[FR] Capability to Pull New ATT&CK Version and Update Existing Rule Threat Maps #2130

Closed · terrancedejesus opened this issue Jul 20, 2022 · 3 comments · Fixed by #2343
Labels: enhancement (New feature or request), python (Internal python for the repository), v8.5.0

terrancedejesus (Contributor) commented Jul 20, 2022
Description

From time to time we will need to update the MITRE ATT&CK data locally and then update any potential name changes to techniques and sub-techniques. When running pytests, these are checked against the updated data to confirm the names match, but we should be able to programmatically update the local ATT&CK data and the current mappings with a single command.

This was found during efforts to update all mappings.

While the following code is not perfect, it does give a good starting point for being able to do this.

devtools.py

# Imports assumed from the detection-rules repository: devtools.py already defines
# dev_group; the remaining names live in detection_rules.attack, .rule and .rule_loader.
import dataclasses
from datetime import date

import click

from .attack import refresh_attack_data, technique_lookup
from .rule import TOMLRule
from .rule_loader import RuleCollection


@dev_group.group('attack')
def attack_group():
    """Commands for dev attack methods"""


@attack_group.command('update')
@click.option('--update_existing', '-u', is_flag=True, help="Update outdated technique names")
def update(update_existing: bool):
    """Updates current MITRE ATT&CK mappings"""
    # pull the latest ATT&CK release so technique_lookup reflects current names
    refresh_attack_data()

    if update_existing:
        click.echo("Updating incorrect mappings\n")
        rules = RuleCollection.default()
        for rule in rules:
            threat_mapping = rule.contents.data.threat or []
            if not threat_mapping:
                continue

            changes = False
            new_threat = []  # threat entries rebuilt with corrected technique names
            for entry in threat_mapping:
                techniques = entry.technique or []
                new_technique_list = []
                for technique in techniques:
                    # compare the mapped name with the name in the refreshed ATT&CK data
                    expected_technique = technique_lookup[technique.id]['name']
                    if expected_technique != technique.name:
                        click.echo(rule.contents.data.name)
                        click.echo(f"\t Technique Name: {technique.name} -> {expected_technique}")
                        new_technique_data = dataclasses.replace(technique, name=expected_technique)
                        changes = True
                    else:
                        new_technique_data = technique

                    # sub-techniques are checked the same way, against their own ids
                    new_subtechnique_list = []
                    for sub_technique in technique.subtechnique or []:
                        expected_sub_technique = technique_lookup[sub_technique.id]['name']
                        if expected_sub_technique != sub_technique.name:
                            click.echo(rule.contents.data.name)
                            click.echo(f"\t Sub-Technique Name: {sub_technique.name} -> {expected_sub_technique}")
                            new_subtechnique_list.append(
                                dataclasses.replace(sub_technique, name=expected_sub_technique))
                            changes = True
                        else:
                            new_subtechnique_list.append(sub_technique)

                    if new_subtechnique_list:
                        new_technique_data = dataclasses.replace(new_technique_data,
                                                                 subtechnique=new_subtechnique_list)
                    new_technique_list.append(new_technique_data)

                new_threat.append(dataclasses.replace(entry, technique=new_technique_list))

            # Writing the corrected rule back stays disabled, as in the original sketch.
            # if changes:
            #     new_metadata = dataclasses.replace(rule.contents.metadata,
            #                                        updated_date=str(date.today()).replace("-", "/"))
            #     updated_data = dataclasses.replace(rule.contents.data, threat=new_threat)
            #     updated_contents = dataclasses.replace(rule.contents, metadata=new_metadata, data=updated_data)
            #     new_rule = TOMLRule(path=rule.path, contents=updated_contents)
            #     new_rule.save_toml()
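The rename check performed by the sketch above, as an added stand-alone example (not code from the issue or from the detection-rules repository) that also covers the case a plain dictionary lookup would crash on: a technique id the refreshed ATT&CK data no longer contains. The dataclasses, the sample mapping and the lookup are constructed here; lookup stands in for the repository's technique_lookup.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class SubTechnique:
    id: str
    name: str

@dataclass(frozen=True)
class Technique:
    id: str
    name: str
    subtechnique: List[SubTechnique] = field(default_factory=list)

def refresh_names(threat: List[Technique],
                  lookup: Dict[str, str]) -> Tuple[List[Technique], List[str], List[str]]:
    """Rewrite technique/sub-technique names to match lookup (id -> current name).
    Returns (updated techniques, rename log, ids unknown to the new release); unknown
    ids are kept and reported rather than raising, so revoked ids surface for review."""
    updated, renames, unknown = [], [], []
    for tech in threat:
        new_subs = []
        for sub in tech.subtechnique:
            expected = lookup.get(sub.id)
            if expected is None:
                unknown.append(sub.id)
                new_subs.append(sub)
                continue
            if expected != sub.name:
                renames.append(f"{sub.id}: {sub.name} -> {expected}")
            new_subs.append(replace(sub, name=expected))
        expected = lookup.get(tech.id, tech.name)
        if tech.id not in lookup:
            unknown.append(tech.id)
        elif expected != tech.name:
            renames.append(f"{tech.id}: {tech.name} -> {expected}")
        updated.append(replace(tech, name=expected, subtechnique=new_subs))
    return updated, renames, unknown

# Constructed sample: a stale rule mapping and a minimal "new release" lookup.
OLD_THREAT = [
    Technique("T1059", "Command and Scripting Interpreter",
              [SubTechnique("T1059.001", "PowerShell"), SubTechnique("T1059.004", "Bash")]),
    Technique("T1086", "PowerShell"),  # constructed: id absent from the new lookup
]
NEW_LOOKUP = {"T1059": "Command and Scripting Interpreter",
              "T1059.001": "PowerShell", "T1059.004": "Unix Shell"}
```

Running refresh_names a second time over its own output yields an empty rename log, so the pass is idempotent and safe to re-run after every ATT&CK refresh.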

terrancedejesus added the enhancement (New feature or request) and python (Internal python for the repository) labels Jul 20, 2022
terrancedejesus self-assigned this Jul 20, 2022
Mikaayenson changed the title from "[FR] Capability to Pull New ATT&CK Version and Update Existing" to "[FR] Capability to Pull New ATT&CK Version and Update Existing Threat Maps" Sep 15, 2022
Mikaayenson changed the title from "[FR] Capability to Pull New ATT&CK Version and Update Existing Threat Maps" to "[FR] Capability to Pull New ATT&CK Version and Update Existing Rule Threat Maps" Sep 15, 2022
Mikaayenson (Contributor) commented

I came across update_threat_map and build_threat_map_entry as well. They look useful.

shashank-elastic (Contributor) commented Oct 5, 2022

During the study, I came across a file artifact that is already being generated, named attack-crosswalk.json, with all the mapping changes in a single consolidated mapping!

Mikaayenson (Contributor) commented

I think @brokensound77 started working on this as well.
