DeTTECT/constants.py

import re

APP_NAME = 'DeTT&CT'
APP_DESC = 'Detect Tactics, Techniques & Combat Threats'
VERSION = '1.4.1'

EXPIRE_TIME = 60 * 60 * 24

# MITRE ATT&CK data types for custom schema and STIX
DATA_TYPE_CUSTOM_TECH_BY_GROUP = 'mitre_techniques_used_by_group'
DATA_TYPE_CUSTOM_TECH_BY_SOFTWARE = 'mitre_techniques_used_by_software'
DATA_TYPE_CUSTOM_SOFTWARE_BY_GROUP = 'mitre_software_used_by_group'
DATA_TYPE_STIX_ALL_TECH = 'mitre_all_techniques'
DATA_TYPE_STIX_ALL_TECH_ENTERPRISE = 'mitre_all_techniques_enterprise'
DATA_TYPE_STIX_ALL_GROUPS = 'mitre_all_groups'
DATA_TYPE_STIX_ALL_SOFTWARE = 'mitre_all_software'
DATA_TYPE_STIX_ALL_RELATIONSHIPS = 'mitre_all_relationships'
DATA_TYPE_STIX_ALL_ENTERPRISE_MITIGATIONS = 'mitre_all_mitigations_enterprise'
DATA_TYPE_STIX_ALL_MOBILE_MITIGATIONS = 'mitre_all_mitigations_mobile'

# Group colors
COLOR_GROUP_OVERLAY_MATCH = '#f9a825'            # orange
COLOR_GROUP_OVERLAY_NO_MATCH = '#ffee58'         # yellow
COLOR_SOFTWARE = '#0d47a1 '                      # dark blue
COLOR_GROUP_AND_SOFTWARE = '#64b5f6 '            # light blue
COLOR_GRADIENT_MIN = '#ffcece'                   # light red
COLOR_GRADIENT_MAX = '#ff0000'                   # red
COLOR_TACTIC_ROW_BACKGRND = '#dddddd'            # light grey
COLOR_GROUP_OVERLAY_ONLY_DETECTION = '#8BC34A'   # green
COLOR_GROUP_OVERLAY_ONLY_VISIBILITY = '#1976D2'  # blue

# data source colors (purple range)
COLOR_DS_25p = '#E1BEE7'
COLOR_DS_50p = '#CE93D8'
COLOR_DS_75p = '#AB47BC'
COLOR_DS_99p = '#7B1FA2'
COLOR_DS_100p = '#4A148C'

# data source colors HAPPY (green range)
COLOR_DS_25p_HAPPY = '#DCEDC8'
COLOR_DS_50p_HAPPY = '#AED581'
COLOR_DS_75p_HAPPY = '#8BC34A'
COLOR_DS_99p_HAPPY = '#689F38'
COLOR_DS_100p_HAPPY = '#33691E'

# Detection colors (green range)
COLOR_D_0 = '#9C27B0'  # Purple: Forensics/Context
COLOR_D_1 = '#DCEDC8'
COLOR_D_2 = '#AED581'
COLOR_D_3 = '#8BC34A'
COLOR_D_4 = '#689F38'
COLOR_D_5 = '#33691E'

# Visibility colors (blue range)
COLOR_V_1 = '#BBDEFB'
COLOR_V_2 = '#64B5F6'
COLOR_V_3 = '#1976D2'
COLOR_V_4 = '#0D47A1'

# Orange overlay colors
COLOR_O_0 = '#FFECB7'
COLOR_O_1 = '#FFE07A'
COLOR_O_2 = '#FFCA28'
COLOR_O_3 = '#FFAE00'
COLOR_O_4 = '#FF8F00'
COLOR_O_5 = '#FF6F00'

COLOR_WHITE = '#FFFFFF'

# Detection and visibility overlay color:
COLOR_OVERLAY_VISIBILITY = COLOR_V_3
COLOR_OVERLAY_DETECTION = COLOR_D_3
COLOR_OVERLAY_BOTH = COLOR_GROUP_OVERLAY_MATCH

# Overlay types as used within the group functionality
OVERLAY_TYPE_GROUP = 'group'
OVERLAY_TYPE_VISIBILITY = 'visibility'
OVERLAY_TYPE_DETECTION = 'detection'

FILE_TYPE_DATA_SOURCE_ADMINISTRATION = 'data-source-administration'
FILE_TYPE_TECHNIQUE_ADMINISTRATION = 'technique-administration'
FILE_TYPE_GROUP_ADMINISTRATION = 'group-administration'

# YAML administration file versions
FILE_TYPE_DATA_SOURCE_ADMINISTRATION_VERSION = 1.0
FILE_TYPE_TECHNIQUE_ADMINISTRATION_VERSION = 1.2
FILE_TYPE_GROUP_ADMINISTRATION_VERSION = 1.0

# YAML file upgrade text
FILE_TYPE_TECHNIQUE_ADMINISTRATION_UPGRADE_TEXT = {
    1.1: "   * Adding new key 'technique_name' containing the ATT&CK technique name.\n"
         "   * Adding new key 'applicable_to' for both detection and visibility. Default value is ['all'].",
    1.2: "   * Detection: removing the key-value pair 'date_registered'.\n"
         "     You will be asked if you still want to keep this key-value pair even though DeTT&CT no longer makes use of it.\n"
         "   * Detection: the key-value pair 'date_implemented' will be renamed to 'date'.\n"
         "   * Visibility: adding a new key-value pair 'date'. You will be asked on what date to fill in for the visibility scores already present.\n"
         "   * Detection and visibility: the key-value pairs 'score' and 'date' are moved into a 'score_logbook'.\n"
         "     The primary purpose of doing this is to allow you to keep track of changes in the score."}

# visibility update questions and answers
V_UPDATE_Q_ALL_MANUAL = 'For all most recent visibility score objects that are eligible for an update, the key-value pair \'auto-generated\' is set to \'false\' or is not present.\n' \
                        'This implies that these scores are manually assigned. How do you want to proceed?:'
V_UPDATE_Q_ALL_AUTO = 'For all most recent visibility score objects that are eligible for an update, the key-value pair \'auto-generated\' is set to \'true\'. \n' \
                      'This implies that these scores are auto-generated. How do you want to proceed?:'
V_UPDATE_Q_MIXED = 'You have visibility scores that are eligible for an update, which are manually assigned and which are calculated based on the nr. of data sources (i.e. auto-generated = true)\n' \
                   'How do you want to proceed?'
V_UPDATE_ANSWER_1 = 'Update all visibility scores that have changed.'
V_UPDATE_ANSWER_2 = 'Decide per visibility score, that has changed if you want to update or not.\n' \
                    'Both the current and new visibility score will be printed.'
V_UPDATE_ANSWER_3 = 'Only auto-update the visibility scores, that have changed, which have \'auto-generated = true\''
V_UPDATE_ANSWER_4 = '- Auto-update the visibility scores, that have changed, which have \'auto-generated = true\'.\n' \
                    '- And decide per manually assigned visibility score, that has changed, if you want to update or not.\n' \
                    '  Both the current and new visibility score will be printed.'
V_UPDATE_ANSWER_CANCEL = 'Cancel.'

# update actions for visibility scores
V_UPDATE_ACTION_AUTO = 'auto update'
V_UPDATE_ACTION_DIFF = 'the user decides to update or not'

# YAML regex
REGEX_YAML_VERSION_10 = re.compile(r'^\s*version:\s+1\.0\s*$', re.IGNORECASE)
REGEX_YAML_TECHNIQUE_ID = re.compile(r'^-\s+technique_id:\s+T\d{4}(\.\d{3}|)\s*$', re.IGNORECASE)
REGEX_YAML_TECHNIQUE_ID_FORMAT = re.compile(r'T\d{4}(\.\d{3}|)', re.IGNORECASE)
REGEX_YAML_DETECTION = re.compile(r'^\s+detection:\s*$', re.IGNORECASE)
REGEX_YAML_VISIBILITY = re.compile(r'^\s+visibility:\s*$', re.IGNORECASE)
REGEX_YAML_INDENT_CHARS = re.compile(r'(^[\s-]+).*', re.IGNORECASE)
REGEX_YAML_VALID_DATE = re.compile(r'([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))', re.IGNORECASE)
REGEX_YAML_DATE = re.compile(r'^[\s-]+date:.*$', re.IGNORECASE)
REGEX_YAML_TECHNIQUE_ID_GROUP = re.compile(r'^-\s+technique_id:\s+(T\d{4})\s*$', re.IGNORECASE)

# YAML objects
YAML_OBJ_VISIBILITY = {'applicable_to': ['all'],
                       'comment': '',
                       'score_logbook':
                           [
                               {'date': None,
                                'score': 0,
                                'comment': '',
                                'auto_generated': True}
                           ]
                       }

YAML_OBJ_DETECTION = {'applicable_to': ['all'],
                      'location': [''],
                      'comment': '',
                      'score_logbook':
                          [
                              {'date': None,
                               'score': -1,
                               'comment': ''}
                      ]}

YAML_OBJ_TECHNIQUE = {'technique_id': '',
                      'technique_name': '',
                      'detection': YAML_OBJ_DETECTION,
                      'visibility': YAML_OBJ_VISIBILITY}

YAML_OBJ_DATA_SOURCE = {'data_source_name': '',
                        'date_registered': None,
                        'date_connected': None,
                        'products': [''],
                        'available_for_data_analytics': False,
                        'comment': '',
                        'data_quality': {
                            'device_completeness': 0,
                            'data_field_completeness': 0,
                            'timeliness': 0,
                            'consistency': 0,
                            'retention': 0}}

# Interactive menu
MENU_NAME_DATA_SOURCE_MAPPING = 'Data source mapping'
MENU_NAME_VISIBILITY_MAPPING = 'Visibility coverage mapping'
MENU_NAME_DETECTION_COVERAGE_MAPPING = 'Detection coverage mapping'
MENU_NAME_THREAT_ACTOR_GROUP_MAPPING = 'Threat actor group mapping'

# EQL
EQL_INVALID_RESULT_DS = '[!] Invalid data source administration content. Check your EQL query to return data_sources object(s):'
EQL_INVALID_RESULT_TECH = '[!] Invalid technique administration content. Check your EQL query to return '

# Health text
HEALTH_ERROR_TXT = '[!] The below YAML file contains possible errors. It\'s recommended to check via the ' \
                   '\'--health\' argument or using the option in the interactive menu: \n    - '

PLATFORMS = {'windows': 'Windows', 'linux': 'Linux', 'macos': 'macOS', 'aws': 'AWS', 'gcp': 'GCP', 'azure': 'Azure',
             'azure ad': 'Azure AD', 'office 365': 'Office 365', 'saas': 'SaaS'}

# Data sources applicable per platform
DATA_SOURCES = {'Windows': ['Access tokens', 'Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'Binary file metadata', 'BIOS', 'Browser extensions',
                            'Component firmware', 'Data loss prevention', 'Detonation chamber', 'Digital certificate logs', 'Disk forensics', 'DLL monitoring', 'DNS records', 'EFI', 'Email gateway',
                            'Environment variable', 'File monitoring', 'Host network interface', 'Kernel drivers', 'Loaded DLLs', 'Mail server', 'Malware reverse engineering', 'MBR', 'Named Pipes',
                            'Netflow/Enclave netflow', 'Network device logs', 'Network intrusion detection system', 'Network protocol analysis', 'Packet capture', 'PowerShell logs',
                            'Process command-line parameters', 'Process monitoring', 'Process use of network', 'Sensor health and status', 'Services', 'SSL/TLS inspection', 'System calls',
                            'Third-party application logs', 'User interface', 'VBR', 'Web application firewall logs', 'Web logs', 'Web proxy', 'Windows Error Reporting', 'Windows event logs',
                            'Windows Registry', 'WMI Objects'],
                'Linux': ['Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'Binary file metadata', 'BIOS', 'Browser extensions', 'Component firmware',
                          'Data loss prevention', 'Detonation chamber', 'Digital certificate logs', 'Disk forensics', 'DNS records', 'EFI', 'Email gateway', 'Environment variable', 'File monitoring',
                          'Host network interface', 'Kernel drivers', 'Mail server', 'Malware reverse engineering', 'MBR', 'Named Pipes', 'Netflow/Enclave netflow', 'Network device logs',
                          'Network intrusion detection system', 'Network protocol analysis', 'Packet capture', 'PowerShell logs', 'Process command-line parameters', 'Process monitoring',
                          'Process use of network', 'Sensor health and status', 'Services', 'SSL/TLS inspection', 'System calls', 'Third-party application logs', 'User interface', 'VBR',
                          'Web application firewall logs', 'Web logs', 'Web proxy'],
                'macOS': ['Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'Binary file metadata', 'BIOS', 'Browser extensions', 'Component firmware',
                          'Data loss prevention', 'Detonation chamber', 'Digital certificate logs', 'Disk forensics', 'DNS records', 'EFI', 'Email gateway', 'Environment variable', 'File monitoring',
                          'Host network interface', 'Kernel drivers', 'Mail server', 'Malware reverse engineering', 'MBR', 'Named Pipes', 'Netflow/Enclave netflow', 'Network device logs',
                          'Network intrusion detection system', 'Network protocol analysis', 'Packet capture', 'PowerShell logs', 'Process command-line parameters', 'Process monitoring',
                          'Process use of network', 'Sensor health and status', 'Services', 'SSL/TLS inspection', 'System calls', 'Third-party application logs', 'User interface', 'VBR',
                          'Web application firewall logs', 'Web logs', 'Web proxy'],
                'AWS': ['Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'AWS CloudTrail logs', 'AWS OS logs', 'Binary file metadata', 'Data loss prevention',
                        'Detonation chamber', 'DNS records', 'Email gateway', 'File monitoring', 'Mail server', 'Malware reverse engineering', 'Netflow/Enclave netflow', 'Network device logs',
                        'Network intrusion detection system', 'Network protocol analysis', 'Packet capture', 'Sensor health and status', 'SSL/TLS inspection', 'Third-party application logs',
                        'Web application firewall logs', 'Web logs', 'Web proxy'],
                'GCP': ['Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'Binary file metadata', 'Data loss prevention', 'Detonation chamber',
                        'DNS records', 'Email gateway', 'File monitoring', 'Mail server', 'Malware reverse engineering', 'Netflow/Enclave netflow', 'Network device logs',
                        'Network intrusion detection system', 'Network protocol analysis', 'Packet capture', 'Sensor health and status', 'SSL/TLS inspection', 'Stackdriver logs',
                        'Third-party application logs', 'Web application firewall logs', 'Web logs', 'Web proxy'],
                'Azure': ['Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'Azure activity logs', 'Azure OS logs', 'Binary file metadata',
                          'Data loss prevention', 'DNS records', 'File monitoring', 'Malware reverse engineering', 'Netflow/Enclave netflow', 'Network device logs', 'Network intrusion detection system',
                          'Network protocol analysis', 'Packet capture', 'Sensor health and status', 'SSL/TLS inspection', 'Third-party application logs', 'Web application firewall logs',
                          'Web logs', 'Web proxy'],
                'Azure AD': ['API monitoring', 'Authentication logs', 'Azure activity logs', 'Malware reverse engineering', 'Sensor health and status'],
                'Office 365': ['Anti-virus', 'API monitoring', 'Authentication logs', 'Azure activity logs', 'Data loss prevention', 'Detonation chamber', 'Email gateway', 'Mail server',
                               'Malware reverse engineering', 'Office 365 account logs', 'Office 365 audit logs', 'Office 365 trace logs', 'Sensor health and status'],
                'SaaS': ['Anti-virus', 'API monitoring', 'Application logs', 'Authentication logs', 'Data loss prevention', 'Detonation chamber', 'Email gateway', 'Mail server',
                         'Malware reverse engineering', 'OAuth audit logs', 'Sensor health and status', 'Third-party application logs', 'Web application firewall logs', 'Web logs']
                }
- Updated the version to 1.2.0 - Added new constants for the tech v1.1 to v1.2 upgrade - Added new constants for the auto-update visibility scores functionality 2019-07-31 08:09:06 +00:00			`import re`

Moved all constants to its own file 2019-04-23 11:13:07 +00:00			`APP_NAME = 'DeTT&CT'`
			`APP_DESC = 'Detect Tactics, Techniques & Combat Threats'`
bumped the version to 1.4.1 2020-10-16 09:35:49 +00:00			`VERSION = '1.4.1'`
Moved all constants to its own file 2019-04-23 11:13:07 +00:00
Added several new constants. 2019-08-08 09:49:12 +00:00			`EXPIRE_TIME = 60 * 60 * 24`
Moved all constants to its own file 2019-04-23 11:13:07 +00:00
Increased performance by caching ATT&CK STIX objects were possible. 2019-07-15 12:55:39 +00:00			`# MITRE ATT&CK data types for custom schema and STIX`
			`DATA_TYPE_CUSTOM_TECH_BY_GROUP = 'mitre_techniques_used_by_group'`
			`DATA_TYPE_CUSTOM_TECH_BY_SOFTWARE = 'mitre_techniques_used_by_software'`
			`DATA_TYPE_CUSTOM_SOFTWARE_BY_GROUP = 'mitre_software_used_by_group'`
			`DATA_TYPE_STIX_ALL_TECH = 'mitre_all_techniques'`
			`DATA_TYPE_STIX_ALL_TECH_ENTERPRISE = 'mitre_all_techniques_enterprise'`
			`DATA_TYPE_STIX_ALL_GROUPS = 'mitre_all_groups'`
			`DATA_TYPE_STIX_ALL_SOFTWARE = 'mitre_all_software'`
			`DATA_TYPE_STIX_ALL_RELATIONSHIPS = 'mitre_all_relationships'`
Added new constants for STIX 2019-08-01 13:00:09 +00:00			`DATA_TYPE_STIX_ALL_ENTERPRISE_MITIGATIONS = 'mitre_all_mitigations_enterprise'`
			`DATA_TYPE_STIX_ALL_MOBILE_MITIGATIONS = 'mitre_all_mitigations_mobile'`
Moved all constants to its own file 2019-04-23 11:13:07 +00:00
			`# Group colors`
			`COLOR_GROUP_OVERLAY_MATCH = '#f9a825' # orange`
			`COLOR_GROUP_OVERLAY_NO_MATCH = '#ffee58' # yellow`
			`COLOR_SOFTWARE = '#0d47a1 ' # dark blue`
			`COLOR_GROUP_AND_SOFTWARE = '#64b5f6 ' # light blue`
			`COLOR_GRADIENT_MIN = '#ffcece' # light red`
			`COLOR_GRADIENT_MAX = '#ff0000' # red`
			`COLOR_TACTIC_ROW_BACKGRND = '#dddddd' # light grey`
			`COLOR_GROUP_OVERLAY_ONLY_DETECTION = '#8BC34A' # green`
			`COLOR_GROUP_OVERLAY_ONLY_VISIBILITY = '#1976D2' # blue`

			`# data source colors (purple range)`
			`COLOR_DS_25p = '#E1BEE7'`
			`COLOR_DS_50p = '#CE93D8'`
			`COLOR_DS_75p = '#AB47BC'`
			`COLOR_DS_99p = '#7B1FA2'`
			`COLOR_DS_100p = '#4A148C'`

			`# data source colors HAPPY (green range)`
			`COLOR_DS_25p_HAPPY = '#DCEDC8'`
			`COLOR_DS_50p_HAPPY = '#AED581'`
			`COLOR_DS_75p_HAPPY = '#8BC34A'`
			`COLOR_DS_99p_HAPPY = '#689F38'`
			`COLOR_DS_100p_HAPPY = '#33691E'`

			`# Detection colors (green range)`
Color shading for overlay files. 2020-06-18 15:01:16 +00:00			`COLOR_D_0 = '#9C27B0' # Purple: Forensics/Context`
Moved all constants to its own file 2019-04-23 11:13:07 +00:00			`COLOR_D_1 = '#DCEDC8'`
			`COLOR_D_2 = '#AED581'`
			`COLOR_D_3 = '#8BC34A'`
			`COLOR_D_4 = '#689F38'`
			`COLOR_D_5 = '#33691E'`

			`# Visibility colors (blue range)`
			`COLOR_V_1 = '#BBDEFB'`
			`COLOR_V_2 = '#64B5F6'`
			`COLOR_V_3 = '#1976D2'`
			`COLOR_V_4 = '#0D47A1'`

Color shading for overlay files. 2020-06-18 15:01:16 +00:00			`# Orange overlay colors`
Changed the colours 2020-06-22 12:13:53 +00:00			`COLOR_O_0 = '#FFECB7'`
			`COLOR_O_1 = '#FFE07A'`
			`COLOR_O_2 = '#FFCA28'`
			`COLOR_O_3 = '#FFAE00'`
			`COLOR_O_4 = '#FF8F00'`
			`COLOR_O_5 = '#FF6F00'`
Color shading for overlay files. 2020-06-18 15:01:16 +00:00
Fixed a bug that resulted (within specific circumstance) in a wrong colour for visibility, when detection coverage is overlaid with visibility. Reported by @Sreeman. 2019-12-04 09:39:11 +00:00			`COLOR_WHITE = '#FFFFFF'`

Moved all constants to its own file 2019-04-23 11:13:07 +00:00			`# Detection and visibility overlay color:`
			`COLOR_OVERLAY_VISIBILITY = COLOR_V_3`
			`COLOR_OVERLAY_DETECTION = COLOR_D_3`
			`COLOR_OVERLAY_BOTH = COLOR_GROUP_OVERLAY_MATCH`

Created 3 constants for overlay_type 2019-05-02 18:15:43 +00:00			`# Overlay types as used within the group functionality`
			`OVERLAY_TYPE_GROUP = 'group'`
			`OVERLAY_TYPE_VISIBILITY = 'visibility'`
			`OVERLAY_TYPE_DETECTION = 'detection'`

Moved all constants to its own file 2019-04-23 11:13:07 +00:00			`FILE_TYPE_DATA_SOURCE_ADMINISTRATION = 'data-source-administration'`
			`FILE_TYPE_TECHNIQUE_ADMINISTRATION = 'technique-administration'`
			`FILE_TYPE_GROUP_ADMINISTRATION = 'group-administration'`

			`# YAML administration file versions`
			`FILE_TYPE_DATA_SOURCE_ADMINISTRATION_VERSION = 1.0`
- Updated the version to 1.2.0 - Added new constants for the tech v1.1 to v1.2 upgrade - Added new constants for the auto-update visibility scores functionality 2019-07-31 08:09:06 +00:00			`FILE_TYPE_TECHNIQUE_ADMINISTRATION_VERSION = 1.2`
Moved all constants to its own file 2019-04-23 11:13:07 +00:00			`FILE_TYPE_GROUP_ADMINISTRATION_VERSION = 1.0`

			`# YAML file upgrade text`
Added several new constants. 2019-08-08 09:49:12 +00:00			`FILE_TYPE_TECHNIQUE_ADMINISTRATION_UPGRADE_TEXT = {`
			`1.1: " * Adding new key 'technique_name' containing the ATT&CK technique name.\n"`
			`" * Adding new key 'applicable_to' for both detection and visibility. Default value is ['all'].",`
			`1.2: " * Detection: removing the key-value pair 'date_registered'.\n"`
			`" You will be asked if you still want to keep this key-value pair even though DeTT&CT no longer makes use of it.\n"`
			`" * Detection: the key-value pair 'date_implemented' will be renamed to 'date'.\n"`
			`" * Visibility: adding a new key-value pair 'date'. You will be asked on what date to fill in for the visibility scores already present.\n"`
			`" * Detection and visibility: the key-value pairs 'score' and 'date' are moved into a 'score_logbook'.\n"`
			`" The primary purpose of doing this is to allow you to keep track of changes in the score."}`
- Updated the version to 1.2.0 - Added new constants for the tech v1.1 to v1.2 upgrade - Added new constants for the auto-update visibility scores functionality 2019-07-31 08:09:06 +00:00
			`# visibility update questions and answers`
Fixed a bug within the YAML visibility update functionality. 2019-09-19 13:49:59 +00:00			`V_UPDATE_Q_ALL_MANUAL = 'For all most recent visibility score objects that are eligible for an update, the key-value pair \'auto-generated\' is set to \'false\' or is not present.\n' \`
- Updated the version to 1.2.0 - Added new constants for the tech v1.1 to v1.2 upgrade - Added new constants for the auto-update visibility scores functionality 2019-07-31 08:09:06 +00:00			`'This implies that these scores are manually assigned. How do you want to proceed?:'`
Fixed a bug within the YAML visibility update functionality. 2019-09-19 13:49:59 +00:00			`V_UPDATE_Q_ALL_AUTO = 'For all most recent visibility score objects that are eligible for an update, the key-value pair \'auto-generated\' is set to \'true\'. \n' \`
- Updated the version to 1.2.0 - Added new constants for the tech v1.1 to v1.2 upgrade - Added new constants for the auto-update visibility scores functionality 2019-07-31 08:09:06 +00:00			`'This implies that these scores are auto-generated. How do you want to proceed?:'`
			`V_UPDATE_Q_MIXED = 'You have visibility scores that are eligible for an update, which are manually assigned and which are calculated based on the nr. of data sources (i.e. auto-generated = true)\n' \`
			`'How do you want to proceed?'`
			`V_UPDATE_ANSWER_1 = 'Update all visibility scores that have changed.'`
			`V_UPDATE_ANSWER_2 = 'Decide per visibility score, that has changed if you want to update or not.\n' \`
			`'Both the current and new visibility score will be printed.'`
			`V_UPDATE_ANSWER_3 = 'Only auto-update the visibility scores, that have changed, which have \'auto-generated = true\''`
			`V_UPDATE_ANSWER_4 = '- Auto-update the visibility scores, that have changed, which have \'auto-generated = true\'.\n' \`
			`'- And decide per manually assigned visibility score, that has changed, if you want to update or not.\n' \`
			`' Both the current and new visibility score will be printed.'`
			`V_UPDATE_ANSWER_CANCEL = 'Cancel.'`

			`# update actions for visibility scores`
			`V_UPDATE_ACTION_AUTO = 'auto update'`
			`V_UPDATE_ACTION_DIFF = 'the user decides to update or not'`

			`# YAML regex`
			`REGEX_YAML_VERSION_10 = re.compile(r'^\sversion:\s+1\.0\s$', re.IGNORECASE)`
Modified some regexes to support sub-techniques and bumped the version to 1.4 2020-06-25 18:48:51 +00:00			`REGEX_YAML_TECHNIQUE_ID = re.compile(r'^-\s+technique_id:\s+T\d{4}(\.\d{3}\|)\s*$', re.IGNORECASE)`
			`REGEX_YAML_TECHNIQUE_ID_FORMAT = re.compile(r'T\d{4}(\.\d{3}\|)', re.IGNORECASE)`
- Updated the version to 1.2.0 - Added new constants for the tech v1.1 to v1.2 upgrade - Added new constants for the auto-update visibility scores functionality 2019-07-31 08:09:06 +00:00			`REGEX_YAML_DETECTION = re.compile(r'^\s+detection:\s*$', re.IGNORECASE)`
			`REGEX_YAML_VISIBILITY = re.compile(r'^\s+visibility:\s*$', re.IGNORECASE)`
			`REGEX_YAML_INDENT_CHARS = re.compile(r'(^[\s-]+).*', re.IGNORECASE)`
			`REGEX_YAML_VALID_DATE = re.compile(r'([12]\d{3}-(0[1-9]\|1[0-2])-(0[1-9]\|[12]\d\|3[01]))', re.IGNORECASE)`
			`REGEX_YAML_DATE = re.compile(r'^[\s-]+date:.*$', re.IGNORECASE)`
Modified some regexes to support sub-techniques and bumped the version to 1.4 2020-06-25 18:48:51 +00:00			`REGEX_YAML_TECHNIQUE_ID_GROUP = re.compile(r'^-\s+technique_id:\s+(T\d{4})\s*$', re.IGNORECASE)`
- Updated the version to 1.2.0 - Added new constants for the tech v1.1 to v1.2 upgrade - Added new constants for the auto-update visibility scores functionality 2019-07-31 08:09:06 +00:00
Added several new constants. 2019-08-08 09:49:12 +00:00			`# YAML objects`
			`YAML_OBJ_VISIBILITY = {'applicable_to': ['all'],`
			`'comment': '',`
			`'score_logbook':`
			`[`
			`{'date': None,`
			`'score': 0,`
			`'comment': '',`
			`'auto_generated': True}`
			`]`
			`}`
Mapped data sources to platforms 2020-02-10 11:17:00 +00:00
Added several new constants. 2019-08-08 09:49:12 +00:00			`YAML_OBJ_DETECTION = {'applicable_to': ['all'],`
			`'location': [''],`
			`'comment': '',`
			`'score_logbook':`
			`[`
			`{'date': None,`
			`'score': -1,`
			`'comment': ''}`
Mapped data sources to platforms 2020-02-10 11:17:00 +00:00			`]}`
Added several new constants. 2019-08-08 09:49:12 +00:00
			`YAML_OBJ_TECHNIQUE = {'technique_id': '',`
			`'technique_name': '',`
			`'detection': YAML_OBJ_DETECTION,`
			`'visibility': YAML_OBJ_VISIBILITY}`
- Updated the version to 1.2.0 - Added new constants for the tech v1.1 to v1.2 upgrade - Added new constants for the auto-update visibility scores functionality 2019-07-31 08:09:06 +00:00
- Non-MITRE ATT&CK data sources are now also exported to Excel. - Any ATT&CK data sources that are missing within the YAML file are added to the Excel with a comment stating it is missing. 2019-08-15 18:31:20 +00:00			`YAML_OBJ_DATA_SOURCE = {'data_source_name': '',`
			`'date_registered': None,`
			`'date_connected': None,`
			`'products': [''],`
			`'available_for_data_analytics': False,`
			`'comment': '',`
			`'data_quality': {`
			`'device_completeness': 0,`
			`'data_field_completeness': 0,`
			`'timeliness': 0,`
			`'consistency': 0,`
			`'retention': 0}}`

Moved all constants to its own file 2019-04-23 11:13:07 +00:00			`# Interactive menu`
			`MENU_NAME_DATA_SOURCE_MAPPING = 'Data source mapping'`
			`MENU_NAME_VISIBILITY_MAPPING = 'Visibility coverage mapping'`
			`MENU_NAME_DETECTION_COVERAGE_MAPPING = 'Detection coverage mapping'`
			`MENU_NAME_THREAT_ACTOR_GROUP_MAPPING = 'Threat actor group mapping'`
Added several new constants. 2019-08-08 09:49:12 +00:00
			`# EQL`
			`EQL_INVALID_RESULT_DS = '[!] Invalid data source administration content. Check your EQL query to return data_sources object(s):'`
			`EQL_INVALID_RESULT_TECH = '[!] Invalid technique administration content. Check your EQL query to return '`

			`# Health text`
Changed variable name. 2019-08-20 09:14:51 +00:00			`HEALTH_ERROR_TXT = '[!] The below YAML file contains possible errors. It\'s recommended to check via the ' \`
Added several new constants. 2019-08-08 09:49:12 +00:00			`'\'--health\' argument or using the option in the interactive menu: \n - '`
Added support for new platforms of ATT&CK October update: AWS, GCP, Azure, Azure AD, Office 365, SaaS. Added support for using multiple values in platform attribute in data sources administration and techniques administration files. Added health check on platform attribute in techniques administration file. Updated support for ATT&CK Navigator layer version 2.2. 2019-11-04 13:48:58 +00:00
			`PLATFORMS = {'windows': 'Windows', 'linux': 'Linux', 'macos': 'macOS', 'aws': 'AWS', 'gcp': 'GCP', 'azure': 'Azure',`
			`'azure ad': 'Azure AD', 'office 365': 'Office 365', 'saas': 'SaaS'}`
Mapped data sources to platforms 2020-02-10 11:17:00 +00:00
			`# Data sources applicable per platform`
			`DATA_SOURCES = {'Windows': ['Access tokens', 'Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'Binary file metadata', 'BIOS', 'Browser extensions',`
			`'Component firmware', 'Data loss prevention', 'Detonation chamber', 'Digital certificate logs', 'Disk forensics', 'DLL monitoring', 'DNS records', 'EFI', 'Email gateway',`
			`'Environment variable', 'File monitoring', 'Host network interface', 'Kernel drivers', 'Loaded DLLs', 'Mail server', 'Malware reverse engineering', 'MBR', 'Named Pipes',`
			`'Netflow/Enclave netflow', 'Network device logs', 'Network intrusion detection system', 'Network protocol analysis', 'Packet capture', 'PowerShell logs',`
			`'Process command-line parameters', 'Process monitoring', 'Process use of network', 'Sensor health and status', 'Services', 'SSL/TLS inspection', 'System calls',`
			`'Third-party application logs', 'User interface', 'VBR', 'Web application firewall logs', 'Web logs', 'Web proxy', 'Windows Error Reporting', 'Windows event logs',`
			`'Windows Registry', 'WMI Objects'],`
			`'Linux': ['Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'Binary file metadata', 'BIOS', 'Browser extensions', 'Component firmware',`
			`'Data loss prevention', 'Detonation chamber', 'Digital certificate logs', 'Disk forensics', 'DNS records', 'EFI', 'Email gateway', 'Environment variable', 'File monitoring',`
			`'Host network interface', 'Kernel drivers', 'Mail server', 'Malware reverse engineering', 'MBR', 'Named Pipes', 'Netflow/Enclave netflow', 'Network device logs',`
			`'Network intrusion detection system', 'Network protocol analysis', 'Packet capture', 'PowerShell logs', 'Process command-line parameters', 'Process monitoring',`
			`'Process use of network', 'Sensor health and status', 'Services', 'SSL/TLS inspection', 'System calls', 'Third-party application logs', 'User interface', 'VBR',`
			`'Web application firewall logs', 'Web logs', 'Web proxy'],`
			`'macOS': ['Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'Binary file metadata', 'BIOS', 'Browser extensions', 'Component firmware',`
			`'Data loss prevention', 'Detonation chamber', 'Digital certificate logs', 'Disk forensics', 'DNS records', 'EFI', 'Email gateway', 'Environment variable', 'File monitoring',`
			`'Host network interface', 'Kernel drivers', 'Mail server', 'Malware reverse engineering', 'MBR', 'Named Pipes', 'Netflow/Enclave netflow', 'Network device logs',`
			`'Network intrusion detection system', 'Network protocol analysis', 'Packet capture', 'PowerShell logs', 'Process command-line parameters', 'Process monitoring',`
			`'Process use of network', 'Sensor health and status', 'Services', 'SSL/TLS inspection', 'System calls', 'Third-party application logs', 'User interface', 'VBR',`
			`'Web application firewall logs', 'Web logs', 'Web proxy'],`
			`'AWS': ['Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'AWS CloudTrail logs', 'AWS OS logs', 'Binary file metadata', 'Data loss prevention',`
			`'Detonation chamber', 'DNS records', 'Email gateway', 'File monitoring', 'Mail server', 'Malware reverse engineering', 'Netflow/Enclave netflow', 'Network device logs',`
			`'Network intrusion detection system', 'Network protocol analysis', 'Packet capture', 'Sensor health and status', 'SSL/TLS inspection', 'Third-party application logs',`
			`'Web application firewall logs', 'Web logs', 'Web proxy'],`
			`'GCP': ['Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'Binary file metadata', 'Data loss prevention', 'Detonation chamber',`
			`'DNS records', 'Email gateway', 'File monitoring', 'Mail server', 'Malware reverse engineering', 'Netflow/Enclave netflow', 'Network device logs',`
			`'Network intrusion detection system', 'Network protocol analysis', 'Packet capture', 'Sensor health and status', 'SSL/TLS inspection', 'Stackdriver logs',`
			`'Third-party application logs', 'Web application firewall logs', 'Web logs', 'Web proxy'],`
			`'Azure': ['Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'Azure activity logs', 'Azure OS logs', 'Binary file metadata',`
			`'Data loss prevention', 'DNS records', 'File monitoring', 'Malware reverse engineering', 'Netflow/Enclave netflow', 'Network device logs', 'Network intrusion detection system',`
			`'Network protocol analysis', 'Packet capture', 'Sensor health and status', 'SSL/TLS inspection', 'Third-party application logs', 'Web application firewall logs',`
			`'Web logs', 'Web proxy'],`
			`'Azure AD': ['API monitoring', 'Authentication logs', 'Azure activity logs', 'Malware reverse engineering', 'Sensor health and status'],`
			`'Office 365': ['Anti-virus', 'API monitoring', 'Authentication logs', 'Azure activity logs', 'Data loss prevention', 'Detonation chamber', 'Email gateway', 'Mail server',`
			`'Malware reverse engineering', 'Office 365 account logs', 'Office 365 audit logs', 'Office 365 trace logs', 'Sensor health and status'],`
Bug fix: invalid capatlisation 2020-10-15 08:59:18 +00:00			`'SaaS': ['Anti-virus', 'API monitoring', 'Application logs', 'Authentication logs', 'Data loss prevention', 'Detonation chamber', 'Email gateway', 'Mail server',`
Mapped data sources to platforms 2020-02-10 11:17:00 +00:00			`'Malware reverse engineering', 'OAuth audit logs', 'Sensor health and status', 'Third-party application logs', 'Web application firewall logs', 'Web logs']`
			`}`