def response_stage(self, rs_path):
"""Populate Response Stages"""
print("[*] Populating Response Stages...")
if rs_path:
rs_list = glob.glob(rs_path + '*.yml')
else:
rs_dir = REACTConfig.get('response_stages_dir')
rs_list = glob.glob(rs_dir + '/*.yml')
for rs_file in rs_list:
try:
rs = ResponseStage(rs_file)
rs.render_template("markdown")
rs.save_markdown_file(atc_dir=self.atc_dir)
except Exception as e:
print(rs_file + " failed\n\n%s\n\n" % e)
print("Err message: %s" % e)
print('-' * 60)
traceback.print_exc(file=sys.stdout)
print('-' * 60)
template = env.get_template('markdown_responsestage_main_template.j2')
rss, rs_paths = REACTutils.load_yamls_with_paths(
REACTConfig.get('response_stages_dir'))
rs_filenames = [
_rs_path.split('/')[-1].replace('.yml', '')
for _rs_path in rs_paths
]
rss_dict = {}
rss_list = []
for i in range(len(rss)):
rs_title = rss[i].get('title')
rs_id = rss[i].get('id')
rs_description = rss[i].get('description')
rss_list.append((rs_id, rs_title, rs_description))
rss_dict.update({'rss_list': sorted(rss_list)})
content = template.render(rss_dict)
REACTutils.write_file(rs_summary_dir + '/responsestages.md', content)
print("[+] Response Stages populated!")
def __init__(self,
ra=False,
rp=False,
rs=False,
auto=False,
ra_path=False,
rp_path=False,
rs_path=False,
atc_dir=False,
init=False):
"""Init"""
# Check if atc_dir provided
if atc_dir:
self.atc_dir = atc_dir
else:
self.atc_dir = REACTConfig.get('md_name_of_root_directory') + '/'
# Main logic
if auto:
self.response_action(ra_path)
self.response_playbook(rp_path)
self.response_stage(rs_path)
if ra:
self.response_action(ra_path)
if rp:
self.response_playbook(rp_path)
if rs:
self.response_stage(rs_path)
if ra_path:
ras, ra_paths = REACTutils.load_yamls_with_paths(ra_path)
else:
ras, ra_paths = REACTutils.load_yamls_with_paths(
REACTConfig.get('response_actions_dir'))
if rp_path:
rps, rp_paths = REACTutils.load_yamls_with_paths(rp_path)
else:
rps, rp_paths = REACTutils.load_yamls_with_paths(
REACTConfig.get('response_playbooks_dir'))
if rs_path:
rss, rs_paths = REACTutils.load_yamls_with_paths(rs_path)
else:
rss, rs_paths = REACTutils.load_yamls_with_paths(
REACTConfig.get('response_stages_dir'))
ra_filenames = [
ra_path.split('/')[-1].replace('.yml', '') for ra_path in ra_paths
]
rp_filenames = [
rp_path.split('/')[-1].replace('.yml', '') for rp_path in rp_paths
]
rs_filenames = [
rs_path.split('/')[-1].replace('.yml', '') for rs_path in rs_paths
]
# Point to the templates directory
env = Environment(loader=FileSystemLoader('scripts/templates'))
# Get proper template
template = env.get_template('mkdocs_config_template.md.j2')
preparation = []
identification = []
containment = []
eradication = []
recovery = []
lessons_learned = []
detect = []
deny = []
disrupt = []
degrade = []
deceive = []
destroy = []
deter = []
stages = [('preparation', preparation),
('identification', identification),
('containment', containment), ('eradication', eradication),
('recovery', recovery), ('lessons_learned', lessons_learned),
('detect', detect), ('deny', deny), ('disrupt', disrupt),
('degrade', degrade), ('deceive', deceive),
('destroy', destroy), ('deter', deter)]
playbooks = []
data_to_render = {}
for i in range(len(ras)):
ra_updated_title = ras[i].get('id')\
+ ": "\
+ REACTutils.normalize_react_title(ras[i].get('title'),REACTConfig.get('titlefmtrules'))
if "RA1" in ras[i]['id']:
preparation.append((ra_updated_title, ra_filenames[i]))
elif "RA2" in ras[i]['id']:
identification.append((ra_updated_title, ra_filenames[i]))
elif "RA3" in ras[i]['id']:
containment.append((ra_updated_title, ra_filenames[i]))
elif "RA4" in ras[i]['id']:
eradication.append((ra_updated_title, ra_filenames[i]))
elif "RA5" in ras[i]['id']:
recovery.append((ra_updated_title, ra_filenames[i]))
elif "RA6" in ras[i]['id']:
lessons_learned.append((ra_updated_title, ra_filenames[i]))
stages = [(stage_name.replace('_',
' ').capitalize(), sorted(stage_list))
for stage_name, stage_list in stages]
for i in range(len(rps)):
rp_updated_title = rps[i].get('id')\
+ ": "\
+ REACTutils.normalize_react_title(rps[i].get('title'),REACTConfig.get('titlefmtrules'))
playbooks.append((rp_updated_title, rp_filenames[i]))
rs_list = []
for i in range(len(rss)):
rs_title = rss[i].get('title')
rs_id = rss[i].get('id')
rs_list.append((rs_title, rs_id))
data_to_render.update({'stages': stages})
data_to_render.update({'playbooks': sorted(playbooks)})
data_to_render.update({'rs_list': rs_list})
content = template.render(data_to_render)
try:
REACTutils.write_file('mkdocs.yml', content)
print("[+] Created mkdocs.yml")
except:
print("[-] Failed to create mkdocs.yml")
def __init__(self,
ra=False,
rp=False,
auto=False,
ra_path=False,
rp_path=False,
atc_dir=False,
init=False):
"""Init"""
# Check if atc_dir provided
if atc_dir:
self.atc_dir = atc_dir
else:
self.atc_dir = REACTConfig.get('md_name_of_root_directory') + '/'
# Main logic
if auto:
self.response_action(ra_path)
self.response_playbook(rp_path)
if ra:
self.response_action(ra_path)
if rp:
self.response_playbook(rp_path)
if ra_path:
ras, ra_paths = REACTutils.load_yamls_with_paths(ra_path)
else:
ras, ra_paths = REACTutils.load_yamls_with_paths(
REACTConfig.get('response_actions_dir'))
if rp_path:
rps, rp_paths = REACTutils.load_yamls_with_paths(rp_path)
else:
rps, rp_paths = REACTutils.load_yamls_with_paths(
REACTConfig.get('response_playbooks_dir'))
ra_filenames = [
ra_path.split('/')[-1].replace('.yml', '') for ra_path in ra_paths
]
rp_filenames = [
rp_path.split('/')[-1].replace('.yml', '') for rp_path in rp_paths
]
_preparation = []
_identification = []
_containment = []
_eradication = []
_recovery = []
_lessons_learned = []
stages = [('preparation', _preparation),
('identification', _identification),
('containment', _containment), ('eradication', _eradication),
('recovery', _recovery),
('lessons_learned', _lessons_learned)]
for i in range(len(ras)):
normalized_title = REACTutils.normalize_react_title(
ras[i].get('title'), REACTConfig.get('titlefmtrules'))
ra_updated_title = ras[i].get('id')\
+ ":"\
+ normalized_title
if "RA1" in ras[i]['id']:
stage = 'preparation'
elif "RA2" in ras[i]['id']:
stage = 'identification'
elif "RA3" in ras[i]['id']:
stage = 'containment'
elif "RA4" in ras[i]['id']:
stage = 'eradication'
elif "RA5" in ras[i]['id']:
stage = 'recovery'
elif "RA6" in ras[i]['id']:
stage = 'lessons-learned'
kill_chain_phases = [{
"kill_chain_name": 'atc-react',
"phase_name": stage
}]
external_references = [{
"source_name":
"atc-react",
"external_id":
ras[i].get('id'),
"url":
react_web_kb_base_url + "Response_Actions/" + ra_filenames[i]
}]
ra = ReactAction(name=normalized_title,
description=ras[i].get('description'),
external_references=external_references,
kill_chain_phases=kill_chain_phases,
x_mitre_platforms=['Windows', 'Linux', 'macOS'],
allow_custom=True)
stix_mem.add(ra)
stix_mem.add([
preparation, identification, containment, eradication, recovery,
lessons_learned
])
stix_mem.add(react_matrix)
try:
stix_mem.save_to_file(local_react_json_url)
print("[+] Created react.json STIX file")
except:
print("[-] Failed to create react.json STIX file")
def response_stage(self, rs_path):
"""Nothing here yet"""
print("[*] Populating Response Stages...")
if rs_path:
rs_list = glob.glob(rs_path + '*.yml')
else:
rs_dir = REACTConfig.get('response_stages_dir')
rs_list = glob.glob(rs_dir + '/*.yml')
for rs_file in rs_list:
try:
rs = ResponseStage(rs_file,
apipath=self.apipath,
auth=self.auth,
space=self.space)
rs.render_template("confluence")
base = os.path.basename(rs_file)
confluence_data = {
"title":
rs.rs_parsed_file['title'],
"spacekey":
self.space,
"parentid":
str(
REACTutils.confluence_get_page_id(
self.apipath, self.auth, self.space,
"Response Stages")),
"confluencecontent":
rs.content,
}
res = REACTutils.push_to_confluence(confluence_data,
self.apipath, self.auth)
if res == 'Page updated':
print("==> updated page: RS '" + base + "'")
except Exception as err:
print(rs_file + " failed")
print("Err message: %s" % err)
print('-' * 60)
traceback.print_exc(file=sys.stdout)
print('-' * 60)
#
# Populate Response Stages root page
#
template = env.get_template(
'confluence_responsestage_main_template.html.j2')
rss, rs_paths = REACTutils.load_yamls_with_paths(
REACTConfig.get('response_stages_dir'))
rss_dict = {}
rss_list = []
for i in range(len(rss)):
rs_id = rss[i].get('id')
rs_title = rss[i].get('title')
rs_confluence_page_name = rs_id + ": " + rs_title
rs_confluence_page_id = str(
REACTutils.confluence_get_page_id(self.apipath, self.auth,
self.space,
rs_confluence_page_name))
rs_description = rss[i].get('description')
rss_list.append(
(rs_id, rs_title, rs_description, rs_confluence_page_id))
rss_dict.update({'rss_list': sorted(rss_list)})
rss_dict.update({
'confluence_viewpage_url':
REACTConfig.get('confluence_viewpage_url')
})
content = template.render(rss_dict)
try:
data = {
"title":
"Response Stages",
"spacekey":
self.space,
"parentid":
str(
REACTutils.confluence_get_page_id(self.apipath, self.auth,
self.space,
self.root_name)),
"confluencecontent":
content,
}
res = REACTutils.push_to_confluence(data, self.apipath, self.auth)
if res == 'Page updated':
print("==> updated page: Response Stages root page")
except Exception as err:
print("Response Stages root page" + " failed")
print("Err message: %s" % err)
print('-' * 60)
traceback.print_exc(file=sys.stdout)
print('-' * 60)
print("[+] Response Stages populated!")
