Closed. ForrestYockey closed this 2 years ago.
Forrest, thank you for the detailed report! I'll take a look at both of these and get back to you here.
This is a bug but there's a work-around. Try changing your technique to just the TID
"technique": "Security Account Manager - T1003.002",
to
"technique": "T1003.002",
It looks like there's a kind of validation and technique inference issue. I had to tweak and save the template in the UI after I created one using the first technique string with the name and TID. Then I was able to save over it using the UI and API.
Edit: found another issue; it also doesn't seem to overwrite unless you change the name. There's some complex behavior here to map out all the dependencies from names when creating data. We'll fix that as well.
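The two things this thread turns on are the work-around (send only the TID, not "Name - TID", in the technique field) and the observation that a 200 response does not prove the overwrite took effect. The following is an added example, not code from the issue, from VECTR, or from the reporter's import script; the field names and sample values are constructed for illustration and the functions are hypothetical helpers, not part of the VECTR API. It normalizes the technique string of a CreateTestCaseTemplateInput-style dict to the bare ATT&CK ID and then compares the template you sent against the template you read back afterwards, so a silently ignored overwrite shows up as a list of fields that did not change.

```python
import re

# ATT&CK technique or sub-technique ID, e.g. T1003 or T1003.002.
TID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def technique_id(technique: str) -> str:
    """Reduce a 'Name - TID' technique string to the bare TID.

    Raises ValueError when no technique ID is present, so a malformed entry
    fails loudly instead of being sent as a free-text name the server may
    mis-infer.
    """
    m = TID_RE.search(technique)
    if not m:
        raise ValueError(f"no ATT&CK technique ID in {technique!r}")
    return m.group(0)


def normalize_template(template: dict) -> dict:
    """Return a copy of a CreateTestCaseTemplateInput-style dict (hypothetical
    field names) with the technique field reduced to the bare TID. All other
    keys are passed through unchanged."""
    out = dict(template)
    out["technique"] = technique_id(template["technique"])
    return out


def overwrite_applied(sent: dict, stored: dict,
                      fields=("name", "description", "technique")) -> list:
    """Compare the template that was sent with the template read back after
    the overwrite request. Returns the fields that did NOT take effect; an
    empty list means the overwrite really happened. An HTTP 200 on the
    mutation alone is not evidence of that."""
    return [f for f in fields if sent.get(f) != stored.get(f)]


# Constructed sample: the second, modified request from the report, where
# the technique still carries the "Name - TID" form.
SENT = {
    "name": "Registry dump of SAM hives",          # constructed
    "technique": "Security Account Manager - T1003.002",
    "description": "xxxxxxDump hives from the registry",  # constructed
    "overwrite": True,
}

# Constructed sample of what the server still returns after the request
# when the overwrite was ignored: the old description is untouched.
STORED_STALE = {
    "name": "Registry dump of SAM hives",
    "technique": "T1003.002",
    "description": "Dump hives from the registry",
}


if __name__ == "__main__":
    payload = normalize_template(SENT)
    print("technique sent:", payload["technique"])
    print("fields not overwritten:", overwrite_applied(payload, STORED_STALE))
```

The check is deliberately independent of the transport: whatever client you use to send the mutation, read the template back (through the API or an export) and diff it against what you sent before trusting the result, since the server-side bug discussed here returned success without persisting the change.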
I couldn't get the work-around to work, though I guess my underlying use case complicates things. I am working on an automated way to import the remaining 900+ Atomic Red Team tests (and update existing/new ones) as fully populated Test Cases in Vectr; the example GraphQL queries come from a script I wrote that populates the missing 900+ Test Cases. (Just read your update; sounds great.) Of course, I do not expect or want my/Red Canary's goals to influence SRA's/Vectr's development goals, though I think Red Canary's Community Engagement team and others would support collaboration on better Atomic Red Team integration, if it is within SRA's interests.
@ForrestYockey Just a note, VECTR directly supports importing the index.yaml file from ART in the UI, under Administration -> Import Data. You can drag/drop the latest ART index from there and it will allow you to import what you want, including importing and updating previous imports of the data, adding automation variables, etc.
If there are any additions or changes to that process you'd like to see, we can try to address them. We haven't had a chance to update what's shipped with VECTR yet. We started on a database migration to address this, but it's complicated to keep historical mapping with existing data from prior to ART having GUIDs so it will likely be a while before we get to it.
Of course, you're welcome to use the API too, it just may be easier to use the UI.
Oh yeah, importing the index.yaml works great for getting the base information in there. There are other pieces of data (e.g., Detections, Preventions, Attacker Tools, other References, enhanced Operator Notes, threat-actor-based Tags, additional insights) that I wanted to automatically generate and add to that base data, to help out some of my compatriots that aren't so Red Team focused. No rush on anything! Migrating the backend is a huge pain.
Sounds great, I have a fix for this in testing right now. We'll soon have update() commands in place as well so you won't have to overwrite existing content.
Fixed underlying bugs in 8.3.1
Describe the bug
Successful Test Case createTemplate GraphQL mutation requests with CreateTestCaseTemplateInput's "overwrite" set to True do not overwrite an existing Test Case template "with the same template ID", when specified.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
After submitting the second, modified Test Case template request, the modified fields in the GraphQL request are expected to appear on the modified Test Case within the Vectr web interface (e.g., the description should read "xxxxxxDump hives from..." after the overwrite request).
Screenshots
Screenshot of initial Test Case template:
Screenshot of Test Case template after sending the modified overwrite request and reloading the interface/restarting the server (nothing has changed):
The response from the server, for the second overwrite request:
Additional context
As with my other issue, my queries could be flawed, though the server probably should not hand back a 200 response for the overwrite if the overwrite is not actually happening or if the query is wrong. According to the documentation (https://docs.vectr.io/graphql/schema/createtestcasetemplateinput.doc.html):