SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

More Detailed Export of Test Case Data #102

Closed jeFF0Falltrades closed 3 years ago

jeFF0Falltrades commented 3 years ago

Thanks for your hard work and for sharing such a great product with the community, SRA team!

One request I would like to see as a user is a more detailed export of Test Case data from an Assessment.

In the current state, the only data captured in an export of the Test Cases for an Assessment is the description, timing, and outcome of the case.

It would be convenient to be able to either export (as a report) or query (from a database or API) a more detailed breakdown of Test Cases which included both the Red and Blue Team notes, as well as Detection Rules associated with a Test Case.

This may be a deviation from how the Test Case objects were meant to be used, but the use case I have in mind is: If - during the course of an Assessment - the Blue Team comes up with a new detection query or rule for the Test Case, we can capture it in real time, and then export it from VECTR later for ingestion into our production detection tools.

Currently, it's much more convenient to duplicate and track these rules outside of VECTR, as there is no way to export them from VECTR easily; it would be much nicer to be able to store it all in VECTR and export it as needed to external tools/reports.

Let me know if I can explain any of the above points further, and thanks again for your dedication to this tool!

thebleucheese commented 3 years ago

Hey Jeff, thanks so much for the feedback!

There are 3 things we're working on that I think will help you achieve your goals:

1. We're planning to make the columns on the Test Case Drilldown report configurable which would extend to reporting exports of the same screen (likely CSV). That will allow you to select which data points are shown on the filtered report and I think would meet the need you describe above. We expect development to begin on this early in the New Year and currently have a rough Q2 target.

2. We do have a working read-only GraphQL API in development. It's currently in testing, and we expect to release it in Q1 of 2021.

3. We're planning a revamp to the Detection Rules interface from the Test Case panel as well as the administration in VECTR for next year. We're still in the requirements gathering phase for this so it's more long term than the other features described above, but we think this will help a lot with Blue Team content management.

jeFF0Falltrades commented 3 years ago

Thank you, @thebleucheese! Brilliant; it sounds like all 3 of the roadmap items you listed address this Issue and more.

Appreciate the quick response and good work!

carlvonderheid commented 3 years ago

@jeFF0Falltrades An update: The GraphQL API (read-only) was just released this morning. The other 2 items above are still in development.

jeFF0Falltrades commented 3 years ago

Thank you, @carlvonderheid! I'm excited to see the changes made and will close this issue for now.

I appreciate all of the support from the team!