Closed himynamesdave closed 2 months ago
https://github.com/muchdogesec/arango_cti_processor/blob/adding-tests/tests/README.md#test-70-test-sigma-rule-indicator-to-attck-attack-pattern-relationship-sigma-attack
These two tests fail
# test 2 Expects 15546 results (see test-data-research.md for why) def test_02_check_generated_relationships(self): query = """ RETURN LENGTH( FOR doc IN sigma_rules_edge_collection FILTER doc._is_latest == true AND doc.relationship_type == "detects" AND doc._arango_cti_processor_note == "sigma-attack" AND doc.object_marking_refs == [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "marking-definition--2e51a631-99d8-52a5-95a6-8314d3f4fbf3" ] RETURN [doc] ) """ result_count = self.run_query(query) self.assertEqual(result_count, [15546], f"Expected 15546 documents, but found {result_count}.") # check relationships for indicator--1a7e070a-64cb-5d4f-aff4-8e5fdcd72edf has 3 ATT&CK references, # { # "source_name": "mitre-attack", # "description": "tactic", # "external_id": "credential_access" # }, # { # "source_name": "mitre-attack", # "url": "https://attack.mitre.org/techniques/T1003.001", # "external_id": "T1003.001" # }, # { # "source_name": "mitre-attack", # "url": "https://attack.mitre.org/software/S0002", # "external_id": "S0002" # }, # Enterprise # * credential_access TA0002 x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5 # * `2e51a631-99d8-52a5-95a6-8314d3f4fbf3` `detects+sigma_rules_vertex_collection/indicator--1a7e070a-64cb-5d4f-aff4-8e5fdcd72edf+mitre_attack_enterprise_vertex_collection/x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5` = `86ac99cc-d4c4-56fb-ae8b-720c3772503a` # * T1003.001 attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90 # * `2e51a631-99d8-52a5-95a6-8314d3f4fbf3` `detects+sigma_rules_vertex_collection/indicator--1a7e070a-64cb-5d4f-aff4-8e5fdcd72edf+mitre_attack_enterprise_vertex_collection/attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90` = `e119b459-c4c7-5ce3-bdd5-1caedb9f6d4b` # * S0002 tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 # * `2e51a631-99d8-52a5-95a6-8314d3f4fbf3` 
`detects+sigma_rules_vertex_collection/indicator--1a7e070a-64cb-5d4f-aff4-8e5fdcd72edf+mitre_attack_enterprise_vertex_collection/tool--afc079f3-c0ea-4096-b75d-3f05338b7f60` = `d7e0a492-db21-5021-a7fb-ec8d31acb051` # Mobile # * credential_access TA0035 x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba # * `2e51a631-99d8-52a5-95a6-8314d3f4fbf3` `detects+sigma_rules_vertex_collection/indicator--1a7e070a-64cb-5d4f-aff4-8e5fdcd72edf+mitre_attack_mobile_vertex_collection/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba` = `96495af9-cd33-5191-95ab-d098b7ef2f5e` def test_03_check_relationship_gen_for_object1(self): query = """ FOR doc IN sigma_rules_edge_collection FILTER doc._is_latest == true AND doc.relationship_type == "detects" AND doc.source_ref == "indicator--1a7e070a-64cb-5d4f-aff4-8e5fdcd72edf" RETURN doc.id """ result_count = self.run_query(query) expected_ids = [ "relationship--86ac99cc-d4c4-56fb-ae8b-720c3772503a", "relationship--e119b459-c4c7-5ce3-bdd5-1caedb9f6d4b", "relationship--d7e0a492-db21-5021-a7fb-ec8d31acb051", "relationship--96495af9-cd33-5191-95ab-d098b7ef2f5e" ] self.assertEqual(result_count, expected_ids, f"Expected {expected_ids}, but found {result_count}.") if __name__ == '__main__': unittest.main()
It seems only techniques (attack-pattern objects) are currently generated: of the four expected SROs, only `relationship--e119b459-c4c7-5ce3-bdd5-1caedb9f6d4b` (the T1003.001 edge) matches in test 03, so the tactic (`x-mitre-tactic`) and software (`tool`) references are not being resolved.
https://dogesec.slack.com/archives/D05L8JEAM1N/p1722437276690279
Closing in favour of #18.
https://github.com/muchdogesec/arango_cti_processor/blob/adding-tests/tests/README.md#test-70-test-sigma-rule-indicator-to-attck-attack-pattern-relationship-sigma-attack
These two tests fail
It seems only techniques (attack-pattern objects) are currently generated: of the four expected SROs, only `relationship--e119b459-c4c7-5ce3-bdd5-1caedb9f6d4b` (the T1003.001 edge) matches in test 03, so the tactic (`x-mitre-tactic`) and software (`tool`) references are not being resolved.