Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding script to calcuate CAR-like coverage #177

Open
wants to merge 100 commits into
base: master
Choose a base branch
from
Open

Adding script to calcuate CAR-like coverage #177

wants to merge 100 commits into from

Conversation

keepwatch
Copy link

@keepwatch keepwatch commented Sep 26, 2023
edited
Loading

From the README: This script queries four open-source detection repositories to calculate known and likely detectable MITRE ATT&CK techniques. It's inspired by and attempts to improve CAR's coverage comparison website. (ed. note - it seemed like keeping it with the other CAR code would be a good fit!)

Key differences:

  • Split per-technique detection results by operating system (Windows and Linux only for now)
  • Focuses on detections in "active" library content (a Github term search will match on content like this deprecated Sigma rule, and it seems like CAR is including these results)
  • Can be run anytime instead of depending on a CAR coverage update (last update as of writing was December 30, 2022)
  • Outputs a conservative list of "likely detectable" techniques and subtechniques using the conditions above and a configurable threshold (UNIQUE_DETECTION_THRESHOLD).

This is linked to #176 .

dependabot bot and others added 30 commits May 19, 2022 03:35
@dependabot
Bump nokogiri from 1.13.3 to 1.13.6 in /docs
7d1f069 
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.13.3 to 1.13.6.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.13.3...v1.13.6)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@alexiacrumpton
Delete implementations directory
d928619 
Added bzar as a submodule
@alexiacrumpton
Create updates.md
006e043
@alexiacrumpton
Update index.md
7de7b1e
@alexiacrumpton
Rename updates.md to index.md
47e3fbb
@alexiacrumpton
Update and rename docs/resources/index.md to docs/resources/updates/i…
7ba4d38 
…ndex.md
@alexiacrumpton
Rename docs/Glossary.md to docs/resources/glossary/index.md
f8f54cf
@alexiacrumpton
Create index.md
1c02e6b
@alexiacrumpton
Update header.html
21a1861
@Ptylu
Update CAR-2016-04-002.yaml
257fc5c 
Update to merge CAR-2021-01-003.yaml in CAR-2016-04-002.yaml.
New attack and detection added
@Ptylu
Update CAR-2016-04-002.yaml
1d17ce0 
yaml typo corrected
@dependabot
Bump tzinfo from 1.2.5 to 1.2.10 in /docs
3457780 
Bumps [tzinfo](https://github.com/tzinfo/tzinfo) from 1.2.5 to 1.2.10.
- [Release notes](https://github.com/tzinfo/tzinfo/releases)
- [Changelog](https://github.com/tzinfo/tzinfo/blob/master/CHANGES.md)
- [Commits](tzinfo/tzinfo@v1.2.5...v1.2.10)

---
updated-dependencies:
- dependency-name: tzinfo
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@InfiniteInsight
Update file.md
b48c969 
fixing coverage map table formatting for autoruns and sysmon line breaks
@InfiniteInsight
Merge pull request mitre-attack#1 from InfiniteInsight/InfiniteInsigh…
0882ed9 
…t-file-md-format-fix-1

fixing coverage map table formatting for autoruns and sysmon line breaks
@InfiniteInsight
Create http.md
2f2c58a 
Initial commit of planned file that is missing from current production repo
@InfiniteInsight
Merge pull request mitre-attack#2 from InfiniteInsight/InfiniteInsigh…
707eb02 
…t-docs-data_model-http-md-creation-01

Create http.md
@InfiniteInsight
Beginning to format document based on car/data_model/ http.yml
0ae783c
@InfiniteInsight
adding headings and the coverage map table
04f7456
@InfiniteInsight
adjusting table format for coverage map
2049ec3
@InfiniteInsight
Merge pull request mitre-attack#3 from InfiniteInsight/http-md-writing
06f0d71 
Http md writing
@InfiniteInsight
fixing like breaks in the coverage map table
34959d9
@InfiniteInsight
Merge pull request mitre-attack#4 from InfiniteInsight/http-md-writing
a749871 
fixing like breaks in the coverage map table
@InfiniteInsight
Update process.md
0abab47 
Changing line 41 example from `FooCorp` to `True` since it is a boolean.
@InfiniteInsight
Merge pull request mitre-attack#5 from InfiniteInsight/InfiniteInsigh…
c16920e 
…t-process.md-fix-1

Update process.md
@dependabot
Bump pillow from 9.0.1 to 9.3.0 in /scripts
246813d 
Bumps [pillow](https://github.com/python-pillow/Pillow) from 9.0.1 to 9.3.0.
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@9.0.1...9.3.0)

---
updated-dependencies:
- dependency-name: pillow
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@alexiacrumpton
Merge pull request mitre-attack#160 from InfiniteInsight/master
d2824f1 
Create missing car/docs/data_model/http.md file
@dependabot
Bump certifi from 2020.12.5 to 2022.12.7 in /scripts
54be062 
Bumps [certifi](https://github.com/certifi/python-certifi) from 2020.12.5 to 2022.12.7.
- [Release notes](https://github.com/certifi/python-certifi/releases)
- [Commits](certifi/python-certifi@2020.12.05...2022.12.07)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@alexiacrumpton
Merge pull request mitre-attack#156 from mitre-attack/dependabot/bund…
302b402 
…ler/docs/nokogiri-1.13.6

Bump nokogiri from 1.13.3 to 1.13.6 in /docs
@alexiacrumpton
Merge pull request mitre-attack#157 from Ptylu/Ptylu-update-CAR-2016-…
e6a9a7f 
…04-002

Ptylu update car 2016 04 002
@alexiacrumpton
Merge pull request mitre-attack#158 from mitre-attack/dependabot/bund…
3fa6f5b 
…ler/docs/tzinfo-1.2.10

Bump tzinfo from 1.2.5 to 1.2.10 in /docs
Amndeep7 and others added 29 commits February 23, 2023 23:30
@Amndeep7
implemented data model template
ad45f84 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
changed up whitespace and also used td instead of th
8ca29c2 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
changed whitespace again and simplified table structure
a51838f 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
trying with th again
ffac373 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
wrapped examples with code tags
6937482 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
fixed tables to actually show the sensors
6649d58 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
markdown links don't work in html table
5d01e40 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
update references to the glossary's location and also run the redirec…
e7ac755 
…ts script

Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
made the key of the dict the filename instead of the path since i nev…
a951c30 
…er use that path anyways

Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
generate index file from template
e4b4a89 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
generate index with sensors
0912ea8 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
formatting change to fix tables
01ff21d 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
use the more modern pathlib instead of path and glob
5b9c3a8 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@alexiacrumpton
Merge pull request mitre-attack#166 from Amndeep7/generate_improvements
01c9588 
Generate script improvements and runs
@alexiacrumpton
Merge pull request mitre-attack#167 from Amndeep7/generate_workflow
fbb3cfc 
Workflow to automatically regenerate /docs on every push to master and pr
@alexiacrumpton
Merge pull request mitre-attack#168 from Amndeep7/yaml
9a02481 
Yaml
@alexiacrumpton
Automated commit to rebuild the static site
5684c73 
Signed-off-by: Build and Push Automation Script <>
@Amndeep7
resolved conflicts
c8c2314 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
added generate_datamodels to the workflow
581658f 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
added coverage field to datamodel schema
2e5f456 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
reran generate analytics - just seem to hae changed the order for som…
7abef66 
…e of them

Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
reran generate sensors - seems to put the data model coverage section…
292d191 
… in a different order than live

Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
reran generate nav layer - seems to be a reordering
1ac88dc 
Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
handle case where data_model directory is removed entirely before reg…
d720756 
…enerating files

Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
reran generate_datamodels - changes to file permissions to not be exe…
9f06a95 
…cutable

Signed-off-by: Amndeep Singh Mann <[email protected]>
@Amndeep7
Automated commit to rebuild the static site
6a882ac 
Signed-off-by: Build and Push Automation Script <>
@alexiacrumpton
Merge pull request mitre-attack#170 from Amndeep7/generate_datamodel
50bae40 
Create generate_datamodels script
@keepwatch
Create detectable_calcuator.py
84ac9ea
@keepwatch
Adding supplement files
9d8b6cc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@keepwatch @wzy19830823 @alexiacrumpton @Ptylu @InfiniteInsight @Amndeep7