- Fixed a bug that could result in an invalid message in the Excel file for missing ATT&CK data sources

- Added a health check for when the data source YAML file is missing an ATT&CK data source
Marcus Bakker 2019-12-05 10:45:24 +01:00
parent 93dea65bbf
commit c6ad00331a
1 changed files with 10 additions and 5 deletions


@ -55,11 +55,12 @@ def plot_data_sources_graph(filename):
print("File written: " + output_filename) print("File written: " + output_filename)
def export_data_source_list_to_excel(filename): def export_data_source_list_to_excel(filename, eql_search=False):
""" """
Makes an overview of all MITRE ATT&CK data sources (via techniques) and lists which data sources are present Makes an overview of all MITRE ATT&CK data sources (via techniques) and lists which data sources are present
in the YAML administration including all properties and data quality score. in the YAML administration including all properties and data quality score.
:param filename: the filename of the YAML file containing the data sources administration :param filename: the filename of the YAML file containing the data sources administration
:param eql_search: specify if an EQL search was performed which may have resulted in missing ATT&CK data sources
:return: :return:
""" """
my_data_sources, name, platform, exceptions = _load_data_sources(filename, filter_empty_scores=False) my_data_sources, name, platform, exceptions = _load_data_sources(filename, filter_empty_scores=False)
@ -111,12 +112,16 @@ def export_data_source_list_to_excel(filename):
y = 3 y = 3
# check if an ATT&CK data source is missing from the data source YAML administration file # check if an ATT&CK data source is missing from the data source YAML administration file
my_ds_list = my_data_sources.keys() if eql_search:
ds_miss_text = 'ATT&CK data source is missing from the YAML file or was excluded by an EQL search'
else:
ds_miss_text = 'ATT&CK data source is missing from the YAML file'
my_ds_list = [ds.lower() for ds in my_data_sources.keys()]
for ds in get_all_mitre_data_sources(): for ds in get_all_mitre_data_sources():
if ds not in my_ds_list: if ds.lower() not in my_ds_list:
ds_obj = deepcopy(YAML_OBJ_DATA_SOURCE) ds_obj = deepcopy(YAML_OBJ_DATA_SOURCE)
ds_obj['data_source_name'] = ds ds_obj['data_source_name'] = ds
ds_obj['comment'] = 'ATT&CK data source is missing from the YAML file' ds_obj['comment'] = ds_miss_text
my_data_sources[ds] = ds_obj my_data_sources[ds] = ds_obj
for d in sorted(my_data_sources.keys()): for d in sorted(my_data_sources.keys()):
@ -536,7 +541,7 @@ def generate_technique_administration_file(filename, write_file=True):
# remove the single quotes from the date # remove the single quotes from the date
yaml_file_lines = fix_date_and_remove_null(file_lines, today, input_type='list') yaml_file_lines = fix_date_and_remove_null(file_lines, today, input_type='list')
output_filename = get_non_existing_filename('output/techniques-administration-' + normalize_name_to_filename(name +'-' +platform_to_filename(platform)), 'yaml') output_filename = get_non_existing_filename('output/techniques-administration-' + normalize_name_to_filename(name + '-' + platform_to_filename(platform)), 'yaml')
with open(output_filename, 'w') as f: with open(output_filename, 'w') as f:
f.writelines(yaml_file_lines) f.writelines(yaml_file_lines)
print("File written: " + output_filename) print("File written: " + output_filename)
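Review bot: The case-insensitive membership test in the second hunk, `if ds.lower() not in my_ds_list:`, scans a list on every iteration of `get_all_mitre_data_sources()`; building the lookup as a set gives the same result with O(1) lookups, `my_ds_list = {ds.lower() for ds in my_data_sources}`. A second, behavioural point in the same hunk: a YAML entry whose name differs from the ATT&CK name only in case is now accepted as present, but it is the YAML's own casing that survives as the key the later `for d in sorted(my_data_sources.keys())` loop emits, so any downstream consumer that still compares names case-sensitively (not visible here) would treat that entry as unknown — worth a comment on the lowercasing line, e.g. `# compare case-insensitively; the YAML key keeps its own casing`. The `if eql_search:` / `else:` selecting `ds_miss_text` could be a single conditional expression, though that is taste. The body of export_data_source_list_to_excel continues outside the hunk on both sides.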