From daa12014f174d767755f418ee61ff7b253c0b48a Mon Sep 17 00:00:00 2001
From: jcwilliamsATmitre <36889852+jcwilliamsATmitre@users.noreply.github.com>
Date: Sat, 8 May 2021 19:53:56 -0400
Subject: [PATCH 1/4] Updating Data Sources Updated to reflect new data sources values/format as of v9 (APR 2021). Aiming for data sources that are mapped to ~5-15 techniques.
---
 scripts/techniques_data_sources_vis.py | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/scripts/techniques_data_sources_vis.py b/scripts/techniques_data_sources_vis.py
index 371265d9..eb337e07 100644
--- a/scripts/techniques_data_sources_vis.py
+++ b/scripts/techniques_data_sources_vis.py
@@ -480,18 +480,18 @@ def defaultStr(multi=False):
 nargs="+",
 metavar=("datasource1", "datasource2"),
 default=[
- "windows event logs",
- "anti-virus",
- "binary file metadata",
- "data loss prevention",
- "dll monitoring",
- "loaded dlls",
- "malware reverse engineering",
- "netflow/enclave netflow",
- "network intrusion detection system",
- "network protocol analysis",
- "ssl/tls inspection",
- "system calls"
+ "User Account: User Account Creation",
+ "Active Directory: Active Directory Object Creation",
+ "Container: Container Creation",
+ "Driver: Driver Load",
+ "File: File Deletion",
+ "Firmware: Firmware Modification",
+ "Instance: Instance Creation",
+ "Logon Session: Logon Session Metadata",
+ "Scheduled Job: Scheduled Job Creation",
+ "Service: Service Modification",
+ "Process: Process Metadata",
+ "Sensor Health: Host Status"
 ],
 help="list data source names for datasources written in techniques_datasources.csv." + defaultStr(True)
 )
@@ -519,4 +519,4 @@ def defaultStr(multi=False):
 args = parser.parse_args()
 verbose = args.verbose
 generate_content(args.datasources, args.tactics, args.output_folder)
-
\ No newline at end of file
+
From 2a935ab6395e61ab0cd39a930d070ae630d9051c Mon Sep 17 00:00:00 2001
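Review bot: The new `default=[...]` list is a set of literal names that must match the CSV's data-source strings exactly, yet nothing in the hunk records which ATT&CK version they track or why these twelve were chosen; the rationale in the commit message (v9, roughly 5-15 mapped techniques each) is lost once it leaves the log. A comment above the list, `# Default data sources as of ATT&CK v9 (April 2021); names must match techniques_datasources.csv exactly`, keeps that with the code. If the set of valid names can be loaded before `parse_args()`, passing it as `choices=` would reject a mistyped or outdated name up front; I cannot see from this hunk how an unmatched name is handled today, so confirm that before adding it. The `add_argument` call starts before the hunk.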
From: Isabel Tuson
Date: Tue, 1 Jun 2021 08:02:22 -0400
Subject: [PATCH 2/4] update changelog
---
 CHANGELOG.md | 4 ++++
 scripts/techniques_from_data_source.py | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 560a8a15..45eeba8f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# Changes staged on Develop
+# v1.9.2
+## Fixes
+- Patched list of data sources in [techniques_data_sources_vis.py](/scripts/techniques_data_sources_vis.py) and [techniques_from_Data_source.py](/scripts/techniques_from_Data_source.py) to use current data sources.
 # v1.9.1 - 9 April 2021
 With the release of our [mitreattack-python](https://github.com/mitre-attack/mitreattack-python) pip module, we're removing the tools previously found in the `layers` folder as they are now part of that module.
diff --git a/scripts/techniques_from_data_source.py b/scripts/techniques_from_data_source.py
index b3982dbb..2a054e81 100644
--- a/scripts/techniques_from_data_source.py
+++ b/scripts/techniques_from_data_source.py
@@ -41,7 +41,7 @@ def techniques(data_source):
 )
 parser.add_argument("-data_source", type=str,
- default="Windows Registry",
+ default="User Account: User Account Creation",
 help="the datasource by which to filter techniques. Default value is '%(default)s'."
 )
From 4bf765b8174a6c44f591d322ca8e152ea1ea1257 Mon Sep 17 00:00:00 2001
From: jcwilliamsATmitre <36889852+jcwilliamsATmitre@users.noreply.github.com>
Date: Tue, 1 Jun 2021 17:22:57 -0400
Subject: [PATCH 3/4] Data source values to lowercase
---
 scripts/techniques_data_sources_vis.py | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/scripts/techniques_data_sources_vis.py b/scripts/techniques_data_sources_vis.py
index eb337e07..b5e4330f 100644
--- a/scripts/techniques_data_sources_vis.py
+++ b/scripts/techniques_data_sources_vis.py
@@ -480,18 +480,18 @@ def defaultStr(multi=False):
 nargs="+",
 metavar=("datasource1", "datasource2"),
 default=[
- "User Account: User Account Creation",
- "Active Directory: Active Directory Object Creation",
- "Container: Container Creation",
- "Driver: Driver Load",
- "File: File Deletion",
- "Firmware: Firmware Modification",
- "Instance: Instance Creation",
- "Logon Session: Logon Session Metadata",
- "Scheduled Job: Scheduled Job Creation",
- "Service: Service Modification",
- "Process: Process Metadata",
- "Sensor Health: Host Status"
+ "user account: user account creation",
+ "active directory: active directory object creation",
+ "container: container creation",
+ "driver: driver load",
+ "file: file deletion",
+ "firmware: firmware modification",
+ "instance: instance creation",
+ "logon session: logon session metadata",
+ "scheduled job: scheduled job creation",
+ "service: service modification",
+ "process: process metadata",
+ "sensor health: host status"
 ],
 help="list data source names for datasources written in techniques_datasources.csv." + defaultStr(True)
 )
From 651fdc0840a3eee3ff6d33f237c7c2328722af6c Mon Sep 17 00:00:00 2001
From: Isabel Tuson
Date: Fri, 25 Jun 2021 07:48:00 -0400
Subject: [PATCH 4/4] update changelog
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 45eeba8f..292ef063 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,8 @@
-# Changes staged on Develop
+# 25 June 2021
 # v1.9.2
 ## Fixes
 - Patched list of data sources in [techniques_data_sources_vis.py](/scripts/techniques_data_sources_vis.py) and [techniques_from_Data_source.py](/scripts/techniques_from_Data_source.py) to use current data sources.
+
 # v1.9.1 - 9 April 2021
 With the release of our [mitreattack-python](https://github.com/mitre-attack/mitreattack-python) pip module, we're removing the tools previously found in the `layers` folder as they are now part of that module.
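Review bot: After this hunk the two scripts in the series disagree on the casing of the same data-source names: `techniques_data_sources_vis.py` now defaults to `"user account: user account creation"`, while PATCH 2/4 left `techniques_from_data_source.py` with `default="User Account: User Account Creation"`. If both compare the argument against the same field with plain string equality, only one of the two spellings can match; if the visualization script lower-cases its input before matching, the lowercase defaults here are cosmetic and a short comment saying so would stop the next reader from "fixing" them back. Either normalize both defaults the same way (for example `default="user account: user account creation",` in techniques_from_data_source.py, if lowercase is what the lookup needs) or note the casing rule next to each list. The `add_argument` call starts before the hunk.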