island: When generating ATT&CK report for techniques mapped to PBAs, check telem event's OS and technique's relevant systems

This commit is contained in:
Shreya Malviya 2021-10-06 14:45:48 +05:30
parent cccdf7f6c3
commit 81252e2b6a
1 changed files with 14 additions and 6 deletions


@ -18,7 +18,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
...
@classmethod
def get_pba_query(cls, post_breach_action_names):
def get_pba_query(cls, post_breach_action_names, relevant_systems):
"""
:param post_breach_action_names: Names of post-breach actions with which the technique is
associated
@ -29,8 +29,11 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
return [
{
"$match": {
"telem_category": "post_breach",
"$or": [{"data.name": pba_name} for pba_name in post_breach_action_names],
"$and": [
{"telem_category": "post_breach"},
{"$or": [{"data.name": pba_name} for pba_name in post_breach_action_names]},
{"$or": [{"data.os": os} for os in relevant_systems]},
]
}
},
{
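Review bot: The new clause `{"$or": [{"data.os": os} for os in relevant_systems]}` yields an empty `$or` array when a technique declares no relevant systems, and MongoDB rejects an empty `$or`/`$and` array, so the aggregation raises instead of returning no rows; the same shape is repeated in the `count` filter of the third hunk (`{"$or": [{"data.os": os} for os in cls.relevant_systems]}`), which continues past the end of this excerpt. Building the `$and` list first and appending the OS clause only when `relevant_systems` is non-empty keeps the pre-commit behaviour (no OS filter) for techniques without one; if an empty list is instead meant to match nothing, that should be made explicit rather than left to the driver error. The loop variable `os` will shadow the `os` module if this file imports it, so a name like `system` or `os_name` would be safer. The docstring begun in the first hunk appears to document only `post_breach_action_names`; if its continuation does not already cover the new parameter, add `:param relevant_systems: OSes on which the technique's PBAs can run; telemetry from other OSes is excluded`.
```python
        # … unchanged: docstring …
        and_clauses = [
            {"telem_category": "post_breach"},
            {"$or": [{"data.name": pba_name} for pba_name in post_breach_action_names]},
        ]
        # MongoDB rejects an empty $or array, so only add the OS filter when the
        # technique actually declares relevant systems (otherwise all OSes match).
        if relevant_systems:
            and_clauses.append({"$or": [{"data.os": system} for system in relevant_systems]})
        return [
            {"$match": {"$and": and_clauses}},
            # … unchanged: remaining pipeline stages …
```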
@ -50,13 +53,18 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
@cls.is_status_disabled
def get_technique_status_and_data():
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
info = list(
mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names, cls.relevant_systems))
)
status = ScanStatus.UNSCANNED.value
if info:
successful_PBAs = mongo.db.telemetry.count(
{
"$or": [{"data.name": pba_name} for pba_name in cls.pba_names],
"data.result.1": True,
"$and": [
{"$or": [{"data.name": pba_name} for pba_name in cls.pba_names]},
{"$or": [{"data.os": os} for os in cls.relevant_systems]},
{"data.result.1": True},
]
}
)
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value