island: When generating ATT&CK report for techniques mapped to PBAs, check telem event's OS and technique's relevant systems
This commit is contained in:
parent
cccdf7f6c3
commit
81252e2b6a
@ -18,7 +18,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
|
|||
...
|
||||
|
||||
@classmethod
|
||||
def get_pba_query(cls, post_breach_action_names):
|
||||
def get_pba_query(cls, post_breach_action_names, relevant_systems):
|
||||
"""
|
||||
:param post_breach_action_names: Names of post-breach actions with which the technique is
|
||||
associated
|
||||
|
@ -29,8 +29,11 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
|
|||
return [
|
||||
{
|
||||
"$match": {
|
||||
"telem_category": "post_breach",
|
||||
"$or": [{"data.name": pba_name} for pba_name in post_breach_action_names],
|
||||
"$and": [
|
||||
{"telem_category": "post_breach"},
|
||||
{"$or": [{"data.name": pba_name} for pba_name in post_breach_action_names]},
|
||||
{"$or": [{"data.os": os} for os in relevant_systems]},
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -50,13 +53,18 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
|
|||
|
||||
@cls.is_status_disabled
|
||||
def get_technique_status_and_data():
|
||||
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
|
||||
info = list(
|
||||
mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names, cls.relevant_systems))
|
||||
)
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
if info:
|
||||
successful_PBAs = mongo.db.telemetry.count(
|
||||
{
|
||||
"$or": [{"data.name": pba_name} for pba_name in cls.pba_names],
|
||||
"data.result.1": True,
|
||||
"$and": [
|
||||
{"$or": [{"data.name": pba_name} for pba_name in cls.pba_names]},
|
||||
{"$or": [{"data.os": os} for os in cls.relevant_systems]},
|
||||
{"data.result.1": True},
|
||||
]
|
||||
}
|
||||
)
|
||||
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
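Review bot: The docstring in the first hunk still documents only `post_breach_action_names`; the added `relevant_systems` parameter needs its own entry, e.g. `:param relevant_systems: values that a telemetry event's data.os must match for the technique to apply`. In the second and third hunks, `{"$or": [{"data.os": os} for os in relevant_systems]}` yields an empty `$or` array when a technique declares no relevant systems, and MongoDB rejects an empty `$or`, so report generation would fail on that technique rather than reporting it as unscanned; either validate that `relevant_systems` is non-empty where it is declared or omit the clause when it is empty. The loop variable `os` also shadows the `os` module name if this file imports it; `for os_name in relevant_systems` avoids the ambiguity. The body of get_pba_query continues outside the first hunk, and get_technique_status_and_data continues past the end of the third.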
|
||||
|
|