From 813d4cab6976c3bd811ae1e24dc43dbb56c5f640 Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Tue, 15 Dec 2020 09:09:15 -0700
Subject: [PATCH 1/3] Make threat.technique optional

---
 detection_rules/schemas/v7_11.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection_rules/schemas/v7_11.py b/detection_rules/schemas/v7_11.py
index 934adf7f5ab..35792a0d033 100644
--- a/detection_rules/schemas/v7_11.py
+++ b/detection_rules/schemas/v7_11.py
@@ -24,7 +24,7 @@ class ThreatSubTechnique(jsl.Document):
     subtechnique = jsl.ArrayField(jsl.DocumentField(ThreatSubTechnique), required=False)
 
     # override the `technique` field definition
-    technique = jsl.ArrayField(jsl.DocumentField(ThreatTechnique), required=True)
+    technique = jsl.ArrayField(jsl.DocumentField(ThreatTechnique), required=False)
 
 
 class ApiSchema711(ApiSchema710):

From 21fd55d99c7c167ca664900a9fa94e270865948b Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Thu, 17 Dec 2020 12:05:21 -0900
Subject: [PATCH 2/3] make techniques optional in attack builder

---
 detection_rules/attack.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/detection_rules/attack.py b/detection_rules/attack.py
index d008d8fc94a..f982ae5189b 100644
--- a/detection_rules/attack.py
+++ b/detection_rules/attack.py
@@ -134,7 +134,6 @@ def make_entry(_id):
 
     entry = {
         'framework': 'MITRE ATT&CK',
-        'technique': sorted(tech_entries.values(), key=lambda x: x['id']),
         'tactic': {
             'id': tactic_id,
             'name': tactic,
@@ -142,6 +141,9 @@ def make_entry(_id):
         }
     }
 
+    if tech_entries:
+        entry['technique'] = sorted(tech_entries.values(), key=lambda x: x['id'])
+
     return entry
 
 

From 589ccd0221c1ac35e605c47d79398e72d0f0eafc Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Thu, 17 Dec 2020 12:06:10 -0900
Subject: [PATCH 3/3] Make techniques optional in rule builder

---
 detection_rules/rule.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
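Review bot: Switching the `technique` override to `required=False` makes the key optional but still validates an empty list, so a hand-authored rule carrying `technique: []` passes the schema even though the builder in this series never emits one; if an empty array is not a meaningful mapping, tighten it to `technique = jsl.ArrayField(jsl.DocumentField(ThreatTechnique), required=False, min_items=1)`, otherwise say explicitly why `[]` is acceptable. The existing `# override the technique field definition` comment should also record why the override now differs, e.g. `# override: optional as of 7.11 so a threat entry may map a tactic with no techniques`. The enclosing class header is outside the hunk, and whether `min_items=1` matches what the 7.11 rules API accepts for `threat.technique` should be confirmed against that API rather than assumed from here.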
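Review bot: The returned mapping now omits the `technique` key altogether when `tech_entries` is empty, where the old code always carried a list, so any consumer that indexes `entry['technique']` directly will raise `KeyError` on a tactic-only mapping; those callers are not visible from this hunk and should be audited, switching to `entry.get('technique', [])` wherever the old empty list was relied on. The function's docstring (its header is outside the hunk) should state the new contract: techniques are sorted by `id` and the key is absent when `tech_entries` is empty. The enclosing function begins and ends outside the hunk.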
diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 480c8f5b66d..b4bfc604887 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -362,7 +362,7 @@ def build(cls, path=None, rule_type=None, required_only=True, save=True, verbose
             while click.confirm('add mitre tactic?'):
                 tactic = schema_prompt('mitre tactic name', type='string', enum=tactics, required=True)
                 technique_ids = schema_prompt(f'technique or sub-technique IDs for {tactic}', type='array',
-                                              required=True, enum=list(technique_lookup))
+                                              required=False, enum=list(technique_lookup)) or []
 
                 try:
                     threat_map.append(build_threat_map_entry(tactic, *technique_ids))
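Review bot: The prompt text still reads as though an answer is mandatory even though the field is now optional, so the user is not told they can leave it blank; change it to `f'technique or sub-technique IDs for {tactic} (optional, leave blank for tactic only)'`. The trailing `or []` coerces any falsy return to an empty list, which is fine for `None`, `''` or `[]`, but `*technique_ids` would unpack a string character by character if `schema_prompt(type='array')` ever returns a non-list truthy value — that return type is not visible here and should be confirmed. `build` starts and continues outside the hunk.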