Merge branch 'master' of https://github.com/marcusbakker/DeTTECT-private
commit
400495ca03
@ -1,6 +1,6 @@
FROM python:3.7-alpine
LABEL version="1.2.4"
LABEL version="1.2.5"
# update repository and install Linux packages
RUN apk update && \
@ -1,7 +1,7 @@
<img src="https://github.com/rabobank-cdc/DeTTECT/wiki/images/logo.png" alt="DeTT&CT" width=30% height=30%>
#### Detect Tactics, Techniques & Combat Threats
Latest version: [1.2.4](https://github.com/rabobank-cdc/DeTTECT/wiki/Changelog#version-124)
Latest version: [1.2.5](https://github.com/rabobank-cdc/DeTTECT/wiki/Changelog#version-125)
To get started with DeTT&CT, check out this [page](https://github.com/rabobank-cdc/DeTTECT/wiki/Getting-started), our [talk](https://www.youtube.com/watch?v=_kWpekkhomU) at hack.lu 2019 and our blog on:
- [mbsecure.nl/blog/2019/5/dettact-mapping-your-blue-team-to-mitre-attack](https://www.mbsecure.nl/blog/2019/5/dettact-mapping-your-blue-team-to-mitre-attack) or
@ -2,7 +2,7 @@ import re
APP_NAME = 'DeTT&CT'
APP_DESC = 'Detect Tactics, Techniques & Combat Threats'
VERSION = '1.2.4'
VERSION = '1.2.5'
EXPIRE_TIME = 60 * 60 * 24
@ -185,7 +185,7 @@ def _menu(menu_parser):
file_ds = args.file_ds
if args.search:
file_ds = data_source_search(args.file_ds, FILE_TYPE_DATA_SOURCE_ADMINISTRATION, args.search)
file_ds = data_source_search(args.file_ds, args.search)
if not file_ds:
quit() # something went wrong in executing the search or 0 results where returned
if args.update and check_file(args.file_tech, FILE_TYPE_TECHNIQUE_ADMINISTRATION, args.health):
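Review bot: A falsy result from the new `data_source_search(args.file_ds, args.search)` call is handled by `quit()`, which exits with status 0, so a search that failed to execute (the first case the comment on that line names) ends the run looking successful to any script or CI job driving the CLI; `quit(1)` on that path (or `sys.exit(1)` if `sys` is imported in this module) would keep the failure visible. Judging by the same comment, `data_source_search` appears to return the same falsy value for an execution error and for zero matches, so the exit code cannot tell those apart either, which is worth a short comment next to the `quit()`. `_menu` begins before this hunk.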
20
eql_yaml.py
20
eql_yaml.py
@ -427,34 +427,26 @@ def techniques_search(filename, query_visibility=None, query_detection=None, inc
return yaml_content
def data_source_search(filename, file_type, query=''):
def data_source_search(filename, query=''):
"""
Perform an EQL search on a data source administration file
:param filename: file location of the YAML file on disk
:param file_type: data source administration file
:param query: EQL query
:return: a filtered YAML 'file' (i.e. dict) or None when the query was not successful
"""
if file_type == FILE_TYPE_DATA_SOURCE_ADMINISTRATION:
obj_type = 'data_sources'
else:
return filename
yaml_content_eql, yaml_content_org = _prepare_yaml_file(filename, obj_type,
yaml_content_eql, yaml_content_org = _prepare_yaml_file(filename, 'data_sources',
include_all_score_objs=False)
query_results = _execute_eql_query(yaml_content_eql, query)
if not _check_query_results(query_results, obj_type):
return # the EQL query was not compatible with the schema
if not _check_query_results(query_results, 'data_sources'):
return None # the EQL query was not compatible with the schema
query_results_yaml = _events_to_yaml(query_results, obj_type)
query_results_yaml_final = yaml_content_org
query_results_yaml_final['data_sources'] = query_results_yaml
query_results_yaml = _events_to_yaml(query_results, 'data_sources')
if query_results_yaml:
yaml_content = yaml_content_org
yaml_content[obj_type] = query_results_yaml
yaml_content['data_sources'] = query_results_yaml
return yaml_content
else:
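Review bot: The `:return:` line of the rewritten docstring still says None comes back only "when the query was not successful", yet both updated call sites treat a falsy return as "something went wrong in executing the search or 0 results where returned", so a valid query that matches no data sources is presumably indistinguishable from a schema-incompatible one; make that explicit, e.g. `:return: a filtered YAML 'file' (i.e. dict), or None when the query could not be executed, was not compatible with the schema, or matched no data sources`. The new default `query=''` is likewise undocumented; if an empty query is a supported call, say what it yields, otherwise drop the default. Separately, `yaml_content = yaml_content_org` aliases the dict returned by `_prepare_yaml_file` and `yaml_content['data_sources'] = query_results_yaml` mutates it in place, so if that helper ever returns a cached or caller-owned object the caller's copy changes too; `yaml_content = dict(yaml_content_org)` before the assignment avoids that. The `else:` branch and the end of `data_source_search` lie outside the hunk.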
@ -262,7 +262,7 @@ def _menu_data_source(filename_ds):
file_ds = filename_ds
if eql_query_data_sources:
file_ds = data_source_search(filename_ds, FILE_TYPE_DATA_SOURCE_ADMINISTRATION, eql_query_data_sources)
file_ds = data_source_search(filename_ds, eql_query_data_sources)
if not file_ds:
_wait() # something went wrong in executing the search or 0 results where returned
_menu_data_source(filename_ds)