diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index 9dc4adf7..00000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-version: 2
-
-jobs:
- build:
- filters:
- branches:
- only:
- - develop
- docker:
- - image: circleci/python:3.7.7
- steps:
- - add_ssh_keys
- - checkout
- - run:
- name: Generate markdown documents, thehive templates and mkdocs navigation (config) file
- command: |
- if [[ $(echo "${CIRCLE_BRANCH}" | grep -c "gh-pages") -gt 0 ]]; then
- echo "Not committing documentation because we are on a gh-pages branch"
- exit 0
- fi
- python -m pip install -r requirements.txt
- python ./main.py --markdown --auto --init
- python ./main.py --thehive
- python ./main.py -MK
- python ./main.py --stix
- python ./main.py -NAV
- echo ""
- echo ""
- git status
- echo ""
- echo ""
- git diff-index HEAD --
- if git diff-index --quiet HEAD -- ; then
- echo "Not committing documentation because there are no changes"
- elif [[ ! $( git diff-index HEAD -- | grep -v "docs/react.json" ) ]]; then
- echo "Not committing stix file because it is the same but with different IDs"
- elif [[ $(echo "${CIRCLE_BRANCH}" | grep -c "master") -gt 0 ]]; then
- echo "Not committing documentation because we are on a master branch"
- else
- git config credential.helper 'cache --timeout=120'
- git config user.email ""
- git config user.name "CircleCI ATC RE&CT doc generator"
- git add --all
- git commit -am "Generate all the analytics from job=$CIRCLE_JOB branch=${CIRCLE_BRANCH} [skip ci]"
- git push -u origin ${CIRCLE_BRANCH}
- fi
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 320bfc34..00000000
--- a/.gitignore
+++ /dev/null
@@ -1,11 +0,0 @@
-*DS_Store
-*__pycache__/*
-*.pyc
-*.idea
-_*
-.pytest_cache
-# Ignore local configuration
-config.yml
-site/
-
-*atc_env/*
diff --git a/docs/Response_Actions/RA_1000_test.md b/docs/Response_Actions/RA_1000_test.md
new file mode 100644
index 00000000..fcabbf07
--- /dev/null
+++ b/docs/Response_Actions/RA_1000_test.md
@@ -0,0 +1,38 @@
+| Title | Testing |
+|:---------------------------:|:--------------------|
+| **ID** | RA1000 |
+| **Description** | A test response action without any sensible content |
+| **Author** | Christoph Bott (@xofolowski) |
+| **Creation Date** | 2021/08/05 |
+| **Category** | General |
+| **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)|
+
+---
+
+
+
+## Response Action Details
+|*Attribute*|*Value*|*Remarks*|
+|:---|:---|:---|
+| **RA Objective** |Disrupt | Either of: *Disrupt, Deny, Degrade, Destroy, Deceive*|
+| **Potential Business Impact** |Very High| Either of: *Low, Medium, High, Very High*|
+
+---
+
+
+
+## Full Description
+This is a fancy mitigation that will allow SOC to trigger self destruction of all Windows Endpoints.
+Once triggered, the endpoint will start screaming, wait for close-by people to evacuate and then shortcut the battery, effectively causing the endpoint to burn down.
+
+
+
+## Standing Operating Procedure
+
+> ***Attention:***
+> Minimum TIER level for execution of this response activity is: **TIER-*2*!**
+
+Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format.
+Here newlines will be saved.
+
+
diff --git a/mkdocs.yml b/mkdocs.yml
index 9acf58da..5411d0e0 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -28,6 +28,7 @@ nav:
 - Response Stages: responsestages.md
 - Response Actions:
 - Preparation:
+ - "RA1000: Testing-foobar": ./Response_Actions/RA_1000_testing-foobar.md
 - "RA1001: Practice": ./Response_Actions/RA_1001_practice.md
 - "RA1002: Take trainings": ./Response_Actions/RA_1002_take_trainings.md
 - "RA1003: Raise personnel awareness": ./Response_Actions/RA_1003_raise_personnel_awareness.md
diff --git a/response_actions/RA_1000_test.yml b/response_actions/RA_1000_test.yml
new file mode 100644
index 00000000..2ca0a8ff
--- /dev/null
+++ b/response_actions/RA_1000_test.yml
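Review bot: The added nav entry points to `./Response_Actions/RA_1000_testing-foobar.md`, but the page this commit adds is `docs/Response_Actions/RA_1000_test.md` (and the source yml titles it `RA_1000_testing`), so the entry will most likely produce a missing-page warning at build time and a dead link on the site. Either regenerate the nav from the yml so the three names agree, or change the line to `- "RA1000: Testing": ./Response_Actions/RA_1000_test.md`. A fixture with placeholder content arguably should not be wired into the public navigation at all; keeping it out of `response_actions/`, or excluding it from the generator, avoids publishing it.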
@@ -0,0 +1,19 @@
+title: RA_1000_testing
+id: RA1000
+description: A test response action without any sensible content
+author: 'Christoph Bott (@xofolowski)'
+creation_date: 2021/08/05
+stage: preparation
+details:
+ description-full: |
+ This is a fancy mitigation that will allow SOC to trigger self destruction of all Windows Endpoints.
+ Once triggered, the endpoint will start screaming, wait for close-by people to evacuate and then shortcut the battery, effectively causing the endpoint to burn down.
+ workflow: |
+ Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format.
+ Here newlines will be saved.
+
+ raCoA: Disrupt
+ pot_business_impact: Very High
+ activation_SLA:
+ expected_coverage:
+ minTierLevel: 2
diff --git a/response_actions/respose_action.yml.template b/response_actions/respose_action.yml.template
index b87c519a..10344ba3 100644
--- a/response_actions/respose_action.yml.template
+++ b/response_actions/respose_action.yml.template
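Review bot: `raCoA: Disrupt` is a key the new markdown template never reads — `markdown_responseaction_template.md.j2` in this commit looks up `details['raEffect']` — so the RA Objective row is silently dropped for this file; rename one side (`raEffect: Disrupt` here and in `respose_action.yml.template`, or `raCoA` in the template). `activation_SLA:` and `expected_coverage:` are bare keys and parse as null; that matches the template's `!= none` checks, but `activation_SLA: null` makes the intent explicit. The `description-full` text is fixture prose under a real RA id that the doc and TheHive generators will publish; if RA1000 is meant as a sample, say so in `description` or keep it in a test directory, and align `title` with the `Testing` / `Testing-foobar` names used elsewhere in the commit.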
@@ -17,6 +17,16 @@ references: requirements: - MS_something # link to the Mitigation System required for the Response Action - DN_something # link to the Data Needed entity, required for the Response Action -workflow: | - Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format. - Here newlines will be saved. +details: + description-full: | + This is a fancy mitigation that will allow SOC to trigger self destruction of all Windows Endpoints. + Once triggered, the endpoint will start screaming, wait for close-by people to evacuate and then shortcut the battery, effectively causing the endpoint to burn down. + workflow: | + Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format. + Here newlines will be saved. + + raCoA: Detect | Disrupt | Deny | Degrade | Deceive + pot_business_impact: Very High | High | Medium | Low + activation_SLA: + expected_coverage: + minTierLevel: 2 \ No newline at end of file diff --git a/scripts/responseplaybook.py b/scripts/responseplaybook.py index e5fbaaa1..67814f2d 100755 --- a/scripts/responseplaybook.py +++ b/scripts/responseplaybook.py @@ -142,9 +142,12 @@ def render_template(self, template_type): action_title = action.get('id')\ + ": "\ + REACTutils.normalize_react_title(action.get('title')) - + try: + action_details = action.get('details') + except: + action_details = {} stage_list.append( - (action_title, task, action.get('description'), action.get('workflow')) + (action_title, task, action.get('description'), action.get('workflow'), action_details) ) except TypeError: pass @@ -294,8 +297,9 @@ def render_template(self, template_type): + '/' + task + '.yml') stage_list.append( (action.get('description'), - action.get('workflow')) - ) + action.get('workflow'), + action.get('details')) + ) except TypeError: pass 
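Review bot: The example `raCoA: Detect | Disrupt | Deny | Degrade | Deceive` lists a different vocabulary from the remarks the markdown template renders (`Disrupt, Deny, Degrade, Destroy, Deceive`: `Detect` here versus `Destroy` there), so authors copying the template cannot tell which set is valid; pick one list and use it in both places. Copied verbatim, the line also becomes the literal string value `Detect | Disrupt | ...`, and nothing in the diff validates `raCoA` or `pot_business_impact`; a clearer template form is `raCoA: Disrupt  # one of: Disrupt, Deny, Degrade, Destroy, Deceive`. The hunk also drops the file's trailing newline (`\ No newline at end of file`); please restore it.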
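Review bot: In the first hunk, `try: action_details = action.get('details') except: action_details = {}` cannot take the `except` branch — `dict.get` returns `None` for a missing key rather than raising — so legacy actions without `details` pass `None` into the templates, and the bare `except:` would additionally swallow `KeyboardInterrupt`. The second hunk has the same gap with `action.get('details')` in the tuple. Replace both with `action_details = action.get('details') or {}` and `action.get('details') or {}` so the templates receive a mapping; note that the templates still need an `is defined` check, since Jinja's `{}['workflow']` yields `Undefined` rather than `None`. `render_template` starts outside both hunks.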
diff --git a/scripts/templates/confluence_responseaction_template.html.j2 b/scripts/templates/confluence_responseaction_template.html.j2 index 4fd27cb9..dc66446a 100755 --- a/scripts/templates/confluence_responseaction_template.html.j2 +++ b/scripts/templates/confluence_responseaction_template.html.j2 @@ -89,11 +89,11 @@


-{% if workflow is defined and workflow|length %} +{% if (workflow is defined and workflow|length) or (details is defined and details['workflow'] is defined and details['workflow']|length) %}

Workflow

-

- + {% if workflow is defined %} {% endif %} + {% if details is defined %} {% endif %} {% else %} {% endif %} diff --git a/scripts/templates/confluence_responseplaybook_template.html.j2 b/scripts/templates/confluence_responseplaybook_template.html.j2 index 0d5c0323..232d5d2d 100755 --- a/scripts/templates/confluence_responseplaybook_template.html.j2 +++ b/scripts/templates/confluence_responseplaybook_template.html.j2 @@ -126,7 +126,7 @@ {% for stage_name, stage_actions in stages %} {%- if stage_actions is defined and stage_actions is not none and stage_actions|length %}
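Review bot: The new condition on the `{% if ... %}` line tests `details['workflow']|length` right after `is defined`, and `length` on a `None` value raises at render time; an RA whose `workflow:` key is present but empty (the new scheme already ships bare keys such as `activation_SLA:`) would abort Confluence rendering, so prefer `details['workflow'] is not none and details['workflow']|length`. The two inner blocks, `{% if workflow is defined %}` and `{% if details is defined %}`, are independent, so an RA carrying both the legacy `workflow` and `details` renders both; their markup is not visible in this rendering, so this may be intended, but a comment stating which one wins would help.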

{{ stage_name }}

- {% for action_description, action_workflow in stage_actions%} + {% for action_description, action_workflow, action_details in stage_actions%}

{{ action_description }}

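Review bot: `action_details` is unpacked in the rewritten `{% for %}` but nothing visible in the hunk uses it, and the rest of the loop body lies outside the hunk; if that body still renders only `action_workflow`, new-scheme RAs (which have no top-level `workflow`) will show an empty workflow in Confluence playbooks. Either render `action_details['workflow']` there with a none-guard, mirroring the markdown playbook template, or name the unused element `_` so the intent is explicit.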
diff --git a/scripts/templates/markdown_responseaction_template.md.j2 b/scripts/templates/markdown_responseaction_template.md.j2 index bcc3c9ca..50c34054 100755 --- a/scripts/templates/markdown_responseaction_template.md.j2 +++ b/scripts/templates/markdown_responseaction_template.md.j2 @@ -7,6 +7,36 @@ | **Category** | {{ category }} | | **Stage** | {%- for rs_id, rs_name in stage %}[{{ rs_id }}: {{rs_name}}](../Response_Stages/{{ rs_id }}.md){% endfor -%} | {% if automation is not none and automation|length %}{{ '\n' }}| **Automation** |
    {% for auto in automation %}
  • {{ auto }}
  • {% endfor %}
|{% endif %}{% if references is not none and references|length %}{{ '\n' }}| **References** |
    {% for ref in references %}
  • [{{ ref }}]({{ ref }})
  • {% endfor %}
|{% endif %}{% if requirements is not none and requirements|length %}{{ '\n' }}| **Requirements** |
    {% for requirement in requirements %}
  • {{ requirement }}
  • {% endfor %}
|{% endif %} -### Workflow +--- + +{% if workflow is defined and workflow|length %} +## Workflow +**Please note:** This RA has not yet been converted to the extensible RA scheme {{ workflow }} +{% else %} + {% if details['raEffect'] is defined and details['raEffect'] != none or details['pot_business_impact'] is defined and details['pot_business_impact'] != none or details['activation_SLA'] is defined and details['activation_SLA'] != none or details['expected_coverage'] is defined and details['expected_coverage'] != none %} +## Response Action Details +|*Attribute*|*Value*|*Remarks*| +|:---|:---|:---|{% if details['raEffect'] is defined and details['raEffect'] != none %} +| **RA Objective** |{{ details['raEffect'] }} | Either of: *Disrupt, Deny, Degrade, Destroy, Deceive*|{% endif %} {% if details['pot_business_impact'] is defined and details['pot_business_impact'] != none %} +| **Potential Business Impact** |{{ details['pot_business_impact'] }}| Either of: *Low, Medium, High, Very High*|{% endif %}{% if details['activation_SLA'] is defined and details['activation_SLA'] != none %} +| **Activation SLA** |{{ details['activation_SLA'] }} |How quickly can we expect the action to be implemented?|{% endif %}{% if details['expected_coverage'] is defined and details['expected_coverage'] != none %} +| **Expected Coverage** |{{ details['expected_coverage'] }} | |{% endif %} + +--- + + {% endif %} + {% if details['description-full'] is defined %} +## Full Description +{{ details['description-full'] }} + {% endif %} + {% if details['workflow'] is defined %} +## Standing Operating Procedure + {% if details['minTierLevel'] is defined and details['minTierLevel'] > 1 %} +> ***Attention:*** +> Minimum TIER level for execution of this response activity is: **TIER-*{{ details['minTierLevel'] }}*!** + {% endif %} +{{ details['workflow'] }} + {% endif %} +{% endif %} 
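Review bot: Every `details[...]` lookup in the `{% else %}` branch runs without first checking that `details` exists; for a legacy RA that lacks both a top-level `workflow` and a `details` mapping, `details['raEffect']` on an undefined name raises `UndefinedError` with Jinja's default `Undefined` before `is defined` is evaluated (it is only safe if the renderer passes `details=None`, which is outside this diff). Guarding the branch with `{% if details is defined and details is not none %}` keeps legacy files rendering. `details['minTierLevel'] > 1` has the same shape: an empty `minTierLevel:` parses as null and `None > 1` raises, so use `details['minTierLevel'] is not none and details['minTierLevel'] > 1`. Jinja's idiomatic null test is `is not none` rather than `!= none`, which would also read consistently with the `is defined` checks. The `raEffect`/`raCoA` key mismatch with the yml files is noted on the `RA_1000_test.yml` hunk.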
diff --git a/scripts/templates/markdown_responseplaybook_template.md.j2 b/scripts/templates/markdown_responseplaybook_template.md.j2 index 2ac6e40c..6ddebb2c 100755 --- a/scripts/templates/markdown_responseplaybook_template.md.j2 +++ b/scripts/templates/markdown_responseplaybook_template.md.j2 @@ -24,7 +24,7 @@ {%- endif -%} {%- for stage_name, stage_actions in stages -%} {%- if stage_actions is not none and stage_actions|length -%} - {{'\n'}}| **{{stage_name}}** |
    {% for action_title, action_filename, action_description, action_workflow in stage_actions %}
  • [{{ action_title }}](../Response_Actions/{{action_filename}}.md)
  • {% endfor %}
| + {{'\n'}}| **{{stage_name}}** |
    {% for action_title, action_filename, action_description, action_workflow, action_details in stage_actions %}
  • [{{ action_title }}](../Response_Actions/{{action_filename}}.md)
  • {% endfor %}
| {%- endif -%} {%- endfor %} @@ -33,11 +33,18 @@ {{ workflow }} {% for stage_name, stage_actions in stages %} -{% if stage_actions is not none and stage_actions|length %}#### {{ stage_name }}{% endif %} -{% for action_title, action_filename, action_description, action_workflow in stage_actions%} -##### {{ action_description }} - +{% if stage_actions is not none and stage_actions|length %}
+### {{ stage_name }}{% endif %} +{% for action_title, action_filename, action_description, action_workflow, action_details in stage_actions%} +#### {{ action_description }} + +{% if action_details['workflow'] is not none -%} +{{ action_details['workflow'] }} +{% elif action_workflow is not none -%} {{ action_workflow }} +{% endif %} -{%- endfor %} -{%- endfor %} +---- + +{%+ endfor %} +{% endfor %} \ No newline at end of file
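Review bot: `{% if action_details['workflow'] is not none -%}` is true when `action_details` itself is `None`, which is what `responseplaybook.py` passes for RAs without a `details` mapping: indexing `None` yields Jinja's `Undefined`, `Undefined is not none` holds, the branch renders an empty string and the `{% elif action_workflow is not none -%}` legacy fallback is skipped, so every legacy RA loses its workflow in the playbook output (with `StrictUndefined` it would raise instead). Guard with `{% if action_details is not none and action_details['workflow'] is defined and action_details['workflow'] is not none -%}`. The hunk also removes the file's trailing newline (`\ No newline at end of file`).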