From a03c98bd398bb9a41c0a1517ab7e552fcc06f07f Mon Sep 17 00:00:00 2001
From: Ben Airey
Date: Thu, 19 Sep 2024 12:57:24 -0500
Subject: [PATCH 1/4] add format checker script and update makefile

---
 .scripts/mitre_mapping_check.py | 57 +++++++++++++++++++++++++++++++++
 Makefile | 5 ++-
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 .scripts/mitre_mapping_check.py

diff --git a/.scripts/mitre_mapping_check.py b/.scripts/mitre_mapping_check.py
new file mode 100644
index 000000000..d856ec7a7
--- /dev/null
+++ b/.scripts/mitre_mapping_check.py
@@ -0,0 +1,57 @@
+""" This script checks all the MITRE Mappings in the Reports section of each analysis item to
+ensure they follow the formal TAXXXX:TXXXX. If MITRE mappings aren't in this format, they don't
+display properly in Panther's UI. """
+
+import re
+import sys
+from pathlib import Path
+
+from panther_analysis_tool.analysis_utils import load_analysis_specs
+
+# All MITRE Tags must match this regex pattern
+MITRE_PATTERN = re.compile("^TA\d+\:T\d+(\.\d+)?$")
+
+def main(path: Path) -> bool:
+    # Load Repo
+    analysis_items = load_analysis_specs([path], ignore_files=[])
+
+    items_with_invalid_mappings = [] # Record all items with bad tags
+    for analysis_item in analysis_items:
+        rel_path = analysis_item[0] # Relative path to YAML file
+        spec = analysis_item[2] # YAML spec as a dict
+
+        bad_tags = [] # Record the invalid tags for this analysis item
+        if reports := spec.get("Reports"):
+            if mitre := reports.get("MITRE ATT&CK"):
+                for mapping in mitre:
+                    if not MITRE_PATTERN.match(mapping):
+                        bad_tags.append(mapping)
+
+        if bad_tags:
+            items_with_invalid_mappings.append({
+                "rel_path": rel_path,
+                "bad_tags": bad_tags
+            })
+
+    if items_with_invalid_mappings:
+        print("❌ Some items had invalid MITRE mapping formats:")
+        print()
+        for invalid_item in items_with_invalid_mappings:
+            print(invalid_item.get("rel_path", ""))
+            for bad_tag in invalid_item.get("bad_tags", []):
+                print("\t" + bad_tag)
+            print()
+
+        print(("To ensure that your MITRE mappings are correctly displayed in the Panther "
+               "console, make sure your MITRE mappings are formatted like 'TA0000:T0000'."))
+    else:
+        print("✅ No invalid MITRE mappings found! You're in the clear! 👍")
+
+    return bool(items_with_invalid_mappings)
+
+if __name__ == "__main__":
+    path = Path.cwd() # Default to current directory
+    if len(sys.argv) > 1:
+        path = Path(sys.argv[1])
+    if main(path):
+        exit(1) # Exit with error if issues were found
\ No newline at end of file
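Review bot: `MITRE_PATTERN = re.compile("^TA\d+\:T\d+(\.\d+)?$")` is a non-raw string, so `\d` and `\:` are invalid escape sequences (a SyntaxWarning on Python 3.12), and `$` also matches before a trailing newline, so a value that ends in a newline (e.g. from a YAML block scalar) could pass the check; prefer `MITRE_PATTERN = re.compile(r"^TA\d+:T\d+(\.\d+)?$")` together with `if not MITRE_PATTERN.fullmatch(mapping):`. In the `__main__` block, `exit(1)` is the `site`-module convenience name rather than the language builtin; `sys` is already imported, so `sys.exit(1)` is the portable spelling. `MITRE_PATTERN.match(mapping)` raises TypeError if an entry in the list is not a string (a bare number in the YAML, for instance), which would surface as a traceback instead of a reported bad tag — presumably rare, but wrapping the value in `str()` or checking `isinstance(mapping, str)` first keeps the report readable. The module docstring says "follow the formal TAXXXX:TXXXX"; that should read "format".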
diff --git a/Makefile b/Makefile
index 8cf5815a1..4f22ed844 100644
--- a/Makefile
+++ b/Makefile
@@ -32,7 +32,7 @@ deps-update:
 global-helpers-unit-test:
 	pipenv run python -m unittest global_helpers/*_test.py
 
-lint: lint-pylint lint-fmt
+lint: lint-pylint lint-fmt lint-misc
 
 lint-pylint:
 	pipenv run bandit -r $(dirs)
@@ -43,6 +43,9 @@ lint-fmt:
 	@echo Checking python file formatting with the black code style checker
 	pipenv run black --line-length=100 --check $(dirs)
 
+lint-misc:
+	pipenv run python3 ./.scripts/mitre_mapping_check.py
+
 venv:
 	pipenv sync --dev
 
From d24efac4708d5c3eb90afbcfc4e27639f07ebb45 Mon Sep 17 00:00:00 2001
From: Ben Airey
Date: Tue, 24 Sep 2024 13:49:39 -0500
Subject: [PATCH 2/4] remove mitre check from make lint

Removed the mitre check from `make lint` command and added a separate make target, `make lint-mitre`.
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 4f22ed844..08377a946 100644
--- a/Makefile
+++ b/Makefile
@@ -32,7 +32,7 @@ deps-update:
 global-helpers-unit-test:
 	pipenv run python -m unittest global_helpers/*_test.py
 
-lint: lint-pylint lint-fmt lint-misc
+lint: lint-pylint lint-fmt
 
 lint-pylint:
 	pipenv run bandit -r $(dirs)
@@ -43,7 +43,7 @@ lint-fmt:
 	@echo Checking python file formatting with the black code style checker
 	pipenv run black --line-length=100 --check $(dirs)
 
-lint-misc:
+lint-mitre:
 	pipenv run python3 ./.scripts/mitre_mapping_check.py
 
 venv:
From f7539d3f53383147c7367aaa2c139e25d76f4138 Mon Sep 17 00:00:00 2001
From: Ben Airey
Date: Tue, 24 Sep 2024 13:49:59 -0500
Subject: [PATCH 3/4] add github action to check mitre fomat on PR

---
 .github/workflows/check-mitre.yml | 37 +++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/check-mitre.yml

diff --git a/.github/workflows/check-mitre.yml b/.github/workflows/check-mitre.yml
new file mode 100644
index 000000000..945312b07
--- /dev/null
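Review bot: The new `lint-misc` recipe in the `@@ -43,6 +43,9 @@` hunk invokes `pipenv run python3`, while the sibling recipe visible in the first hunk's context (`global-helpers-unit-test`) uses `pipenv run python`; inside the pipenv environment both names resolve to the same interpreter, so for consistency `pipenv run python ./.scripts/mitre_mapping_check.py`. The neighbouring `lint-fmt` target also announces what it checks with an `@echo` line before its command; the new target could do the same, e.g. `@echo Checking MITRE ATT&CK mapping format`. The second patch in this series renames the target to `lint-mitre` without changing the recipe, so both points carry over to that version.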
+++ b/.github/workflows/check-mitre.yml
@@ -0,0 +1,37 @@
+on:
+  pull_request:
+
+  permissions:
+    contents: read
+
+  jobs:
+    lint:
+      name: Check MITRE Mappings
+      runs-on: ubuntu-latest
+
+      steps:
+        - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+          with:
+            disable-sudo: true
+            egress-policy: block
+            allowed-endpoints: >
+              files.pythonhosted.org:443
+              github.com:443
+              pypi.org:443
+        - name: Checkout panther-analysis
+          uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+        - name: Set python version
+          uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+          with:
+            python-version: "3.11"
+
+        - name: Install pipenv
+          run: pip install pipenv
+
+        - name: Setup venv
+          run: make venv
+
+        - name: make lint-mitre
+          run: make lint-mitre
+ 
\ No newline at end of file
From 82b86798caad9120901fe523c1c642b2c9f7f14d Mon Sep 17 00:00:00 2001
From: Ben Airey
Date: Tue, 24 Sep 2024 13:53:02 -0500
Subject: [PATCH 4/4] fix yaml formatting issues

---
 .github/workflows/check-mitre.yml | 67 +++++++++++++++----------------
 1 file changed, 33 insertions(+), 34 deletions(-)

diff --git a/.github/workflows/check-mitre.yml b/.github/workflows/check-mitre.yml
index 945312b07..0da059229 100644
--- a/.github/workflows/check-mitre.yml
+++ b/.github/workflows/check-mitre.yml
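Review bot: `run: pip install pipenv` pulls whatever pipenv release PyPI serves at run time, which makes it the one unpinned link in an otherwise pinned chain — the actions are pinned to commit SHAs and `make venv` runs `pipenv sync --dev` against the lockfile — so the job's toolchain is not reproducible and a compromised or broken pipenv release would land in CI unreviewed. Pin it, e.g. `run: pip install pipenv==<version>` (or a hash-checked requirements file), and bump it deliberately like the action SHAs. The harden-runner allow-list of github.com, pypi.org and files.pythonhosted.org is consistent with what checkout, pip and pipenv need, so the pin should not require any egress change. The last patch in this series re-indents this file; the point applies to that version as well.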
@@ -1,37 +1,36 @@
 on:
   pull_request:
 
-  permissions:
-    contents: read
-
-  jobs:
-    lint:
-      name: Check MITRE Mappings
-      runs-on: ubuntu-latest
-
-      steps:
-        - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-          with:
-            disable-sudo: true
-            egress-policy: block
-            allowed-endpoints: >
-              files.pythonhosted.org:443
-              github.com:443
-              pypi.org:443
-        - name: Checkout panther-analysis
-          uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
-
-        - name: Set python version
-          uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
-          with:
-            python-version: "3.11"
-
-        - name: Install pipenv
-          run: pip install pipenv
-
-        - name: Setup venv
-          run: make venv
-
-        - name: make lint-mitre
-          run: make lint-mitre
- 
\ No newline at end of file
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Check MITRE Mappings
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+      - name: Checkout panther-analysis
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+      - name: Set python version
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        with:
+          python-version: "3.11"
+
+      - name: Install pipenv
+        run: pip install pipenv
+
+      - name: Setup venv
+        run: make venv
+
+      - name: make lint-mitre
+        run: make lint-mitre