/sysdig_mitre_layer

Make a layer for Mitre Att&ck Navigator to highlight Sysdig Secure Rules

Primary language: Ruby

Sysdig Secure Mitre Att&ck Layer Generator

Overview

This project is a quick and sloppy script to generate a layer for the Mitre Att&ck Navigator. The idea is to take the rules you have in your Sysdig Secure instance and map them onto a mildly prepared layer so that they create an easy-to-explore Navigator experience. If there is a technique you're concerned about, you can see the Sysdig Secure rules that apply to it.

I'm Bored Already!

You have no patience? Don't care to generate your own? I've included a sample run in this repo. Go ahead and look in the example directory, take the file within and head on over to the Navigator.

Why?

Sysdig Secure has a lot of rules out of the box. Also, it is my hope you've added your own too! Sometimes you just want to know what your coverage is so you can plan. Knowing which portions of Att&ck are covered can help you decide which rules to include in the policies you're making to cover your infrastructure.

What it isn't

The resulting layer is not suggesting that you use every rule or that you even care about every technique. It also cannot tell you which of the techniques you have rules for are currently in use. You could be using the rules in multiple places based on the policies you've created. I suggest you use the Rules Library in the Sysdig Secure Console to examine a specific rule and see which policies it indicates being used in.

Can I map my custom rules?

Yeah! Why not?! Are they tagged the way I'm expecting? The tagging is very important to how this little tool works. The community standard for tagging these rules appears to be the following convention: MITRE_<technique ID>_<technique name>

Following this convention you should end up with tags that look like the following examples:

  • MITRE_T1021_remote_services
  • MITRE_T1059.004_unix_shell

What is important is the technique ID in the correct position. This is what the script relies on. Some rules may end up providing defense for multiple Att&ck techniques, and that's fine; just tag the rule once per technique. Be clear, intentional, and specific in how you do it. Clarity is key.

Usage

This script is going to use the listing of rules you pull from your Sysdig Secure console. This is done using the sdc-cli tool.

sdc-cli --json policy rule list > ~/rules.json

Once we have the rules in a JSON file, we need the empty layer file (in this repo). This "empty" layer file was generated by going to the Att&ck Navigator, selecting every technique and disabling it. As mentioned, I've done this part for you, and added some other metadata to the layer file too for presentation niceness.

The script uses positional arguments with no input checking (because lazy). The first argument is the JSON of rules generated from sdc-cli and the second argument is the empty layer file.

$ ruby sysdig_mitre.rb ../rules.json mitre_empty_layer.json
Selecting Mitre related rules from input
Adding Sysdig Secure rule data to the Mitre Att&ck layer
Wrote file sysdig_secure_layer_2022-06-23.json

Finally, head on over to the Mitre Att&ck Navigator and load it in. You will see the rules that apply to each technique listed in the comments on the technique.
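To make the tag convention and the layer merge concrete, here is an added example of the core logic (written for this README, not the repo's own sysdig_mitre.rb): it pulls technique IDs out of MITRE_<technique ID>_<technique name> tags, including sub-techniques like T1059.004, and writes the matching rule names into each technique's comment in an otherwise disabled layer. The rules JSON and layer are constructed inline, and the rule fields name and tags are assumed for illustration; real sdc-cli output and the real empty layer carry more fields.

```ruby
require 'json'

# Tag convention from this README: MITRE_<technique ID>_<technique name>.
# Technique IDs look like T1021 or T1059.004 (sub-technique).
TECHNIQUE_TAG = /\AMITRE_(T\d{4}(?:\.\d{3})?)_/

# Extract the technique IDs a rule is tagged with; non-MITRE tags are ignored.
def technique_ids(rule)
  Array(rule['tags']).filter_map { |t| t[TECHNIQUE_TAG, 1] }
end

# Group rule names by technique ID (a rule tagged twice lands under both).
def rules_by_technique(rules)
  rules.each_with_object(Hash.new { |h, k| h[k] = [] }) do |rule, map|
    technique_ids(rule).each { |id| map[id] << rule['name'] }
  end
end

# Enable each covered technique and list its rules in the comment; uncovered
# techniques keep whatever the "empty" layer says (disabled).
def apply_to_layer(layer, coverage)
  layer['techniques'].each do |tech|
    names = coverage[tech['techniqueID']]
    next if names.nil? || names.empty?
    tech['enabled'] = true
    tech['comment'] = names.sort.join("\n")
  end
  layer
end

# Constructed sample input (not real sdc-cli output or the repo's layer file).
SAMPLE_RULES = JSON.parse(<<~JSON)
  [
    {"name": "Launch Remote File Copy Tools", "tags": ["MITRE_T1021_remote_services", "host"]},
    {"name": "Terminal shell in container", "tags": ["MITRE_T1059.004_unix_shell", "container"]},
    {"name": "Untagged rule", "tags": ["compliance"]}
  ]
JSON
SAMPLE_LAYER = {
  'name' => 'Sysdig Secure rules',
  'techniques' => [
    { 'techniqueID' => 'T1021', 'enabled' => false },
    { 'techniqueID' => 'T1059.004', 'enabled' => false },
    { 'techniqueID' => 'T1003', 'enabled' => false }
  ]
}

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(apply_to_layer(SAMPLE_LAYER, rules_by_technique(SAMPLE_RULES)))
end
```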

Have Fun