Skip to content

Cleanup mitre actors and techniques #363

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 16 commits into from
Feb 12, 2025
Merged

Cleanup mitre actors and techniques #363

merged 16 commits into from
Feb 12, 2025

Conversation

pyth0n1c
Copy link
Contributor

@pyth0n1c pyth0n1c commented Feb 5, 2025
edited
Loading

Add a property to detection tags called
detection.tags.unique_mitre_attack_groups which can be used to deduplicate all the groups that occur across all the MitreEnrichments which are loaded dynamically from the list of Mitre Attack IDs.

Secondly, we add validation so that a MITRE ID and Subtype cannot exist and throw a descriptive exception. For example, the following is no longer allowed:

mitre_attack_id:
  - T1560.001
  - T1560

But all of the following options are acceptable

  mitre_attack_id:
  - T1560.001

  mitre_attack_id:
  - T1560

  mitre_attack_id:
  - T1560.001
  - T1560.002

  mitre_attack_id:
  - T1560.001
  - T1561

See the following PR which updates around 1000 pieces of content to conform to this new restriction:
splunk/security_content#3323

pyth0n1c and others added 16 commits February 4, 2025 12:36
@pyth0n1c
initial progress of group
ff372fb 
cleanup
@pyth0n1c
Initial support for vetter validation
07a92c1 
and uniqueness enforcement
for groups and mitre tactics.
The errors still are not
high quality and will take some
time to fix.
@pyth0n1c
Merge branch 'main' into cleanup_mitre_actors_and_techniques
b09fc94
@pyth0n1c
Merge branch 'main' into cleanup_mitre_actors_and_techniques
b778778
@pyth0n1c
add function to check for
421c2ea 
overlapping mitre id
type and subtypes
@pyth0n1c
Remove redundant code
8e92fd8
@pyth0n1c
add a property to get sorted, deduped groups for a detection. this is…
458861d 
… particularly useful in site gen.
@pyth0n1c
fix typing issue and add property decorator
0745169 
so that new field is not serialized
@pyth0n1c
error into message for now
4216c45
@pyth0n1c
fix error that was accidentially
bcdf2e2 
introduced in previous commit.
forgot to actually assign
mitre_attack_enrichments to self
after resolving them
@pyth0n1c
add hash function to MitreAttackGroup
1e4f1a8
@pyth0n1c
improve hash method for mitre group
f80842a
@pyth0n1c
turn printed message
9c8722a 
back into an error
@pyth0n1c
Fix naming of tactics to techniques
4e088f8
@pyth0n1c
update template detection to pass new validation
b5641ee
@pyth0n1c
Merge branch 'main' into cleanup_mitre_actors_and_techniques
570c9d2
@pyth0n1c pyth0n1c merged commit 4fe3742 into main Feb 12, 2025
10 of 16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patel-bhavin patel-bhavin patel-bhavin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pyth0n1c @patel-bhavin