mirror of
https://github.com/Yamato-Security/WELA.git
synced 2025-12-06 17:22:50 +01:00
fix: update MITRE ATT&CK Navigator to use sigma rules for heatmap export
This commit is contained in:
fukusuket
72
WELA.ps1
72
WELA.ps1
@@ -5185,11 +5185,12 @@ function AuditLogSetting {
|
|||||||
Write-Output "Usable detection rules list saved to: UsableRules.csv"
|
Write-Output "Usable detection rules list saved to: UsableRules.csv"
|
||||||
Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
|
Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
|
||||||
|
|
||||||
Export-MitreHeatmap -usableRules $usableRules -OutputPath "mitre-ttp-navigator-current.json"
|
$sigma_rules = $auditResult | Select-Object -ExpandProperty Rules
|
||||||
|
Export-MitreHeatmap -sigmaRules $sigma_rules -OutputPath "mitre-ttp-navigator-current.json"
|
||||||
Write-Output "MITRE ATT&CK Navigator data(based on current settings) saved to: mitre-ttp-navigator-current.json"
|
Write-Output "MITRE ATT&CK Navigator data(based on current settings) saved to: mitre-ttp-navigator-current.json"
|
||||||
$idealRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.ideal -eq $true }
|
Export-MitreHeatmap -sigmaRules $sigma_rules -OutputPath "mitre-ttp-navigator-ideal.json" -UseIdealCount $true
|
||||||
Export-MitreHeatmap -usableRules $idealRules -OutputPath "mitre-ttp-navigator-ideal.json"
|
Write-Output "MITRE ATT&CK Navigator data(based on current settings) saved to: mitre-ttp-navigator-ideal.json"
|
||||||
Write-Output "MITRE ATT&CK Navigator data(based on ideal settings) saved to: mitre-ttp-navigator-ideal.json"
|
|
||||||
|
|
||||||
$totalRulesCount = $auditResult | Select-Object -ExpandProperty Rules | Measure-Object | Select-Object -ExpandProperty Count
|
$totalRulesCount = $auditResult | Select-Object -ExpandProperty Rules | Measure-Object | Select-Object -ExpandProperty Count
|
||||||
$usableRulesCount = $usableRules | Measure-Object | Select-Object -ExpandProperty Count
|
$usableRulesCount = $usableRules | Measure-Object | Select-Object -ExpandProperty Count
|
||||||
@@ -5209,37 +5210,72 @@ function AuditLogSetting {
|
|||||||
function Export-MitreHeatmap {
|
function Export-MitreHeatmap {
|
||||||
param (
|
param (
|
||||||
[Parameter(Mandatory = $true)]
|
[Parameter(Mandatory = $true)]
|
||||||
[array]$usableRules,
|
[array]$sigmaRules,
|
||||||
|
|
||||||
[Parameter(Mandatory = $false)]
|
[Parameter(Mandatory = $false)]
|
||||||
[string]$OutputPath = "mitre-ttp-heatmap.json"
|
[string]$OutputPath = "mitre-ttp-heatmap.json",
|
||||||
|
|
||||||
|
[Parameter(Mandatory=$false)]
|
||||||
|
[bool]$UseIdealCount = $false
|
||||||
)
|
)
|
||||||
$tagMapping = @{}
|
$tagMapping = @{}
|
||||||
$usableRules | ForEach-Object {
|
$sigmaRules | ForEach-Object {
|
||||||
$rule = $_
|
$rule = $_
|
||||||
|
if ($rule.tags) {
|
||||||
$rule.tags | ForEach-Object {
|
$rule.tags | ForEach-Object {
|
||||||
$tag = $_
|
$tag = $_
|
||||||
if (-not $tagMapping.ContainsKey($tag)) {
|
if (-not $tagMapping.ContainsKey($tag)) {
|
||||||
$tagMapping[$tag] = @()
|
$tagMapping[$tag] = @{
|
||||||
|
titles = @()
|
||||||
|
idealCount = 0
|
||||||
|
applicableCount = 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$tagMapping[$tag].titles += $rule.title
|
||||||
|
if ($rule.applicable -eq $true) {
|
||||||
|
$tagMapping[$tag].applicableCount++
|
||||||
|
}
|
||||||
|
if ($rule.ideal -eq $true) {
|
||||||
|
$tagMapping[$tag].idealCount++
|
||||||
|
}
|
||||||
}
|
}
|
||||||
$tagMapping[$tag] += $rule.title
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$result = @{}
|
$techniques = @()
|
||||||
$tagMapping.Keys | ForEach-Object {
|
$tagMapping.Keys | ForEach-Object {
|
||||||
$result[$_] = $tagMapping[$_] -join ", "
|
$techniqueId = $_
|
||||||
|
$info = $tagMapping[$techniqueId]
|
||||||
|
$titlesCount = $info.titles.Count
|
||||||
|
$score = if ($titlesCount -gt 0) {
|
||||||
|
[math]::Round(($info.applicableCount / $titlesCount) * 100, 2)
|
||||||
|
} else {
|
||||||
|
0
|
||||||
|
}
|
||||||
|
if ($info.idealCount -gt 0 -and $info.applicableCount -eq 0) {
|
||||||
|
$score = 0
|
||||||
}
|
}
|
||||||
|
|
||||||
$techniques = $result.GetEnumerator() | ForEach-Object {
|
if ($UseIdealCount) {
|
||||||
@{
|
$score = [math]::Round(($info.idealCount / $titlesCount) * 100, 2)
|
||||||
"techniqueID" = $_.Key
|
}
|
||||||
"score" = ($_.Value.ToCharArray() | Where-Object { $_ -eq ',' }).Count + 1
|
|
||||||
"comment" = $_.Value
|
$techniques += @{
|
||||||
"showSubtechniques" = $true
|
techniqueID = $techniqueId
|
||||||
|
score = $score
|
||||||
|
comment = ($info.titles -join ", ")
|
||||||
|
showSubtechniques = $true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$colors = @(
|
||||||
|
"#c62828", # Red
|
||||||
|
"#fff176", # Yellow
|
||||||
|
"#ffa726", # Orange
|
||||||
|
"#c8e6c9", # Light Green
|
||||||
|
"#2e7d32" # Dark Green
|
||||||
|
)
|
||||||
|
|
||||||
$heatmap = @{
|
$heatmap = @{
|
||||||
"name" = "WELA detection heatmap"
|
"name" = "WELA detection heatmap"
|
||||||
"versions" = @{
|
"versions" = @{
|
||||||
@@ -5251,7 +5287,7 @@ function Export-MitreHeatmap {
|
|||||||
"description" = "WELA detection heatmap"
|
"description" = "WELA detection heatmap"
|
||||||
"techniques" = $techniques
|
"techniques" = $techniques
|
||||||
"gradient" = @{
|
"gradient" = @{
|
||||||
"colors" = @("#8ec843ff", "#ffe766ff", "#ff6666ff")
|
"colors" = $colors
|
||||||
"minValue" = 0
|
"minValue" = 0
|
||||||
"maxValue" = 100
|
"maxValue" = 100
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user