in detection_rules/attack.py [0:0]
def build_threat_map_entry(tactic: str, *technique_ids: str) -> dict:
"""Build rule threat map from technique IDs."""
techniques_redirect_map = load_techniques_redirect()
url_base = 'https://attack.mitre.org/{type}/{id}/'
tactic_id = tactics_map[tactic]
tech_entries = {}
def make_entry(_id):
e = {
'id': _id,
'name': technique_lookup[_id]['name'],
'reference': url_base.format(type='techniques', id=_id.replace('.', '/'))
}
return e
for tid in technique_ids:
# fail if deprecated or else convert if it has been replaced
if tid in deprecated:
raise ValueError(f'Technique ID: {tid} has been deprecated and should not be used')
elif tid in techniques_redirect_map:
tid = techniques_redirect_map[tid]
if tid not in matrix[tactic]:
raise ValueError(f'Technique ID: {tid} does not fall under tactic: {tactic}')
# sub-techniques
if '.' in tid:
parent_technique, _ = tid.split('.', 1)
tech_entries.setdefault(parent_technique, make_entry(parent_technique))
tech_entries[parent_technique].setdefault('subtechnique', []).append(make_entry(tid))
else:
tech_entries.setdefault(tid, make_entry(tid))
entry = {
'framework': 'MITRE ATT&CK',
'tactic': {
'id': tactic_id,
'name': tactic,
'reference': url_base.format(type='tactics', id=tactic_id)
}
}
if tech_entries:
entry['technique'] = sorted(tech_entries.values(), key=lambda x: x['id'])
return entry