thehive export release

README.md

@@ -54,7 +54,7 @@ In other words, you don't have to work on data representation layer manually, yo
 
 ### How it works
 
-![](images/atc_scheme_v1.jpg)
+![](images/atc_scheme_v2.jpg)
 
 Everything starts from Sigma rule and ends up with human-readable wiki-style pages and other valuable analytics. Atomic Threat Coverage parses it and:
 
@@ -70,8 +70,9 @@ Everything starts from Sigma rule and ends up with human-readable wiki-style pag
 10. Pushes all pages to local repo and Confluence server (according to configuration provided in `scripts/config.yml`)
 11. Creates [Elasticsearch](https://www.elastic.co/products/elasticsearch) index for visualisation and analysis of existing data in [Kibana](https://www.elastic.co/products/kibana)
 12. Creates [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/enterprise/) profile for visualisation of current detection abilities per Customer
-13. Creates `analytics.csv` and `pivoting.csv` files for simple analysis of existing data
-14. Creates Dashboards json files for uploading to Kibana
+13. Creates [TheHive](https://thehive-project.org) Case Templates, build on top of Response Playbooks
+14. Creates `analytics.csv` and `pivoting.csv` files for simple analysis of existing data
+15. Creates Dashboards json files for uploading to Kibana
 
 ### Under the hood
 
@@ -83,6 +84,8 @@ Data in the repository:
 │   │   ├── analytics.csv
 │   │   ├── pivoting.csv
 │   │   ├── atc_es_index.json
+│   │   ├── thehive_templates/
+│   │   │   └── RP_0001_phishing_email.json
 │   │   └── attack_navigator_profiles/
 │   │   │   ├── atc_attack_navigator_profile.json
 │   │   │   ├── atc_attack_navigator_profile_CU_0001_TESTCUSTOMER.json
@@ -252,72 +255,86 @@ Triggers are unmodified [Atomic Red Team tests](https://github.com/redcanaryco/a
 
 This entity needed to test specific technical controls and detections. Detailed description could be found in official [site](https://atomicredteam.io).
 
-#### Response Actions
+#### Customers
 
 <details>
-  <summary>Response Action yaml (click to expand)</summary>
-  <img src="images/ra_yaml_v1.png" />
+  <summary>Customers yaml (click to expand)</summary>
+  <img src="images/cu_yaml_v1.png" />
 </details>
 
 <details>
   <summary>Automatically created confluence page (click to expand)</summary>
-  <img src="images/ra_confluence_v1.png" />
+  <img src="images/cu_confluence_v1.png" />
 </details>
 
 <details>
   <summary>Automatically created markdown page (click to expand)</summary>
-  <img src="images/ra_markdown_v1.png" />
+  <img src="images/cu_markdown_v1.png" />
 </details>
 
 <br>
 
-This entity used to build Response Playbooks.
+This entity used to track Logging Policies configuration, Data Needed collection and Detection Rules implementation per customer. Customer could be internal (for example, remote site) or external (in case of Service Providers). It even could be a specific host. There are no limitations for definition of the entity.
 
-#### Response Playbooks
+This entity expected to simplify communication with SIEM/LM/Data Engineering teams, provide visibility on implementation for Leadership. It used to generate `analytics.csv`, `atc_attack_navigator_profile.json` (per customer) and `atc_es_index.json`.
+
+#### Response Actions
 
 <details>
-  <summary>Response Playbook yaml (click to expand)</summary>
-  <img src="images/rp_yaml_v1.png" />
+  <summary>Response Action yaml (click to expand)</summary>
+  <img src="images/ra_yaml_v2.png" />
 </details>
 
 <details>
   <summary>Automatically created confluence page (click to expand)</summary>
-  <img src="images/rp_confluence_v1.png" />
+  <img src="images/ra_confluence_v2.png" />
 </details>
 
 <details>
   <summary>Automatically created markdown page (click to expand)</summary>
-  <img src="images/rp_markdown_v1.png" />
+  <img src="images/ra_markdown_v2.png" />
 </details>
 
 <br>
 
-This entity used as an Incident Response plan for specific threat.
+This entity used to build Response Playbooks, as well as TheHive Case Templates' Tasks.
 
-#### Customers
+#### Response Playbooks
 
 <details>
-  <summary>Customers yaml (click to expand)</summary>
-  <img src="images/cu_yaml_v1.png" />
+  <summary>Response Playbook yaml (click to expand)</summary>
+  <img src="images/rp_yaml_v2.png" />
 </details>
 
 <details>
   <summary>Automatically created confluence page (click to expand)</summary>
-  <img src="images/cu_confluence_v1.png" />
+  <img src="images/rp_confluence_v2.png" />
 </details>
 
 <details>
   <summary>Automatically created markdown page (click to expand)</summary>
-  <img src="images/cu_markdown_v1.png" />
+  <img src="images/rp_markdown_v2.png" />
 </details>
 
 <br>
 
-This entity used to track Logging Policies configuration, Data Needed collection and Detection Rules implementation per customer. Customer could be internal (for example, remote site) or external (in case of Service Providers). It even could be a specific host. There are no limitations for definition of the entity.
+This entity used as an Incident Response plan for specific threat, as well as TheHive Case Templates.
 
-This entity expected to simplify communication with SIEM/LM/Data Engineering teams, provide visibility on implementation for Leadership. It used to generate `analytics.csv`, `atc_attack_navigator_profile.json` (per customer) and `atc_es_index.json`.
+#### TheHive Case Templates
+
+Atomic Threat Coverage generates [TheHive Case Templates](analytics/generated/thehive_templates/) build on top of [Response Playbooks](#response-playbooks). Each task in Case Template is [Response Action](#response-actions), mapped to specific IR Lifecycle step (according to description in Response Playbook).
+
+<details>
+  <summary>Exported TheHive Case Template, made of Response Playbook (click to expand)</summary>
+  <img src="images/thehive_case_template_v1.png" />
+</details>
+
+<details>
+  <summary>One of the Tasks in TheHive Case, made of Response Action (click to expand)</summary>
+  <img src="images/thehive_case_task_v1.png" />
+</details>
 
-#### visualizations
+#### Visualizations
 
 <details>
   <summary>Visualization yaml (click to expand)</summary>

scripts/config.default.yml

@@ -24,4 +24,4 @@ detection_queries: 'es-qs,xpack-watcher,graylog,splunk,logpoint,grep'
 customers_directory: '../customers'
 response_playbooks_dir: '../response_playbooks'
 response_actions_dir: '../response_actions'
-thehive_templates_dir: '../analytics/generated/thehivetemplates'
+thehive_templates_dir: '../analytics/generated/thehive_templates'

scripts/templates/confluence_responseaction_template.html.j2

@@ -8,10 +8,6 @@
             <col />
          </colgroup>
          <tbody>
-            <tr>
-               <th class="confluenceTh">Title</th>
-               <td class="confluenceTd">{{ title|e}}<br /></td>
-            </tr>
             <tr>
                <th class="confluenceTh">Stage</th>
                <td class="confluenceTd">{{ stage|e }}<br /></td>

scripts/templates/confluence_responseplaybook_template.html.j2

@@ -8,10 +8,6 @@
             <col />
          </colgroup>
          <tbody>
-            <tr>
-               <th class="confluenceTh">Title</th>
-               <td class="confluenceTd">{{ title|e}}<br /></td>
-            </tr>
 {% if tactics is defined and tactics|length %}
              <tr>
                  <th class="confluenceTh">ATT&amp;CK Tactic</th>