Closed himynamesdave closed 2 months ago
@fqrious test 7 and 8 still failing.
Seems like they're not being created...
python3 -m unittest tests/test_7_0_sigma_to_attack.py
python3 -m unittest tests/test_8_0_sigma_to_cve.py
for test 8, the file you're uploading is not to our spec (still using `labels` instead of `external_references`), please correct it and it should work.
looking into test 7
so, I found an issue causing all groups to be skipped, which I have fixed but the test is still failing... I don't think the problem is from the cti_pro... here though, maybe the test code is wrong?
RETURN MERGE(
    FOR doc IN sigma_rules_edge_collection
        FILTER doc._arango_cti_processor_note == "sigma-attack" AND doc._is_latest
        COLLECT type = SPLIT(doc.target_ref, "--")[0] INTO docs
        RETURN {[type]: COUNT(docs[*].doc)}
)
gave me this
[
    {
        "intrusion-set": 42,
        "attack-pattern": 3543,
        "tool": 60,
        "x-mitre-tactic": 10476
    }
]
As identified in #16 and #17, sigma objects no longer use `labels` for ATT&CK (`sigma-attack`) and CVE (`sigma-cve`) (covered in tests 07 and 08); instead `external_references` are now used, like so:

CVEs

Identified where `"source_name": "cve"`; the `external_id` property is what can be used to find the CVE id in the database.

ATT&CK

Most of the searches are done in the same way:
https://github.com/muchdogesec/arango_cti_processor/blob/main/tests/test-data-research.md#5-sigma-rule-indicator---attck-attack-pattern

- Tactic
- Techniques/Subtechniques: `external_id`s start with T
- Groups: `external_id`s start with G
- Software: `external_id`s start with S
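As an added illustration of the spec described above (this is not code from arango_cti_processor or its tests), the following Python snippet flags a sigma object that still carries the legacy `sigma-attack`/`sigma-cve` labels, and groups the `external_id` values of a spec-conformant object into the buckets the processor looks them up by. The sample objects and ids are constructed; the `"cve"` source name comes from the thread, while the `"mitre-attack"` source name, the `TA` prefix for tactics, and the exact digit shapes of ATT&CK ids are ATT&CK STIX conventions assumed here rather than stated on the page.

```python
import re

# Constructed sample objects; ids are placeholders, not real test data.
OLD_STYLE = {
    "type": "indicator",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "labels": ["sigma-attack", "sigma-cve"],  # pre-#16/#17 shape
}

NEW_STYLE = {
    "type": "indicator",
    "id": "indicator--00000000-0000-4000-8000-000000000002",
    "external_references": [
        {"source_name": "cve", "external_id": "CVE-2024-0001"},        # constructed
        {"source_name": "mitre-attack", "external_id": "T1059.001"},   # sub-technique
        {"source_name": "mitre-attack", "external_id": "G0016"},       # group
        {"source_name": "mitre-attack", "external_id": "S0002"},       # software
        {"source_name": "mitre-attack", "external_id": "TA0002"},      # tactic (assumed TA prefix)
        {"source_name": "sigma", "external_id": "not-an-attack-id"},   # unrelated reference
    ],
}

LEGACY_LABELS = {"sigma-attack", "sigma-cve"}

# Order matters: the tactic pattern must be tried before the technique one,
# because "TA0002" also starts with "T". Digit widths are an assumption.
ATTACK_PATTERNS = [
    ("x-mitre-tactic", re.compile(r"^TA\d{4}$")),
    ("attack-pattern", re.compile(r"^T\d{4}(\.\d{3})?$")),
    ("intrusion-set", re.compile(r"^G\d{4}$")),
    ("software", re.compile(r"^S\d{4}$")),
]


def check_spec(obj):
    """Return a list of spec problems; an empty list means the object conforms."""
    problems = []
    if LEGACY_LABELS & set(obj.get("labels", [])):
        problems.append("uses legacy sigma-attack/sigma-cve labels; move them to external_references")
    if not obj.get("external_references"):
        problems.append("no external_references present")
    return problems


def classify_references(obj):
    """Group external_ids by the object type the processor would search for."""
    buckets = {}
    for ref in obj.get("external_references", []):
        source, ext_id = ref.get("source_name"), ref.get("external_id", "")
        if source == "cve":
            buckets.setdefault("vulnerability", []).append(ext_id)
            continue
        if source != "mitre-attack":  # assumed ATT&CK source_name
            continue
        for bucket, pattern in ATTACK_PATTERNS:
            if pattern.match(ext_id):
                buckets.setdefault(bucket, []).append(ext_id)
                break
    return buckets


if __name__ == "__main__":
    for obj in (OLD_STYLE, NEW_STYLE):
        print(obj["id"], check_spec(obj) or "OK", classify_references(obj))
```

Running the file prints one line per sample object: the legacy one is reported as non-conformant, while the new-style object yields a bucket per id prefix, which is the same split the AQL query earlier in the thread performs over `target_ref` types.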