# MCP + RAG for MITRE ATT&CK Threat Detection (Notebook Demo)

This notebook demonstrates mapping an alert or detection rule to MITRE ATT&CK techniques, detection context, and CISA advisories—using the MCP server and your CSVs as knowledge sources.


In [None]:
PENAI_API_KEY = "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"

In [12]:
import requests
import openai

MCP_URL = "http://localhost:8003/mcp"
OPENAI_API_KEY = "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"  # ← Replace with your OpenAI key!

MEMORY_SERVER_URL = "http://localhost:8001/mcp"  # or your actual memory server address

def log_to_memory(session_id, text):
    payload = {
        "jsonrpc": "2.0",
        "method": "insert_memory",
        "params": {"session_id": session_id, "text": text},
        "id": 1
    }
    r = requests.post(MEMORY_SERVER_URL, json=payload)
    r.raise_for_status()
    return r.json()["result"]


def mcp_query(method, query, k=2):
    payload = {
        "jsonrpc": "2.0",
        "method": method,
        "params": {"query": query, "k": k},
        "id": 1
    }
    r = requests.post(MCP_URL, json=payload)
    r.raise_for_status()
    return r.json()["result"]

def pretty_print(label, results):
    print(f"\n--- {label} ---")
    if not results:
        print("No results found.")
        return
    for idx, r in enumerate(results[:2], 1):
        meta = r.get("meta", {})
        # For MITRE, use Subject or the first line of text; for detections, use title or description.
        title = meta.get("title") or meta.get("Subject") or r['text'][:80]
        level = meta.get("level", "")
        tags = meta.get("tags", "")
        author = meta.get("author", "")
        print(f"{idx}. {title}")
        if level:
            print(f"   Level: {level}")
        if tags:
            print(f"   Tags: {tags}")
        if author:
            print(f"   Author: {author}")
        desc = meta.get("description", "")
        if desc:
            print(f"   Description: {desc[:120]}...")
        print()

alert_text = "EventLog EVTX File Deleted"

mitre_results = mcp_query("search_mitre", alert_text)
detections_results = mcp_query("search_detections", alert_text)
cisa_results = mcp_query("search_cisa", alert_text)

pretty_print("MITRE Techniques", mitre_results)
pretty_print("Detection Rules", detections_results)
pretty_print("CISA Advisories", cisa_results)

# Build OpenAI prompt using only MITRE, Detections, and CISA (no "Enterprise")
context_chunks = []
for label, res in [
    ("MITRE", mitre_results),
    ("Detection", detections_results),
    ("CISA", cisa_results)
]:
    for r in res[:2]:
        meta = r.get("meta", {})
        short_title = meta.get("title") or meta.get("Subject", "") or r['text'][:80]
        level = meta.get("level", "")
        tags = meta.get("tags", "")
        author = meta.get("author", "")
        desc = meta.get("description", "")
        context = f"[{label}] {short_title}\n"
        if level:
            context += f"Level: {level}\n"
        if tags:
            context += f"Tags: {tags}\n"
        if author:
            context += f"Author: {author}\n"
        if desc:
            context += f"Description: {desc[:200]}...\n"
        else:
            context += r["text"][:200] + "\n"
        context_chunks.append(context.strip())

prompt = f"""
You are a cybersecurity SOC assistant. Given the following alert: "{alert_text}"
and the following context from MITRE techniques, detections, and CISA advisories, explain:
- Which MITRE techniques are involved (cite IDs if available)
- Why this is critical
- Recommended SOC actions

Context:
{chr(10).join(context_chunks)}
"""

client = openai.OpenAI(api_key=OPENAI_API_KEY)
response = client.chat.completions.create(
    model="gpt-4o",
    messages=[
        {"role": "system", "content": "You are a cybersecurity SOC assistant."},
        {"role": "user", "content": prompt}
    ],
    temperature=0
)
print("\nOpenAI Response:\n", response.choices[0].message.content)

session_id = "analyst-session-1"  # or generate one per user/session
log_to_memory(session_id, f"Q: {alert_text}\nA: {response.choices[0].message.content}")




--- MITRE Techniques ---
1. Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or [PowerShell](T1059.001) (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: "The audit log was cleared").

2. File system monitoring may be used to detect improper deletion or modification of indicator files.  Events not stored on the file system may require different detection mechanisms.


--- Detection Rules ---
1. EventLog EVTX File Deleted
   Level: medium
   Tags: ['attack.defense_evasion', 'attack.t1070']
   Author: Nasreddine Bencherchali (Nextron Systems)
   Description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence...

2. Application Uninstalled
   Level: low
   Tags: ['attack.impact', 'attack.t1489']
   Author: frack113
   Description: An application has been removed. Check if it is critical....


--- CISA Adv

'Memory inserted'