MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2024-11-23 07:17:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #820 from tomking2/bug/mitre-attack-external-id-parsing

Browse source 
[fix] Mitre ATT&CK parsing to pull correct external_id value and update cluster
This commit is contained in:
Alexandre Dulaunoy 2023-02-21 11:45:20 +01:00 committed by GitHub
commit aad2e33b80
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 239 additions and 232 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

462
clusters/mitre-attack-pattern.json
View file

File diff suppressed because it is too large Load diff

9
tools/gen_mitre.py
View file

@ -15,6 +15,8 @@ misp_dir = '../'
domains = ['enterprise-attack', 'mobile-attack', 'pre-attack'] domains = ['enterprise-attack', 'mobile-attack', 'pre-attack']
types = ['attack-pattern', 'course-of-action', 'intrusion-set', 'malware', 'tool'] types = ['attack-pattern', 'course-of-action', 'intrusion-set', 'malware', 'tool']
mitre_sources = ['mitre-attack', 'mitre-ics-attack', 'mitre-pre-attack', 'mitre-mobile-attack']
all_data = {} # variable that will contain everything all_data = {} # variable that will contain everything
# read in the non-MITRE data # read in the non-MITRE data
@ -105,8 +107,13 @@ for domain in domains:
for reference in item['external_references']: for reference in item['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']: if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url']) value['meta']['refs'].append(reference['url'])
if 'external_id' in reference: # Find Mitre external IDs from allowed sources
if 'external_id' in reference and reference.get("source_name", None) in mitre_sources:
value['meta']['external_id'] = reference['external_id'] value['meta']['external_id'] = reference['external_id']
if not value['meta'].get('external_id', None):
exit("Entry is missing an external ID, please update mitre_sources. Available references: {}".format(
json.dumps(item['external_references'])
))
if 'kill_chain_phases' in item: # many (but not all) attack-patterns have this if 'kill_chain_phases' in item: # many (but not all) attack-patterns have this
value['meta']['kill_chain'] = [] value['meta']['kill_chain'] = []