a communication channel. Upon connection, the client can invoke the enumerated utility functions to interrogate the ATT&CK knowledge base.

Connection Protocols

1. Local Inter-Process Communication (IPC) via Standard Streams (Recommended for Local/Smithery Integration)

Initiate execution directly: bash python entrypoint.py

The system defaults to stdio mode (or when $FRAMEWORK_TRANSPORT_MODE=stdio is set), suitable for environments like Smithery or local IDE agents. Client configuration should specify "local/stdio" transport type, bypassing port configuration.

2. Networked HTTP/Streamable Transport (Remote Access/Debugging)

Override transport via CLI arguments: bash python entrypoint.py --transport http --listen-interface 0.0.0.0 --port 8081 --verbosity debug

Alternatively, use environment variables for persistent configuration: bash export FRAMEWORK_TRANSPORT_MODE=http export LISTEN_INTERFACE=0.0.0.0 export LISTEN_PORT=8081 python entrypoint.py

When hosted, the service exposes a streamable HTTP endpoint. The client should configure transport as "http" pointing to the service address (e.g., http://localhost:8081/mcp). Platform orchestrators (like Smithery containers) automatically map external ports to the internal $PORT variable (defaulting to 8081), which the service binds to automatically.

Tool Mapping Reference: fetch_engagement_tactic, get_complete_tactic_profile, obtain_defensive_measures, obtain_detection_signatures, enumerate_tactics, service_diagnostics

Deployment Guide

Prerequisites

1. Clone the source repository.
2. Install dependencies: pip install -r requirements.txt.
3. Configure the endpoint details within your chosen MCP client.

ATT&CK Framework Context

ATT&CK represents a rigorously vetted model describing adversary methods across the attack lifecycle, detailing techniques employed against various operational environments. It serves as a foundational component for contextualizing cyber security threats against specific technological estates or organizational postures.

Initial Setup Procedures

Method A: Direct Python Execution (Development/Testing)

1. Dependency installation (Virtual environment recommended): bash pip install -r requirements.txt

2. Ensure the enterprise-attack.json data asset resides in the root directory.

3. Start the service (defaulting to local stdio): bash python entrypoint.py

4. For network exposure: bash python entrypoint.py --transport http --listen-interface 127.0.0.1 --port 8081

Method B: Containerized Deployment (Production Recommended)

Docker

1. Build the image: bash docker build -t adversary-knowledge-service .

2. Execute the container: bash docker run -p 8081:8081 adversary-knowledge-service

Endpoint Specifications (HTTP Path Equivalents)

• /fetch_engagement_tactic: Retrieves technique details (ID or name, fuzzy name search supported).
• /get_complete_tactic_profile: Retrieves the full, rich profile for a technique (ID or name; name search returns a list).
• /obtain_defensive_measures: Fetches mitigation data for a specified ID.
• /obtain_detection_signatures: Fetches detection artifacts for a specified ID.
• /enumerate_tactics: Lists all top-level ATT&CK groupings.
• /service_diagnostics: Reports service build, dataset version, and repository information.

Consult your MCP client documentation to map these function names and utilize the provided JSON payload structures for data retrieval.