
Feature Request: Add actor procedure to group mapping, update overlay generation script to account for custom key-value pairs #91

@tailsec

Description


Being able to overlay group mappings with Detection & Visibility layers is a core use case for me, and while it does work, the lack of detail that we can add to the group mappings - as well as the fact it doesn't come through when generating the overlay json layer - severely hampers its utility.

Group Mapping

The information that can be recorded is limited to actor and campaign names, and specifying at a high level the software and ATT&CK techniques used.

This limits its use for answering operational questions, e.g. "what detections do we have for threat actor Y's TTPs?" We can show that we have detections, and even add some detail on the detection through the relevant layer - but we can't do the same for the actor. I can only show that they use - for example - the technique T1003.001, when I need to be able to specify that they dumped credentials from lsass using Mimikatz's sekurlsa:logonpasswords.

Perhaps adding a "Procedure" field to the group mapping layer will help address that?

Overlay generation

Currently overlays only pull in key fields from the group mapping layer when generated - custom key value fields that I've added don't appear in the resulting layer.

e.g. I've added this custom key-value pair through the Editor and saved the layer:
[image]

The generated overlay doesn't display the custom key-value pair:
[image]

It would be helpful if the relevant script could be updated to add custom key-value pairs when generating overlays, as that allows more flexibility in how this feature can be used.
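The behaviour described above (the generator copying a few known fields and dropping everything else) can be illustrated with a small merge routine. This is an added example, not the project's overlay script: it assumes both layers are ATT&CK Navigator layer JSON with a per-technique `metadata` list of `{"name", "value"}` pairs, and the key names, the `STANDARD_KEYS` set, the file-free sample layers and the `Procedure` entry are all constructed for the demonstration.

```python
"""Carry custom key-value pairs from a group-mapping layer into a generated overlay.

Added example (hypothetical script). Assumes the ATT&CK Navigator layer format,
where each technique entry may carry a "metadata" list of {"name", "value"} pairs.
"""
import json
from copy import deepcopy

# Constructed group-mapping layer: one technique carries a "Procedure" entry and a
# custom "Source" pair added through an editor (key names are assumptions).
GROUP_LAYER = {
    "name": "group-mapping-example",
    "domain": "enterprise-attack",
    "techniques": [
        {
            "techniqueID": "T1003.001",
            "score": 1,
            "comment": "Actor Y",
            "metadata": [
                {"name": "Actors", "value": "Actor Y"},
                {"name": "Procedure", "value": "constructed procedure text"},
                {"name": "Source", "value": "internal report 42 (constructed)"},
            ],
        },
        {
            "techniqueID": "T1059.001",
            "score": 1,
            "comment": "Actor Y",
            "metadata": [{"name": "Actors", "value": "Actor Y"}],
        },
    ],
}

# Constructed detection layer: which of those techniques have detection coverage.
DETECTION_LAYER = {
    "name": "detection-example",
    "domain": "enterprise-attack",
    "techniques": [
        {
            "techniqueID": "T1003.001",
            "score": 3,
            "metadata": [{"name": "Detection", "value": "LSASS access rule"}],
        },
    ],
}

# Keys a generator that only copies "known" fields would keep; anything else is custom.
STANDARD_KEYS = {"Actors", "Campaigns", "Software"}


def _metadata_dict(entry):
    """Flatten a technique's metadata list into a name -> value dict."""
    return {m["name"]: m["value"] for m in entry.get("metadata", [])}


def build_overlay(group_layer, detection_layer, keep_custom=True):
    """Annotate every group technique with its detection score.

    keep_custom=False reproduces the behaviour the issue reports (custom pairs
    dropped); keep_custom=True carries every group-layer pair into the overlay.
    """
    detections = {t["techniqueID"]: t for t in detection_layer["techniques"]}
    overlay = {
        "name": f"overlay: {group_layer['name']} x {detection_layer['name']}",
        "domain": group_layer["domain"],
        "techniques": [],
    }
    for tech in group_layer["techniques"]:
        tid = tech["techniqueID"]
        det = detections.get(tid)
        det_score = det["score"] if det else 0
        merged = [
            {"name": k, "value": v}
            for k, v in _metadata_dict(tech).items()
            if keep_custom or k in STANDARD_KEYS
        ]
        merged.append({"name": "Detection score", "value": str(det_score)})
        if det:
            # Keep the detection layer's own annotations alongside the actor context.
            merged.extend(deepcopy(det.get("metadata", [])))
        overlay["techniques"].append(
            {"techniqueID": tid, "score": det_score,
             "comment": tech.get("comment", ""), "metadata": merged}
        )
    return overlay


def overlay_metadata(overlay, technique_id):
    """Return the merged metadata for one technique in the overlay (empty if absent)."""
    for t in overlay["techniques"]:
        if t["techniqueID"] == technique_id:
            return _metadata_dict(t)
    return {}


if __name__ == "__main__":
    print(json.dumps(build_overlay(GROUP_LAYER, DETECTION_LAYER), indent=2))
```

Running the block with `keep_custom=False` shows the overlay the issue complains about: only `Actors` and the detection score survive for T1003.001. With the default `keep_custom=True` the `Procedure` and `Source` pairs ride along, so the overlay can answer "which detection covers this actor's procedure" without going back to the group-mapping layer.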

Metadata


Labels: enhancement (New feature or request)
