Put sub-techniques in a separate field

SEKOIA-IO · Dec 9, 2024 · b4aca59 · b4aca59
1 parent b7f9880
commit b4aca59
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 8 deletions.
diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
@@ -70,4 +70,16 @@ stages:
           process.hash.sha256: "{{parsed_event.message.details.ObjectFileHashSha256}}"
 
           threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
-          threat.technique.id: "{{parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = [])}}"
+          threat.technique.id: >
+            [
+            {%- for subtechnique_id in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%}
+              {%- if "." not in subtechnique_id -%}'{{ subtechnique_id }}',{%- endif -%}
+            {%- endfor -%}
+            ]
+
+          threat.technique.subtechnique.id: >
+            [
+            {%- for subtechnique_id in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%}
+              {%- if "." in subtechnique_id -%}'{{ subtechnique_id }}',{%- endif -%}
+            {%- endfor -%}
+            ]
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json
@@ -41,9 +41,12 @@
         ]
       },
       "technique": {
-        "id": [
-          "T1560.002"
-        ]
+        "id": [],
+        "subtechnique": {
+          "id": [
+            "T1560.002"
+          ]
+        }
       }
     }
   }

diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json
@@ -43,7 +43,10 @@
       "technique": {
         "id": [
           "T1082"
-        ]
+        ],
+        "subtechnique": {
+          "id": []
+        }
       }
     }
   }

diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json
@@ -44,9 +44,13 @@
       "technique": {
         "id": [
           "T1005",
-          "T1070",
-          "T1070.006"
-        ]
+          "T1070"
+        ],
+        "subtechnique": {
+          "id": [
+            "T1070.006"
+          ]
+        }
       }
     }
   }
-Original file line number
+Diff line change
@@ Expand Up / @@ -43,7 +43,10 @@ @@
           "technique": {
             "id": [
               "T1082"
-            ]
+            ],
+            "subtechnique": {
+              "id": []
+            }
           }
         }
       }
@@ Expand Down @@