##! Enrich Notice::Info with a kill-chain id and stage looked up by notice
##! type. The notice-type -> kill-chain mapping comes from a file that is
##! kept in the same directory as this script and is re-read by the Input
##! framework whenever it changes.

module MITRE_IN_NOTICES;

export {
	## One row of the mapping file: the kill-chain identifier and its
	## human-readable stage label.
	type Val: record {
		id:    string;
		label: string;
	};

	## The lookup key of the mapping file. For notices the key has the
	## form ``notice::<Notice::Type>`` (see the Notice::policy hook below).
	type Idx: record {
		observable: string;
	};

	## Mapping populated from ``killchain_file`` by the Input framework.
	global observableToKillchain: table[string] of Val = table();

	## Path of the mapping file; defaults to a file next to this script and
	## can be overridden with ``redef``.
	const killchain_file = @DIR + "/notice-to-mitre.csv" &redef;

	## Fields added to notice.log. Both are optional so notices without a
	## mapping are logged unchanged.
	redef record Notice::Info += {
		killchain_id:    string &log &optional;
		killchain_stage: string &log &optional;
	};
}

## Register the mapping file with the Input framework. ``Input::REREAD``
## makes the table follow later edits to the file without a restart.
## NOTE(review): no ``$reader``/``$config`` is given, so the default ASCII
## reader applies, whose default field separator is a tab — confirm the
## ``.csv`` file is actually tab-separated (or set the separator).
event zeek_init()
	{
	Input::add_table([$source=killchain_file,
	                  $name="mitre_file",
	                  $idx=Idx,
	                  $val=Val,
	                  $destination=MITRE_IN_NOTICES::observableToKillchain,
	                  $mode=Input::REREAD]);
	}

## Attach the kill-chain id/stage to every notice whose type has an entry
## in the mapping table. Notices without an entry are left untouched.
hook Notice::policy(n: Notice::Info)
	{
	# The table is keyed by "notice::<type name>"; build that key from the
	# notice type itself.
	local observable = fmt("notice::%s", n$note);

	if ( observable !in MITRE_IN_NOTICES::observableToKillchain )
		return;

	local entry = MITRE_IN_NOTICES::observableToKillchain[observable];
	n$killchain_id = entry$id;
	n$killchain_stage = entry$label;
	}