From 53027bde727acd649753337523c9d5a7527755c0 Mon Sep 17 00:00:00 2001 From: DGabri Date: Tue, 6 Aug 2024 12:31:01 +0200 Subject: [PATCH] Added mitre info in host alert table. To implement filters --- .../datatable/sprymedia-datatable-utils.js | 17 + http_src/vue/page-alert-stats.vue | 3 +- httpdocs/tables_config/alert_host.json | 42 +- scripts/locales/en.lua | 8 +- .../modules/alert_store/host_alert_store.lua | 24 + scripts/lua/modules/mitre_utils.lua | 410 +++++++++++++++++- 6 files changed, 494 insertions(+), 10 deletions(-) diff --git a/http_src/utilities/datatable/sprymedia-datatable-utils.js b/http_src/utilities/datatable/sprymedia-datatable-utils.js index 479dce44a1f2..a720ca2ad878 100644 --- a/http_src/utilities/datatable/sprymedia-datatable-utils.js +++ b/http_src/utilities/datatable/sprymedia-datatable-utils.js @@ -674,6 +674,23 @@ export class DataTableRenders { return cell; } + static formatMitreId(obj) { + return DataTableRenders.filterize('mitre_id', obj.mitre_id, obj.mitre_id_i18n, obj.mitre_id_i18n, obj.mitre_id_i18n); + } + + static formatMitreTactic(obj) { + return DataTableRenders.filterize('mitre_tactic', obj.mitre_tactic, i18n(obj.mitre_tactic_i18n), obj.mitre_tactic_i18n, obj.mitre_tactic_i18n); + } + + static formatMitreTechnique(obj) { + return DataTableRenders.filterize('mitre_tactic', obj.mitre_technique, i18n(obj.mitre_technique_i18n), obj.mitre_technique_i18n, obj.mitre_technique_i18n); + } + + static formatMitreSubTechnique(obj) { + return DataTableRenders.filterize('mitre_tactic', obj.mitre_subtechnique, i18n(obj.mitre_subtechnique_i18n), obj.mitre_subtechnique_i18n, obj.mitre_subtechnique_i18n); + + } + static formatScore(obj, type, row, zero_is_null) { if (type !== "display") return obj.value; let cell = obj.label; diff --git a/http_src/vue/page-alert-stats.vue b/http_src/vue/page-alert-stats.vue index e3856f096d77..00222759d57f 100644 --- a/http_src/vue/page-alert-stats.vue +++ b/http_src/vue/page-alert-stats.vue 
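Review bot: `formatMitreTechnique` and `formatMitreSubTechnique` pass `'mitre_tactic'` as the first argument to `DataTableRenders.filterize`, so, assuming that argument is the filter column as it is in `formatMitreTactic` and in the existing `'srv2cli_bytes'` renderer, clicking a technique or sub-technique cell would filter on the tactic column; they should read `DataTableRenders.filterize('mitre_technique', obj.mitre_technique, …)` and `DataTableRenders.filterize('mitre_subtechnique', obj.mitre_subtechnique, …)`. `formatMitreId` reads `obj.mitre_id_i18n`, which the new `format_record` in host_alert_store.lua never sets, and passes it without the `i18n()` wrapper the other three use, so the label is undefined; pass `obj.mitre_id` as the label or populate the field on the Lua side. Since these labels originate from the alert store row rather than a fixed enum, it is worth confirming that `filterize` escapes its label argument before it reaches the cell; its body is outside this diff. The stray blank line before the closing brace of `formatMitreSubTechnique` should also go.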
@@ -382,6 +382,7 @@ function update_select_query_presets() { const map_table_def_columns = async (columns) => { await ntopng_sync.on_ready(get_query_presets_sync_key()); + let map_columns = { "l7_proto": (proto, row) => { let confidence = ""; @@ -404,7 +405,7 @@ const map_table_def_columns = async (columns) => { }, "srv2cli_bytes": (info, row) => { return `${DataTableRenders.filterize('srv2cli_bytes', row.total_bytes.bytes_rcvd, formatterUtils.getFormatter("bytes")(row.total_bytes.bytes_rcvd))}`; - }, + } }; let set_query_preset_columns = selected_query_preset.value.is_preset && columns.length > 0; diff --git a/httpdocs/tables_config/alert_host.json b/httpdocs/tables_config/alert_host.json index 1b7866ed43ee..3bd897b1e515 100644 --- a/httpdocs/tables_config/alert_host.json +++ b/httpdocs/tables_config/alert_host.json 
@@ -50,24 +50,56 @@ "class": ["text-center"] }, { - "title_i18n": "alerts_dashboard.alert", + "title_i18n": "alerts_dashboard.alert", "data_field": "msg", "sortable": false, - "min-width" : "155px", + "min-width" : "155px", "render_type": "formatNameDescription", "class": ["text-nowrap"] }, { - "title_i18n": "host_details.host", + "title_i18n": "host_details.host", "data_field": "ip", "sortable": false, - "min-width" : "155px", + "min-width" : "155px", "render_type": "formatHost", "class": ["text-nowrap"] }, { - "title_i18n": "description", + "title_i18n": "description", "data_field": "description", + "sortable": false, + "min-width" : "200px", + "class": ["text-nowrap"] + }, + { + "title_i18n": "mitre.mitre_id", + "data_field": "mitre_data", + "render_type": "formatMitreId", + "sortable": false, + "min-width" : "200px", + "class": ["text-nowrap"] + }, + { + "title_i18n": "mitre.mitre_tactic", + "data_field": "mitre_data", + "render_type": "formatMitreTactic", + "sortable": false, + "min-width" : "200px", + "class": ["text-nowrap"] + }, + { + "title_i18n": "mitre.mitre_technique", + "data_field": "mitre_data", + "render_type": "formatMitreTechnique", + "sortable": false, + "min-width" : "200px", + "class": ["text-nowrap"] + }, + { + "title_i18n": "mitre.mitre_sub_technique", + "data_field": "mitre_data", + "render_type": "formatMitreSubTechnique", "sortable": false, "min-width" : "200px", "class": ["text-nowrap"] diff --git a/scripts/locales/en.lua b/scripts/locales/en.lua index 2f8134e24c9e..cfd39a70055f 100644 --- a/scripts/locales/en.lua +++ b/scripts/locales/en.lua @@ -5621,6 +5621,10 @@ local lang = { ["secs"] = "Secs", }, ["mitre"] = { + ['mitre_tactic'] = "Mitre Tactic", + ['mitre_technique'] = "Mitre Technique", + ['mitre_sub_technique'] = "Mitre Subtechnique", + ['mitre_id'] = "Mitre ID", ["sub_technique"] = { ["arp_cache_poisoning"] = "Arp Cache Poisoning", ["dhcp_spoofing"] = "DHCP Spoofing", 
@@ -5694,7 +5698,7 @@ local lang = { ["hide_infrastructure"] = "Hide Infrastructure", ["impair_defenses"] = "Impair Defenses", ["indicator_removal"] = "Indicator Removal", - ["ingress_tool_tranfer"] = "Ingress Tool Tranfer", + ["ingress_tool_transfer"] = "Ingress Tool Transfer", ["internal_spearphishing"] = "Internal Spearphishing", ["lateral_tool_transfer"] = "Lateral Tool Transfer", ["network_ddos"] = "Network Denial of Service", @@ -5711,7 +5715,7 @@ local lang = { ["remote_system_discovery"] = "Remote System Discovery", ["resource_hijacking"] = "Resource Hijacking", ["rogue_domain_controller"] = "Rogue Domain Controller", - ["scheduled_tranfer"] = "Scheduled Tranfer", + ["scheduled_transfer"] = "Scheduled Transfer", ["search_open_tech_db"] = "Search Open Technical Databases", ["server_software_component"] = "Server Software Component", ["session_hijacking"] = "Session Hijacking", diff --git a/scripts/lua/modules/alert_store/host_alert_store.lua b/scripts/lua/modules/alert_store/host_alert_store.lua index 945c34c5955c..22d84e79c56e 100644 --- a/scripts/lua/modules/alert_store/host_alert_store.lua +++ b/scripts/lua/modules/alert_store/host_alert_store.lua @@ -17,6 +17,7 @@ local alert_entities = require "alert_entities" local alert_roles = require "alert_roles" local json = require "dkjson" local tag_utils = require "tag_utils" +--local mitre_consts = require "mitre_consts" -- ############################################## @@ -328,6 +329,10 @@ local RNAME = { NETWORK = { name = "network", export = false + }, + MITRE = { + name = "mitre_data", + export = false } } 
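Review bot: The added `--local mitre_consts = require "mitre_consts"` in the require block of host_alert_store.lua is commented-out code, and no hunk in this file references `mitre_consts`; it should be dropped rather than parked, or enabled together with the code that needs it. The same module name appears in the new "keep in sync" comment in mitre_utils.lua, so if it is intended to become the single source of the MITRE table, saying so in the commit description would be clearer than a commented require.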
@@ -367,6 +372,25 @@ function host_alert_store:format_record(value, no_html) reference_html = nil end + local alert_key = alert_consts.getAlertType(tonumber(value["alert_id"]), alert_entities.host.entity_id) + local mitre_info = alert_consts.getAlertMitreInfo(alert_key) + + -- Add mitre info from db + local mitre_tactic = value["mitre_tactic"] or "" + local mitre_technique = value["mitre_technique"] or "" + local mitre_subtechnique = value["mitre_subtechnique"] or "" + + record[RNAME.MITRE.name] = { + mitre_tactic = mitre_tactic, + mitre_technique = mitre_technique, + mitre_subtechnique = mitre_subtechnique, + mitre_id = value["mitre_id"] or "", + + mitre_tactic_i18n = mitre_info.mitre_tactic and mitre_info.mitre_tactic.i18n_label or "", + mitre_technique_i18n = mitre_info.mitre_technique and mitre_info.mitre_technique.i18n_label or "", + mitre_subtechnique_i18n = mitre_info.mitre_subtechnique and mitre_info.mitre_subtechnique.i18n_label or "", + } + record[RNAME.IP.name] = { value = host, label = host, diff --git a/scripts/lua/modules/mitre_utils.lua b/scripts/lua/modules/mitre_utils.lua index 2e4182cc822b..17c243302769 100644 --- a/scripts/lua/modules/mitre_utils.lua +++ b/scripts/lua/modules/mitre_utils.lua @@ -10,7 +10,7 @@ local alert_entities = require "alert_entities" -- ############################################## -- table containing information about mitre attack matrix --- keep in sync with en.lua["mitre"] +-- keep in sync with en.lua["mitre"] AND scripts/lua/modules/mitre_consts.lua local mitre_table_utils = { tactic = { c_and_c = { 
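Review bot: `mitre_info.mitre_tactic` and the two lines after it index the result of `alert_consts.getAlertMitreInfo(alert_key)` without a nil check, so if that helper returns nil for an alert type with no MITRE mapping, or when `alert_key` is nil because `getAlertType` found nothing, `format_record` raises instead of returning a record with empty MITRE fields; `local mitre_info = alert_consts.getAlertMitreInfo(alert_key) or {}` keeps the existing `and … or ""` fallbacks meaningful. Both helpers are outside this diff, so their nil behaviour is inferred and should be confirmed. The new table never sets `mitre_id_i18n`, which `formatMitreId` in sprymedia-datatable-utils.js reads; either add it here or have the renderer fall back to `mitre_id`. `format_record` starts and ends outside the hunk, and the comment `-- Add mitre info from db` would say more as `-- MITRE ids come from the alert row; the i18n labels are resolved from the alert definition`.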
@@ -395,7 +395,391 @@ local mitre_table_utils = { id = 159503, i18n_label = "mitre.sub_technique.wordlist_scanning" }, - } + }, + tactic = { + c_and_c = { + id = 11, + i18n_label = "mitre.tactic.c_and_c" + }, + credential_access = { + id = 6, + i18n_label = "mitre.tactic.credential_access" + }, + collection = { + id = 9, + i18n_label = "mitre.tactic.collection" + }, + defense_evasion = { + id = 5, + i18n_label = "mitre.tactic.defense_evasion" + }, + discovery = { + id = 7, + i18n_label = "mitre.tactic.discovery" + }, + execution = { + id = 2, + i18n_label = "mitre.tactic.execution" + }, + exfiltration = { + id = 10, + i18n_label = "mitre.tactic.exfiltration" + }, + impact = { + id = 40, + i18n_label = "mitre.tactic.impact"}, + initial_access = { + id = 1, + i18n_label = "mitre.tactic.initial_access" + }, + lateral_movement = { + id = 8, + i18n_label = "mitre.tactic.lateral_movement" + }, + persistence = { + id = 3, + i18n_label = "mitre.tactic.persistence" + }, + privilege_escalation = { + id = 4, + i18n_label = "mitre.tactic.privilege_escalation" + }, + reconnaissance = { + id = 43, + i18n_label = "mitre.tactic.reconnaissance"}, + resource_develop = { + id = 42, + i18n_label = "mitre.tactic.resource_develop" + }, + }, + technique = { + account_manipulation = { + id = 1098, + i18n_label = "mitre.technique.account_manipulation" + }, + active_scanning = { + id = 1595, + i18n_label = "mitre.technique.active_scanning" + }, + adversary_in_the_middle = { + id = 1557, + i18n_label = "mitre.technique.adversary_in_the_middle" + }, + app_layer_proto = { + id = 1071, + i18n_label = "mitre.technique.app_layer_proto" + }, + automated_exf = { + id = 1020, + i18n_label = "mitre.technique.automated_exf" + }, + content_inj = { + id = 1659, + i18n_label = "mitre.technique.content_inj" + }, + data_destruction = { + id = 1485, + i18n_label = "mitre.technique.data_destruction" + }, + data_from_conf_repo = { + id = 1602, + i18n_label = "mitre.technique.data_from_conf_repo" + }, + 
data_from_net_shared_driver = { + id = 1039, + i18n_label = "mitre.technique.data_from_net_shared_driver" + }, + data_manipulation = { + id = 1565, + i18n_label = "mitre.technique.data_manipulation" + }, + data_obfuscation = { + id = 1001, + i18n_label = "mitre.technique.data_obfuscation" + }, + drive_by_compr = { + id = 1189, + i18n_label = "mitre.technique.drive_by_compr" + }, + dynamic_resolution = { + id = 1568, + i18n_label = "mitre.technique.dynamic_resolution" + }, + encrypted_channel = { + id = 1573, + i18n_label = "mitre.technique.encrypted_channel" + }, + endpoint_ddos = { + id = 1499, + i18n_label = "mitre.technique.endpoint_ddos" + }, + exfiltration_over_alt_proto = { + id = 1048, + i18n_label = "mitre.technique.exfiltration_over_alt_proto" + }, + exfiltration_over_c2_channel = { + id = 1041, + i18n_label = "mitre.technique.exfiltration_over_c2_channel" + }, + exfiltration_over_web_service = { + id = 1567, + i18n_label = "mitre.technique.exfiltration_over_web_service" + }, + exploitatation_client_exec = { + id = 1203, + i18n_label = "mitre.technique.exploitatation_client_exec" + }, + expl_privilege_escalation = { + id = 1068, + i18n_label = "mitre.technique.expl_privilege_escalation" + }, + exploit_pub_facing_app = { + id = 1190, + i18n_label = "mitre.technique.exploit_pub_facing_app" + }, + ext_remote_services = { + id = 1133, + i18n_label = "mitre.technique.ext_remote_services" + }, + forced_authentication = { + id = 1187, + i18n_label = "mitre.technique.forced_authentication" + }, + gather_victim_net_info = { + id = 1590, + i18n_label = "mitre.technique.gather_victim_net_info" + }, + hide_infrastructure = { + id = 1665, + i18n_label = "mitre.technique.hide_infrastructure" + }, + impair_defenses = { + id = 1562, + i18n_label = "mitre.technique.impair_defenses" + }, + indicator_removal = { + id = 1070, + i18n_label = "mitre.technique.indicator_removal" + }, + ingress_tool_transfer = { + id = 1105, + i18n_label = "mitre.technique.ingress_tool_transfer" 
+ }, + internal_spearphishing = { + id = 1534, + i18n_label = "mitre.technique.internal_spearphishing" + }, + lateral_tool_transfer = { + id = 1570, + i18n_label = "mitre.technique.lateral_tool_transfer" + }, + network_ddos = { + id = 1498, + i18n_label = "mitre.technique.network_ddos" + }, + network_service_discovery = { + id = 1046, + i18n_label = "mitre.technique.network_service_discovery" + }, + network_sniffing = { + id = 1040, + i18n_label = "mitre.technique.network_sniffing" + }, + non_app_layer_proto = { + id = 1095, + i18n_label = "mitre.technique.non_app_layer_proto" + }, + non_std_port = { + id = 1571, + i18n_label = "mitre.technique.non_std_port" + }, + obfuscated_files_info = { + id = 1027, + i18n_label = "mitre.technique.obfuscated_files_info" + }, + os_credential_dump = { + id = 1003, + i18n_label = "mitre.technique.os_credential_dump" + }, + phishing = { + id = 1566, + "mitre.technique.phishing" + }, + phishing_info = { + id = 1598, + i18n_label = "mitre.technique.phishing_info" + }, + proxy = { + id = 1090, + i18n_label = "mitre.technique.proxy" + }, + remote_services = { + id = 1021, + i18n_label = "mitre.technique.remote_services" + }, + remote_system_discovery = { + id = 1018, + i18n_label = "mitre.technique.remote_system_discovery" + }, + resource_hijacking = { + id = 1496, + i18n_label = "mitre.technique.resource_hijacking" + }, + rogue_domain_controller = { + id = 1207, + i18n_label = "mitre.technique.rogue_domain_controller" + }, + scheduled_transfer = { + id = 1029, + i18n_label = "mitre.technique.scheduled_transfer" + }, + search_open_tech_db = { + id = 1596, + i18n_label = "mitre.technique.search_open_tech_db" + }, + server_software_component = { + id = 1505, + i18n_label = "mitre.technique.server_software_component" + }, + session_hijacking = { + id = 1563, + i18n_label = "mitre.technique.session_hijacking" + }, + steal_web_session_cookie = { + id = 1539, + i18n_label = "mitre.technique.steal_web_session_cookie" + }, + 
system_network_conf_discovery = { + id = 1016, + i18n_label = "mitre.technique.system_network_conf_discovery" + }, + traffic_signaling = { + id = 1205, + i18n_label = "mitre.technique.traffic_signaling" + }, + user_execution = { + id = 1204, + i18n_label = "mitre.technique.user_execution" + }, + valid_accounts = { + id = 1078, + i18n_label = "mitre.technique.valid_accounts" + }, + web_service = { + id = 1102, + i18n_label = "mitre.technique.web_service" + }, + }, + sub_technique = { + arp_cache_poisoning = { + id = 155702, + i18n_label = "mitre.sub_technique.arp_cache_poisoning" + }, + dhcp_spoofing = { + id = 155703, + i18n_label = "mitre.sub_technique.dhcp_spoofing" + }, + direct_network_flood = { + id = 149801, + i18n_label = "mitre.sub_technique.direct_network_flood" + }, + dns = { + id = 107104, + i18n_label = "mitre.sub_technique.dns" + }, + dns_calculation = { + id = 156803, + i18n_label = "mitre.sub_technique.dns_calculation" + }, + dns_passive_dns = { + id = 159601, + i18n_label = "mitre.sub_technique.dns_passive_dns" + }, + domain_fronting = { + id = 109004, + i18n_label = "mitre.sub_technique.domain_fronting" + }, + domain_generation_algorithms = { + id = 156802, + i18n_label = "mitre.sub_technique.domain_generation_algorithms" + }, + external_proxy = { + id = 109002, + i18n_label = "mitre.sub_technique.external_proxy" + }, + mail_protocol = { + id = 107103, + i18n_label = "mitre.sub_technique.mail_protocol" + }, + malicious_link = { + id = 120401, + i18n_label = "mitre.sub_technique.malicious_link" + }, + multi_hop_proxy = { + id = 109003, + i18n_label = "mitre.sub_technique.multi_hop_proxy" + }, + network_device_config_dump = { + id = 160202, + i18n_label = "mitre.sub_technique.network_device_config_dump" + }, + network_topology = { + id = 159004, + i18n_label = "mitre.sub_technique.network_topology" + }, + one_way_communication = { + id = 110203, + i18n_label = "mitre.sub_technique.one_way_communication" + }, + port_knocking = { + id = 120501, + 
i18n_label = "mitre.sub_technique.port_knocking" + }, + protocol_impersonation = { + id = 100103, + i18n_label = "mitre.sub_technique.protocol_impersonation" + }, + rdp_hijacking = { + id = 156302, + i18n_label = "mitre.sub_technique.rdp_hijacking" + }, + reflection_amplification = { + id = 149802, + i18n_label = "mitre.sub_technique.reflection_amplification" + }, + remote_desktop_proto = { + id = 102101, + i18n_label = "mitre.sub_technique.remote_desktop_proto" + }, + smb_relay = { + id = 155701, + i18n_label = "mitre.sub_technique.smb_relay" + }, + smb_windows_admin_share = { + id = 102102, + i18n_label = "mitre.sub_technique.smb_windows_admin_share" + }, + spearphishing_link = { + id = 156602, + i18n_label = "mitre.sub_technique.spearphishing_link" + }, + spearphishing_service = { + id = 156603, + i18n_label = "mitre.sub_technique.spearphishing_service" + }, + ssh = { + id = 109804, + i18n_label = "mitre.sub_technique.ssh" + }, + web_protocol = { + id = 107101, + i18n_label = "mitre.sub_technique.web_protocol" + }, + wordlist_scanning = { + id = 159503, + i18n_label = "mitre.sub_technique.wordlist_scanning" + }, + } } -- ############################################## @@ -524,5 +908,27 @@ function mitre_table_utils.insertDBMitreInfo() end -- ############################################## +--[[ + function mitre_table_utils.convert_mitre_to_id_map() + -- tprint(convert_mitre_to_id_map_once) + -- tprint(debug.traceback()) + + if(convert_mitre_to_id_map_once ~= nil) then return(convert_mitre_to_id_map_once) end + + local mitre_table = mitreTableInfo() + -- tprint(mitre_table) + + convert_mitre_to_id_map = {} + -- Populate lookup table with mitre info + for family, categories in pairs(mitre_table) do + for name, data in pairs(categories) do + convert_mitre_to_id_map[data.id] = {type = family, i18n_label = data.i18n_label} + end + end + + return convert_mitre_to_id_map + + end + ]] return mitre_table_utils
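Review bot: The hunk adds second `tactic`, `technique` and `sub_technique` fields to the `mitre_table_utils` constructor that already holds the originals (the constructor opens outside the hunk, and the leading context shows the original `sub_technique` block closing), so the later definitions silently replace the earlier ones, since Lua keeps the last value for a key repeated in a table constructor, and any edit made to only one copy is lost; keep a single copy. Inside the new `technique` block the `phishing` entry reads `"mitre.technique.phishing"` with no `i18n_label =` key, so the string is stored at index 1 and `phishing.i18n_label` is nil; it should be `i18n_label = "mitre.technique.phishing"`. The `impact` and `reconnaissance` entries close their brace on the label line, unlike every other entry in the table.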
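Review bot: The `--[[ … ]]` block appended after `insertDBMitreInfo` is about twenty lines of commented-out code, including leftover `-- tprint(...)` debugging calls; it should be removed and recovered from history when needed, or finished and enabled. If it is enabled as written, `convert_mitre_to_id_map = {}` assigns a global because it lacks `local`, and `convert_mitre_to_id_map_once` is tested but never assigned, so the memoisation check on its first line never short-circuits and the map is rebuilt on every call.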