panther-labs · le4ker · Oct 1, 2024 · Sep 25, 2024 · Sep 25, 2024 · Sep 25, 2024
@@ -0,0 +1,36 @@
+on:
+    pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Check MITRE Mappings
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+      - name: Checkout panther-analysis
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
+
+      - name: Set python version
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        with:
+          python-version: "3.11"
+
+      - name: Install pipenv
+        run: pip install pipenv
+
+      - name: Setup venv
+        run: make venv
+
+      - name: make lint-mitre
+        run: make lint-mitre
@@ -22,7 +22,7 @@ jobs:
             pypi.org:443
 
       - name: Checkout panther-analysis
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
 
       - name: Set python version
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
@@ -64,4 +64,4 @@ jobs:
             ```diff
             ${{ steps.check-packs.outputs.errors }}
             ```
-          comment_tag: check-packs
+          comment_tag: check-packs
@@ -27,7 +27,7 @@ jobs:
             registry-1.docker.io:443
             www.python.org:443
       - name: Checkout panther-analysis
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
       - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
       - name: Set up Docker Buildx
         id: buildx

@@ -19,7 +19,7 @@ jobs:
             github.com:443
             pypi.org:443
       - name: Checkout panther-analysis
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
 
       - name: Set python version
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0

@@ -18,7 +18,7 @@ jobs:
       - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
         with:
           fetch-depth: 0
           token: ${{ env.GITHUB_TOKEN }}

@@ -37,7 +37,7 @@ jobs:
           branch: "sync_upstream_${{steps.set_upstream.outputs.latest-release}}"
       # Checkout this repo into the branch
       - name: Checkout your local repo in PR branch
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
         with:
           ref: "sync_upstream_${{steps.set_upstream.outputs.latest-release}}"
           token: ${{ secrets.GITHUB_TOKEN }}

@@ -8,19 +8,23 @@ jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
-
+    env:
+      API_HOST: ${{ secrets.API_HOST }}
+      API_TOKEN: ${{ secrets.API_TOKEN }}
     steps:
       - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            files.pythonhosted.org:443
-            github.com:443
-            ipinfo.io:443
-            pypi.org:443
+          egress-policy: audit
+
+      - name: Validate Secrets
+        if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }}
+        run: |
+          echo "API_HOST or API_TOKEN not set"
+          exit 0
+
       - name: Checkout panther-analysis
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
 
       - name: Set python version
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
@@ -35,4 +39,4 @@ jobs:
 
       - name: test
         run: |
-          pipenv run panther_analysis_tool test
+          pipenv run panther_analysis_tool test --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }}
@@ -25,7 +25,7 @@ jobs:
           exit 0
 
       - name: Checkout panther-analysis
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
 
       - name: Set python version
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0

@@ -24,7 +24,7 @@ jobs:
           exit 0
 
       - name: Checkout panther-analysis
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
 
       - name: Set python version
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0

@@ -0,0 +1,57 @@
+""" This script checks all the MITRE Mappings in the Reports section of each analysis item to
+ensure they follow the formal TAXXXX:TXXXX. If MITRE mappings aren't in this format, they don't
+display properly in Panther's UI. """
+
+import re
+import sys
+from pathlib import Path
+
+from panther_analysis_tool.analysis_utils import load_analysis_specs
+
+# All MITRE Tags must match this regex pattern
+MITRE_PATTERN = re.compile("^TA\d+\:T\d+(\.\d+)?$")
+
+def main(path: Path) -> bool:
+    # Load Repo
+    analysis_items = load_analysis_specs([path], ignore_files=[])
+
+    items_with_invalid_mappings = [] # Record all items with bad tags
+    for analysis_item in analysis_items:
+        rel_path = analysis_item[0] # Relative path to YAML file
+        spec = analysis_item[2] # YAML spec as a dict
+
+        bad_tags = [] # Record the invalid tags for this analysis item
+        if reports := spec.get("Reports"):
+            if mitre := reports.get("MITRE ATT&CK"):
+                for mapping in mitre:
+                    if not MITRE_PATTERN.match(mapping):
+                        bad_tags.append(mapping)
+
+        if bad_tags:
+            items_with_invalid_mappings.append({
+                "rel_path": rel_path,
+                "bad_tags": bad_tags
+            })
+
+    if items_with_invalid_mappings:
+        print("❌ Some items had invalid MITRE mapping formats:")
+        print()
+        for invalid_item in items_with_invalid_mappings:
+            print(invalid_item.get("rel_path", "<UNKNOWN PATH>"))
+            for bad_tag in invalid_item.get("bad_tags", []):
+                print("\t" + bad_tag)
+            print()
+
+        print(("To ensure that your MITRE mappings are correctly displayed in the Panther "
+               "console, make sure your MITRE mappings are formatted like 'TA0000:T0000'."))
+    else:
+        print("✅ No invalid MITRE mappings found! You're in the clear! 👍")
+
+    return bool(items_with_invalid_mappings)
+
+if __name__ == "__main__":
+    path = Path.cwd() # Default to current directory
+    if len(sys.argv) > 1:
+        path = Path(sys.argv[1])
+    if main(path):
+        exit(1) # Exit with error if issues were found
@@ -43,6 +43,9 @@ lint-fmt:
 	@echo Checking python file formatting with the black code style checker
 	pipenv run black --line-length=100 --check $(dirs)
 
+lint-mitre:
+	pipenv run python3 ./.scripts/mitre_mapping_check.py
+
 venv:
 	pipenv sync --dev
 

@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.52.2"
+panther-analysis-tool = "~=0.53.0"
 panther-detection-helpers = "==0.4.0"
 
 [requires]