Some changes for PurpleOps after internal PoC #26
Open
fxai wants to merge 10 commits into CyberCX-STA:main from CompassSecurity:upstream-main
My employer is also trying this tool out. This merge request is incredible!!! Thank you so much for the contribution!!!

Same situation here, absolutely love this PR.

Hey there @fxai, Wow - thanks for the contribution to PurpleOps! We are aiming to merge this ASAP - just doing some internal reviewing and seeing how everything will fit into our next big update. Cheers
Hello CyberCX Team
We are looking for a lightweight documentation platform for our Purple Team engagements and came across PurpleOps. I have modified some aspects of PurpleOps for an internal PoC that I think might be of interest to you. Feel free to pick and choose the changes you like.
7ed1118
Added autoescaping for exported docx format to avoid breaking the docx XML structure.
0146f9d
Two new fields added:
The general idea is to provide a means of reporting where something has been prevented (e.g. firewall) and where something has been alerted (actually this might be better called alertsource).
4583a36
Added two new time fields:
The idea is to have a means of reporting when an alert or prevention mechanism was triggered. This can be useful to identify large drifts, e.g. something was blocked immediately after execution, but the alert was generated x time later.
e24284e
Added a new outcome "Prevented and Alerted" as we often have the case that something is prevented but no alerts are generated.
dca502c
I have reworked the MITRE ATT&CK Navigator export function to include the Prevented and Alerted state. I have also changed the logic of how the output is generated. This now allows exports to be generated where a single technique is not selected in every tactic, but only in the specified tactic. So now you can have a T1078.002 in initial access that does not affect the colour/outcome of a T1078.002 test in persistence.
b697a4c
Added a new field:
The red team can now define what kind of alert severity they expect from a particular test. This helps to detect drifts between expected and actual alerts. I also added the priority, priorityurgency and expectedalertseverity to the exports/templates functions. So when you define a test, you can set the expected result in the template.
2153343
Adapts the wording in the testcase_blue files to the idea above.
That's it.
I hope this helps.
Let me know if something is unclear.
Cheers and thanks for the great tool!
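The per-tactic Navigator export described in the PR, as an added illustration that is not PurpleOps code or part of the PR: each layer entry is keyed by the (technique, tactic) pair, so the outcome recorded for T1078.002 under initial-access does not change the colour of T1078.002 under persistence. The outcome names, colours, the "weakest result wins" rule for duplicate tests, and the layer version string are assumptions chosen for the example.

```python
"""Added example (not PurpleOps code): build an ATT&CK Navigator layer whose
entries are scoped to a tactic, so one technique can carry a different outcome
in each tactic it was tested under."""
import json

# Assumed outcome set (includes the PR's "Prevented and Alerted") and colours.
# Dict order doubles as the ranking: earlier = stronger defensive result.
OUTCOME_COLOUR = {
    "Prevented and Alerted": "#2ecc71",
    "Prevented": "#27ae60",
    "Alerted": "#f1c40f",
    "Logged": "#e67e22",
    "Missed": "#e74c3c",
}
OUTCOME_RANK = {o: i for i, o in enumerate(OUTCOME_COLOUR)}

def build_layer(testcases, name="Purple team results"):
    """testcases: dicts with 'technique', 'tactic', 'outcome'.
    Returns a Navigator-style layer dict with one entry per (technique, tactic)."""
    worst = {}
    for tc in testcases:
        key = (tc["technique"], tc["tactic"])  # tactic is part of the key
        outcome = tc["outcome"]
        if outcome not in OUTCOME_RANK:
            raise ValueError(f"unknown outcome {outcome!r}")
        # Assumed rule: keep the weakest result so coverage is never overstated.
        if key not in worst or OUTCOME_RANK[outcome] > OUTCOME_RANK[worst[key]]:
            worst[key] = outcome
    techniques = [
        {"techniqueID": tech, "tactic": tactic, "color": OUTCOME_COLOUR[outcome],
         "comment": outcome, "enabled": True}
        for (tech, tactic), outcome in sorted(worst.items())
    ]
    # "layer": "4.5" is an assumed layer-format version for the example.
    return {"name": name, "versions": {"layer": "4.5"},
            "domain": "enterprise-attack", "techniques": techniques}

def lookup(layer, technique, tactic):
    """Return the outcome stored for a technique within one tactic, or None."""
    for t in layer["techniques"]:
        if t["techniqueID"] == technique and t["tactic"] == tactic:
            return t["comment"]
    return None

# Constructed sample: the same sub-technique tested under two tactics.
SAMPLE = [
    {"technique": "T1078.002", "tactic": "initial-access", "outcome": "Missed"},
    {"technique": "T1078.002", "tactic": "persistence", "outcome": "Prevented and Alerted"},
    {"technique": "T1078.002", "tactic": "persistence", "outcome": "Alerted"},
]

if __name__ == "__main__":
    print(json.dumps(build_layer(SAMPLE), indent=2))
```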