issue #354: introduced customisable RA/RP title
 formatting rules
Christoph Bott committed Aug 5, 2021
1 parent 8a879c2 commit f0c77e2
Showing 8 changed files with 48 additions and 21 deletions.
31 changes: 30 additions & 1 deletion scripts/config.default.yml
Expand Up @@ -29,4 +29,33 @@ attack_json_url: 'https://raw.githubusercontent.com/mitre/cti/master/enterprise-
attack_mapping_url: 'scripts/attack_mapping.py'
# AMITT
amitt_json_url: 'https://raw.githubusercontent.com/cogsec-collaborative/amitt_cti/master/amitt/amitt-attack.json'
amitt_mapping_url: 'scripts/amitt_mapping.py'
amitt_mapping_url: 'scripts/amitt_mapping.py'
# Title formatting rules
titlefmtrules:
capitalizeWords: # will be capitalized: unix -> Unix
- "unix"
- "windows"
- "proxy"
- "firewall"
- "mach-o"
abbreviations: # will be completely converted to uppercase lan -> LAN
- "ip"
- "dns"
- "ms"
- "ngfw"
- "ips"
- "url"
- "pe"
- "pdf"
- "elf"
- "dhcp"
- "vpn"
- "smb"
- "ftp"
- "http"
- "lan"
- "wan"
- "av"
- "fqdn"
- "dfs"
- "soc"
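Review bot: Both lists under `titlefmtrules` are matched against `word.lower()` in `normalize_react_title`, so any entry written with an uppercase letter (for example `"DNS"`) would silently never match; the file should say so. Suggested comment on the `abbreviations:` line: `# entries must be lowercase: matching compares the lowercased title word`, and the same note on `capitalizeWords:`. This `abbreviations` list also carries six entries (`lan`, `wan`, `av`, `fqdn`, `dfs`, `soc`) that the built-in default in `scripts/reactutils.py` lacks, so a deployment whose `config.yml` omits the key renders different titles from one that copies this file; a comment stating that this block is the authoritative list would make the divergence intentional rather than accidental.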
4 changes: 2 additions & 2 deletions scripts/generate_mkdocs_config.py
Expand Up @@ -108,7 +108,7 @@ def __init__(self, ra=False, rp=False, rs=False, auto=False,

ra_updated_title = ras[i].get('id')\
+ ": "\
+ REACTutils.normalize_react_title(ras[i].get('title'))
+ REACTutils.normalize_react_title(ras[i].get('title'),REACTConfig.get('titlefmtrules'))

if "RA1" in ras[i]['id']:
preparation.append((ra_updated_title, ra_filenames[i]))
Expand All @@ -130,7 +130,7 @@ def __init__(self, ra=False, rp=False, rs=False, auto=False,

rp_updated_title = rps[i].get('id')\
+ ": "\
+ REACTutils.normalize_react_title(rps[i].get('title'))
+ REACTutils.normalize_react_title(rps[i].get('title'),REACTConfig.get('titlefmtrules'))

playbooks.append((rp_updated_title, rp_filenames[i]))

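Review bot: Both replaced calls pass `REACTConfig.get('titlefmtrules')` positionally, so a `config.yml` that predates this key hands `None` to `normalize_react_title`, which bypasses the function's default and fails with a TypeError on `fmtrules["abbreviations"]` while building the mkdocs navigation; the same pattern appears in `scripts/react2stix.py`, `scripts/responseaction.py`, `scripts/responseplaybook.py`, `scripts/responsestage.py` and `scripts/thehive_templates.py`. Each of those modules now also references `REACTConfig` without any import change in the diffstat; if one of them did not already import it, that is a NameError at run time, which the hunks do not let me confirm. The simplest fix is in the callee — treat `None` or a missing key as "use the built-in rules" — after which these call sites can stay as written; otherwise each of the thirteen lookups needs its own fallback. The enclosing `__init__` begins before this hunk.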
2 changes: 1 addition & 1 deletion scripts/react2stix.py
Expand Up @@ -119,7 +119,7 @@ def __init__(self, ra=False, rp=False, auto=False,

for i in range(len(ras)):

normalized_title = REACTutils.normalize_react_title(ras[i].get('title'))
normalized_title = REACTutils.normalize_react_title(ras[i].get('title'),REACTConfig.get('titlefmtrules'))

ra_updated_title = ras[i].get('id')\
+ ":"\
10 changes: 4 additions & 6 deletions scripts/reactutils.py
Expand Up @@ -459,23 +459,21 @@ def push_to_confluence(data, apipath, auth):


@staticmethod
def normalize_react_title(title):
def normalize_react_title(title,fmtrules={"abbreviations": ["ip", "dns", "ms", "ngfw", "ips", "url", "pe", "pdf","elf", "dhcp", "vpn", "smb", "ftp", "http"],"capitalizeWords":["unix", "windows", "proxy", "firewall", "mach-o"]}):
"""Normalize title if it is a RA/RP title in the following format:
RP_0003_identification_make_sure_email_is_a_phishing
"""

react_id_re = re.compile(r'R[AP]_\d{4}.*$')
react_id_re = re.compile(r'R[AP]_\d{4}_.*$')
if react_id_re.match(title):
title = title[8:].split('_', 0)[-1].replace('_', ' ').capitalize()
new_title = ""
for word in title.split():
if word.lower() in [
"ip", "dns", "ms", "ngfw", "ips", "url", "pe", "pdf",
"elf", "dhcp", "vpn", "smb", "ftp", "http" ]:
if word.lower() in fmtrules["abbreviations"]:
new_title += word.upper()
new_title += " "
continue
elif word.lower() in [ "unix", "windows", "proxy", "firewall", "mach-o" ]:
elif word.lower() in fmtrules["capitalizeWords"]:
new_title += word.capitalize()
new_title += " "
continue
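Review bot: The new `fmtrules` default on the `def normalize_react_title` line is a mutable dict literal shared across calls, and it duplicates the list that `scripts/config.default.yml` now owns; with the YAML already holding `lan`, `wan`, `av`, `fqdn`, `dfs` and `soc` that this default lacks, the two copies will keep drifting. The body also indexes `fmtrules["abbreviations"]` and `fmtrules["capitalizeWords"]` directly, so a config that sets only one of the two keys, or a caller that passes `None`, raises inside title rendering instead of falling back. I would make the parameter `fmtrules=None`, keep the built-in rules in one module-level constant, read the keys with `.get` and empty defaults, and build lowercased sets once before the loop rather than scanning lists per word. The docstring should state that entries are compared lowercased. The function body continues past the end of the hunk and the enclosing class starts before it.
```python
# at module level in scripts/reactutils.py — built-in fallback;
# scripts/config.default.yml is the authoritative list.
_DEFAULT_TITLE_FMT_RULES = {
    "abbreviations": ["ip", "dns", "ms", "ngfw", "ips", "url", "pe", "pdf",
                      "elf", "dhcp", "vpn", "smb", "ftp", "http"],
    "capitalizeWords": ["unix", "windows", "proxy", "firewall", "mach-o"],
}

    # inside the REACTutils class:
    @staticmethod
    def normalize_react_title(title, fmtrules=None):
        """Normalize title if it is a RA/RP title in the following format:
        RP_0003_identification_make_sure_email_is_a_phishing

        fmtrules: optional dict with "abbreviations" (words rendered in
        uppercase) and "capitalizeWords" (words rendered Capitalized).
        None, an empty dict or a missing key falls back to the built-in
        rules. Entries are compared against the lowercased title word.
        """
        rules = fmtrules if fmtrules else _DEFAULT_TITLE_FMT_RULES
        abbreviations = {w.lower() for w in rules.get("abbreviations", ())}
        capitalize_words = {w.lower() for w in rules.get("capitalizeWords", ())}

        react_id_re = re.compile(r'R[AP]_\d{4}_.*$')
        if react_id_re.match(title):
            title = title[8:].split('_', 0)[-1].replace('_', ' ').capitalize()
            new_title = ""
            for word in title.split():
                if word.lower() in abbreviations:
                    new_title += word.upper()
                    new_title += " "
                    continue
                elif word.lower() in capitalize_words:
                    new_title += word.capitalize()
                    new_title += " "
                    continue
                # … unchanged: remaining word handling and return, past the hunk …
```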
4 changes: 2 additions & 2 deletions scripts/responseaction.py
Expand Up @@ -74,7 +74,7 @@ def render_template(self, template_type):

self.ra_parsed_file.update(
{'title': REACTutils.normalize_react_title(self.ra_parsed_file
.get('title'))}
.get('title'),REACTConfig.get('titlefmtrules'))}
)

stage_list = []
Expand All @@ -95,7 +95,7 @@ def render_template(self, template_type):

new_title = self.ra_parsed_file.get('id')\
+ ": "\
+ REACTutils.normalize_react_title(self.ra_parsed_file.get('title'))
+ REACTutils.normalize_react_title(self.ra_parsed_file.get('title'),REACTConfig.get('titlefmtrules'))

self.ra_parsed_file.update(
{'title': new_title}
8 changes: 4 additions & 4 deletions scripts/responseplaybook.py
Expand Up @@ -67,7 +67,7 @@ def render_template(self, template_type):

self.rp_parsed_file.update(
{'title': REACTutils.normalize_react_title(self.rp_parsed_file
.get('title'))}
.get('title'),REACTConfig.get('titlefmtrules'))}
)

# MITRE ATT&CK Tactics and Techniques
Expand Down Expand Up @@ -141,7 +141,7 @@ def render_template(self, template_type):

action_title = action.get('id')\
+ ": "\
+ REACTutils.normalize_react_title(action.get('title'))
+ REACTutils.normalize_react_title(action.get('title'),REACTConfig.get('titlefmtrules'))

stage_list.append(
(action_title, task, action.get('description'), action.get('workflow'))
Expand All @@ -157,7 +157,7 @@ def render_template(self, template_type):

new_title = self.rp_parsed_file.get('id')\
+ ": "\
+ REACTutils.normalize_react_title(self.rp_parsed_file.get('title'))
+ REACTutils.normalize_react_title(self.rp_parsed_file.get('title'),REACTConfig.get('titlefmtrules'))

self.rp_parsed_file.update(
{'title': new_title }
Expand Down Expand Up @@ -236,7 +236,7 @@ def render_template(self, template_type):

action_title = action.get('id')\
+ ": "\
+ REACTutils.normalize_react_title(action.get('title'))
+ REACTutils.normalize_react_title(action.get('title'),REACTConfig.get('titlefmtrules'))

if self.apipath and self.auth and self.space:
stage_list.append(
6 changes: 3 additions & 3 deletions scripts/responsestage.py
Expand Up @@ -79,7 +79,7 @@ def render_template(self, template_type):
if rs_mapping[rs_id] == REACTutils.normalize_rs_name(ras[i].get('stage')):
ra_id = ras[i].get('id')
ra_filename = ra_filenames[i]
ra_title = REACTutils.normalize_react_title(ras[i].get('title'))
ra_title = REACTutils.normalize_react_title(ras[i].get('title'),REACTConfig.get('titlefmtrules'))
ra_description = ras[i].get('description').strip()
stage_list.append(
(ra_id, ra_filename, ra_title, ra_description))
Expand All @@ -99,7 +99,7 @@ def render_template(self, template_type):
if rs_mapping[rs_id] == REACTutils.normalize_rs_name(ras[i].get('stage')):
ra_id = ras[i].get('id')
ra_filename = ra_filenames[i]
ra_title = REACTutils.normalize_react_title(ras[i].get('title'))
ra_title = REACTutils.normalize_react_title(ras[i].get('title'),REACTConfig.get('titlefmtrules'))
ra_description = ras[i].get('description').strip()
ra_confluence_page_name = ra_id + ": " + ra_title

Expand All @@ -115,7 +115,7 @@ def render_template(self, template_type):

new_title = self.rs_parsed_file.get('id')\
+ ": "\
+ REACTutils.normalize_react_title(self.rs_parsed_file.get('title'))
+ REACTutils.normalize_react_title(self.rs_parsed_file.get('title'),REACTConfig.get('titlefmtrules'))

self.rs_parsed_file.update(
{'title': new_title}
4 changes: 2 additions & 2 deletions scripts/thehive_templates.py
Expand Up @@ -108,7 +108,7 @@ def convertRPToTemplate(self, file_input, output_file):
self.case = THC.TheHiveCase()
self.case.name = self.rp_rule.get('id')\
+ ": "\
+ REACTutils.normalize_react_title(self.rp_rule.get('title'))
+ REACTutils.normalize_react_title(self.rp_rule.get('title'),REACTConfig.get('titlefmtrules'))

self.case.description = str(self.rp_rule.get('description')) + \
'\n\nWorkflow:\n\n' + str(self.rp_rule.get('workflow'))
Expand Down Expand Up @@ -157,7 +157,7 @@ def checkRA(self, stage):
task.title = str(self.task_prefix) + " | "\
+ rtask.get('id')\
+ ": "\
+ REACTutils.normalize_react_title(rtask.get('title'))
+ REACTutils.normalize_react_title(rtask.get('title'),REACTConfig.get('titlefmtrules'))

if rtask.get('stage'):
task.group = REACTutils.normalize_rs_name(rtask.get('stage'))
