Visibility v2: STIX-driven tiered coverage, CIM-aware, remediation + threat ranking #1
Open
emerygiles wants to merge 1 commit into
…dback) Rework the visibility-vs-detection coverage from a hand-mapped boolean into a production-grade, STIX-derived, tiered, threat-ranked engine.
- STIX-driven: technique->telemetry from ATT&CK's STIX bundle (v17 detection-strategy/analytic model -> concrete log sources). Generalizes to ~600 techniques and survives ATT&CK releases. scripts/build_attack_mapping.py (mitreattack-python), cached at backend/data/attack_stix_mapping.json (runtime needs no heavy deps).
- Tiered none/partial/good via DeTT&CT dimensions (completeness, timeliness, retention, consistency) instead of visible/blind.
- Splunk reality: "have the data source" = onboarded AND CIM-mapped AND in the search window. CIM membership is MEASURED on the live backend via | tstats per CIM data model (SplunkRest.telemetry_posture); the mock supplies representative measured posture.
- Remediation: every gap carries the concrete Splunk input to onboard / CIM-map.
- Priority queue: ranked against a configurable threat profile (backend/threat_profiles.py, THREAT_PROFILE, GET /threat-profiles).
- OR for "visible at all" + quality/redundancy weighting for the tier, with a small documented AND overlay for necessary primary sources (e.g. S3 object exfil needs CloudTrail data events). Rationale documented in threat_profiles.py.
Also: drop the prod-safe default (AUTO_DEPLOY=false), frontend VisibilityPanel upgraded to tiered chips + model posture + remediation + priority, tests/test_visibility.py.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reworks the visibility-vs-detection coverage from a hand-mapped boolean into a production-grade engine, implementing v2 review end-to-end.
What changed
- …AWS:CloudTrail, WinEventLog:Sysmon, saas:okta). Generalizes to ~600 techniques and survives ATT&CK releases. Built by scripts/build_attack_mapping.py (uses mitreattack-python), cached at backend/data/attack_stix_mapping.json so runtime needs no heavy deps or network.
- …| tstats per CIM data model (SplunkRest.telemetry_posture); the sandbox supplies representative measured posture.
- …backend/threat_profiles.py, THREAT_PROFILE, GET /threat-profiles).
- AUTO_DEPLOY=false default; old attack_datasources.py removed.
- VisibilityPanel upgraded to tier chips + CIM data-model posture strip + remediation + priority.
- tests/test_visibility.py added (7 tests, all passing).
OR vs AND across data sources
OR for "can you see it at all" (any one relevant CIM data model present → some visibility), then weight count + quality of present sources for the tier. A small, documented AND overlay applies for the few techniques with a genuinely necessary primary source, e.g. S3 object-exfil (T1537) needs CloudTrail data events; the management plane can't see it, so it's capped at partial even when Change/Auth are healthy. Pure AND invents blind spots; pure OR throws away the quality signal.
Verified
- …/visibility, /threat-profiles (TestClient), full agent loop (recon → tiered visibility → … → propose).
- python tests/test_visibility.py → 7 passed.
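The OR/AND tiering described under "OR vs AND across data sources", written out as an added illustration that is not the PR's own code: the data-model names, quality scores, remediation hints and the "good" threshold are constructed assumptions, not values from the project.

```python
from dataclasses import dataclass

@dataclass
class ModelPosture:
    present: bool   # onboarded AND CIM-mapped AND in the search window
    quality: float  # 0..1, a DeTT&CT-style completeness/timeliness/retention score

# Constructed posture: Change and Authentication are healthy; the hypothetical
# "CloudTrail_DataEvents" model (S3 object-level data events) is not onboarded.
POSTURE = {
    "Change": ModelPosture(present=True, quality=0.9),
    "Authentication": ModelPosture(present=True, quality=0.8),
    "CloudTrail_DataEvents": ModelPosture(present=False, quality=0.0),
}

# Constructed technique specs: relevant models plus any necessary primary source.
TECHNIQUES = {
    "T1537": {"models": ["Change", "Authentication", "CloudTrail_DataEvents"],
              "required": ["CloudTrail_DataEvents"]},
    "T1078": {"models": ["Authentication", "Change"], "required": []},
}

# Assumed onboarding hint a gap would carry (placeholder, not a real input name).
REMEDIATION = {"CloudTrail_DataEvents": "enable S3 data events in CloudTrail and index them"}
GOOD_THRESHOLD = 1.2  # assumed: summed quality of present sources needed for "good"

def _present(posture, model):
    p = posture.get(model)
    return p is not None and p.present

def tier(technique, posture=POSTURE):
    """Return none/partial/good for a technique against the measured posture."""
    spec = TECHNIQUES[technique]
    present = [posture[m] for m in spec["models"] if _present(posture, m)]
    if not present:                 # OR: no relevant model at all -> blind
        return "none"
    score = sum(p.quality for p in present)   # count + quality weighting
    result = "good" if score >= GOOD_THRESHOLD else "partial"
    # AND overlay: a missing necessary primary source caps the tier at partial
    if any(not _present(posture, r) for r in spec["required"]):
        result = "partial"
    return result

def gaps(technique, posture=POSTURE):
    """Missing models for a technique, each paired with its remediation hint."""
    spec = TECHNIQUES[technique]
    return [(m, REMEDIATION.get(m, "onboard and CIM-map this source"))
            for m in spec["models"] if not _present(posture, m)]
```

With the constructed posture, T1537 scores "good" on Change + Authentication alone but is capped at "partial" by the missing data-events feed, which is the case the PR text describes.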