tropChaud / Categorized-Adversary-TTPs

Merge of two major cyber adversary datasets, MITRE ATT&CK and ETDA/ThaiCERT Threat Actor Cards, enabling victim/motivation-adversary-technique pivoting.
MIT License

Pulling all thaiCERT card data #1

Closed adchdev closed 1 year ago

adchdev commented 1 year ago

I've noticed that this dataset has 124 rows whereas the total number of threat actors on the thaiCERT website is over 400. I assume this is because this dataset only maps those actors that also have a MITRE profile.

However, I would like to pull the entire thaiCERT dataset, but using this link provided on its homepage only provides columns like the group's name, description and country. It doesn't provide the data on motivation, sector, country etc.

It appears the only way to get that data is to pull the JSON file from each actor's card, but I would like to avoid doing that 400+ times for each actor. Is there a better way to do this based on your experience with the thaiCERT dataset?

tropChaud commented 1 year ago

I'm sorry that I just saw this now. If you are still interested in the answer (and didn't figure it out yet) - yes, you are correct that my dataset only included those groups with ATT&CK TTPs, but there is another way to pull the data down at scale generally.

See the tgc-actors.json file linked here under the MISP Users header, or the direct link here: https://apt.etda.or.th/cgi-bin/getmisp.cgi?o=g

adchdev commented 1 year ago

Thanks for the reply. I did pull the JSON from the thaiCERT website but these are the only columns it shows in my Power BI:

[image: actors]

There's no motivation, victim industries, victim countries, etc., like in the threat group cards or in your merged dataset.

I don't want to load each threat group card's JSON 400 times...

AbeWinters commented 1 year ago

@acwh0110 Note that the victim industries and countries are named differently in this JSON file from https://apt.etda.or.th/cgi-bin/getmisp.cgi?o=g

They are called cfr-target-category and cfr-suspected-victims, respectively.

See the image below: [image]

If you cannot access the actor data in this JSON, try expanding the top level values list. This list contains all the actors.
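The flattening step described in the last comment, as an added example that is not part of the original thread or the repository's code: it expands the top-level values list into one row per actor so that cfr-target-category and cfr-suspected-victims become ordinary columns. It assumes the export follows the MISP galaxy cluster layout (actor name under `value`, nested fields under `meta`); the sample document is constructed.

```python
import csv
import io

# Constructed sample shaped like a MISP galaxy cluster (assumption: the
# export nests per-actor fields under "meta" and names the actor in "value").
SAMPLE = {
    "name": "Constructed sample",
    "values": [
        {"value": "Example Actor A", "description": "constructed entry",
         "meta": {"cfr-target-category": ["Government", "Energy"],
                  "cfr-suspected-victims": ["Country 1", "Country 2"]}},
        {"value": "Example Actor B",
         "description": "constructed entry without meta"},
    ],
}

LIST_SEP = "; "  # multi-valued fields are joined into a single cell


def flatten_actor(entry):
    """Turn one entry of the values list into a flat row."""
    row = {"name": entry.get("value", ""),
           "description": entry.get("description", "")}
    for key, val in (entry.get("meta") or {}).items():
        if isinstance(val, list):
            val = LIST_SEP.join(str(v) for v in val)
        row[key] = val
    return row


def flatten_galaxy(doc):
    """Return (columns, rows) for every actor in the top-level values list."""
    values = doc.get("values")
    if not isinstance(values, list):
        raise ValueError("no top-level 'values' list in this document")
    rows = [flatten_actor(e) for e in values if isinstance(e, dict)]
    extra = sorted({k for r in rows for k in r} - {"name", "description"})
    return ["name", "description"] + extra, rows


def to_csv(doc):
    """Render the flattened actors as CSV text; missing fields stay empty."""
    columns, rows = flatten_galaxy(doc)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE))
```

To run it on the real export, load the downloaded file with `json.load` and pass the result to `to_csv`; the resulting CSV can be loaded into Power BI as a flat table.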