From ef06dbbc1244d500f35e0246d6e8c2d7cd57c7f5 Mon Sep 17 00:00:00 2001
From: Christoph Bott
Date: Thu, 5 Aug 2021 11:23:54 +0200
Subject: [PATCH 01/10] Issue # 344 - Added extensible schema for RAs
---
response_actions/RA_1000_test.yml | 19 +++++++++++
response_actions/respose_action.yml.template | 16 ++++++++--
scripts/responseplaybook.py | 7 ++--
.../markdown_responseaction_template.md.j2 | 32 ++++++++++++++++++-
.../markdown_responseplaybook_template.md.j2 | 21 ++++++++----
5 files changed, 81 insertions(+), 14 deletions(-)
create mode 100644 response_actions/RA_1000_test.yml
diff --git a/response_actions/RA_1000_test.yml b/response_actions/RA_1000_test.yml
new file mode 100644
index 00000000..2f58fd8b
--- /dev/null
+++ b/response_actions/RA_1000_test.yml
@@ -0,0 +1,19 @@
+title: RA_1000_testing
+id: RA1000
+description: A test response action without any sensible content
+author: Christoph Bott (@xofolowski)
+creation_date: 2021/08/05
+stage: preparation
+details:
+ description-full: |
+ This is a fancy mitigation that will allow SOC to trigger self destruction of all Windows Endpoints.
+ Once triggered, the endpoint will start screaming, wait for close-by people to evacuate and then shortcut the battery, effectively causing the endpoint to burn down.
+ workflow: |
+ Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format.
+ Here newlines will be saved.
+
+ raEffect: Disrupt
+ pot_business_impact: Very High
+ activation_SLA:
+ expected_coverage:
+ minTierLevel: 2
diff --git a/response_actions/respose_action.yml.template b/response_actions/respose_action.yml.template
index b87c519a..ea68e6eb 100644
--- a/response_actions/respose_action.yml.template
+++ b/response_actions/respose_action.yml.template
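Review bot: RA_1000_test.yml is committed into response_actions/ with fictional content (`self destruction of all Windows Endpoints`), and the generated docs/Response_Actions/RA_1000_test.md added in patch 03 shows the generators pick it up like any real response action, so the placeholder will be published alongside genuine RAs (and presumably also into the TheHive and STIX outputs the CI script produces). Keep schema fixtures outside the directory the generator scans, or at least make the content inert and self-describing, e.g. `description: Schema sample for the extensible RA format, not an operational response action`. `activation_SLA:` and `expected_coverage:` are left empty and load as YAML null, which the new markdown template treats as "omit the row"; a comment such as `# optional, leave empty to omit from the rendered page` would tell authors that this is intended.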
@@ -17,6 +17,16 @@ references: requirements: - MS_something # link to the Mitigation System required for the Response Action - DN_something # link to the Data Needed entity, required for the Response Action -workflow: | - Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format. - Here newlines will be saved. +details: + description-full: | + This is a fancy mitigation that will allow SOC to trigger self destruction of all Windows Endpoints. + Once triggered, the endpoint will start screaming, wait for close-by people to evacuate and then shortcut the battery, effectively causing the endpoint to burn down. + workflow: | + Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format. + Here newlines will be saved. + + raEffect: Detect | Disrupt | Deny | Degrade | Deceive + pot_business_impact: Very High | High | Medium | Low + activation_SLA: + expected_coverage: + minTierLevel: 2 \ No newline at end of file diff --git a/scripts/responseplaybook.py b/scripts/responseplaybook.py index e5fbaaa1..f2e86d39 100755 --- a/scripts/responseplaybook.py +++ b/scripts/responseplaybook.py @@ -144,7 +144,7 @@ def render_template(self, template_type): + REACTutils.normalize_react_title(action.get('title')) stage_list.append( - (action_title, task, action.get('description'), action.get('workflow')) + (action_title, task, action.get('description'), action.get('workflow'), action.get('details')) ) except TypeError: pass @@ -294,8 +294,9 @@ def render_template(self, template_type): + '/' + task + '.yml') stage_list.append( (action.get('description'), - action.get('workflow')) - ) + action.get('workflow'), + action.get('details')) + ) except TypeError: pass diff --git a/scripts/templates/markdown_responseaction_template.md.j2 b/scripts/templates/markdown_responseaction_template.md.j2 index bcc3c9ca..50c34054 100755 
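Review bot: The template's `description-full` sample is now the fictional "self destruction of all Windows Endpoints" prose rather than a placeholder, and since nothing in the pipeline validates `details`, an author who copies the template and fills in only `workflow` ships that text into a published RA unnoticed. Replace it with an obvious placeholder, e.g. `description-full: |` followed by `Full description of the response action in Markdown format.`. Likewise `raEffect: Detect | Disrupt | Deny | Degrade | Deceive` and `pot_business_impact: Very High | High | Medium | Low` are valid YAML scalars that render verbatim if left unchanged; put the allowed set in a comment (`raEffect: Disrupt  # one of: Detect, Disrupt, Deny, Degrade, Deceive`) with a single real value.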
--- a/scripts/templates/markdown_responseaction_template.md.j2 +++ b/scripts/templates/markdown_responseaction_template.md.j2 
@@ -7,6 +7,36 @@ | **Category** | {{ category }} | | **Stage** | {%- for rs_id, rs_name in stage %}[{{ rs_id }}: {{rs_name}}](../Response_Stages/{{ rs_id }}.md){% endfor -%} | {% if automation is not none and automation|length %}{{ '\n' }}| **Automation** ||{% endif %}{% if references is not none and references|length %}{{ '\n' }}| **References** ||{% endif %}{% if requirements is not none and requirements|length %}{{ '\n' }}| **Requirements** ||{% endif %} -### Workflow +--- + +{% if workflow is defined and workflow|length %} +## Workflow +**Please note:** This RA has not yet been converted to the extensible RA scheme {{ workflow }} +{% else %} + {% if details['raEffect'] is defined and details['raEffect'] != none or details['pot_business_impact'] is defined and details['pot_business_impact'] != none or details['activation_SLA'] is defined and details['activation_SLA'] != none or details['expected_coverage'] is defined and details['expected_coverage'] != none %} +## Response Action Details +|*Attribute*|*Value*|*Remarks*| +|:---|:---|:---|{% if details['raEffect'] is defined and details['raEffect'] != none %} +| **RA Objective** |{{ details['raEffect'] }} | Either of: *Disrupt, Deny, Degrade, Destroy, Deceive*|{% endif %} {% if details['pot_business_impact'] is defined and details['pot_business_impact'] != none %} +| **Potential Business Impact** |{{ details['pot_business_impact'] }}| Either of: *Low, Medium, High, Very High*|{% endif %}{% if details['activation_SLA'] is defined and details['activation_SLA'] != none %} +| **Activation SLA** |{{ details['activation_SLA'] }} |How quickly can we expect the action to be implemented?|{% endif %}{% if details['expected_coverage'] is defined and details['expected_coverage'] != none %} +| **Expected Coverage** |{{ details['expected_coverage'] }} | |{% endif %} + +--- + + {% endif %} + {% if details['description-full'] is defined %} +## Full Description +{{ details['description-full'] }} + {% endif %} + {% if 
details['workflow'] is defined %} +## Standing Operating Procedure + {% if details['minTierLevel'] is defined and details['minTierLevel'] > 1 %} +> ***Attention:*** +> Minimum TIER level for execution of this response activity is: **TIER-*{{ details['minTierLevel'] }}*!** + {% endif %} +{{ details['workflow'] }} + {% endif %} +{% endif %} diff --git a/scripts/templates/markdown_responseplaybook_template.md.j2 b/scripts/templates/markdown_responseplaybook_template.md.j2 index 2ac6e40c..6ddebb2c 100755 --- a/scripts/templates/markdown_responseplaybook_template.md.j2 +++ b/scripts/templates/markdown_responseplaybook_template.md.j2 @@ -24,7 +24,7 @@ {%- endif -%} {%- for stage_name, stage_actions in stages -%} {%- if stage_actions is not none and stage_actions|length -%} - {{'\n'}}| **{{stage_name}}** || + {{'\n'}}| **{{stage_name}}** || {%- endif -%} {%- endfor %} @@ -33,11 +33,18 @@ {{ workflow }} {% for stage_name, stage_actions in stages %} -{% if stage_actions is not none and stage_actions|length %}#### {{ stage_name }}{% endif %} -{% for action_title, action_filename, action_description, action_workflow in stage_actions%} -##### {{ action_description }} - +{% if stage_actions is not none and stage_actions|length %}
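Review bot: `details['minTierLevel'] > 1` in the Standing Operating Procedure branch raises a TypeError at render time if an author writes the value as a string (`minTierLevel: "2"`), because nothing validates `details` before rendering; coerce it with `{% if details['minTierLevel'] is defined and details['minTierLevel']|int(0) > 1 %}`. The remark column lists `Disrupt, Deny, Degrade, Destroy, Deceive` as the allowed RA Objective values while respose_action.yml.template in the same patch offers `Detect | Disrupt | Deny | Degrade | Deceive`; pick one set and keep it in a single place. Every lookup in the `else` branch is `details[...]`, so for an RA with neither a top-level `workflow` nor a `details` block the outcome depends on how the renderer passes the variable and which Undefined class the environment uses (subscripting an undefined name raises, subscripting `None` renders empty); guarding the whole branch with `{% if details is defined and details is not none %}` removes that dependency.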
+### {{ stage_name }}{% endif %} +{% for action_title, action_filename, action_description, action_workflow, action_details in stage_actions%} +#### {{ action_description }} + +{% if action_details['workflow'] is not none -%} +{{ action_details['workflow'] }} +{% elif action_workflow is not none -%} {{ action_workflow }} +{% endif %} -{%- endfor %} -{%- endfor %} +---- + +{%+ endfor %} +{% endfor %} \ No newline at end of file From 12fe30e5cd295d41678556d95dec915a69c08882 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 23 Aug 2021 03:03:25 +0200 Subject: [PATCH 02/10] Update RA_1000_test.yml --- response_actions/RA_1000_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/response_actions/RA_1000_test.yml b/response_actions/RA_1000_test.yml index 2f58fd8b..df529a55 100644 --- a/response_actions/RA_1000_test.yml +++ b/response_actions/RA_1000_test.yml @@ -1,7 +1,7 @@ title: RA_1000_testing id: RA1000 description: A test response action without any sensible content -author: Christoph Bott (@xofolowski) +author: 'Christoph Bott (@xofolowski)' creation_date: 2021/08/05 stage: preparation details: From 512fc9f91462359ce8c4e931c6a8e4a52bcd334c Mon Sep 17 00:00:00 2001 From: -XoF- Date: Sun, 29 Aug 2021 11:17:26 +0200 Subject: [PATCH 03/10] cleanup --- docs/Response_Actions/RA_1000_test.md | 38 +++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 docs/Response_Actions/RA_1000_test.md diff --git a/docs/Response_Actions/RA_1000_test.md b/docs/Response_Actions/RA_1000_test.md new file mode 100644 index 00000000..fcabbf07 --- /dev/null +++ b/docs/Response_Actions/RA_1000_test.md 
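Review bot: `{% if action_details['workflow'] is not none -%}` never falls through to the legacy `action_workflow` for RAs without a `details` block: responseplaybook.py passes `action.get('details')`, which is `None` for those RAs, and in Jinja2 subscripting `None` yields an Undefined object that is not `none`, so the first branch is taken and renders an empty string while the legacy workflow is dropped (with the default Undefined class; StrictUndefined would raise instead). Test truthiness rather than identity: `{% if action_details and action_details['workflow'] -%}` and `{% elif action_workflow -%}`. The switch from `{%- endfor %}` to `{%+ endfor %}` / `{% endfor %}` also changes whitespace control, so the regenerated playbook markdown should be diffed once to confirm no stray blank lines or empty headings appear.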
@@ -0,0 +1,38 @@ +| Title | Testing | +|:---------------------------:|:--------------------| +| **ID** | RA1000 | +| **Description** | A test response action without any sensible content | +| **Author** | Christoph Bott (@xofolowski) | +| **Creation Date** | 2021/08/05 | +| **Category** | General | +| **Stage** |[RS0001: Preparation](../Response_Stages/RS0001.md)| + +--- + + + +## Response Action Details +|*Attribute*|*Value*|*Remarks*| +|:---|:---|:---| +| **RA Objective** |Disrupt | Either of: *Disrupt, Deny, Degrade, Destroy, Deceive*| +| **Potential Business Impact** |Very High| Either of: *Low, Medium, High, Very High*| + +--- + + + +## Full Description +This is a fancy mitigation that will allow SOC to trigger self destruction of all Windows Endpoints. +Once triggered, the endpoint will start screaming, wait for close-by people to evacuate and then shortcut the battery, effectively causing the endpoint to burn down. + + + +## Standing Operating Procedure + +> ***Attention:*** +> Minimum TIER level for execution of this response activity is: **TIER-*2*!** + +Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format. +Here newlines will be saved. + + From 3bd0bf17ff2f1b39c3a8bb9f5618036af2e5dd6e Mon Sep 17 00:00:00 2001 From: -XoF- Date: Sun, 29 Aug 2021 11:18:01 +0200 Subject: [PATCH 04/10] circleci --- .circleci/config.yml | 3 +++ mkdocs.yml | 1 + response_actions/RA_1000_test.yml | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9dc4adf7..89f8ada8 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -6,6 +6,9 @@ jobs: branches: only: - develop + - issue344_RA-schema-extension + - issue354_customisable-formatting-rules + - playground docker: - image: circleci/python:3.7.7 steps: diff --git a/mkdocs.yml b/mkdocs.yml index 9acf58da..5411d0e0 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -28,6 +28,7 @@ nav: - Response Stages: responsestages.md - Response Actions: - Preparation: + - "RA1000: Testing-foobar": ./Response_Actions/RA_1000_testing-foobar.md - "RA1001: Practice": ./Response_Actions/RA_1001_practice.md - "RA1002: Take trainings": ./Response_Actions/RA_1002_take_trainings.md - "RA1003: Raise personnel awareness": ./Response_Actions/RA_1003_raise_personnel_awareness.md diff --git a/response_actions/RA_1000_test.yml b/response_actions/RA_1000_test.yml index 2f58fd8b..df529a55 100644 --- a/response_actions/RA_1000_test.yml +++ b/response_actions/RA_1000_test.yml @@ -1,7 +1,7 @@ title: RA_1000_testing id: RA1000 description: A test response action without any sensible content -author: Christoph Bott (@xofolowski) +author: 'Christoph Bott (@xofolowski)' creation_date: 2021/08/05 stage: preparation details: From 1e942afd093a028d6895c5f26e12c1f895107781 Mon Sep 17 00:00:00 2001 From: -XoF- Date: Sun, 29 Aug 2021 11:27:33 +0200 Subject: [PATCH 05/10] ignored circleci and .gitgnore --- .circleci/config.yml | 49 -------------------------------------------- .gitignore | 11 ---------- 2 files changed, 60 deletions(-) delete mode 100644 .circleci/config.yml delete mode 100644 .gitignore diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index 89f8ada8..00000000 --- a/.circleci/config.yml +++ /dev/null 
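Review bot: The nav entry `- "RA1000: Testing-foobar": ./Response_Actions/RA_1000_testing-foobar.md` points at a file nothing in this series creates; the page generated in patch 03 is `docs/Response_Actions/RA_1000_test.md` and the RA title is `RA_1000_testing`, so mkdocs will warn about a missing page and the link breaks. If mkdocs.yml is produced by `main.py -NAV` (as the CI script deleted in patch 05 suggests) the hand-edited line should be dropped and the file regenerated; otherwise change it to `- "RA1000: Testing": ./Response_Actions/RA_1000_test.md`.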
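Review bot: This RA_1000_test.yml hunk is byte-identical to patch 02 (`index 2f58fd8b..df529a55`, quoting the `author` value), so by the time patch 04 is applied the file is already at df529a55 and `git am` will stop on it; drop the hunk from this patch or squash patches 02 and 04.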
@@ -1,49 +0,0 @@ -version: 2 - -jobs: - build: - filters: - branches: - only: - - develop - - issue344_RA-schema-extension - - issue354_customisable-formatting-rules - - playground - docker: - - image: circleci/python:3.7.7 - steps: - - add_ssh_keys - - checkout - - run: - name: Generate markdown documents, thehive templates and mkdocs navigation (config) file - command: | - if [[ $(echo "${CIRCLE_BRANCH}" | grep -c "gh-pages") -gt 0 ]]; then - echo "Not committing documentation because we are on a gh-pages branch" - exit 0 - fi - python -m pip install -r requirements.txt - python ./main.py --markdown --auto --init - python ./main.py --thehive - python ./main.py -MK - python ./main.py --stix - python ./main.py -NAV - echo "" - echo "" - git status - echo "" - echo "" - git diff-index HEAD -- - if git diff-index --quiet HEAD -- ; then - echo "Not committing documentation because there are no changes" - elif [[ ! $( git diff-index HEAD -- | grep -v "docs/react.json" ) ]]; then - echo "Not committing stix file because it is the same but with different IDs" - elif [[ $(echo "${CIRCLE_BRANCH}" | grep -c "master") -gt 0 ]]; then - echo "Not committing documentation because we are on a master branch" - else - git config credential.helper 'cache --timeout=120' - git config user.email "" - git config user.name "CircleCI ATC RE&CT doc generator" - git add --all - git commit -am "Generate all the analytics from job=$CIRCLE_JOB branch=${CIRCLE_BRANCH} [skip ci]" - git push -u origin ${CIRCLE_BRANCH} - fi diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 320bfc34..00000000 --- a/.gitignore +++ /dev/null @@ -1,11 +0,0 @@ -*DS_Store -*__pycache__/* -*.pyc -*.idea -_* -.pytest_cache -# Ignore local configuration -config.yml -site/ - -*atc_env/* From 183b7cb4704d58e9184cea16d8e2e20ae85e7bc6 Mon Sep 17 00:00:00 2001 
From: xofoloswki Date: Sat, 2 Oct 2021 07:41:23 +0200 Subject: [PATCH 06/10] fixed undefined action_details --- scripts/responseplaybook.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/responseplaybook.py b/scripts/responseplaybook.py index f2e86d39..67814f2d 100755 --- a/scripts/responseplaybook.py +++ b/scripts/responseplaybook.py @@ -142,9 +142,12 @@ def render_template(self, template_type): action_title = action.get('id')\ + ": "\ + REACTutils.normalize_react_title(action.get('title')) - + try: + action_details = action.get('details') + except: + action_details = {} stage_list.append( - (action_title, task, action.get('description'), action.get('workflow'), action.get('details')) + (action_title, task, action.get('description'), action.get('workflow'), action_details) ) except TypeError: pass From 19f869cc90ce190c49ba51819e79daca6bb0adb7 Mon Sep 17 00:00:00 2001 From: xofoloswki Date: Sat, 2 Oct 2021 07:42:53 +0200 Subject: [PATCH 07/10] added action_details --- scripts/templates/confluence_responseplaybook_template.html.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/templates/confluence_responseplaybook_template.html.j2 b/scripts/templates/confluence_responseplaybook_template.html.j2 index 0d5c0323..232d5d2d 100755 --- a/scripts/templates/confluence_responseplaybook_template.html.j2 +++ b/scripts/templates/confluence_responseplaybook_template.html.j2 @@ -126,7 +126,7 @@ {% for stage_name, stage_actions in stages %} {%- if stage_actions is defined and stage_actions is not none and stage_actions|length %}
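Review bot: The new `try`/`except` around `action.get('details')` cannot do what the commit message says: `dict.get` never raises, so the bare `except:` is dead code (and would also swallow KeyboardInterrupt), and for an RA without a `details` block `action_details` is still `None`, not `{}`. Write `action_details = action.get('details') or {}` and apply the same normalisation at the second `stage_list.append` (the -294 hunk of patch 01, outside this hunk), which still passes the raw `action.get('details')`. Note that even `{}` does not make `action_details['workflow']` false in Jinja2, since a missing key yields Undefined, which is not `none`; the consuming templates must test truthiness (`{% if action_details and action_details['workflow'] %}`) rather than `is not none`. render_template continues outside the hunk.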

{{ stage_name }}

- {% for action_description, action_workflow in stage_actions%} + {% for action_description, action_workflow, action_details in stage_actions%}

{{ action_description }}

From 72f97ca627a7e24d81bca3082106511d6e24691a Mon Sep 17 00:00:00 2001 From: xofoloswki Date: Sat, 2 Oct 2021 08:45:49 +0200 Subject: [PATCH 08/10] renamed details->raEffect to raCoA --- response_actions/RA_1000_test.yml | 2 +- response_actions/respose_action.yml.template | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/response_actions/RA_1000_test.yml b/response_actions/RA_1000_test.yml index df529a55..2ca0a8ff 100644 --- a/response_actions/RA_1000_test.yml +++ b/response_actions/RA_1000_test.yml @@ -12,7 +12,7 @@ details: Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format. Here newlines will be saved. - raEffect: Disrupt + raCoA: Disrupt pot_business_impact: Very High activation_SLA: expected_coverage: diff --git a/response_actions/respose_action.yml.template b/response_actions/respose_action.yml.template index ea68e6eb..10344ba3 100644 --- a/response_actions/respose_action.yml.template +++ b/response_actions/respose_action.yml.template @@ -25,7 +25,7 @@ details: Description of the workflow in the [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) format. Here newlines will be saved. - raEffect: Detect | Disrupt | Deny | Degrade | Deceive + raCoA: Detect | Disrupt | Deny | Degrade | Deceive pot_business_impact: Very High | High | Medium | Low activation_SLA: expected_coverage: From 145423642767338e76393830049e90b384129d07 Mon Sep 17 00:00:00 2001 From: xofoloswki Date: Sat, 2 Oct 2021 08:46:11 +0200 Subject: [PATCH 09/10] added basic support for details --- scripts/templates/confluence_responseaction_template.html.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/templates/confluence_responseaction_template.html.j2 b/scripts/templates/confluence_responseaction_template.html.j2 index 4fd27cb9..62f54dc7 100755 --- a/scripts/templates/confluence_responseaction_template.html.j2 
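Review bot: Renaming `raEffect` to `raCoA` here and in RA_1000_test.yml is not carried through to the consumer: scripts/templates/markdown_responseaction_template.md.j2 from patch 01 still reads `details['raEffect']`, so after this commit the "RA Objective" row silently disappears from every generated RA page, with no error because that template guards on `is defined`. Update the `details['raEffect']` references in that template to `details['raCoA']` in the same commit, and consider a single schema check for `details` so a key rename fails loudly instead of dropping a row.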
+++ b/scripts/templates/confluence_responseaction_template.html.j2 @@ -89,11 +89,12 @@


-{% if workflow is defined and workflow|length %} +{% if (workflow is defined and workflow|length) or (details is defined and details['workflow'] is defined and details['workflow']|length) %}

Workflow


- + {% if workflow is defined %} {% endif %} + {% if details is defined %} {% endif %} {% else %} {% endif %} From 389238691d61414b2c79ffa78c0ed215405eab56 Mon Sep 17 00:00:00 2001 From: xofoloswki Date: Sat, 20 Nov 2021 14:09:16 +0100 Subject: [PATCH 10/10] fixed confluence rendering issue --- scripts/templates/confluence_responseaction_template.html.j2 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/scripts/templates/confluence_responseaction_template.html.j2 b/scripts/templates/confluence_responseaction_template.html.j2 index 62f54dc7..dc66446a 100755 --- a/scripts/templates/confluence_responseaction_template.html.j2 +++ b/scripts/templates/confluence_responseaction_template.html.j2 @@ -91,10 +91,9 @@ {% if (workflow is defined and workflow|length) or (details is defined and details['workflow'] is defined and details['workflow']|length) %}
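Review bot: Inside the new outer condition the inner guards `{% if workflow is defined %}` and `{% if details is defined %}` are weaker than what the outer test established: an RA carrying both a legacy `workflow` and a `details` block renders both, and an RA whose `details` lacks `workflow` still enters the second guard and emits an Undefined (empty) value. Mirror the precedence of the markdown template, `{% if workflow is defined and workflow|length %}` ... `{% elif details is defined and details['workflow'] is defined and details['workflow']|length %}`, so exactly one workflow is printed. The markup between the guards is stripped in this extract, so what wraps the value cannot be checked here.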

Workflow

-

- {% if workflow is defined %} {% endif %} - {% if details is defined %} {% endif %} + {% if workflow is defined %} {% endif %} + {% if details is defined %} {% endif %} {% else %} {% endif %}