cyb3rfox / Aurora-Incident-Response

Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders
Apache License 2.0
742 stars 79 forks

Type column is limited and might work better if mapped to Mitre #46

Open PeterM1981 opened 3 years ago

PeterM1981 commented 3 years ago

Currently the "Type" column on the timeline is very limiting. I suggest 2 possible improvements:

  1. The values in the type column are customizable, with a separate config file that could be edited to allow this.

  2. The "Type" column is renamed to "Technique" and the selection matches Mitre with these options:

    • Initial Access
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact

A second column could then be added called "ID", the selection in this drop down would be dependent on what had been selected for the technique, for example if "Initial Access" had been selected in the Technique column, then the list of IDs from here: https://attack.mitre.org/tactics/TA0001/ would be available in the ID column.

Mitre doesn't change that often, but an API connection to the attack matrix would be best for keeping these up to date (I don't know if they offer that). Either that or maintained by the devoted Aurora community :-)
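The dependent Technique/ID dropdown pair proposed above, as an added example in JavaScript (Aurora is an Electron application) that is not code from the Aurora project or from this issue. In ATT&CK terms the values listed above are tactics (TA-numbers, e.g. TA0001) and the IDs on each tactic page are techniques (T-numbers), so the index below is keyed by tactic name and lists techniques under it. The data source is the STIX 2.x bundle format MITRE publishes for ATT&CK (enterprise-attack.json in the mitre/cti GitHub repository), which is the closest thing to the "API connection" mentioned; the bundle fragment embedded here is constructed and trimmed for the example, T9999 is a made-up ID, and the function names are the example's own. Revoked or deprecated entries, techniques that belong to more than one tactic, sub-techniques, and a phase name with no matching tactic object are all handled, and the index round-trips through the plain, user-editable JSON config suggested in option 1.

```javascript
// Added example, not Aurora project code. Builds the tactic -> technique index
// behind a dependent "Technique" (tactic) / "ID" (technique) dropdown pair from
// an ATT&CK STIX 2.x bundle. No network access: SAMPLE_BUNDLE is a constructed,
// trimmed stand-in for mitre/cti's enterprise-attack.json (field names match
// that format; T9999 is invented to show how revoked entries are dropped).
const SAMPLE_BUNDLE = {
  type: "bundle",
  id: "bundle--00000000-0000-4000-8000-000000000000",
  objects: [
    { type: "x-mitre-tactic", name: "Initial Access", x_mitre_shortname: "initial-access",
      external_references: [{ source_name: "mitre-attack", external_id: "TA0001" }] },
    { type: "x-mitre-tactic", name: "Execution", x_mitre_shortname: "execution",
      external_references: [{ source_name: "mitre-attack", external_id: "TA0002" }] },
    { type: "x-mitre-tactic", name: "Persistence", x_mitre_shortname: "persistence",
      external_references: [{ source_name: "mitre-attack", external_id: "TA0003" }] },
    { type: "attack-pattern", name: "Phishing",
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "initial-access" }],
      external_references: [{ source_name: "mitre-attack", external_id: "T1566" }] },
    { type: "attack-pattern", name: "Spearphishing Attachment", x_mitre_is_subtechnique: true,
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "initial-access" }],
      external_references: [{ source_name: "mitre-attack", external_id: "T1566.001" }] },
    { type: "attack-pattern", name: "Command and Scripting Interpreter",
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "execution" }],
      external_references: [{ source_name: "mitre-attack", external_id: "T1059" }] },
    // One technique, two tactics: it must be offered under both.
    { type: "attack-pattern", name: "Scheduled Task/Job",
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "execution" },
                          { kill_chain_name: "mitre-attack", phase_name: "persistence" }],
      external_references: [{ source_name: "mitre-attack", external_id: "T1053" }] },
    // Revoked objects stay in the real bundle; a dropdown must not show them.
    { type: "attack-pattern", name: "Old Technique (constructed)", revoked: true,
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "execution" }],
      external_references: [{ source_name: "mitre-attack", external_id: "T9999" }] },
  ],
};

// The ATT&CK ID lives in the external_references entry whose source is "mitre-attack".
function attackId(obj) {
  const ref = (obj.external_references || []).find((r) => r.source_name === "mitre-attack");
  return ref ? ref.external_id : null;
}

function isLive(obj) {
  return !obj.revoked && !obj.x_mitre_deprecated;
}

// Returns Map<tacticName, [{ id, name }]> with each list sorted by ID.
function buildTechniqueIndex(bundle) {
  const tacticByShortname = new Map();
  const index = new Map();
  for (const o of bundle.objects) {
    if (o.type === "x-mitre-tactic" && isLive(o)) {
      tacticByShortname.set(o.x_mitre_shortname, o.name);
      index.set(o.name, []);
    }
  }
  for (const o of bundle.objects) {
    if (o.type !== "attack-pattern" || !isLive(o)) continue;
    const id = attackId(o);
    if (!id) continue;
    for (const phase of o.kill_chain_phases || []) {
      if (phase.kill_chain_name !== "mitre-attack") continue;
      const tactic = tacticByShortname.get(phase.phase_name);
      if (!tactic) continue; // unknown phase: do not invent a dropdown entry
      index.get(tactic).push({ id, name: o.name });
    }
  }
  for (const list of index.values()) {
    list.sort((a, b) => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0));
  }
  return index;
}

// Options for the first dropdown (the renamed "Technique" column).
function tacticNames(index) {
  return [...index.keys()];
}

// Options for the dependent "ID" dropdown once a tactic has been chosen.
function idOptionsForTactic(index, tactic) {
  return index.get(tactic) || [];
}

// Validation for a saved timeline row: the ID must belong to the chosen tactic.
function isValidRow(index, tactic, id) {
  return idOptionsForTactic(index, tactic).some((t) => t.id === id);
}

// Round trip through a plain JSON config file that analysts can edit by hand.
function toEditableConfig(index) {
  return JSON.stringify(Object.fromEntries(index), null, 2);
}

function fromEditableConfig(json) {
  return new Map(Object.entries(JSON.parse(json)));
}

const INDEX = buildTechniqueIndex(SAMPLE_BUNDLE);
console.log(tacticNames(INDEX));
console.log(idOptionsForTactic(INDEX, "Execution"));
```

The two lookups are all a UI needs: populate the first dropdown from `tacticNames`, and on change repopulate the second from `idOptionsForTactic`. Keeping `isValidRow` separate lets the same rule be applied when a timeline is imported rather than typed, so a row cannot pair a tactic with a technique that is not listed under it.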

cyb3rfox commented 3 years ago

That makes sense but needs some reworking. I think the best way to go is to allow the user to edit the options available in these dropdowns. I'll come up with something.