
Predefined labels import

Open rushattac opened this issue 3 years ago • 10 comments

Describe the solution you'd like
It would be nice if there were a way to add a label on specific events with MITRE ATT&CK technique/sub-technique IDs through a drop-down list.

data source: https://github.com/mitre/cti/blob/master/enterprise-attack/enterprise-attack.json

Additional context
A rough estimate of what the feature would look like (screenshot: MITRE_Attack_label).

rushattac avatar Jun 23 '21 09:06 rushattac

@rushattac can you explain your use case here? And maybe answer why this threat-model, why not another one? How is this going to help an analyst? What about non-intrusion investigations?

joachimmetz avatar Jun 23 '21 09:06 joachimmetz

Find below the answers to your questions:

can you explain your use case here? In my case, during the investigation of an intrusion, tagging events that could be mapped to the MITRE ATT&CK threat model will assist other analysts working the same sketch to understand the context of a tagged event faster.

And maybe answer why this threat-model, why not another one? I haven't looked at alternative threat models, but this one is granular and very well documented.

How is this going to help an analyst? Adding the ability to tag events with the MITRE ATT&CK threat model can assist other analysts working the same sketch to understand faster why a specific event has a star (comments could be used, but this is a more standardized approach). It also helps track which stage an intruder has reached in the attack life cycle on a specific timeline or generally in a sketch.

What about non-intrusion investigations? Correct, this feature request only accounts for intrusion investigations.

rushattac avatar Jun 23 '21 10:06 rushattac

So in essence your request is to be able to provide more context on why an event is starred?

joachimmetz avatar Jun 23 '21 10:06 joachimmetz

Yes, and this context also helps down the road when reporting.

rushattac avatar Jun 23 '21 10:06 rushattac

So from a tooling perspective, and to not enforce your specific workflow/framework onto others: what you want/need is a means to add custom information? Does this need to be structured information? How do you plan to integrate with reporting?

Adding the ability to tag events with the MITRE ATT&CK threat model can assist other analysts working the same sketch to understand faster why a specific event has a star (comments could be used, but this is a more standardized approach).

The downside is that this can also lead to tunnel vision, over-reliance on this, or any other, framework. Take it from me, attackers don't think in terms of such frameworks.

joachimmetz avatar Jun 23 '21 11:06 joachimmetz

Could you please elaborate more on what you mean by custom information? If I understand you correctly, the feature should offer more flexibility for others to use whatever framework or predefined labels they want. So the feature would be more like the existing label creator, but with the added ability to add a custom labels file that gets imported every time a new sketch is created and allows for searching and selecting any of the predefined labels.

How do you plan to integrate with reporting? An example of how this could help in reporting is to map the events tagged with the MITRE framework with associated mitigation steps and include them in the report.

rushattac avatar Jun 23 '21 12:06 rushattac

Could you please elaborate more on what you mean by custom information?

The ability to add the additional information that is useful for your use case/workflow.

If I understand you correctly, the feature should offer more flexibility for others to use whatever framework or predefined labels they want. So the feature would be more like the existing label creator, but with the added ability to add a custom labels file that gets imported every time a new sketch is created and allows for searching and selecting any of the predefined labels.

Correct. I would recommend making the functionality more generic, less tailored to one specific option.

An example of how this could help in reporting is to map the events tagged with the MITRE framework with associated mitigation steps and include them in the report.

As in manual copy/pasting of the information, not as in automated integration with other tooling?

joachimmetz avatar Jun 23 '21 12:06 joachimmetz

I agree, thanks for pointing this out; this will make it more versatile.

Maybe something along the lines of the screenshot below (Labels_Import): a searchable drop-down list in the labels tab that could be populated from a file under /data called labels.yaml or something.

As in manual copy/pasting of the information, not as in automated integration with other tooling?

I'm thinking of two approaches: maybe a Python script that, while restructuring the exported data of interest from Timesketch, enriches those events with the mitigation steps acquired from MITRE based on the associated IDs, or an Excel macro that resolves IDs to mitigations and adds them in another column. Then it could be copied to the report if appropriate.

rushattac avatar Jun 23 '21 12:06 rushattac
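A sketch of the first approach described above, added here as an example that is not part of the issue or of Timesketch's code: it reads a constructed miniature of the enterprise-attack.json STIX bundle, resolves technique IDs to the courses of action that "mitigate" them (skipping revoked/deprecated objects), and adds a mitigations column to exported events whose tags carry ATT&CK IDs. The bundle excerpt, the event layout and the assumption that technique IDs are stored as plain tags are all constructed for this example.

```python
import json
import re

# Constructed miniature of enterprise-attack.json (assumption: same STIX object types,
# "mitre-attack" external_references and "mitigates" relationships as the real bundle).
STIX_BUNDLE = json.loads("""{"type": "bundle", "objects": [
  {"type": "attack-pattern", "id": "attack-pattern--0001", "name": "PowerShell",
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
  {"type": "course-of-action", "id": "course-of-action--0002", "name": "Execution Prevention",
   "external_references": [{"source_name": "mitre-attack", "external_id": "M1038"}]},
  {"type": "course-of-action", "id": "course-of-action--0003", "name": "Old Advice", "x_mitre_deprecated": true,
   "external_references": [{"source_name": "mitre-attack", "external_id": "M0000"}]},
  {"type": "relationship", "relationship_type": "mitigates",
   "source_ref": "course-of-action--0002", "target_ref": "attack-pattern--0001"},
  {"type": "relationship", "relationship_type": "mitigates",
   "source_ref": "course-of-action--0003", "target_ref": "attack-pattern--0001"}]}""")

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # ATT&CK technique / sub-technique IDs

def attack_id(obj):
    """Return the ATT&CK ID (Txxxx, Mxxxx) from a STIX object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def build_mitigation_index(bundle):
    """Map technique ID -> [(mitigation ID, name)], skipping revoked/deprecated objects."""
    live = {o["id"]: o for o in bundle["objects"]
            if "id" in o and not o.get("revoked") and not o.get("x_mitre_deprecated")}
    index = {}
    for rel in bundle["objects"]:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "mitigates":
            continue
        coa, technique = live.get(rel["source_ref"]), live.get(rel["target_ref"])
        if coa and technique and attack_id(technique):
            index.setdefault(attack_id(technique), []).append((attack_id(coa), coa["name"]))
    return index

def enrich_events(events, index):
    """Add technique and mitigation columns to exported events tagged with ATT&CK IDs."""
    enriched = []
    for event in events:
        techniques = [t for t in event.get("tag", []) if TECHNIQUE_ID.match(t)]
        mitigations = sorted({f"{m} {name}" for t in techniques for m, name in index.get(t, [])})
        enriched.append({**event, "attack_techniques": techniques, "mitigations": mitigations})
    return enriched

# Constructed stand-in for a Timesketch export: one tagged event, one untagged.
EXPORTED_EVENTS = [{"message": "powershell.exe started", "tag": ["T1059.001", "starred"]},
                   {"message": "user logon", "tag": []}]
```

Running `enrich_events(EXPORTED_EVENTS, build_mitigation_index(STIX_BUNDLE))` yields the rows a report could take the mitigations column from; the deprecated course of action is dropped rather than listed.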

Hi @rushattac

I agree with both you and @joachimmetz here that we want this to be a generic feature. Having a way to define your own tags is something that we have been thinking about as well. In a first iteration I would see this being a site specific YAML file that you can administer for your installation. The file would list a set of tag names that will be populated in the UI.

We will see when we have time to look at this in more detail and design the implementation, but I will keep this issue open for tracking.

Thanks!

berggren avatar Jul 01 '21 07:07 berggren

There was prior art to the idea: https://github.com/google/timesketch/issues/716. So even if there is no implementation from a UI perspective, it is not that hard to implement on an API level.

jaegeral avatar Jul 01 '21 08:07 jaegeral