💡 [REQUEST] Ability to Filter on MITRE ATT&CK Metadata #360

Open
d3sch41n opened this issue Sep 26, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

d3sch41n (Contributor) commented Sep 26, 2023

Implementation PR

No response

Reference Issues

No response

Summary

The `ttpforge list ttps` command should have the ability to filter on the MITRE tactics/techniques/subtechniques fields.

Basic Example

Intended operation should implement "list all TTPs from these MITRE tactics" as follows:

```shell
ttpforge list ttps --mitre-tactics="TA0042,TA0003"
```

An error should be thrown if higher-specificity options are mixed with lower-specificity ones, because it's ambiguous what that should mean (intersection or union): intersection will give weird empty results too frequently due to non-overlapping filters, and union is better achieved by just running the command twice. Hence, this should error:

```shell
ttpforge list ttps --mitre-tactics="TA0042" --mitre-techniques="T1098"
```

Drawbacks

Maintaining a search index might take more work than anticipated.

Unresolved questions

No response

Associated Issues

#196

On Sep 26, 2023, d3sch41n added the enhancement (New feature or request) and batch-2023-q4 labels, and added and then removed the question (Clarification and/or additional information required to move forward) label.
d3sch41n (Contributor, Author) commented:
Note: No guarantees that this will be implemented in a fancy way - for example, I might just symlink a MITRE catalog directory structure on top of our existing Armory TTPs directory structure. Whatever gets the job done.

However, I'm thinking I'll probably have this command:

```shell
ttpforge search build-index
```

That will walk all the repos and update the index - this command will need to be re-run when you change any TTPs. We can ship the index files in the armory repo, like how ART does it

l50 (Contributor) commented Oct 19, 2023

> Note: No guarantees that this will be implemented in a fancy way - for example, I might just symlink a MITRE catalog directory structure on top of our existing Armory TTPs directory structure. Whatever gets the job done.
>
> However, I'm thinking I'll probably have this command:
>
> ```shell
> ttpforge search build-index
> ```
>
> That will walk all the repos and update the index - this command will need to be re-run when you change any TTPs. We can ship the index files in the armory repo, like how ART does it

This could work, although we'd probably want to use a goroutine to run on a regular basis in the background or based on changes in the target repo (could do like a git diff or track the commit hash and compare it).
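The following is an added example, not TTPForge's code, sketching how the pieces discussed in this thread fit together in Go: the single-specificity-level rule for the `--mitre-*` flags from the issue body, an in-memory form of the index that a `ttpforge search build-index` command would produce, and the commit-hash staleness check l50 suggests. The `MitreMeta` field names, the `Index` type, the `Stale` method and the sample TTP names are assumptions for illustration only; the real TTP YAML schema and armory contents are not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// MitreMeta holds the tactic/technique/subtechnique IDs a TTP declares.
// Field names are an assumption for this example, not TTPForge's schema.
type MitreMeta struct {
	Tactics       []string
	Techniques    []string
	SubTechniques []string
}

// TTP is the minimal slice of a TTP definition needed to index it.
type TTP struct {
	Name  string
	Mitre MitreMeta
}

// Index maps each MITRE ID to the TTP names declaring it, and records the
// repo commit it was built from so callers can detect a stale index.
type Index struct {
	Commit                               string
	byTactic, byTechnique, bySubTechnique map[string][]string
}

// ErrMixedSpecificity is returned when more than one filter level is given;
// the issue defines that combination as ambiguous rather than a join.
var ErrMixedSpecificity = errors.New("use only one of --mitre-tactics, --mitre-techniques, --mitre-subtechniques")

// BuildIndex is the in-memory equivalent of walking every TTP and recording
// its MITRE IDs. Keys are normalised so "t1098" and "T1098" both match.
func BuildIndex(ttps []TTP, commit string) *Index {
	idx := &Index{Commit: commit, byTactic: map[string][]string{},
		byTechnique: map[string][]string{}, bySubTechnique: map[string][]string{}}
	add := func(m map[string][]string, ids []string, name string) {
		for _, id := range ids {
			key := strings.ToUpper(strings.TrimSpace(id))
			m[key] = append(m[key], name)
		}
	}
	for _, t := range ttps {
		add(idx.byTactic, t.Mitre.Tactics, t.Name)
		add(idx.byTechnique, t.Mitre.Techniques, t.Name)
		add(idx.bySubTechnique, t.Mitre.SubTechniques, t.Name)
	}
	return idx
}

// Stale reports whether the TTP repo has moved past the indexed commit.
func (idx *Index) Stale(currentCommit string) bool { return idx.Commit != currentCommit }

// Query applies the proposed flag semantics: exactly one specificity level,
// comma-separated IDs within it are unioned, output is deduplicated and sorted.
func (idx *Index) Query(tactics, techniques, subtechniques string) ([]string, error) {
	type level struct {
		raw string
		m   map[string][]string
	}
	var chosen []level
	for _, l := range []level{{tactics, idx.byTactic}, {techniques, idx.byTechnique}, {subtechniques, idx.bySubTechnique}} {
		if strings.TrimSpace(l.raw) != "" {
			chosen = append(chosen, l)
		}
	}
	if len(chosen) == 0 {
		return nil, errors.New("no MITRE filter given")
	}
	if len(chosen) > 1 {
		return nil, ErrMixedSpecificity
	}
	seen := map[string]bool{}
	var out []string
	for _, id := range strings.Split(chosen[0].raw, ",") {
		for _, name := range chosen[0].m[strings.ToUpper(strings.TrimSpace(id))] {
			if !seen[name] {
				seen[name] = true
				out = append(out, name)
			}
		}
	}
	sort.Strings(out)
	return out, nil
}

// sampleTTPs is constructed input for the demo; names and mappings are
// illustrative, not entries from the real TTPForge armory.
func sampleTTPs() []TTP {
	return []TTP{
		{"create-local-account", MitreMeta{[]string{"TA0003"}, []string{"T1136"}, []string{"T1136.001"}}},
		{"ssh-authorized-keys", MitreMeta{[]string{"TA0003"}, []string{"T1098"}, []string{"T1098.004"}}},
		{"stage-tooling", MitreMeta{[]string{"TA0042"}, []string{"T1587"}, nil}},
	}
}

func main() {
	idx := BuildIndex(sampleTTPs(), "0123abcd")
	names, _ := idx.Query("TA0042,TA0003", "", "")
	fmt.Println("tactic union:", names)
	_, err := idx.Query("TA0042", "T1098", "")
	fmt.Println("mixed filters:", err)
	fmt.Println("stale after new commit:", idx.Stale("4567ef01"))
}
```

Rejecting mixed levels up front, before any lookup, keeps the CLI from silently returning an empty intersection; the `Stale` check is the cheap alternative to a background goroutine, letting `list ttps` refuse or warn when the armory has moved past the indexed commit.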
