Description
Being able to overlay group mappings with Detection & Visibility layers is a core use case for me, and while it does work, the lack of detail that we can add to the group mappings - as well as the fact it doesn't come through when generating the overlay json layer - severely hampers its utility.
Group Mapping
The information that can be recorded is limited to actor and campaign names, and specifying at a high level the software and ATT&CK techniques used.
This limits its use for answering operational questions, e.g. "what detections do we have for threat actor Y's TTPs?" We can show that we have detections, and even add some detail on the detection through the relevant layer - but we can't do the same for the actor. I can only show that they use - for example - the technique T1003.001, when I need to be able to specify that they dumped credentials from lsass using Mimikatz's sekurlsa::logonpasswords.
Perhaps adding a "Procedure" field to the group mapping layer will help address that?
Overlay generation
Currently overlays only pull in key fields from the group mapping layer when generated - custom key value fields that I've added don't appear in the resulting layer.
e.g. I've added this custom key-value pair through the Editor and saved the layer:

The generated overlay doesn't display the custom key-value pair:

It would be helpful if the relevant script could be updated to add custom key-value pairs when generating overlays, as that allows more flexibility in how this feature can be used.