muchdogesec / sigma2stix

A command line tool that converts Sigma Rules into STIX 2.1 Objects.
Apache License 2.0

Add CTI Butler lookups for ATT&CK Matches #7

Closed himynamesdave closed 4 days ago

himynamesdave commented 1 week ago

This is currently covered in Arango CTI Processor Logic

I want to remove this logic from Arango CTI Processor Logic and have ATT&CK objects imported from CTI Butler.

Below is the logic currently in ACTIP

We essentially need the same thing; however, the lookup should not be local (an Arango search), it should be a call to the CTI Butler ATT&CK endpoints:

/api/v1/attack-enterprise/objects/{attack_id}/
/api/v1/attack-ics/objects/{attack_id}/
/api/v1/attack-mobile/objects/{attack_id}/

The ATT&CK object will be imported, and the relationship between indicator and ATT&CK created (as described below)

(use sigma2stix namespace for relationship gen)

Sigma Rule Indicator -> ATT&CK Attack Pattern relationship (sigma-attack)

Inside some Indicators for Sigma Rules are labels with ATT&CK tags. e.g.

    "labels": [
        "attack.T1055",
        "attack.T1055.011",
        "attack.S0039"
    ]

The labels identifying ATT&CKs always start with attack. followed by the ATT&CK ID.

You can identify the ATT&CK objects listed as follows:

    LET attack_ids = ["<ATTACK IDS>"]

    LET lowercased_attack_ids = (
        FOR id IN attack_ids
            RETURN LOWER(id)
    )

    LET enterprise_results = (
        FOR doc IN mitre_attack_enterprise_vertex_collection
            FILTER doc._stix2arango_note != "automatically imported on collection creation"
            AND doc._is_latest == true
            AND IS_ARRAY(doc.external_references)
            FOR ext_ref IN doc.external_references
                FILTER LOWER(ext_ref.external_id) IN lowercased_attack_ids
                RETURN doc
    )

    LET ics_results = (
        FOR doc IN mitre_attack_ics_vertex_collection
            FILTER doc._stix2arango_note != "automatically imported on collection creation"
            AND doc._is_latest == true
            AND IS_ARRAY(doc.external_references)
            FOR ext_ref IN doc.external_references
                FILTER LOWER(ext_ref.external_id) IN lowercased_attack_ids
                RETURN doc
    )

    LET mobile_results = (
        FOR doc IN mitre_attack_mobile_vertex_collection
            FILTER doc._stix2arango_note != "automatically imported on collection creation"
            AND doc._is_latest == true
            AND IS_ARRAY(doc.external_references)
            FOR ext_ref IN doc.external_references
                FILTER LOWER(ext_ref.external_id) IN lowercased_attack_ids
                RETURN doc
    )

    RETURN UNION(enterprise_results, ics_results, mobile_results)

Note, tactics (x-mitre-tactic) objects use the name of the object, not the ID, e.g.

    "labels": [
        "attack.credential_access"
    ]

In this case you need to search the name field by replacing the _ with a whitespace and making the first letter of each word upper case, e.g.

    LET enterprise_results = (
        FOR doc IN mitre_attack_enterprise_vertex_collection
            FILTER doc.type == "x-mitre-tactic"
            AND doc._is_latest == true
            AND doc.name == "Credential Access"
            RETURN doc
    )
    LET ics_results = (
        FOR doc IN mitre_attack_ics_vertex_collection
            FILTER doc.type == "x-mitre-tactic"
            AND doc._is_latest == true
            AND doc.name == "Credential Access"
            RETURN doc
    )
    LET mobile_results = (
        FOR doc IN mitre_attack_mobile_vertex_collection
            FILTER doc.type == "x-mitre-tactic"
            AND doc._is_latest == true
            AND doc.name == "Credential Access"
            RETURN doc
    )

    RETURN UNION(enterprise_results, ics_results, mobile_results)

When an ATT&CK label is identified in a Sigma STIX Indicator object, a relationship is created as follows:

    {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--<UUID V5 LOGIC>",
        "created_by_ref": "<IMPORTED IDENTITY OBJECT>",
        "created": "<indicator.created>",
        "modified": "<indicator.modified>",
        "relationship_type": "detects",
        "source_ref": "indicator--<SIGMA INDICATOR STIX OBJECT>",
        "target_ref": "<ATT&CK STIX OBJECT>",
        "description": "<SIGMA RULE NAME> <relationship_type without - char> <ATT&CK name>",
        "object_marking_refs": [
            "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
            "<MARKING DEFINITION IMPORTED>"
        ]
    }

To generate the id of the SRO, a UUIDv5 is generated using the namespace 2e51a631-99d8-52a5-95a6-8314d3f4fbf3 and the relationship_type+source_collection_name/source_ref+target_collection_name/target_ref values.

All generated objects are stored in the source edge collection.

You should also add the Arango internal property _arango_cti_processor_note == sigma-attack
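The label handling and relationship generation described in this issue, as an added example that is not code from sigma2stix or ACTIP. It classifies `attack.*` labels into ATT&CK IDs (looked up against the three CTI Butler paths above) or tactic names (underscores to spaces, each word capitalised), then builds the `detects` SRO with a deterministic UUIDv5. Assumptions: the sigma2stix namespace the issue asks for is not given, so the ACTIP namespace quoted above stands in; the seed layout is one reading of the `relationship_type+source_collection_name/source_ref+target_collection_name/target_ref` description; the sample indicator, ATT&CK object and collection names are constructed.

```python
import uuid
# Namespace the issue quotes for ACTIP ids; the sigma2stix namespace it asks for is not
# given, so this one stands in (assumption).
ACTIP_NAMESPACE = uuid.UUID("2e51a631-99d8-52a5-95a6-8314d3f4fbf3")
TLP_MARKING = "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"  # from the issue
ATTACK_DOMAINS = ("attack-enterprise", "attack-ics", "attack-mobile")
# Constructed samples standing in for a sigma2stix Indicator and a CTI Butler response object.
SAMPLE_INDICATOR = {"id": "indicator--0ee2a8c9-7f4f-4c4b-9a8c-1d2e3f4a5b6c", "name": "Demo Rule",
                    "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-02T00:00:00.000Z",
                    "labels": ["attack.T1055", "attack.T1055.011", "attack.credential_access"]}
SAMPLE_ATTACK = {"id": "attack-pattern--11111111-2222-5333-8444-555555555555", "name": "Process Injection"}


def classify_label(label):
    """Return ('id', 'T1055.011') for technique/software/group tags, ('tactic', 'Credential Access')
    for tactic tags, or None for labels that are not ATT&CK tags."""
    if not label.startswith("attack."):
        return None
    value = label[len("attack."):]
    # IDs are one letter followed by digits, with an optional .NNN sub-technique suffix.
    if value[:1].isalpha() and value[1:].replace(".", "", 1).isdigit():
        return ("id", value.upper())
    # Tactic tags carry the tactic name lower-cased and underscored: rebuild the object name.
    return ("tactic", " ".join(word.capitalize() for word in value.split("_")))


def lookup_paths(attack_id):
    """CTI Butler endpoint paths to query for an ATT&CK ID, one per matrix, in the issue's order."""
    return [f"/api/v1/{domain}/objects/{attack_id}/" for domain in ATTACK_DOMAINS]


def build_relationship(indicator, attack_obj, identity_id, marking_id,
                       source_collection="sigma_rules_vertex_collection",
                       target_collection="mitre_attack_enterprise_vertex_collection"):
    """Build the 'detects' SRO described in the issue; the collection names are assumed defaults."""
    rel_type = "detects"
    seed = f"{rel_type}+{source_collection}/{indicator['id']}+{target_collection}/{attack_obj['id']}"
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid5(ACTIP_NAMESPACE, seed)}",
        "created_by_ref": identity_id,
        "created": indicator["created"],
        "modified": indicator["modified"],
        "relationship_type": rel_type,
        "source_ref": indicator["id"],
        "target_ref": attack_obj["id"],
        "description": f"{indicator['name']} {rel_type.replace('-', '')} {attack_obj['name']}",
        "object_marking_refs": [TLP_MARKING, marking_id],
        "_arango_cti_processor_note": "sigma-attack",
    }
```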

himynamesdave commented 5 days ago

Same issue as #6

himynamesdave commented 4 days ago

Similar issue to #7 still happening (relationships created, but the actual object not imported)

    python3 sigma2stix.py \
            --mode sigmayaml \
            --file tests/demo_rule.yml

sigma-rule-bundle.json