Merge pull request SigmaHQ#1944 from ncrqnt/elastic-subtechniques
[Elastic] Add support for authors and subtechniques
thomaspatzke authored Sep 1, 2021
2 parents 6d3f706 + 00dec96 commit 3d6ad1b
Showing 1 changed file with 49 additions and 1 deletion.
50 changes: 49 additions & 1 deletion tools/sigma/backends/elasticsearch.py
Expand Up @@ -1490,6 +1490,10 @@ def generate(self, sigmaparser):

def create_threat_description(self, tactics_list, techniques_list):
threat_list = list()
# sort lists for correct handling with subtechniques
tactics_list.sort(key=lambda x: x['external_id'], reverse=False)
techniques_list.sort(key=lambda x: x['technique_id'], reverse=False)

for tactic in tactics_list:
temp_tactics = {
"tactic": {
Expand All @@ -1507,6 +1511,23 @@ def create_threat_description(self, tactics_list, techniques_list):
"name": tech.get("technique", ""),
"reference": tech.get("url", "")
})
elif re.match('[T][0-9]{4}.[0-9]{3}', tech.get("technique_id", ""), re.IGNORECASE):
# add subtechnique to main technique
technique = tech.get("technique_id", "").split(".")[0]
technique_entry = list(filter(lambda temp_techniques: temp_techniques['id'] == technique, temp_techniques))

if technique_entry:
index = temp_techniques.index(technique_entry[0])
temp_subtechniques = temp_techniques[index].get("subtechnique", [])
temp_subtechniques.append(
{
"id": tech.get("technique_id", ""),
"name": tech.get("technique", ""),
"reference": tech.get("url", "")
}
)
temp_techniques[index].update({"subtechnique": temp_subtechniques})

temp_tactics.update({"technique": temp_techniques})
threat_list.append(temp_tactics)
return threat_list
Expand Down Expand Up @@ -1570,8 +1591,20 @@ def create_rule(self, configs, index):
technics_list = list()
new_tags = list()

# sort tags so it looks nice :)
tags.sort()

for tag in tags:
tag = tag.replace("attack.", "")
# if there's a subtechnique, add main technique to the list if not already there
if re.match("[t][0-9]{4}.[0-9]{3}", tag, re.IGNORECASE):
technique = tag.split('.')[0]
if technique not in tags and technique.title() not in new_tags:
tech = self.find_technique(technique.title())
if tech:
new_tags.append(technique.title())
technics_list.append(tech)

if re.match("[t][0-9]{4}", tag, re.IGNORECASE):
tech = self.find_technique(tag.title())
if tech:
Expand All @@ -1593,8 +1626,13 @@ def create_rule(self, configs, index):
else:
tact = self.find_tactics(key_name=tag.title())
if tact:
new_tags.append(tag.title())
tactics_list.append(tact)

# capitalize if not a MITRE CAR tag
if re.match("car.\d{4}-\d{2}-\d{3}", tag, re.IGNORECASE):
new_tags.append(tag)
else:
new_tags.append(tag.title())

if self.custom_tag:
if ',' in self.custom_tag:
Expand Down Expand Up @@ -1633,7 +1671,17 @@ def create_rule(self, configs, index):
else:
references.append(add_ref_yml)

# add author filed depending on data type in rule file
author = configs.get("author", "")
if isinstance(author, str):
author_list = author.split(', ')
elif isinstance(author, list):
author_list = author
else:
author_list = []

rule = {
"author": author_list,
"description": configs.get("description", ""),
"enabled": True,
"false_positives": falsepositives,
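Review bot: The subtechnique pattern on the `elif` line in create_threat_description, `'[T][0-9]{4}.[0-9]{3}'`, leaves the dot unescaped, so any character between the technique number and the subtechnique number is accepted, and the character class around a single `T` is redundant; `r'T[0-9]{4}\.[0-9]{3}'` expresses the intended `T1234.001` shape. The same unescaped dot is in the tag check in create_rule (`"[t][0-9]{4}.[0-9]{3}"`), and the CAR check `"car.\d{4}-\d{2}-\d{3}"` is additionally a non-raw string, where `\d` is an invalid escape sequence that newer Python versions warn about; `r"car\.\d{4}-\d{2}-\d{3}"` fixes both points there. The `.sort()` calls on `tactics_list`, `techniques_list` and `tags` reorder the caller's lists in place, which is presumably acceptable here but deserves a comment such as `# NOTE: sorts the caller's list in place` since the surrounding code is not visible. create_threat_description starts in the first hunk and its body continues outside the hunks, as does create_rule.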
