feat!: Adding splunk security content to dataset.

Closes Add Splunk Detections to Dataset  #6

data_collector/src/data_collector/collect.py

@@ -24,6 +24,7 @@
 from .services.osqueryattack import OsqueryAttack
 from .services.stockpile import MitreStockpile
 from .services.sysmonhunter import SysmonHunter
+from .services.splunkcontent import SplunkSecurityContent
 
 
 class Collector(Base):
@@ -53,6 +54,7 @@ def collect(self) -> None:
             OsqueryAttack,
             MitreStockpile,
             SysmonHunter,
+            SplunkSecurityContent,
         ]:
             self.__logger.info(f"Collecting data from {service.__name__}")
             service().parse()

data_collector/src/data_collector/services/splunkcontent.py

@@ -0,0 +1,34 @@
+from .base import Base
+
+
+class SplunkSecurityContent(Base):
+    """
+    Data Source: https://raw.githubusercontent.com/splunk/security_content/develop/dist/api/detections.json
+    Authors:
+        - Splunk
+
+    This class is a wrapper for the above data set
+    """
+    URL = 'https://raw.githubusercontent.com/splunk/security_content/develop/dist/api/detections.json'
+
+    def parse(self):
+        self.count = 0
+        self.actor_count = 0
+        data = self.session.get(self.URL).json()
+        for item in data.get("detections"):
+            if item.get("tags"):
+                if item["tags"].get("mitre_attack_enrichments"):
+                    for enrichment in item["tags"]["mitre_attack_enrichments"]:
+                        if enrichment.get("mitre_attack_id"):
+                            tech = self.helper.get_object_by_external_id(enrichment["mitre_attack_id"], "attack-pattern")
+                            tech.possible_detections.append({"name": item["name"], "description": item["description"], "search": item["search"], "tags": item["tags"]})
+                            tech.external_references.extend(item.get("external_references",[]))
+                            self.count += 1
+                            self.helper.replace_object(tech)
+                        if enrichment.get("mitre_attack_groups"):
+                            for group in enrichment["mitre_attack_groups"]:
+                                actor = self.helper.get_object_by_name_or_aliases(group, "intrusion-set")
+                                actor.links.extend(item.get("external_references", []))
+                                self.actor_count += 1
+                                self.helper.replace_object(actor)
+        self.__logger.info(f"Updated {self.count} techniques and {self.actor_count} actors")

src/pyattck_data/actor.py

@@ -39,6 +39,7 @@ class Actor(BaseModel):
     targets:                     List              = field(factory=list)
     external_description:        List              = field(factory=list)
     attck_id:                    AnyStr            = field(factory=str)
+    attck_ids:                   List              = field(factory=list)
     comment:                     AnyStr            = field(factory=str)
     comments:                    List              = field(factory=list)
 

tests/test_models.py

@@ -2,7 +2,6 @@
 import requests
 
 from pyattck_data.attack import MitreAttck
-from pyattck_data.generated import GeneratedData
 from pyattck_data.nist import NistControls, GeneratedNistControlMap
 from pyattck_data.malware import Malware
 from pyattck_data.tool import Tool
@@ -13,7 +12,8 @@
 from pyattck_data.tactic import Tactic
 from pyattck_data.technique import Technique
 from pyattck_data.campaign import Campaign
-
+
+
 ENTERPRISE_ATTCK_JSON = requests.get("https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_enterprise_attck_v1.json").json()
 PRE_ATTCK_JSON = requests.get("https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_pre_attck_v1.json").json()
 MOBILE_ATTCK_JSON = requests.get("https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_mobile_attck_v1.json").json()