Merge pull request #82 from Yamato-Security/add-rule-title-to-ttp-vis…

…ualize-output feat: add `RuleTitle` to`mitre-attack-navigator.json`
Yamato-Security · Dec 30, 2023 · a9067ce · a9067ce
2 parents 668de06 + d54ec17
commit a9067ce
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -1,5 +1,11 @@
 # 変更点
 
+## 2.x.x [xxxx/xx/xx]
+
+**改善:**
+
+- `ttp-visualize` コマンドで、MITRE ATT&CK Navigator上のテクニックをマウスオーバーしたときに、検知ルール名が表示されるようした。(#82) (@fukusuket)
+
 ## 2.3.0 [2023/12/23] - SECCON Christmas Release
 
 **新機能:**

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changes
 
+## 2.x.x [xxxx/xx/xx]
+
+**Enhancements:**
+
+- In the `ttp-visualize` command, the name of the rule that detected the technique will now be shown in the comment when hovering over the technique in MITRE ATT&CK Navigator. (#82) (@fukusuket)
+
 ## 2.3.0 [2023/12/23] - SECCON Christmas Release
 
 **New Features:**

diff --git a/src/takajopkg/ttpVisualize.nim b/src/takajopkg/ttpVisualize.nim
@@ -21,7 +21,8 @@ proc ttpVisualize(output: string = "mitre-attack-navigator.json", quiet: bool =
 
     var
         bar: SuruBar = initSuruBar()
-        stackedMitreTags = newSeq[TableRef[string, string]]()
+        stackedMitreTags = initTable[string, string]()
+
 
     bar[0].total = totalLines
     bar.setup()
@@ -32,7 +33,12 @@ proc ttpVisualize(output: string = "mitre-attack-navigator.json", quiet: bool =
         let jsonLine = parseJson(line)
         try:
             for tag in jsonLine["MitreTags"]:
-              stackedMitreTags.add({"techniqueID":  tag.getStr(), "color": "#fd8d3c"}.newTable)
+                let techniqueID = tag.getStr()
+                let ruleTitle = strip(jsonLine["RuleTitle"].getStr())
+                if stackedMitreTags.hasKey(techniqueID) and ruleTitle notin stackedMitreTags[techniqueID]:
+                    stackedMitreTags[techniqueID] = stackedMitreTags[techniqueID] & "," & ruleTitle
+                else:
+                    stackedMitreTags[techniqueID] = ruleTitle
         except CatchableError:
             continue
 
@@ -42,6 +48,9 @@ proc ttpVisualize(output: string = "mitre-attack-navigator.json", quiet: bool =
         echo "No MITRE ATT&CK tags were found in the Hayabusa results."
         echo "Please run your Hayabusa scan with a profile that includes the %MitreTags% field. (ex: -p verbose)"
     else:
+        var mitreTags = newSeq[TableRef[string, string]]()
+        for techniqueID, ruleTitle in stackedMitreTags:
+            mitreTags.add({"techniqueID":  techniqueID, "comment": ruleTitle, "color": "#fd8d3c"}.newTable)
         let jsonObj = %* {
                             "name": "Hayabusa detection result heatmap",
                             "versions": {
@@ -51,7 +60,7 @@ proc ttpVisualize(output: string = "mitre-attack-navigator.json", quiet: bool =
                             },
                             "domain": "enterprise-attack",
                             "description": "Hayabusa detection result heatmap",
-                            "techniques": stackedMitreTags
+                            "techniques": mitreTags
                         }
 
         let outputFile = open(output, FileMode.fmWrite)