AttackIQ Integration Guide

Overview

The AttackIQ integration connects NINA workflows to the AttackIQ FireDrill breach and attack simulation (BAS) platform. It allows you to orchestrate security control validation — running assessments, tracking results, browsing attack scenarios, and managing assets — directly from your workflows.

Supported resources:

  • Assessment — Create, run, stop, delete, and monitor assessments; retrieve results
  • Assessment Template — Browse available assessment templates
  • Asset — List and inspect machines registered as test targets
  • Scenario — Browse individual attack scenarios (MITRE ATT&CK techniques and custom scenarios)
  • Test — Run, stop, and query individual tests within an assessment; retrieve per-test results
  • User — List and look up platform users

Authentication uses a single API token passed as a Bearer token. All resources share the same credential.


Credential Configuration

Authentication

| Field | Description | Default |
|---|---|---|
| API Token | Your AttackIQ API token (Authorization: Bearer) | |
| Base URL | API endpoint | https://firedrill.attackiq.com/api/v1 |

How to Get Your AttackIQ API Token

  1. Log in to your AttackIQ FireDrill instance (e.g., https://firedrill.attackiq.com)
  2. Navigate to Settings → API Access (or your user profile menu)
  3. Generate a new token or copy your existing one
  4. Keep it secure — the token grants full API access under your user account

Note: The base URL varies by tenant. If your organization uses a custom FireDrill domain, override the Base URL field in the credential with your instance's API endpoint (e.g., https://yourcompany.firedrill.attackiq.com/api/v1).

Creating a Credential in NINA

  1. Navigate to Credentials → Add New Credential
  2. Select integration service: AttackIQ
  3. Auth type: API Key
  4. Fill in your API Token and optionally override the Base URL
  5. Click Test Connection then Save

Supported Resources and Operations

Assessment

Create, manage, and execute AttackIQ assessments. An assessment groups a set of tests targeting specific assets and is the primary unit of work in the BAS workflow.

| Operation | Name | HTTP | Description |
|---|---|---|---|
| list | List Assessments | GET /assessments/ | List all assessments with optional search filter and pagination |
| get | Get Assessment | GET /assessments/{assessment_id}/ | Retrieve a specific assessment by ID |
| create | Create Assessment | POST /assessments/ | Create a new assessment, optionally from a template |
| delete | Delete Assessment | DELETE /assessments/{assessment_id}/ | Delete an assessment |
| run | Run Assessment | POST /assessments/{assessment_id}/run_all_tests/ | Trigger all tests in the assessment |
| stop | Stop Assessment | POST /assessments/{assessment_id}/stop_all_tests/ | Stop all running tests in the assessment |
| getStatus | Get Assessment Status | GET /assessments/{assessment_id}/status/ | Check the current execution status and progress |
| getResults | Get Assessment Results | GET /results/?assessment=... | Retrieve test results for an assessment with filtering |

Key parameters:

list:

  • search — filter by name or description
  • page / page_size — pagination

create:

  • name (required) — name for the new assessment
  • template_id — base the assessment on an existing template (use assessment_template.list to browse)

getResults:

  • assessment (required) — assessment ID to filter results by
  • outcome_filter — filter by outcome: Passed, Failed, Errored
  • show_last_result — boolean; return only the most recent result per test
  • page / page_size — pagination

Assessment Template

Browse available assessment templates. Templates are pre-configured test plans provided by AttackIQ or your organization.

| Operation | Name | HTTP | Description |
|---|---|---|---|
| list | List Assessment Templates | GET /assessment_templates/ | List all assessment templates |
| get | Get Assessment Template | GET /assessment_templates/{template_id}/ | Retrieve a specific template by ID |

Parameters: page / page_size for pagination on list. template_id (required) for get.


Asset

Assets are the machines registered in AttackIQ as test targets — servers, workstations, or cloud instances where the FireDrill agent is installed.

| Operation | Name | HTTP | Description |
|---|---|---|---|
| list | List Assets | GET /assets/ | List all registered assets with pagination |
| get | Get Asset | GET /assets/{asset_id}/ | Retrieve a specific asset by ID |

Parameters: page / page_size for pagination on list. asset_id (required) for get.


Scenario

Attack scenarios represent individual attack techniques — typically mapped to MITRE ATT&CK. Browse them to understand what is available in your AttackIQ library before building assessments.

| Operation | Name | HTTP | Description |
|---|---|---|---|
| list | List Scenarios | GET /scenarios/ | List all available attack scenarios with optional search |
| get | Get Scenario | GET /scenarios/{scenario_id}/ | Retrieve a specific scenario by ID |

Key parameters for list:

  • search — filter by name or description (e.g., "lateral movement", "T1059")
  • page / page_size — pagination

Test

Tests are the individual attack scenario executions within an assessment. You can run, stop, and query them independently.

| Operation | Name | HTTP | Description |
|---|---|---|---|
| list | List Tests | GET /tests/ | List all tests with optional search and pagination |
| get | Get Test | GET /tests/{test_id}/ | Retrieve a specific test by ID |
| run | Run Test | POST /tests/{test_id}/run_test/ | Execute a specific test |
| stop | Stop Test | POST /tests/{test_id}/stop_test/ | Stop a running test |
| getStatus | Get Test Status | GET /tests/{test_id}/get_status/ | Check the execution status of a test |
| getResults | Get Test Results | GET /results/?test=... | Retrieve results for a specific test |

Key parameters:

list:

  • search — filter by name or description
  • page / page_size — pagination

getResults:

  • test (required) — test ID to filter results by
  • outcome_filter — filter by outcome: Passed, Failed, Errored
  • show_last_result — boolean; return only the most recent result
  • page / page_size — pagination

User

Look up users registered on the AttackIQ platform. Useful for auditing or resolving user references in other responses.

| Operation | Name | HTTP | Description |
|---|---|---|---|
| list | List Users | GET /users/ | List all platform users with pagination |
| get | Get User | GET /users/{user_id}/ | Retrieve a specific user by ID |

Examples

List Assessments

{
  "integration_service": "attack-iq",
  "resource": "assessment",
  "operation": "list",
  "parameters": {
    "page": 1,
    "page_size": 25
  }
}

Search Assessments by Name

{
  "integration_service": "attack-iq",
  "resource": "assessment",
  "operation": "list",
  "parameters": {
    "search": "quarterly validation",
    "page_size": 10
  }
}

Create an Assessment from a Template

{
  "integration_service": "attack-iq",
  "resource": "assessment",
  "operation": "create",
  "parameters": {
    "name": "Q2 2026 – Endpoint Validation",
    "template_id": "tmpl-abc-123"
  }
}

Run an Assessment

{
  "integration_service": "attack-iq",
  "resource": "assessment",
  "operation": "run",
  "parameters": {
    "assessment_id": "assess-abc-123"
  }
}

Check Assessment Status

{
  "integration_service": "attack-iq",
  "resource": "assessment",
  "operation": "getStatus",
  "parameters": {
    "assessment_id": "assess-abc-123"
  }
}

Get Assessment Results (Failed Only)

{
  "integration_service": "attack-iq",
  "resource": "assessment",
  "operation": "getResults",
  "parameters": {
    "assessment": "assess-abc-123",
    "outcome_filter": "Failed",
    "show_last_result": true,
    "page_size": 50
  }
}

Stop an Assessment

{
  "integration_service": "attack-iq",
  "resource": "assessment",
  "operation": "stop",
  "parameters": {
    "assessment_id": "assess-abc-123"
  }
}

Search for Attack Scenarios

{
  "integration_service": "attack-iq",
  "resource": "scenario",
  "operation": "list",
  "parameters": {
    "search": "credential dumping",
    "page_size": 20
  }
}

Run a Specific Test

{
  "integration_service": "attack-iq",
  "resource": "test",
  "operation": "run",
  "parameters": {
    "test_id": "test-xyz-456"
  }
}

Get Test Results

{
  "integration_service": "attack-iq",
  "resource": "test",
  "operation": "getResults",
  "parameters": {
    "test": "test-xyz-456",
    "show_last_result": true
  }
}

List Assets

{
  "integration_service": "attack-iq",
  "resource": "asset",
  "operation": "list",
  "parameters": {
    "page_size": 100
  }
}

List Assessment Templates

{
  "integration_service": "attack-iq",
  "resource": "assessment_template",
  "operation": "list",
  "parameters": {}
}

Common Workflow Patterns

Run an Assessment and Collect Failures

  1. assessment.run — trigger the assessment
  2. assessment.getStatus — poll until status is complete (loop with delay node)
  3. assessment.getResults — fetch results with outcome_filter: "Failed" and show_last_result: true
  4. Branch on result count — trigger alerting or ticketing if failures exist
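
The run, poll and collect steps above as a direct API client, added here as an example (not NINA's or AttackIQ's code). Endpoint paths come from the tables on this page; the `send` transport, the `RateLimited` exception, the response keys `status`, `results` and `next`, and the doubling backoff are assumptions, and the replies in `demo()` are constructed so the block runs offline.

```python
import time

class RateLimited(Exception):
    """Raised by the transport when the API answers 429 Too Many Requests."""

def run_and_collect_failures(send, assessment_id, poll_delay=5.0,
                             max_polls=60, sleep=time.sleep):
    """Steps 1-3 of the pattern; the caller branches on the returned list (step 4).
    send(method, path, params) -> dict is a hypothetical transport that adds the
    Authorization: Bearer header and raises RateLimited on HTTP 429."""
    send("POST", f"/assessments/{assessment_id}/run_all_tests/", None)
    delay = poll_delay
    for _ in range(max_polls):
        sleep(delay)
        try:
            body = send("GET", f"/assessments/{assessment_id}/status/", None)
        except RateLimited:
            delay = min(delay * 2, 60.0)  # slow down instead of hammering the API
            continue
        delay = poll_delay
        if body.get("status") == "complete":  # assumed field name and value
            break
    else:
        raise TimeoutError(f"assessment {assessment_id} did not complete")
    failures, page = [], 1
    while True:  # page through results; "results" and "next" keys are assumed
        body = send("GET", "/results/", {
            "assessment": assessment_id, "outcome_filter": "Failed",
            "show_last_result": True, "page": page, "page_size": 50})
        failures.extend(body.get("results", []))
        if not body.get("next"):
            return failures
        page += 1

def demo():
    """Constructed offline transport: one 429, two status polls, two result pages."""
    statuses = [None, "running", "complete"]  # None stands for a 429 reply
    pages = {1: {"results": [{"test": "test-xyz-456", "outcome": "Failed"}], "next": True},
             2: {"results": [{"test": "test-xyz-789", "outcome": "Failed"}], "next": None}}
    calls, sleeps = [], []
    def send(method, path, params):
        calls.append((method, path))
        if path.endswith("/status/"):
            value = statuses.pop(0)
            if value is None:
                raise RateLimited()
            return {"status": value}
        return pages[params["page"]] if path == "/results/" else {}
    return run_and_collect_failures(send, "assess-abc-123", sleep=sleeps.append), calls, sleeps
```

The `max_polls` bound keeps a stuck assessment from holding the workflow open indefinitely; a timeout should be handled as its own branch rather than as "no failures".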

Build and Run a New Assessment

  1. assessment_template.list — browse available templates
  2. assessment.create — create a new assessment with the chosen template ID and a descriptive name
  3. assessment.run — start the assessment
  4. assessment.getStatus — wait for completion
  5. assessment.getResults — retrieve results

Investigate a Specific Control Failure

  1. assessment.getResults — get failed results for an assessment
  2. test.get — retrieve full details for a specific failing test (extract test_id from results)
  3. scenario.get — look up the scenario associated with the test for MITRE technique context
  4. asset.get — inspect the asset where the failure occurred

Search for Scenarios by Technique

  1. scenario.list with search: "T1059" — find scenarios mapped to a MITRE ATT&CK technique
  2. Use the scenario IDs to identify which tests in your assessments cover that technique
  3. test.getResults — check whether those tests are passing or failing

Troubleshooting

| Issue | Resolution |
|---|---|
| 401 Unauthorized | API token is invalid or expired — regenerate in AttackIQ Settings → API Access and update the credential |
| 403 Forbidden | Your user account lacks permission for this operation — check role assignments in AttackIQ |
| 404 Not Found | The assessment_id, test_id, asset_id, or scenario_id does not exist — verify with a list operation first |
| Empty results on getResults | Assessment may still be running — check status with getStatus and wait for completion |
| run returns no error but tests don't start | Assessment may have no assets assigned or no enabled tests — verify assessment configuration in the UI |
| Missing path parameter error | Ensure assessment_id, test_id, asset_id, etc. are included in the parameters object |
| Wrong base URL | If your tenant uses a custom domain, override the Base URL in the credential to match your FireDrill instance |
| 429 Too Many Requests | Rate limit hit — reduce request frequency and add delays between polling calls |

Security Considerations

  1. Protect API Tokens: Store exclusively through NINA credential management — never in workflow parameters or logs
  2. Destructive Operations: assessment.run, test.run, and assessment.delete cause immediate action on production assets — gate these behind approval steps in workflows intended for production environments
  3. Scope API Access: Where possible, use a dedicated service account with the minimum role needed; avoid using personal admin tokens
  4. Rotate Tokens Regularly: Revoke and regenerate API tokens periodically; revoke immediately if compromised
  5. Result Data Sensitivity: Assessment results may contain information about security control gaps — treat them as sensitive and restrict workflow output accordingly
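
A pre-flight check for request objects in the shape used under Examples, covering items 1 and 2 of the list above; this is an added example, not part of NINA. The `approved` flag stands in for whatever approval step your workflow uses, the secret patterns are heuristics, and `SAMPLES` is constructed input.

```python
import re

# Operations that item 2 above names as acting on production assets.
DESTRUCTIVE = {("assessment", "run"), ("test", "run"), ("assessment", "delete")}
# Required parameter per operation, taken from the operation tables on this page.
REQUIRED = {
    ("assessment", "get"): "assessment_id", ("assessment", "delete"): "assessment_id",
    ("assessment", "run"): "assessment_id", ("assessment", "stop"): "assessment_id",
    ("assessment", "getStatus"): "assessment_id", ("assessment", "create"): "name",
    ("assessment", "getResults"): "assessment", ("test", "getResults"): "test",
    ("test", "get"): "test_id", ("test", "run"): "test_id",
    ("test", "stop"): "test_id", ("test", "getStatus"): "test_id",
}
# Heuristics only: parameter names and value shapes that suggest an inlined credential.
SECRET_KEY = re.compile(r"token|secret|api[_-]?key|authorization|password", re.I)
SECRET_VALUE = re.compile(r"^\s*bearer\s+\S+", re.I)

def lint_request(req, approved=False):
    """Return findings for one request object; an empty list means it passed.

    approved is a hypothetical flag set by an upstream approval step.
    """
    if req.get("integration_service") != "attack-iq":
        return []  # not an AttackIQ step
    findings = []
    op = (req.get("resource"), req.get("operation"))
    params = req.get("parameters") or {}
    needed = REQUIRED.get(op)
    if needed and params.get(needed) in (None, ""):
        findings.append(f"missing required parameter: {needed}")
    if op in DESTRUCTIVE and not approved:
        findings.append(f"{op[0]}.{op[1]} needs an approval step")
    for key, value in params.items():
        if SECRET_KEY.search(key) or (isinstance(value, str) and SECRET_VALUE.search(value)):
            findings.append(f"possible credential in parameter: {key}")
    return findings

# Constructed sample requests in the shape shown under Examples.
SAMPLES = [
    {"integration_service": "attack-iq", "resource": "assessment", "operation": "run",
     "parameters": {"assessment_id": "assess-abc-123"}},
    {"integration_service": "attack-iq", "resource": "test", "operation": "run",
     "parameters": {"api_token": "Bearer CONSTRUCTED-PLACEHOLDER"}},
    {"integration_service": "attack-iq", "resource": "assessment", "operation": "getResults",
     "parameters": {"assessment": "assess-abc-123", "outcome_filter": "Failed"}},
]
```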

Updated: 2026-04-23