pan-unit42 / playbook_viewer

MIT License

Where do the campaign dates come from? #5

Closed borgendorf closed 5 years ago

borgendorf commented 5 years ago

Hi there. I'm trying to validate that I'm using all of the information you've provided correctly in our application. The first report we've ingested is the Tick group. I see two campaigns in the data, and they match up with the specific attack patterns used for each one just like I see on the Playbook Viewer page. However, the data file names one campaign "January 2018" but on the Viewer it says, "December 2017 to January 2018". Where do those dates come from? Are you using the "first_seen" and "last_seen" dates and extrapolating?

"December 2017 to January 2018"

{
  "type": "campaign",
  "id": "campaign--be7cda7f-8a8a-4bf6-9ba3-5c713664ecdf",
  "created": "2018-07-11T20:25:11.667Z",
  "modified": "2018-07-23T17:49:05.500Z",
  "name": "January 2018",
  "description": "\nTick group targeted a specific type of secure USB drive [snip]...",
  "first_seen": "2018-01-01",
  "last_seen": "2018-01-12"
}

"October 2016 to June 2017"

{
  "type": "campaign",
  "id": "campaign--358b5915-2a63-4406-828f-890558e27a1f",
  "created": "2018-08-03T13:20:50.755Z",
  "modified": "2018-08-06T18:11:18.234Z",
  "name": "July 2017",
  "description": " The “Tick” group has conducted cyber espionage attacks [snip]... ",
  "first_seen": "2016-11-01",
  "last_seen": "2017-07-01"
}

eiyuki commented 5 years ago

The campaign dates come from the Playbook JSON.

The dates are read in from the Playbook JSON and converted to Date objects in the Viewer using JavaScript's Date(...) constructor, which is most likely displaying the date in local time instead of UTC. Depending on the timezone and time of day it is possible this causes an off-by-one (day) error. However, since the first_seen and last_seen are frequently the first and last day of the month respectively, this one-day change throws off the month in the Playbook Viewer.

I have merged changes that should help to correct this.

If there are any more discrepancies between the dates in the Playbook JSON and the dates in the Playbook Viewer, go with the dates in the JSON, and please let us know.
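An added example (not code from the playbook_viewer project) that reproduces the shift described above: the bare Date constructor parses a date-only string as UTC midnight, so local-time getters in a zone west of UTC land on the previous day, and first_seen/last_seen values on a month boundary change month. The local-zone behaviour is emulated with an explicit offset (480 minutes, i.e. an assumed UTC-8 zone) so the result does not depend on the machine's own timezone; the fixed version reads the calendar fields with UTC getters.

```javascript
const MONTHS = ["January", "February", "March", "April", "May", "June",
  "July", "August", "September", "October", "November", "December"];

// Parse a YYYY-MM-DD string explicitly as UTC midnight. This is the same
// instant `new Date("YYYY-MM-DD")` produces, but stated without relying on
// the constructor's date-only parsing rule.
function parseIsoDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) throw new Error("expected YYYY-MM-DD, got " + s);
  return new Date(Date.UTC(+m[1], +m[2] - 1, +m[3]));
}

// Buggy label: emulates what getMonth()/getFullYear() return in a zone
// `offsetMinutes` west of UTC. Real viewer code would call the local getters
// directly, and the outcome would depend on the browser's timezone.
function localMonthLabel(s, offsetMinutes) {
  const shifted = new Date(parseIsoDate(s).getTime() - offsetMinutes * 60000);
  return `${MONTHS[shifted.getUTCMonth()]} ${shifted.getUTCFullYear()}`;
}

// Fixed label: UTC getters read the calendar fields that were written in the
// JSON, so the day (and therefore the month) never shifts.
function utcMonthLabel(s) {
  const d = parseIsoDate(s);
  return `${MONTHS[d.getUTCMonth()]} ${d.getUTCFullYear()}`;
}

// Build the "X to Y" range shown in the viewer from a campaign's dates.
function campaignRange(firstSeen, lastSeen, label = utcMonthLabel) {
  const a = label(firstSeen), b = label(lastSeen);
  return a === b ? a : `${a} to ${b}`;
}

// Constructed from the two campaign objects quoted in the issue.
const campaigns = [
  { name: "January 2018", first_seen: "2018-01-01", last_seen: "2018-01-12" },
  { name: "July 2017", first_seen: "2016-11-01", last_seen: "2017-07-01" },
];
for (const c of campaigns) {
  const buggy = campaignRange(c.first_seen, c.last_seen, (s) => localMonthLabel(s, 480));
  const fixed = campaignRange(c.first_seen, c.last_seen);
  console.log(`${c.name}: local-time (UTC-8) -> "${buggy}", UTC -> "${fixed}"`);
}
```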

borgendorf commented 5 years ago

Fantastic. I saw the update today and the months match up to the first_ and last_seen properties now. Thanks!