Update ATT&CK data for the HELK Kibana dashboard.
Update Mitre Dashboard
Goal: Update the Mitre Dashboard from the HELK with the latest data.
Challenge
- The old data does not match the newer data, in both column names and count.
- Different sources with varying data formats.
- Sub-techniques are not included in the old data.
Set up
Get started:

```
poetry install
```
Mitreattack-py
MITRE offers a Python library to parse their data. The returned data is very rich and in JSON format. It surely contains all the columns we need, yet renaming and joining will require patience.
Challenge
- The data is split into different tables which reference each other.
- Table joining results in a 60GB and 130M row table.
- (Optionally) Exclude sub-techniques from the table.
The following script exports the data as CSV and the headers as TXT.

```
poetry run python run.py --matrix_name <matrix> --include_subtechniques --output_dir ./output
```

Options for `matrix_name` are `enterprise-attack`, `mobile-attack` and `ics-attack`.
Optional flags are:
- `--include_sub_techniques` to include sub-techniques.
- `--include_detection` to include detection methods.
- `--include_descriptions` to include descriptions of techniques, software, groups, etc.

Note: setting all flags will result in a 60GB CSV file and might take a while.
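The join described above, as an added example that is not part of the attack_dashboard project: it flattens an ATT&CK STIX bundle into CSV rows by joining techniques to tactics and to their parent technique via the `subtechnique-of` relationships, with an option to drop sub-techniques. The bundle below is constructed and trimmed to the fields the join needs; the column names are assumptions.

```python
import csv
import io
import json

# Constructed, minimal STIX 2.x bundle in the shape of enterprise-attack.json.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--1", "name": "Execution",
     "x_mitre_shortname": "execution"},
    {"type": "attack-pattern", "id": "attack-pattern--a", "name": "Command and Scripting Interpreter",
     "x_mitre_is_subtechnique": False,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
    {"type": "attack-pattern", "id": "attack-pattern--b", "name": "PowerShell",
     "x_mitre_is_subtechnique": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--b", "target_ref": "attack-pattern--a"},
]})

# Assumed output columns (the header line written to the .txt file on this page).
HEADERS = ["technique_id", "technique_name", "tactic", "is_subtechnique", "parent_id"]

def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1059.001) from the object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return ""

def flatten(bundle_json, include_subtechniques=True):
    """Join techniques to tactics and parents; one row per technique/tactic pair."""
    objs = json.loads(bundle_json)["objects"]
    tactics = {t["x_mitre_shortname"]: t["name"] for t in objs if t["type"] == "x-mitre-tactic"}
    # Revoked objects stay in the bundle; skip them or counts will be inflated.
    techniques = {o["id"]: o for o in objs if o["type"] == "attack-pattern" and not o.get("revoked")}
    parent_of = {r["source_ref"]: r["target_ref"] for r in objs
                 if r["type"] == "relationship" and r["relationship_type"] == "subtechnique-of"}
    rows = []
    for tid, tech in techniques.items():
        is_sub = tech.get("x_mitre_is_subtechnique", False)
        if is_sub and not include_subtechniques:
            continue
        parent = attack_id(techniques[parent_of[tid]]) if tid in parent_of else ""
        for phase in tech.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                tactic = tactics.get(phase["phase_name"], phase["phase_name"])
                rows.append([attack_id(tech), tech["name"], tactic, is_sub, parent])
    return rows

def to_csv(rows):
    """Serialise rows with the header line, ready for the Logstash CSV filter."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(HEADERS)
    writer.writerows(rows)
    return buf.getvalue()
```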
Send 2 Logstash
Now that we have the more or less lean data as CSV, let's use Logstash to import it into Elasticsearch. First set your credentials in the `.env` file. Then run:

```
export $(grep -v '^#' .env | xargs -d '\n')
export HEADERS=$(grep -v '^#' output/<pick1>.txt)
logstash -f logstash.conf
```

Then in a separate shell:

```
nc <logstash-host> 32173 -q 11 < output/<the-same1>.csv
```
OTRF attackcti
From the dude who wrote the HELK. Yet the columns do not match.
Work can be found in the mitre_tables notebook.
He also introduces the openhunt library to visualize pivoting. Experiments are in the openhunt notebook.