rabobank-cdc/DeTTECT

Feature Request: Add actor procedure to group mapping, update overlay generation script to account for custom key-value pairs

tailsec opened this issue · 3 comments

Being able to overlay group mappings with Detection & Visibility layers is a core use case for me, and while it does work, the lack of detail that we can add to the group mappings - as well as the fact that it doesn't come through when generating the overlay JSON layer - severely hampers its utility.

Group Mapping

The information that can be recorded is limited to actor and campaign names, and specifying at a high level the software and ATT&CK techniques used.

This limits its use for answering Operational questions, e.g. "what Detections do we have for threat actor Y's TTPs?" We can show that we have detections, and even add some detail on the detection through the relevant layer - but we can't do the same for the actor. I can only show that they use - for example - the technique T1003.001, when I need to be able to specify that they dumped credentials from lsass using Mimikatz's sekurlsa:logonpasswords.

Perhaps adding a "Procedure" field to the group mapping layer will help address that?

Overlay generation

Currently, overlays only pull in key fields from the group mapping layer when generated - custom key-value fields that I've added don't appear in the resulting layer.

E.g., I've added this custom key-value pair through the Editor and saved the layer:
[screenshot]

The generated overlay doesn't display the custom key-value pair:
[screenshot]

It would be helpful if the relevant script could be updated to add custom key-value pairs when generating overlays, as that allows more flexibility in how this feature can be used.
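To make the request concrete, here is an added example of the kind of overlay generation it describes. This is not DeTTECT's own code and not code from the issue: it models a group mapping on the keys DeTTECT's group YAML already uses (`group_name`, `campaign`, `technique_id`, `software_id`, `enabled`), treats every other key as custom (the `procedure` and `source` keys below are hypothetical, as is the whole sample mapping), and writes the result in ATT&CK Navigator layer shape, where per-technique `metadata` is a list of `name`/`value` pairs. The detection scores are a constructed stand-in for what a technique administration layer would contribute.

```python
"""Added example (not DeTTECT's own code): carry custom key-value pairs from a
group mapping into the per-technique metadata of a generated overlay layer."""
import json

# Constructed sample group mapping, already parsed into Python structures.
# 'procedure' and 'source' are hypothetical custom keys of the kind the
# feature request asks to preserve.
GROUP_MAPPING = {
    "groups": [
        {
            "group_name": "Actor Y",
            "campaign": "constructed campaign",
            "technique_id": ["T1003.001", "T1059.001"],
            "software_id": ["S0002"],
            "enabled": True,
            "procedure": "Dumped credentials from lsass with Mimikatz sekurlsa::logonpasswords",
            "source": "internal report (constructed placeholder)",
        },
        {
            "group_name": "Disabled actor",
            "campaign": "ignored",
            "technique_id": ["T1003.001"],
            "software_id": [],
            "enabled": False,
            "procedure": "must not appear in the overlay",
        },
    ]
}

# Constructed detection coverage per technique ID (stand-in for the
# technique administration layer's contribution to the overlay).
DETECTION_SCORES = {"T1003.001": 3, "T1059.001": 1}

# Keys the group format already defines; anything else is a custom field.
KNOWN_GROUP_KEYS = {"group_name", "campaign", "technique_id", "software_id", "enabled"}


def custom_fields(group):
    """Return only the key-value pairs that are not part of the known schema."""
    return {k: v for k, v in group.items() if k not in KNOWN_GROUP_KEYS}


def build_overlay(mapping, detection_scores):
    """Produce a Navigator-style layer: one entry per technique, with the
    group's known and custom fields appended as metadata name/value pairs."""
    techniques = {}
    for group in mapping["groups"]:
        if not group.get("enabled", True):
            continue  # disabled groups are skipped, as in the group file semantics
        extra = custom_fields(group)
        for tid in group["technique_id"]:
            entry = techniques.setdefault(
                tid,
                {"techniqueID": tid, "score": detection_scores.get(tid, 0), "metadata": []},
            )
            entry["metadata"].append({"name": "group", "value": group["group_name"]})
            entry["metadata"].append({"name": "campaign", "value": group["campaign"]})
            # The custom pairs are prefixed with the group name so that several
            # groups sharing a technique stay distinguishable in the Navigator.
            for key, value in extra.items():
                entry["metadata"].append(
                    {"name": f"{group['group_name']}: {key}", "value": str(value)}
                )
    return {
        "name": "Group overlay with custom fields (constructed example)",
        "domain": "enterprise-attack",
        "techniques": sorted(techniques.values(), key=lambda t: t["techniqueID"]),
    }


def metadata_names(overlay, technique_id):
    """Helper for inspection: the metadata names attached to one technique."""
    for tech in overlay["techniques"]:
        if tech["techniqueID"] == technique_id:
            return [m["name"] for m in tech["metadata"]]
    return []


if __name__ == "__main__":
    print(json.dumps(build_overlay(GROUP_MAPPING, DETECTION_SCORES), indent=2))
```

The only design decision of note is that the custom pairs are copied verbatim into `metadata` rather than into the layer's `comment` field, so the Navigator shows them as separate labelled rows per technique and a reader can tell which group contributed which procedure text.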

That sounds like a good idea @tailsec! I will put it on our backlog.

If, for example, you were trying to map Detection/Visibility coverage of a Procedure captured in the Group layer, this would require the Procedure field to also be added to the Technique Administration layer, and the logic for the Overlay function to be tweaked, is that right?

Is it possible to re-write the overlay logic so that it can perform fuzzy matches, e.g. if the command line flags are in a different order in the Group layer as compared to the Technique Administration layer, or the command is typed in camel-case?

@tailsec

That would be a big challenge, to map procedure-level detections to procedure-level threat intel. Maybe AI will solve that issue sometime in the future. But until then, I think an analyst should look into the procedure level to check the coverage. A visual model can't fix that.