Aurora-Incident-Response
Type column is limited and might work better if mapped to Mitre
Currently the "Type" column on the timeline is very limiting. I suggest 2 possible improvements:
- The values in the type column are customizable, with a separate config file that could be edited to allow this.
- The "Type" column be renamed to "Technique" and the selection matching Mitre with these options:
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
A second column could then be added called "ID", the selection in this dropdown would be dependent on what had been selected for the technique, for example if "Initial Access" had been selected in the Technique column, then the list of IDs from here: https://attack.mitre.org/tactics/TA0001/ would be available in the ID column.
Mitre doesn't change that often but an API connection to the attack matrix would be best for keeping these up to date (I don't know if they offer that). Either that or maintained by the devoted Aurora community :-)
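The tactic/ID model proposed above, as an added example that is not part of the original issue or of Aurora's own code. It builds the dependent dropdown from the ATT&CK STIX 2.x bundle MITRE publishes at https://github.com/mitre/cti (the data behind attack.mitre.org, and the closest thing to the "API connection" asked about), using the bundle's own object shapes (`x-mitre-tactic`, `attack-pattern`, `kill_chain_phases`, `external_references`). The bundle excerpt is a constructed inline subset so the code runs offline, and it also merges a user-editable config of extra non-ATT&CK types to cover the first suggestion. `USER_CONFIG`, `extraTypes`, the placeholder revoked entry `T0000` and all function names are assumptions for illustration.

```javascript
// Added example (not Aurora code): a "Technique" (tactic) column with a dependent
// "ID" column, built from an ATT&CK STIX 2.x bundle plus a user-editable config.
// Object shapes follow the public mitre/cti enterprise-attack.json; the excerpt
// below is constructed inline (real tactic/technique IDs, plus one placeholder
// revoked entry, T0000, to exercise the filter) so this runs offline.
const ATTACK_BUNDLE = {
  type: "bundle",
  objects: [
    { type: "x-mitre-tactic", name: "Initial Access", x_mitre_shortname: "initial-access",
      external_references: [{ source_name: "mitre-attack", external_id: "TA0001" }] },
    { type: "x-mitre-tactic", name: "Execution", x_mitre_shortname: "execution",
      external_references: [{ source_name: "mitre-attack", external_id: "TA0002" }] },
    { type: "x-mitre-tactic", name: "Persistence", x_mitre_shortname: "persistence",
      external_references: [{ source_name: "mitre-attack", external_id: "TA0003" }] },
    { type: "attack-pattern", name: "Phishing",
      external_references: [{ source_name: "mitre-attack", external_id: "T1566" }],
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "initial-access" }] },
    { type: "attack-pattern", name: "Spearphishing Attachment", x_mitre_is_subtechnique: true,
      external_references: [{ source_name: "mitre-attack", external_id: "T1566.001" }],
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "initial-access" }] },
    { type: "attack-pattern", name: "Valid Accounts", // one technique, several tactics
      external_references: [{ source_name: "mitre-attack", external_id: "T1078" }],
      kill_chain_phases: [
        { kill_chain_name: "mitre-attack", phase_name: "initial-access" },
        { kill_chain_name: "mitre-attack", phase_name: "persistence" },
      ] },
    { type: "attack-pattern", name: "Command and Scripting Interpreter",
      external_references: [{ source_name: "mitre-attack", external_id: "T1059" }],
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "execution" }] },
    { type: "attack-pattern", name: "Revoked placeholder (constructed)", revoked: true,
      external_references: [{ source_name: "mitre-attack", external_id: "T0000" }],
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "execution" }] },
  ],
};

// Assumed shape of the user-editable config file (constructed): extra row types
// with no ATT&CK mapping, so the column can stay free-form where an event is not
// adversary activity at all.
const USER_CONFIG = { extraTypes: ["Legitimate Activity", "Unknown"] };

// The ATT&CK ID (TAxxxx / Txxxx[.yyy]) lives in the mitre-attack external reference.
function attackId(obj) {
  const ref = (obj.external_references || []).find((r) => r.source_name === "mitre-attack");
  return ref ? ref.external_id : null;
}

// Build tactic shortname -> { id, name, techniques[] }. Revoked or deprecated
// patterns are skipped, as are kill-chain phases from other frameworks.
function buildTacticIndex(bundle) {
  const tactics = new Map();
  for (const o of bundle.objects) {
    if (o.type === "x-mitre-tactic") {
      tactics.set(o.x_mitre_shortname, { id: attackId(o), name: o.name, techniques: [] });
    }
  }
  for (const o of bundle.objects) {
    if (o.type !== "attack-pattern" || o.revoked || o.x_mitre_deprecated) continue;
    const id = attackId(o);
    if (!id) continue;
    for (const phase of o.kill_chain_phases || []) {
      if (phase.kill_chain_name !== "mitre-attack") continue;
      const tactic = tactics.get(phase.phase_name);
      if (tactic) tactic.techniques.push({ id, name: o.name });
    }
  }
  for (const t of tactics.values()) {
    t.techniques.sort((a, b) => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0));
  }
  return tactics;
}

// First dropdown: ATT&CK tactic names in bundle order, then user-defined extras.
function tacticOptions(index, userConfig) {
  const names = [...index.values()].map((t) => t.name);
  const extras = (userConfig.extraTypes || []).filter((n) => !names.includes(n));
  return names.concat(extras);
}

// Dependent second dropdown: technique IDs mapped to the chosen tactic.
// User-defined types and unknown names yield an empty list.
function techniqueOptions(index, tacticName) {
  for (const t of index.values()) {
    if (t.name === tacticName) return t.techniques.map((x) => x.id);
  }
  return [];
}

// Validate a timeline row: an ID is only accepted under a tactic it is mapped to,
// which catches a stale ID left behind when the tactic cell is changed later.
function validateRow(index, row) {
  if (!row.id) return true; // blank ID is fine for custom types
  return techniqueOptions(index, row.tactic).includes(row.id);
}

const demoIndex = buildTacticIndex(ATTACK_BUNDLE);
console.log(tacticOptions(demoIndex, USER_CONFIG));
console.log(techniqueOptions(demoIndex, "Initial Access"));
console.log(validateRow(demoIndex, { tactic: "Execution", id: "T1566" }));
```

The real bundle can be dropped in unchanged in place of `ATTACK_BUNDLE`; keeping the merge of user-defined types separate from the ATT&CK-derived lists means a bundle refresh never overwrites local customisations, and `validateRow` is worth running on import of an existing timeline, not only in the dropdown handler.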
That makes sense but needs some reworking. I think the best way to go is to allow the user to edit the options available in these dropdowns. I'll come up with something