def data_needed(self, dn_path):
        """Desc"""

        print("[*] Populating Data Needed...")
        if dn_path:
            dn_list = glob.glob(dn_path + '*.yml')
        else:
            dn_dir = ATCconfig.get('data_needed_dir')
            dn_list = glob.glob(dn_dir + '/*.yml')

        for dn_file in dn_list:
            try:
                dn = DataNeeded(dn_file, apipath=self.apipath, auth=self.auth,
                                space=self.space)
                dn.render_template("confluence")
                confluence_data = {
                    "title": dn.dn_fields["title"],
                    "spacekey": self.space,
                    "parentid": str(ATCutils.confluence_get_page_id(
                        self.apipath, self.auth, self.space, "Data Needed")),
                    "confluencecontent": dn.content,
                }

                res = ATCutils.push_to_confluence(confluence_data, self.apipath,
                                            self.auth)
                if res == 'Page updated':
            	    print("==> updated page: DN '" + dn.dn_fields['title'] + "'")
                # print("Done: ", dn.dn_fields['title'])
            except Exception as err:
                print(dn_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)
        print("[+] Data Needed populated!")
    def mitigation_policy(self, mp_path):
        """Populate Mitigation Policies"""

        print("[*] Populating Mitigation Policies...")
        if mp_path:
            mp_list = glob.glob(mp_path + '*.yml')
        else:
            mp_dir = ATCconfig.get('mitigation_policies_directory')
            mp_list = glob.glob(mp_dir + '/*.yml')

        for mp_file in mp_list:
            try:
                mp = MitigationPolicy(mp_file, apipath=self.apipath,
                               auth=self.auth, space=self.space)
                mp.render_template("confluence")
                confluence_data = {
                    "title": mp.mp_parsed_file["title"],
                    "spacekey": self.space,
                    "parentid": str(ATCutils.confluence_get_page_id(
                        self.apipath, self.auth, self.space,
                        "Mitigation Policies")),
                    "confluencecontent": mp.content,
                }

                res = ATCutils.push_to_confluence(confluence_data, self.apipath,
                                            self.auth)
                if res == 'Page updated':
            	    print("==> updated page: MP '" + mp.mp_parsed_file['title'] + "'")
            except Exception as err:
                print(mp_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)
        print("[+] Mitigation Policies populated!")
    def hardening_policy(self, hp_path):
        """Populate Hardening Policies"""

        print("[*] Populating Hardening Policies...")
        if hp_path:
            hp_list = glob.glob(hp_path + '*.yml')
        else:
            hp_dir = ATCconfig.get('hardening_policies_directory')
            hp_list = glob.glob(hp_dir + '/*.yml')

        for hp_file in hp_list:
            try:
                hp = HardeningPolicy(hp_file)
                hp.render_template("confluence")
                confluence_data = {
                    "title": hp.hp_parsed_file["title"],
                    "spacekey": self.space,
                    "parentid": str(ATCutils.confluence_get_page_id(
                        self.apipath, self.auth, self.space,
                        "Hardening Policies")),
                    "confluencecontent": hp.content,
                }

                res = ATCutils.push_to_confluence(confluence_data, self.apipath,
                                            self.auth)
                if res == 'Page updated':
            	    print("==> updated page: HP '" + hp.hp_parsed_file['title'] + "'")
            except Exception as err:
                print(hp_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)
        print("[+] Hardening Policies populated!")
    def logging_policy(self, lp_path):
        """Desc"""

        print("[*] Populating Logging Policies...")
        if lp_path:
            lp_list = glob.glob(lp_path + '*.yml')
        else:
            lp_dir = ATCconfig.get('logging_policies_dir')
            lp_list = glob.glob(lp_dir + '/*.yml')

        for lp_file in lp_list:
            try:
                lp = LoggingPolicy(lp_file)
                lp.render_template("confluence")
                confluence_data = {
                    "title": lp.fields["title"],
                    "spacekey": self.space,
                    "parentid": str(ATCutils.confluence_get_page_id(
                        self.apipath, self.auth, self.space,
                        "Logging Policies")),
                    "confluencecontent": lp.content,
                }

                res = ATCutils.push_to_confluence(confluence_data, self.apipath,
                                            self.auth)
                if res == 'Page updated':
            	    print("==> updated page: LP '" + lp.fields['title'] + "'")
                # print("Done: ", lp.fields['title'])
            except Exception as err:
                print(lp_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)
        print("[+] Logging Policies populated!")
Exemple #5
0
    def render_template(self, template_type):
        """Description
        template_type:
            - "confluence"
        """

        if template_type not in ["confluence"]:
            raise Exception("Bad template_type. Available value:" +
                            " \"confluence\"]")

        # Get proper template

        template = env.get_template(
            'confluence_responseaction_template.html.j2')

        new_title = self.ra_parsed_file.get('id')\
            + ": "\
            + ATCutils.normalize_react_title(self.ra_parsed_file.get('title'))

        self.ra_parsed_file.update({'title': new_title})

        self.ra_parsed_file.update({
            'confluence_viewpage_url':
            ATCconfig.get('confluence_viewpage_url')
        })

        ##
        ## Add link to a stage
        ##

        stage = self.ra_parsed_file.get('stage')
        rs_list = []
        for rs_id, rs_name in rs_mapping.items():
            if ATCutils.normalize_rs_name(stage) == rs_name:
                if self.apipath and self.auth and self.space:
                    rs_confluence_page_id = str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space, rs_name))
                    rs_list.append((rs_id, rs_name, rs_confluence_page_id))
                else:
                    rs_confluence_page_id = ""
                    rs_list.append((rs_id, rs_name, rs_confluence_page_id))
                break

        self.ra_parsed_file.update({'stage': rs_list})

        # Category
        self.ra_parsed_file.update({
            'category':
            ATCutils.get_ra_category(self.ra_parsed_file.get('id'))
        })

        self.ra_parsed_file.update(
            {'description': self.ra_parsed_file.get('description').strip()})

        self.ra_parsed_file.update(
            {'workflow': self.ra_parsed_file.get('workflow')})

        self.content = template.render(self.ra_parsed_file)
    def detection_rule(self, dr_path):
        """Desc"""

        print("Populating Detection Rules..")
        if dr_path:
            dr_list = glob.glob(dr_path + '*.yml')
        else:
            dr_dirs = ATCconfig.get('detection_rules_directories')
            # check if config provides multiple directories for detection rules
            if isinstance(dr_dirs, list):
                dr_list = []
                for directory in dr_dirs:
                    dr_list += glob.glob(directory + '/*.yml')
            elif isinstance(dr_dirs, str):
                dr_list = glob.glob(dr_dirs + '/*.yml')

        for dr_file in dr_list:
            try:
                dr = DetectionRule(dr_file,
                                   apipath=self.apipath,
                                   auth=self.auth,
                                   space=self.space)
                dr.render_template("confluence")

                confluence_data = {
                    "title":
                    dr.fields['title'],
                    "spacekey":
                    self.space,
                    "parentid":
                    str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space,
                            "Detection Rules")),
                    "confluencecontent":
                    dr.content,
                }

                res = ATCutils.push_to_confluence(confluence_data,
                                                  self.apipath, self.auth)
                if res == 'Page updated':
                    print("==> updated page: DR '" + dr.fields['title'] +
                          "' (" + dr_file + ")")
                # print("Done: ", dr.fields['title'])
            except Exception as err:
                print(dr_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)
        print("Detection Rules populated!")
Exemple #7
0
def main():
    dr_dirs = ATCconfig.get('detection_rules_directories')
    dr_list = []
    for path in dr_dirs:
        dr_list.append(ATCutils.load_yamls(path))
    # flat dr_list
    dr_list = [dr for drs_from_path in dr_list for dr in drs_from_path]

    list_of_customers = get_customers()
    for customer in list_of_customers:
        rules = find_rules_per_customer(customer, dr_list)
        techniques = get_techniques(rules)

        tab_name = {"name": customer.get('customer_name')}
        NAVIGATOR_TEMPLATE.update(tab_name)
        NAVIGATOR_TEMPLATE['techniques'] = techniques

        filename = 'atc_attack_navigator_profile_' + \
            customer.get('title') + '.json'
        exported_analytics_directory = \
            ATCconfig.get('exported_analytics_directory') + \
            "/attack_navigator_profiles"

        with open(exported_analytics_directory + '/' + filename, 'w') as fp:
            json.dump(NAVIGATOR_TEMPLATE, fp)
        print(f'[+] Created {filename}')
    def triggers(self, tg_path):
        """Populate triggers"""

        if self.art_dir and self.atc_dir:
            r = ATCutils.populate_tg_markdown(art_dir=self.art_dir,
                                              atc_dir=self.atc_dir)

        elif self.art_dir:
            r = ATCutils.populate_tg_markdown(art_dir=self.art_dir)

        elif self.atc_dir:
            r = ATCutils.populate_tg_markdown(atc_dir=self.atc_dir)

        else:
            r = ATCutils.populate_tg_markdown()

        return r
    def response_playbook(self, rp_path):
        """Nothing here yet"""

        print("Populating Response Playbooks..")
        if rp_path:
            rp_list = glob.glob(rp_path + '*.yml')
        else:
            rp_dir = ATCconfig.get('response_playbooks_dir')
            rp_list = glob.glob(rp_dir + '/*.yml')

        for rp_file in rp_list:
            try:
                rp = ResponsePlaybook(rp_file,
                                      apipath=self.apipath,
                                      auth=self.auth,
                                      space=self.space)
                rp.render_template("confluence")

                base = os.path.basename(rp_file)

                confluence_data = {
                    "title":
                    rp.rp_parsed_file['title'],
                    "spacekey":
                    self.space,
                    "parentid":
                    str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space,
                            "Response Playbooks")),
                    "confluencecontent":
                    rp.content,
                }

                res = ATCutils.push_to_confluence(confluence_data,
                                                  self.apipath, self.auth)
                if res == 'Page updated':
                    print("==> updated page: RP '" + base + "'")
                # print("Done: ", rp.rp_parsed_file['title'])
            except Exception as err:
                print(rp_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)
        print("Response Playbooks populated!")
Exemple #10
0
    def render_template(self, template_type):
        """Description
        template_type:
            - "markdown"
            - "confluence"
        """

        if template_type not in ["markdown", "confluence"]:
            raise Exception("Bad template_type. Available values:" +
                            " [\"markdown\", \"confluence\"]")

        # Point to the templates directory
        env = Environment(loader=FileSystemLoader('templates'))

        # Get proper template
        if template_type == "markdown":
            template = env.get_template(
                'markdown_responseaction_template.md.j2')

            self.ra_parsed_file.update({
                'description':
                self.ra_parsed_file.get('description').strip()
            })

        elif template_type == "confluence":
            template = env.get_template(
                'confluence_responseaction_template.html.j2')

            self.ra_parsed_file.update({
                'confluence_viewpage_url':
                ATCconfig.get('confluence_viewpage_url')
            })

            linked_ra = self.ra_parsed_file.get("linked_ra")

            if linked_ra:
                linked_ra_with_id = []
                for ra in linked_ra:
                    if self.apipath and self.auth and self.space:
                        linked_ra_id = str(
                            ATCutils.confluence_get_page_id(
                                self.apipath, self.auth, self.space, ra))
                    else:
                        linked_ra_id = ""
                    ra = (ra, linked_ra_id)
                    linked_ra_with_id.append(ra)

                self.ra_parsed_file.update({'linkedra': linked_ra_with_id})

            self.ra_parsed_file.update({
                'description':
                self.ra_parsed_file.get('description').strip()
            })

            self.ra_parsed_file.update(
                {'workflow': self.ra_parsed_file.get('workflow') + '  \n\n.'})

        self.content = template.render(self.ra_parsed_file)
    def enrichment(self, en_path):
        """Nothing here yet"""

        print("Populating Enrichments..")
        if en_path:
            en_list = glob.glob(en_path + '*.yml')
        else:
            en_dir = ATCconfig.get('enrichments_directory')
            en_list = glob.glob(en_dir + '/*.yml')

        for en_file in en_list:
            try:
                en = Enrichment(en_file,
                                apipath=self.apipath,
                                auth=self.auth,
                                space=self.space)
                en.render_template("confluence")

                confluence_data = {
                    "title":
                    en.en_parsed_file['title'],
                    "spacekey":
                    self.space,
                    "parentid":
                    str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space,
                            "Enrichments")),
                    "confluencecontent":
                    en.content,
                }

                res = ATCutils.push_to_confluence(confluence_data,
                                                  self.apipath, self.auth)
                if res == 'Page updated':
                    print("==> updated page: EN '" +
                          en.en_parsed_file['title'] + "'")
                # print("Done: ", en.en_parsed_file['title'])
            except Exception as err:
                print(en_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)
        print("Enrichments populated!")
Exemple #12
0
    def save_markdown_file(self, atc_dir='../Atomic_Threat_Coverage/'):
        """Write content (md template filled with data) to a file"""
        base = os.path.basename(self.yaml_file)
        title = os.path.splitext(base)[0]

        file_path = atc_dir + self.parent_title + "/" + \
            title + ".md"

        return ATCutils.write_file(file_path, self.content)
    def customer(self, cu_path):
        """Nothing here yet"""

        print("Populating Customers..")
        if cu_path:
            cu_list = glob.glob(cu_path + '*.yml')
        else:
            cu_dir = ATCconfig.get('customers_directory')
            cu_list = glob.glob(cu_dir + '/*.yml')

        for cu_file in cu_list:
            try:
                cu = Customer(cu_file,
                              apipath=self.apipath,
                              auth=self.auth,
                              space=self.space)
                cu.render_template("confluence")

                confluence_data = {
                    "title":
                    cu.customer_name,
                    "spacekey":
                    self.space,
                    "parentid":
                    str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space, "Customers")),
                    "confluencecontent":
                    cu.content,
                }

                res = ATCutils.push_to_confluence(confluence_data,
                                                  self.apipath, self.auth)
                if res == 'Page updated':
                    print("==> updated page: CU '" + cu.customer_name + "'")
                # print("Done: ", cu.title)
            except Exception as err:
                print(cu_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)
        print("Customers populated!")
def load_yamls(path):
    yamls = [join(path, f) for f in listdir(path) if isfile(
        join(path, f)) if f.endswith('.yaml') or f.endswith('.yml')]
    result = []
    for yaml in yamls:
        try:
            result.append(ATCutils.read_yaml_file(yaml))
        except ScannerError:
            raise ScannerError('yaml is bad! %s' % yaml)
    return result, yamls
Exemple #15
0
    def save_markdown_file(self, atc_dir='../' + ATCconfig.get('md_name_of_root_directory') + '/'):
        """Write content (md template filled with data) to a file"""
        base = os.path.basename(self.yaml_file)
        title = os.path.splitext(base)[0]

        file_path = atc_dir + self.parent_title + "/" + \
            title + ".md"

        # Should return True
        return ATCutils.write_file(file_path, self.content)
Exemple #16
0
    def triggers(self, tg_path):
        """Populate Triggers"""

        print("Populating Triggers..")
        if self.art_dir and self.atc_dir:
            r = ATCutils.populate_tg_markdown(art_dir=self.art_dir,
                                              atc_dir=self.atc_dir)

        elif self.art_dir:
            r = ATCutils.populate_tg_markdown(art_dir=self.art_dir)

        elif self.atc_dir:
            r = ATCutils.populate_tg_markdown(atc_dir=self.atc_dir)

        else:
            r = ATCutils.populate_tg_markdown()

        print("Triggers populated!")
        return r
Exemple #17
0
    def response_action(self, ra_path):
        """Nothing here yet"""

        print("Populating Response Actions..")
        if ra_path:
            ra_list = glob.glob(ra_path + '*.yml')
        else:
            ra_list = glob.glob('../response_actions/*.yml')

        for ra_file in ra_list:
            try:
                ra = ResponseAction(ra_file,
                                    apipath=self.apipath,
                                    auth=self.auth,
                                    space=self.space)
                ra.render_template("confluence")

                confluence_data = {
                    "title":
                    ra.ra_parsed_file['title'],
                    "spacekey":
                    self.space,
                    "parentid":
                    str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space,
                            "Response Actions")),
                    "confluencecontent":
                    ra.content,
                }

                ATCutils.push_to_confluence(confluence_data, self.apipath,
                                            self.auth)
                # print("Done: ", ra.ra_parsed_file['title'])
            except Exception as err:
                print(ra_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)

        print("Response Actions populated!")
    def detection_rule(self, dr_path):
        """Desc"""

        print("Populating Detection Rules..")
        if dr_path:
            dr_list = glob.glob(dr_path + '*.yml')
        else:
            dr_list = glob.glob(
                ATCconfig.get('detection_rules_directory') + '/*.yml')

        for dr_file in dr_list:
            try:
                dr = DetectionRule(dr_file,
                                   apipath=self.apipath,
                                   auth=self.auth,
                                   space=self.space)
                dr.render_template("confluence")

                confluence_data = {
                    "title":
                    dr.fields['title'],
                    "spacekey":
                    self.space,
                    "parentid":
                    str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space,
                            "Detection Rules")),
                    "confluencecontent":
                    dr.content,
                }

                ATCutils.push_to_confluence(confluence_data, self.apipath,
                                            self.auth)
                print("Done: ", dr.fields['title'])
            except Exception as err:
                print(dr_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)
        print("Detection Rules populated!")
    def triggers(self, tg_path):
        """Populate Triggers"""

        print("Populating Triggers..")
        if tg_path:
            tg_list = glob.glob(tg_path + '*.yml')
        else:
            tg_list = glob.glob(
                ATCconfig.get("triggers_directory") + '/T*/*.yaml')

        for tg_file in tg_list:
            try:
                tg = Triggers(tg_file)
                tg.render_template("confluence")
                title = tg.fields["attack_technique"] + ": " + \
                    te_mapping.get(tg.fields["attack_technique"])
                confluence_data = {
                    "title":
                    title,
                    "spacekey":
                    self.space,
                    "parentid":
                    str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space, "Triggers")),
                    "confluencecontent":
                    tg.content,
                }

                res = ATCutils.push_to_confluence(confluence_data,
                                                  self.apipath, self.auth)
                if res == 'Page updated':
                    print("==> updated page: TR '" + title + "'")
                # print("Done: ", tg.fields["attack_technique"])
            except Exception as err:
                print(tg_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)

        print("Triggers populated!")
Exemple #20
0
def create_markdown_dirs():
    config = ATCutils.load_config('config.yml')
    base_dir = Path(
        config.get('md_name_of_root_directory', '../Atomic_Threat_Coverage'))

    target_dir_list = [
        'Detection_Rules', 'Logging_Policies', 'Data_Needed', 'Triggers',
        'Response_Actions', 'Response_Playbooks', 'Enrichments', 'Customers'
    ]

    for item in target_dir_list:
        (base_dir / item).mkdir(parents=True, exist_ok=True)
Exemple #21
0
    def parse_into_fields(self):
        """Description"""

        # self.fields contains parsed fields obtained from yaml file
        self.cu_fields = ATCutils.read_yaml_file(self.yaml_file)
        """Fill the fields with values. Put None if key not found"""
        self.title = self.cu_fields.get('title')
        self.customer_name = self.cu_fields.get('customer_name')
        self.description = self.cu_fields.get('description')
        self.data_needed = self.cu_fields.get('dataneeded')
        self.logging_policies = self.cu_fields.get('loggingpolicy')
        self.detection_rules = self.cu_fields.get('detectionrule')
Exemple #22
0
    def mitigation_system(self, ms_path):
        """Populate Mitigation Systems"""

        print("Populating Mitigation Systems..")
        if ms_path:
            ms_list = glob.glob(ms_path + '*.yml')
        else:
            ms_dir = ATCconfig.get('mitigation_systems_directory')
            ms_list = glob.glob(ms_dir + '/*.yml')

        for ms_file in ms_list:
            try:
                ms = MitigationSystem(ms_file)
                ms.render_template("confluence")
                confluence_data = {
                    "title":
                    ms.ms_parsed_file["title"],
                    "spacekey":
                    self.space,
                    "parentid":
                    str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space,
                            "Mitigation Systems")),
                    "confluencecontent":
                    ms.content,
                }

                ATCutils.push_to_confluence(confluence_data, self.apipath,
                                            self.auth)
            except Exception as err:
                print(ms_file + " failed")
                print("Err message: %s" % err)
                print('-' * 60)
                traceback.print_exc(file=sys.stdout)
                print('-' * 60)
        print("Mitigation Systems populated!")
Exemple #23
0
 def checkRA(self, stage):
     if self.rp_rule.get(stage):
         for rule in self.rp_rule.get(stage):
             try:
                 rtask = ATCutils.read_yaml_file(self.inputRA + rule +
                                                 ".yml")
             except OSError:
                 print("Response Action %s not existing\n" % rule)
                 continue
             self.task_prefix = int(self.task_prefix)
             self.task_prefix += 1
             task = THC.TheHiveTask(order=self.task_order)
             self.task_order += 1
             task.title = str(self.task_prefix) + " | " + \
                 str(rtask.get('title'))
             task.group = rtask.get('stage', 'Unknown stage')
             task.description = str(rtask.get('workflow'))
             self.case.tasks.append(task.return_dictionary())
             if rtask.get('linked_ra'):
                 self.task_prefix = float(self.task_prefix)
                 for linked_ra in rtask.get('linked_ra'):
                     try:
                         rtask = ATCutils.read_yaml_file(self.inputRA +
                                                         linked_ra + ".yml")
                     except OSError:
                         print("Response Action %s not existing\n" % rule)
                         continue
                     task = THC.TheHiveTask(order=self.task_order)
                     self.task_order += 1
                     self.task_prefix += 0.1
                     task.title = str(round(self.task_prefix, 1)) + \
                         " | " + str(rtask.get('title'))
                     task.title = str(round(self.task_prefix, 1)) + " | "\
                         + str(rtask.get("title"))
                     task.group = rtask.get('stage', 'Unknown stage')
                     task.description = str(rtask.get('workflow'))
                     self.case.tasks.append(task.return_dictionary())
Exemple #24
0
    def parse_into_fields(self, yaml_file):
        """Description"""

        # self.dn_fields contains parsed fields obtained from yaml file
        self.dn_fields = ATCutils.read_yaml_file(yaml_file)
        """Fill the fields with values. Put None if key not found"""
        self.title = self.dn_fields.get("title")
        self.description = self.dn_fields.get("description")
        self.loggingpolicy = self.dn_fields.get("loggingpolicy")
        self.platform = self.dn_fields.get("platform")
        self.type = self.dn_fields.get("type")
        self.channel = self.dn_fields.get("channel")
        self.provider = self.dn_fields.get("provider")
        self.fields = self.dn_fields.get("fields")
        self.sample = self.dn_fields.get("sample")
def main():
    dr_dirs = ATCconfig.get('detection_rules_directories')
    dr_list = []
    for path in dr_dirs:
        dr_list.append(ATCutils.load_yamls(path))
    # flat dr_list
    dr_list = [dr for drs_from_path in dr_list for dr in drs_from_path]
    techniques = get_techniques(dr_list)
    NAVIGATOR_TEMPLATE['techniques'] = techniques

    filename = 'atc_attack_navigator_profile.json'
    exported_analytics_directory = \
        ATCconfig.get('exported_analytics_directory') + "/attack_navigator_profiles"

    with open(exported_analytics_directory + '/' + filename, 'w') as fp:
        json.dump(NAVIGATOR_TEMPLATE, fp)
    print(f'[+] Created {filename}')
Exemple #26
0
    def convertRPToTemplate(self, file_input, output_file):

        self.rp_rule = ATCutils.read_yaml_file(file_input)

        self.case = THC.TheHiveCase()
        self.case.name = self.rp_rule.get('title')
        self.case.description = "Description:\n" + \
            str(self.rp_rule.get('description')) + \
            '\n\nWorkflow:\n' + str(self.rp_rule.get('workflow'))
        try:
            self.case.tags += self.rp_rule.get('tags')
        except TypeError:
            pass

        self.case.tlp = self.checkTLP(self.rp_rule.get('tlp'))
        self.case.pap = self.checkPAP(self.rp_rule.get('pap'))

        if self.args.prefix:
            self.case.prefix = self.args.prefix

        self.task_prefix = 0.0
        self.task_order = 0

        stages = [
            'preparation', 'identification', 'containment', 'eradication',
            'recovery', 'lessons_learned'
        ]

        for stage in stages:
            if stage in self.rp_rule.keys():
                self.checkRA(stage)
        try:
            with open(output_file, 'w') as f:
                f.write(self.case.json())
        except OSError:
            print("ERROR: No such directory %s" %
                  os.path.dirname(os.path.abspath(output_file)))
Exemple #27
0
from enrichment import Enrichment
from responseaction import ResponseAction
from responseplaybook import ResponsePlaybook
from customer import Customer
from attack_mapping import te_mapping  # , ta_mapping

# Import ATC Utils
from atcutils import ATCutils

# Others
import glob
import sys
import traceback
import os

ATCconfig = ATCutils.load_config("config.yml")


class PopulateConfluence:
    """Desc"""
    def __init__(self,
                 auth,
                 lp=False,
                 dn=False,
                 dr=False,
                 en=False,
                 tg=False,
                 ra=False,
                 rp=False,
                 cu=False,
                 ms=False,
Exemple #28
0
    def parse_into_fields(self, yaml_file):
        """Description"""

        self.ra_parsed_file = ATCutils.read_yaml_file(yaml_file)
Exemple #29
0
    def render_template(self, template_type):
        """Description
        template_type:
            - "markdown"
            - "confluence"
        """

        if template_type not in ["markdown", "confluence"]:
            raise Exception("Bad template_type. Available values:" +
                            " [\"markdown\", \"confluence\"]")

        # Point to the templates directory
        env = Environment(loader=FileSystemLoader('templates'))

        # Get proper template
        if template_type == "markdown":
            template = env\
                .get_template('markdown_dataneeded_template.md.j2')

            logging_policies = self.dn_fields.get("loggingpolicy")

            if isinstance(logging_policies, str):
                logging_policies = [logging_policies]

            refs = self.dn_fields.get("references")

            self.dn_fields.update({'loggingpolicy': logging_policies})

            self.dn_fields.update(
                {'description': self.dn_fields.get('description').strip()})

            if isinstance(refs, str):
                self.dn_fields.update({'references': [refs]})

        elif template_type == "confluence":
            template = env\
                .get_template('confluence_dataneeded_template.html.j2')

            self.dn_fields.update({
                'confluence_viewpage_url':
                ATCconfig.get('confluence_viewpage_url')
            })

            self.dn_fields.update(
                {'description': self.dn_fields.get('description').strip()})

            logging_policies = self.dn_fields.get("loggingpolicy")

            if not logging_policies:
                logging_policies = [
                    "None",
                ]

            logging_policies_with_id = []

            for lp in logging_policies:
                if lp != "None" and self.apipath and self.auth and self.space:
                    logging_policies_id = str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space, lp))
                else:
                    logging_policies_id = ""
                lp = (lp, logging_policies_id)
                logging_policies_with_id.append(lp)

            refs = self.dn_fields.get("references")

            if isinstance(refs, str):
                self.dn_fields.update({'references': [refs]})

            self.dn_fields.update({'loggingpolicy': logging_policies_with_id})

        self.content = template.render(self.dn_fields)

        return True
    def render_template(self, template_type):
        """Render template with data in it
        template_type:
            - "markdown"
            - "confluence"
        """

        if template_type not in ["markdown", "confluence"]:
            raise Exception("Bad template_type. Available values: " +
                            "[\"markdown\", \"confluence\"]")

        # Point to the templates directory
        env = Environment(loader=FileSystemLoader('templates'))

        # Get proper template
        if template_type == "markdown":
            template = env.get_template('markdown_alert_template.md.j2')

            # Read raw sigma rule
            sigma_rule = ATCutils.read_rule_file(self.yaml_file)

            # Put raw sigma rule into fields var
            self.fields.update({'sigma_rule': sigma_rule})

            # Define which queries we want from Sigma
            #queries = ["es-qs", "xpack-watcher", "graylog", "splunk", "logpoint", "grep", "fieldlist"]
            queries = ATCconfig.get('detection_queries').split(",")

            # dict to store query key + query values
            det_queries = {}

            # Convert sigma rule into queries (for instance, graylog query)
            for query in queries:
                # prepare command to execute from shell
                # (yes, we know)
                cmd = ATCconfig.get('sigmac_path') + " --shoot-yourself-in-the-foot -t " + \
                    query + " --ignore-backend-errors " + self.yaml_file
                #query + " --ignore-backend-errors " + self.yaml_file + \
                #" 2> /dev/null"

                p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)

                (query2, err) = p.communicate()

                # Wait for date to terminate. Get return returncode
                # p_status = p.wait()
                p.wait()
                """ Had to remove '-' due to problems with
                Jinja2 variable naming,
                e.g es-qs throws error 'no es variable'
                """
                det_queries[query] = str(query2)[2:-3]

            # Update detection rules
            self.fields.update({"det_queries": det_queries})
            self.fields.update({"queries": queries})

            # Data Needed
            data_needed = ATCutils.main_dn_calculatoin_func(self.yaml_file)

            # if there is only 1 element in the list, print it as a string,
            # without quotes
            # if isistance(data_needed, list) and len(data_needed) == 1:
            #     [data_needed] = data_needed

            # print("%s || Dataneeded: \n%s\n" %
            #       (self.fields.get("title"), data_needed))

            self.fields.update({'data_needed': data_needed})

            # Enrichments
            enrichments = self.fields.get("enrichment")

            if isinstance(enrichments, str):
                enrichments = [enrichments]

            self.fields.update({'enrichment': enrichments})

            tactic = []
            tactic_re = re.compile(r'attack\.\w\D+$')
            technique = []
            technique_re = re.compile(r'attack\.t\d{1,5}$')
            other_tags = []

            if self.fields.get('tags'):
                for tag in self.fields.get('tags'):
                    if tactic_re.match(tag):
                        if ta_mapping.get(tag):
                            tactic.append(ta_mapping.get(tag))
                        else:
                            other_tags.append(tag)
                    elif technique_re.match(tag):
                        te = tag.upper()[7:]
                        technique.append((te_mapping.get(te), te))
                    else:
                        other_tags.append(tag)

                    if not tactic_re.match(tag) and not \
                            technique_re.match(tag):
                        other_tags.append(tag)

                if len(tactic):
                    self.fields.update({'tactics': tactic})
                if len(technique):
                    self.fields.update({'techniques': technique})
                if len(other_tags):
                    self.fields.update({'other_tags': other_tags})

            triggers = []

            for trigger in technique:
                if trigger is "None":
                    continue

                try:

                    triggers.append(trigger)

                except FileNotFoundError:
                    print(trigger + ": No atomics trigger for this technique")
                    """
                    triggers.append(
                        trigger + ": No atomics trigger for this technique"
                    )
                    """

            self.fields.update(
                {'description': self.fields.get('description').strip()})
            self.fields.update({'triggers': triggers})

        elif template_type == "confluence":
            template = env.get_template('confluence_alert_template.html.j2')

            self.fields.update({
                'confluence_viewpage_url':
                ATCconfig.get('confluence_viewpage_url')
            })

            sigma_rule = ATCutils.read_rule_file(self.yaml_file)
            self.fields.update({'sigma_rule': sigma_rule})

            outputs = ["es-qs", "xpack-watcher", "graylog"]

            for output in outputs:
                cmd = ATCconfig.get('sigmac_path') + " -t " + \
                    output + " --ignore-backend-errors " + self.yaml_file + \
                    " 2> /dev/null"
                p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
                (query, err) = p.communicate()
                # Wait for date to terminate. Get return returncode ##
                # p_status = p.wait()
                p.wait()
                # have to remove '-' due to problems with
                # Jinja2 variable naming,e.g es-qs throws error
                # 'no es variable'
                self.fields.update({output.replace("-", ""): str(query)[2:-3]})

            # Data Needed
            data_needed = ATCutils.main_dn_calculatoin_func(self.yaml_file)

            data_needed_with_id = []

            for data in data_needed:
                data_needed_id = str(
                    ATCutils.confluence_get_page_id(self.apipath, self.auth,
                                                    self.space, data))
                data = (data, data_needed_id)
                data_needed_with_id.append(data)

            self.fields.update({'data_needed': data_needed_with_id})

            # Enrichments
            enrichments = self.fields.get("enrichment")

            enrichments_with_page_id = []

            if isinstance(enrichments, str):
                enrichments = [enrichments]

            if enrichments:
                for enrichment_name in enrichments:
                    enrichment_page_id = str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space,
                            enrichment_name))
                    enrichment_data = (enrichment_name, enrichment_page_id)
                    enrichments_with_page_id.append(enrichment_data)

            self.fields.update({'enrichment': enrichments_with_page_id})

            tactic = []
            tactic_re = re.compile(r'attack\.\w\D+$')
            technique = []
            technique_re = re.compile(r'attack\.t\d{1,5}$')
            other_tags = []

            if self.fields.get('tags'):
                for tag in self.fields.get('tags'):
                    if tactic_re.match(tag):
                        if ta_mapping.get(tag):
                            tactic.append(ta_mapping.get(tag))
                        else:
                            other_tags.append(tag)
                    elif technique_re.match(tag):
                        te = tag.upper()[7:]
                        technique.append((te_mapping.get(te), te))
                    else:
                        other_tags.append(tag)

                    if not tactic_re.match(tag) and not \
                            technique_re.match(tag):
                        other_tags.append(tag)

                if len(tactic):
                    self.fields.update({'tactics': tactic})
                if len(technique):
                    self.fields.update({'techniques': technique})
                if len(other_tags):
                    self.fields.update({'other_tags': other_tags})

            triggers = []

            for trigger_name, trigger_id in technique:
                if trigger_id is "None":
                    continue

                try:
                    page_name = trigger_id + ": " + trigger_name
                    trigger_page_id = str(
                        ATCutils.confluence_get_page_id(
                            self.apipath, self.auth, self.space, page_name))

                    trigger = (trigger_name, trigger_id, trigger_page_id)

                    triggers.append(trigger)
                except FileNotFoundError:
                    print(trigger + ": No atomics trigger for this technique")

            self.fields.update({'triggers': triggers})

        self.content = template.render(self.fields)
        # Need to convert ampersand into HTML "save" format
        # Otherwise confluence throws an error
        # self.content = self.content.replace("&", "&")
        # Done in the template itself

        return True