MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #820 from tomking2/bug/mitre-attack-external-id-parsing 

[fix] Mitre ATT&CK parsing to pull correct external_id value and update cluster
pull/822/head
Alexandre Dulaunoy 2023-02-21 11:45:20 +01:00 committed by GitHub
parent 9f73ff73ac e52eefa0e7
commit aad2e33b80
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 239 additions and 232 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

462
clusters/mitre-attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

9
tools/gen_mitre.py
View File

@ -15,6 +15,8 @@ misp_dir = '../'
domains = ['enterprise-attack', 'mobile-attack', 'pre-attack']
types = ['attack-pattern', 'course-of-action', 'intrusion-set', 'malware', 'tool']
mitre_sources = ['mitre-attack', 'mitre-ics-attack', 'mitre-pre-attack', 'mitre-mobile-attack']
all_data = {} # variable that will contain everything
# read in the non-MITRE data
@ -105,8 +107,13 @@ for domain in domains:
for reference in item['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
if 'external_id' in reference:
# Find Mitre external IDs from allowed sources
if 'external_id' in reference and reference.get("source_name", None) in mitre_sources:
value['meta']['external_id'] = reference['external_id']
if not value['meta'].get('external_id', None):
exit("Entry is missing an external ID, please update mitre_sources. Available references: {}".format(
json.dumps(item['external_references'])
))
if 'kill_chain_phases' in item: # many (but not all) attack-patterns have this
value['meta']['kill_chain'] = []