Add mitre tags (#3)

Author: Priyanka-Chatterjee-2000

dashboards/activity_dashboard.pp

@@ -102,14 +102,14 @@
 
   sql = <<-EOQ
     select
-      split_part(log_name, '%2F', 2) as "Type",
+      split_part(replace(log_name, '%2F', '/'),'/', 5) as "Type",
       count(*) as "Logs"
     from
       gcp_audit_log
     where
-      split_part(log_name, '%2F', 2) is not null
+      split_part(replace(log_name, '%2F', '/'),'/', 5) is not null
     group by
-      split_part(log_name, '%2F', 2)
+      split_part(replace(log_name, '%2F', '/'),'/', 5)
     order by
       count(*) desc
     limit 10;

detections/access_context_manager.pp

@@ -27,7 +27,9 @@
   query           = query.access_context_manager_policy_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.access_context_manager_common_tags
+  tags = merge(local.access_context_manager_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "access_context_manager_access_level_deleted" {
@@ -38,7 +40,9 @@
   query           = query.access_context_manager_access_level_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.access_context_manager_common_tags
+  tags = merge(local.access_context_manager_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 query "access_context_manager_policy_deleted" {

detections/apigee.pp

@@ -25,7 +25,9 @@
   query           = query.apigee_security_action_disabled
   display_columns = local.detection_display_columns
 
-  tags = local.apigee_common_tags
+  tags = merge(local.apigee_common_tags, {
+    mitre_attack_ids = "TA0005:T1562.001"
+  })
 }
 
 query "apigee_security_action_disabled" {

detections/app_engine.pp

@@ -27,7 +27,9 @@
   query           = query.app_engine_firewall_ingress_rule_created
   display_columns = local.detection_display_columns
 
-  tags = local.app_engine_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "app_engine_firewall_ingress_rule_updated" {
@@ -38,7 +40,9 @@
   query           = query.app_engine_firewall_ingress_rule_updated
   display_columns = local.detection_display_columns
 
-  tags = local.app_engine_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "app_engine_firewall_ingress_rule_deleted" {
@@ -49,7 +53,9 @@
   query           = query.app_engine_firewall_ingress_rule_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.app_engine_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 query "app_engine_firewall_ingress_rule_created" {

detections/artifact_registry.pp

@@ -26,7 +26,9 @@
   query           = query.artifact_registry_repository_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.artifact_registry_common_tags
+  tags = merge(local.artifact_registry_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.003"
+  })
 }
 
 detection "artifact_registry_package_deleted" {
@@ -36,7 +38,9 @@
   severity      = "low"
   query         = query.artifact_registry_package_deleted
 
-  tags = local.artifact_registry_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.003"
+  })
 }
 
 query "artifact_registry_package_deleted" {

detections/cloud_run.pp

@@ -25,7 +25,9 @@
   query           = query.cloud_run_function_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.cloud_run_function_common_tags
+  tags = merge(local.cloud_run_function_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.004"
+  })
 }
 
 query "cloud_run_function_deleted" {

detections/compute.pp

@@ -32,7 +32,9 @@
   query           = query.compute_vpn_tunnel_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = " TA0005:T1578.003"
+  })
 }
 
 detection "compute_firewall_rule_deleted" {
@@ -43,7 +45,9 @@
   query           = query.compute_firewall_rule_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "compute_image_iam_policy_set" {
@@ -54,7 +58,9 @@
   query           = query.compute_image_iam_policy_set
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "compute_disk_iam_policy_set" {
@@ -65,7 +71,9 @@
   query           = query.compute_disk_iam_policy_set
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "compute_snapshot_iam_policy_set" {
@@ -76,7 +84,9 @@
   query           = query.compute_snapshot_iam_policy_set
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "compute_instance_with_public_network_interface" {
@@ -87,7 +97,9 @@
   query           = query.compute_instance_with_public_network_interface
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0001:T1133"
+  })
 }
 
 detection "compute_subnetwork_flow_logs_disabled" {
@@ -98,7 +110,9 @@
   query           = query.compute_subnetwork_flow_logs_disabled
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0005:T1562.001"
+  })
 }
 
 query "compute_firewall_rule_deleted" {

detections/dlp.pp

@@ -25,7 +25,9 @@
   query           = query.dlp_reidentify_content
   display_columns = local.detection_display_columns
 
-  tags = local.dlp_common_tags
+  tags = merge(local.dlp_common_tags, {
+    mitre_attack_ids = "TA0005:T1140"
+  })
 }
 
 query "dlp_reidentify_content" {

detections/dns.pp

@@ -29,7 +29,9 @@
   query           = query.dns_managed_zone_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.dns_common_tags
+  tags = merge(local.dns_common_tags, {
+    mitre_attack_ids = "TA0040:T1565.001"
+  })
 }
 
 detection "dns_managed_zone_updated" {
@@ -40,7 +42,9 @@
   query           = query.dns_managed_zone_updated
   display_columns = local.detection_display_columns
 
-  tags = local.dns_common_tags
+  tags = merge(local.dns_common_tags, {
+    mitre_attack_ids = "TA0040:T1565.001"
+  })
 }
 
 detection "dns_record_set_updated" {
@@ -51,7 +55,9 @@
   query           = query.dns_record_set_updated
   display_columns = local.detection_display_columns
 
-  tags = local.dns_common_tags
+  tags = merge(local.dns_common_tags, {
+    mitre_attack_ids = "TA0040:T1565.001"
+  })
 }
 
 detection "dns_record_set_deleted" {
@@ -62,7 +68,9 @@
   query           = query.dns_record_set_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.dns_common_tags
+  tags = merge(local.dns_common_tags, {
+    mitre_attack_ids = "TA0040:T1565.001"
+  })
 }
 
 query "dns_managed_zone_deleted" {

detections/iam.pp

@@ -47,7 +47,7 @@
   display_columns = local.detection_display_columns
 
   tags = merge(local.iam_common_tags, {
-    mitre_attack_ids = "TA0001:T1078,TA0003:T1098,TA0003:T1136"
+    mitre_attack_ids = "TA0001:T1078.004,TA0003:T1098,TA0003:T1136"
   })
 }
 
@@ -60,7 +60,7 @@
   display_columns = local.detection_display_columns
 
   tags = merge(local.iam_common_tags, {
-    mitre_attack_ids = "TA0001:T1078,TA0003:T1098"
+    mitre_attack_ids = "TA0001:T1078.004,TA0003:T1098"
   })
 }
 
@@ -72,7 +72,9 @@
   query           = query.iam_service_account_disabled
   display_columns = local.detection_display_columns
 
-  tags = local.iam_common_tags
+  tags = merge(local.iam_common_tags, {
+    mitre_attack_ids = "TA0040:T1490"
+  })
 }
 
 detection "iam_service_account_token_creator_role_assigned" {
@@ -83,7 +85,9 @@
   query           = query.iam_service_account_token_creator_role_assigned
   display_columns = local.detection_display_columns
 
-  tags = local.iam_common_tags
+  tags = merge(local.iam_common_tags, {
+    mitre_attack_ids = "TA0003:T1136,TA0005:T1548"
+  })
 }
 
 detection "iam_organization_policy_updated" {
@@ -94,7 +98,9 @@
   query           = query.iam_organization_policy_updated
   display_columns = local.detection_display_columns
 
-  tags = local.iam_common_tags
+  tags = merge(local.iam_common_tags, {
+    mitre_attack_ids = "TA0005:T1562"
+  })
 }
 
 detection "iam_service_account_access_token_generated" {
@@ -105,7 +111,9 @@
   query           = query.iam_service_account_access_token_generated
   display_columns = local.detection_display_columns
 
-  tags = local.iam_common_tags
+  tags = merge(local.iam_common_tags, {
+    mitre_attack_ids = "TA0005:T1550, TA0002:T1651"
+  })
 }
 
 detection "iam_service_account_key_deleted" {
@@ -127,7 +135,9 @@
   query           = query.iam_owner_role_policy_set
   display_columns = local.detection_display_columns
 
-  tags = local.resourcemanager_common_tags
+  tags = merge(local.resourcemanager_common_tags, {
+    mitre_attack_ids = "TA0003:T1098"
+  })
 }
 
 query "iam_service_account_created" {
@@ -273,4 +283,4 @@
     order by
       timestamp desc;
   EOQ
-}
+}