# Tag Zeek notices with a MITRE kill-chain identifier and stage.
# The mapping is loaded from an external file (see zeek_init below)
# into observableToKillchain and applied in the Notice::policy hook.
module MITRE_IN_NOTICES;

export {
	# Value side of the mapping: one row of the mapping file.
	type Val: record {
		# Kill-chain identifier string taken from the file.
		id: string;
		# Stage label string taken from the file.
		label: string;
	};

	# Key side of the mapping. For notices the key is built as
	# "notice::<Notice::Type>" by the Notice::policy hook below.
	type Idx: record {
		observable: string;
	};

	# Mapping from observable key to kill-chain value; populated by the
	# Input framework at startup and kept in sync with the file (REREAD).
	global observableToKillchain: table[string] of Val = table();

	# Path of the mapping file; defaults to notice-to-mitre.csv next to
	# this script. Redefinable so deployments can point elsewhere.
	# NOTE(review): the Input framework's ASCII reader expects a
	# "#fields observable id label" header and, by default, tab-separated
	# columns regardless of the .csv extension — confirm the file format.
	const killchain_file = @DIR + "/notice-to-mitre.csv" &redef;

	# Extra, optional columns added to notice.log; only set when a
	# mapping entry exists for the notice type.
	redef record Notice::Info += {
		killchain_id: string &log &optional;
		killchain_stage: string &log &optional;
	};
}
# Load the notice-to-kill-chain mapping at startup. The Input framework
# parses each row of killchain_file into an Idx key and a Val value and
# keeps observableToKillchain current as the file changes (REREAD mode),
# so edits to the file take effect without restarting Zeek.
event zeek_init()
	{
	local src: Input::TableDescription = [
		$name="mitre_file",
		$source=killchain_file,
		$mode=Input::REREAD,
		$idx=Idx,
		$val=Val,
		$destination=MITRE_IN_NOTICES::observableToKillchain
	];
	Input::add_table(src);
	}
# Enrich each notice with its kill-chain mapping, if one exists.
# The lookup key mirrors the mapping file's observable column:
# "notice::" followed by the notice type (e.g. "notice::Scan::Port_Scan").
# Notices without a mapping pass through untouched, so the added columns
# stay unset (they are &optional) rather than logging empty strings.
hook Notice::policy(n: Notice::Info)
	{
	local key = fmt("notice::%s", n$note);

	if ( key !in MITRE_IN_NOTICES::observableToKillchain )
		return;

	local entry = MITRE_IN_NOTICES::observableToKillchain[key];
	n$killchain_id = entry$id;
	n$killchain_stage = entry$label;
	}