Skip to main content

AttackIQ Integration Guide

Overview

The AttackIQ integration connects NINA workflows to the AttackIQ FireDrill breach and attack simulation (BAS) platform. It allows you to orchestrate security control validation — running assessments, tracking results, browsing attack scenarios, and managing assets — directly from your workflows.

Supported resources:

  • Assessment — Create, run, stop, delete, and monitor assessments; retrieve results and schedules
  • Assessment Template — Browse and search available assessment templates by name, category, or TTP
  • Asset — List and search machines registered as test targets by hostname or IP
  • Asset Group — Query asset groups used to organize machines under test
  • Scenario — Browse individual attack scenarios (MITRE ATT&CK techniques and custom scenarios)
  • Scenario Tag — Query tags associated with scenarios (MITRE ATT&CK technique IDs, custom labels)
  • Test — Run, stop, and query individual tests within an assessment; retrieve per-test results
  • Test Scenario — Query test-scenario associations (which scenarios are linked to which tests)
  • User — List and look up platform users
  • Validation Result — Query historical execution results per scenario or per asset

Authentication uses an Account Token (Private Token) passed with the Token prefix in the Authorization header (Authorization: Token <value>). The Account Token does not expire, making it the only supported method for integrations. All resources share the same credential.


Credential Configuration

Authentication

FieldDescriptionDefault
API TokenYour AttackIQ Account Token (Authorization: Token <value>)
Base URLAPI endpointhttps://firedrill.attackiq.com/api/v1

How to Get Your AttackIQ Account Token

  1. Log in to your AttackIQ FireDrill instance (e.g., https://firedrill.attackiq.com)
  2. Navigate to UserAccount
  3. Copy the Private Token value displayed on that page
  4. Keep it secure — the token grants full API access under your user account and does not expire unless manually revoked

Note: The base URL varies by tenant. If your organization uses a custom FireDrill domain, override the Base URL field in the credential with your instance's API endpoint (e.g., https://yourcompany.firedrill.attackiq.com/api/v1). Do not use a JWT token — JWTs expire and are not supported by this integration.

Creating a Credential in NINA

  1. Navigate to CredentialsAdd New Credential
  2. Select integration service: AttackIQ
  3. Auth type: API Key
  4. Fill in your API Token and optionally override the Base URL
  5. Click Test Connection then Save

Supported Resources and Operations

Assessment

Create, manage, and execute AttackIQ assessments. An assessment groups a set of tests targeting specific assets and is the primary unit of work in the BAS workflow.

OperationNameHTTPDescription
listList AssessmentsGET /assessmentsList all assessments with optional search filter and pagination
getGet AssessmentGET /assessments/{assessment_id}Retrieve a specific assessment by ID
createCreate AssessmentPOST /assessmentsCreate a new assessment, optionally from a template
deleteDelete AssessmentDELETE /assessments/{assessment_id}Delete an assessment
runRun AssessmentPOST /assessments/{assessment_id}/run_all_testsTrigger all tests in the assessment
stopStop AssessmentPOST /assessments/{assessment_id}/stop_all_testsStop all running tests in the assessment
getStatusGet Assessment StatusGET /assessments/{assessment_id}/statusCheck the current execution status and progress
getResultsGet Assessment ResultsGET /results?assessment=...Retrieve test results for an assessment with filtering
getScheduleListGet Schedule ListGET /assessments/schedule_listRetrieve all periodic tasks for scheduled assessment runs

Key parameters:

list:

  • search — filter by name or description
  • page / page_size — pagination

create:

  • name (required) — name for the new assessment
  • template_id — base the assessment on an existing template (use assessment_template.list to browse)

getResults:

  • assessment — assessment ID to filter results by
  • scenario — filter results by scenario ID
  • outcome_filter — filter by outcome: Passed, Failed, Errored
  • show_last_result — boolean; return only the most recent result per test
  • page / page_size — pagination

Assessment Template

Browse available assessment templates. Templates are pre-configured test plans provided by AttackIQ or your organization.

OperationNameHTTPDescription
listList Assessment TemplatesGET /assessment_templatesList all assessment templates with optional search and filtering
getGet Assessment TemplateGET /assessment_templates/{template_id}Retrieve a specific template by ID

Key parameters for list:

  • search — search by template name (supports TTP IDs like T1059)
  • category — filter by category (e.g. MITRE)
  • template_name — filter by exact template name
  • page / page_size — pagination

Asset

Assets are the machines registered in AttackIQ as test targets — servers, workstations, or cloud instances where the FireDrill agent is installed.

OperationNameHTTPDescription
listList AssetsGET /assetsList all registered assets with search, hostname, and IP filtering
getGet AssetGET /assets/{asset_id}Retrieve a specific asset by ID

Key parameters for list:

  • search — search assets by hostname or IP
  • hostname — filter by exact hostname
  • ipv4_address — filter by IPv4 address
  • page / page_size — pagination

Asset Group

Asset groups organize assets (machines under test) into logical collections for easier management and targeted assessments.

OperationNameHTTPDescription
listList Asset GroupsGET /asset_groupsList all asset groups with optional search and name filtering
getGet Asset GroupGET /asset_groups/{asset_group_id}Retrieve a specific asset group by ID

Key parameters for list:

  • search — search groups by name or description
  • name — filter by exact group name
  • page / page_size — pagination

Scenario

Attack scenarios represent individual attack techniques — typically mapped to MITRE ATT&CK. Browse them to understand what is available in your AttackIQ library before building assessments.

OperationNameHTTPDescription
listList ScenariosGET /scenariosList all available attack scenarios with optional search
getGet ScenarioGET /scenarios/{scenario_id}Retrieve a specific scenario by ID

Key parameters for list:

  • search — filter by name, description, or tag names (e.g., "lateral movement", "T1059")
  • page / page_size — pagination

Scenario Tag

Scenario tags categorize attack scenarios — typically MITRE ATT&CK technique IDs (e.g., T1059), tactic names (e.g., Execution), or custom labels. Use them to resolve tag names to UUIDs for filtering.

OperationNameHTTPDescription
listList Scenario TagsGET /scenario_tagsList all scenario tags with optional search
getGet Scenario TagGET /scenario_tags/{scenario_tag_id}Retrieve a specific tag by ID

Key parameters for list:

  • search — search by tag name (e.g., T1059, APT29)
  • scenario — filter tags by scenario ID
  • tag — filter by tag UUID
  • page / page_size — pagination

Test

Tests are the individual attack scenario executions within an assessment. You can run, stop, and query them independently.

OperationNameHTTPDescription
listList TestsGET /testsList all tests with optional search, pagination, and assessment filtering
getGet TestGET /tests/{test_id}Retrieve a specific test by ID
runRun TestPOST /tests/{test_id}/run_testExecute a specific test
stopStop TestPOST /tests/{test_id}/stop_testStop a running test
getStatusGet Test StatusGET /tests/{test_id}/get_statusCheck the execution status of a test
getResultsGet Test ResultsGET /results?test=...Retrieve results for a specific test

Key parameters:

list:

  • search — filter by name or description
  • assessment — filter tests by assessment ID
  • page / page_size — pagination

getResults:

  • test — test ID to filter results by
  • scenario — filter results by scenario ID
  • outcome_filter — filter by outcome: Passed, Failed, Errored
  • show_last_result — boolean; return only the most recent result
  • page / page_size — pagination

Test Scenario

Test-scenario associations link tests to their underlying attack scenarios. Query them to discover which scenarios are included in which tests.

OperationNameHTTPDescription
listList Test ScenariosGET /test_scenariosList all test-scenario associations
getGet Test ScenarioGET /test_scenarios/{test_scenario_id}Retrieve a specific test-scenario association by ID

Key parameters for list:

  • page / page_size — pagination

User

Look up users registered on the AttackIQ platform. Useful for auditing or resolving user references in other responses.

OperationNameHTTPDescription
listList UsersGET /usersList all platform users with pagination
getGet UserGET /users/{user_id}Retrieve a specific user by ID

Validation Result

Query historical execution results and validation data. Useful for checking whether scenarios have been executed and reviewing per-asset or per-scenario summaries over a configurable lookback window.

OperationNameHTTPDescription
listList Validation ResultsGET /validation_resultsPer-scenario summary of execution results within a lookback window
getScenarioExecutionsGet Scenario ExecutionsGET /validation_results/scenario/{scenario_id}/executionsPer-asset execution history for a specific scenario
getByAssetGet By AssetGET /validation_results/by_assetPer-asset summary of validation results
getAssetExecutionsGet Asset ExecutionsGET /validation_results/asset/{asset_id}/executionsPer-scenario execution history for a specific asset

Key parameters:

list:

  • days — lookback window in days (1–90)
  • project_ids — comma-separated assessment UUIDs
  • page / page_size — pagination (0-indexed, max 200)

getScenarioExecutions:

  • scenario_id (required) — the scenario ID
  • days — lookback window in days (1–90)

getByAsset:

  • days — lookback window in days (1–90)
  • page / page_size — pagination (0-indexed, max 200)

getAssetExecutions:

  • asset_id (required) — the asset ID
  • days — lookback window in days (1–90)
  • project_ids — comma-separated assessment UUIDs

Examples

List Assessments

{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "list",
"parameters": {
"page": 1,
"page_size": 25
}
}

Search Assessments by Name

{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "list",
"parameters": {
"search": "quarterly validation",
"page_size": 10
}
}

Create an Assessment from a Template

{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "create",
"parameters": {
"name": "Q2 2026 – Endpoint Validation",
"template_id": "tmpl-abc-123"
}
}

Run an Assessment

{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "run",
"parameters": {
"assessment_id": "assess-abc-123"
}
}

Check Assessment Status

{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "getStatus",
"parameters": {
"assessment_id": "assess-abc-123"
}
}

Get Assessment Results (Failed Only)

{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "getResults",
"parameters": {
"assessment": "assess-abc-123",
"outcome_filter": "Failed",
"show_last_result": true,
"page_size": 50
}
}

Stop an Assessment

{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "stop",
"parameters": {
"assessment_id": "assess-abc-123"
}
}

Search Templates by TTP

{
"integration_service": "attack-iq",
"resource": "assessment_template",
"operation": "list",
"parameters": {
"search": "T1059",
"page_size": 10
}
}

Search Templates by Category

{
"integration_service": "attack-iq",
"resource": "assessment_template",
"operation": "list",
"parameters": {
"category": "MITRE",
"page_size": 20
}
}

List Assessment Templates

{
"integration_service": "attack-iq",
"resource": "assessment_template",
"operation": "list",
"parameters": {}
}

Search for Attack Scenarios

{
"integration_service": "attack-iq",
"resource": "scenario",
"operation": "list",
"parameters": {
"search": "credential dumping",
"page_size": 20
}
}

Run a Specific Test

{
"integration_service": "attack-iq",
"resource": "test",
"operation": "run",
"parameters": {
"test_id": "test-xyz-456"
}
}

Get Test Results

{
"integration_service": "attack-iq",
"resource": "test",
"operation": "getResults",
"parameters": {
"test": "test-xyz-456",
"show_last_result": true
}
}

Find Assets by Hostname

{
"integration_service": "attack-iq",
"resource": "asset",
"operation": "list",
"parameters": {
"hostname": "CXB0054576"
}
}

Find Assets by IP

{
"integration_service": "attack-iq",
"resource": "asset",
"operation": "list",
"parameters": {
"ipv4_address": "10.122.208.149"
}
}

List Assets

{
"integration_service": "attack-iq",
"resource": "asset",
"operation": "list",
"parameters": {
"page_size": 100
}
}

Get Validation Results (Last 30 Days)

{
"integration_service": "attack-iq",
"resource": "validation_result",
"operation": "list",
"parameters": {
"days": 30,
"page_size": 50
}
}

Get Scenario Execution History

{
"integration_service": "attack-iq",
"resource": "validation_result",
"operation": "getScenarioExecutions",
"parameters": {
"scenario_id": "scen-abc-123",
"days": 30
}
}

Get Validation Results by Asset

{
"integration_service": "attack-iq",
"resource": "validation_result",
"operation": "getByAsset",
"parameters": {
"days": 30,
"page_size": 50
}
}

Get Asset Execution History

{
"integration_service": "attack-iq",
"resource": "validation_result",
"operation": "getAssetExecutions",
"parameters": {
"asset_id": "asset-abc-123",
"days": 30
}
}

List Assessment Schedules

{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "getScheduleList",
"parameters": {}
}

List Asset Groups

{
"integration_service": "attack-iq",
"resource": "asset_group",
"operation": "list",
"parameters": {
"search": "production",
"page_size": 50
}
}

Search Scenario Tags by TTP

{
"integration_service": "attack-iq",
"resource": "scenario_tag",
"operation": "list",
"parameters": {
"search": "T1059",
"page_size": 20
}
}

List Test Scenarios

{
"integration_service": "attack-iq",
"resource": "test_scenario",
"operation": "list",
"parameters": {
"page_size": 50
}
}

Common Workflow Patterns

Run an Assessment and Collect Failures

  1. assessment.run — trigger the assessment
  2. assessment.getStatus — poll until status is complete (loop with delay node)
  3. assessment.getResults — fetch results with outcome_filter: "Failed" and show_last_result: true
  4. Branch on result count — trigger alerting or ticketing if failures exist

Build and Run a New Assessment

  1. assessment_template.list — browse available templates
  2. assessment.create — create a new assessment with the chosen template ID and a descriptive name
  3. assessment.run — start the assessment
  4. assessment.getStatus — wait for completion
  5. assessment.getResults — retrieve results

Investigate a Specific Control Failure

  1. assessment.getResults — get failed results for an assessment
  2. test.get — retrieve full details for a specific failing test (extract test_id from results)
  3. scenario.get — look up the scenario associated with the test for MITRE technique context
  4. asset.get — inspect the asset where the failure occurred

Search for Scenarios by Technique

  1. scenario.list with search: "T1059" — find scenarios mapped to a MITRE ATT&CK technique
  2. Use the scenario IDs to identify which tests in your assessments cover that technique
  3. test.getResults — check whether those tests are passing or failing

Troubleshooting

IssueResolution
401 UnauthorizedVerify your token is an Account Token (Private Token from User → Account), not a JWT. If the error persists, regenerate the token in the AttackIQ UI and update the NINA credential
403 ForbiddenYour user account lacks permission for this operation — check role assignments in AttackIQ
404 Not FoundThe assessment_id, test_id, asset_id, or scenario_id does not exist — verify with a list operation first
Empty results on getResultsAssessment may still be running — check status with getStatus and wait for completion
run returns no error but tests don't startAssessment may have no assets assigned or no enabled tests — verify assessment configuration in the UI
Missing path parameter errorEnsure assessment_id, test_id, asset_id, etc. are included in the parameters object
Wrong base URLIf your tenant uses a custom domain, override the Base URL in the credential to match your FireDrill instance
429 Too Many RequestsRate limit hit — reduce request frequency and add delays between polling calls

Security Considerations

  1. Protect API Tokens: Store exclusively through NINA credential management — never in workflow parameters or logs
  2. Destructive Operations: assessment.run, test.run, and assessment.delete cause immediate action on production assets — gate these behind approval steps in workflows intended for production environments
  3. Scope API Access: Where possible, use a dedicated service account with the minimum role needed; avoid using personal admin tokens
  4. Token Management: Account Tokens do not expire automatically. Revoke and regenerate them periodically per your organization's policy; revoke immediately if compromised
  5. Result Data Sensitivity: Assessment results may contain information about security control gaps — treat them as sensitive and restrict workflow output accordingly

Additional Resources

Updated: 2026-06-01