feat(ttp/stix): fleet-wide STIX 2.1 export — GET /api/v1/attackers/export/stix
This commit is contained in:
@@ -1496,6 +1496,10 @@ class BaseRepository(ABC):
|
||||
"""Deduplicated ``command_text`` strings for one attacker, order-preserved."""
|
||||
raise NotImplementedError
|
||||
|
||||
async def get_all_ttp_rollups_for_export(self) -> dict[str, list[dict[str, Any]]]:
|
||||
"""Return ``{attacker_uuid: [rollup_dict, ...]}`` for all attackers."""
|
||||
raise NotImplementedError
|
||||
|
||||
async def list_ttp_decky_phases(
|
||||
self, identity_uuid: str,
|
||||
) -> list[dict[str, Any]]:
|
||||
|
||||
@@ -361,6 +361,41 @@ class TTPMixin(_MixinBase):
|
||||
res = await session.execute(stmt)
|
||||
return [r.model_dump(mode="json") for r in res.scalars().all()]
|
||||
|
||||
async def get_all_ttp_rollups_for_export(self) -> dict[str, list[dict[str, Any]]]:
|
||||
"""Return ``{attacker_uuid: [rollup_dict, ...]}`` for all attackers.
|
||||
|
||||
Single query; used by the fleet STIX export so it doesn't fan out
|
||||
N × list_techniques_by_attacker calls.
|
||||
"""
|
||||
async with self._session() as session:
|
||||
stmt: Any = (
|
||||
select(
|
||||
col(TTPTag.attacker_uuid),
|
||||
col(TTPTag.technique_id),
|
||||
col(TTPTag.sub_technique_id),
|
||||
func.max(col(TTPTag.tactic)).label("tactic"),
|
||||
func.count().label("count"),
|
||||
func.max(col(TTPTag.confidence)).label("confidence_max"),
|
||||
)
|
||||
.where(col(TTPTag.attacker_uuid).is_not(None))
|
||||
.group_by(
|
||||
TTPTag.attacker_uuid,
|
||||
TTPTag.technique_id,
|
||||
TTPTag.sub_technique_id,
|
||||
)
|
||||
)
|
||||
res = await session.execute(stmt)
|
||||
out: dict[str, list[dict[str, Any]]] = {}
|
||||
for r in res.all():
|
||||
out.setdefault(r.attacker_uuid, []).append({
|
||||
"technique_id": r.technique_id,
|
||||
"sub_technique_id": r.sub_technique_id,
|
||||
"tactic": r.tactic,
|
||||
"count": r.count,
|
||||
"confidence_max": r.confidence_max,
|
||||
})
|
||||
return out
|
||||
|
||||
# ── Backfill iterators (E.4) ────────────────────────────────────
|
||||
#
|
||||
# Read-only iterators consumed by ``decnet ttp backfill`` to replay
|
||||
|
||||
@@ -16,6 +16,7 @@ from .stream.api_stream_events import router as stream_router
|
||||
from .attackers.api_get_attackers import router as attackers_router
|
||||
from .attackers.api_export_attackers import router as attackers_export_router
|
||||
from .attackers.api_export_attacker_stix import router as attacker_export_stix_router
|
||||
from .attackers.api_export_attackers_stix import router as attackers_export_stix_router
|
||||
from .attackers.api_events import router as attacker_events_router
|
||||
from .attackers.api_get_attacker_detail import router as attacker_detail_router
|
||||
from .attackers.api_get_attacker_commands import router as attacker_commands_router
|
||||
@@ -106,6 +107,7 @@ api_router.include_router(deploy_deckies_router)
|
||||
# Attacker Profiles
|
||||
api_router.include_router(attackers_router)
|
||||
api_router.include_router(attackers_export_router)
|
||||
api_router.include_router(attackers_export_stix_router)
|
||||
api_router.include_router(attacker_export_stix_router)
|
||||
api_router.include_router(attacker_detail_router)
|
||||
api_router.include_router(attacker_events_router)
|
||||
|
||||
65
decnet/web/router/attackers/api_export_attackers_stix.py
Normal file
65
decnet/web/router/attackers/api_export_attackers_stix.py
Normal file
@@ -0,0 +1,65 @@
|
||||
"""GET /api/v1/attackers/export/stix — fleet-wide STIX 2.1 bundle.
|
||||
|
||||
Returns a self-contained STIX 2.1 Bundle covering every attacker the
|
||||
instance has observed. Attack-pattern SDOs carry canonical MITRE STIX IDs
|
||||
and are deduplicated across attackers — consumers who already have the
|
||||
public ATT&CK bundle won't accumulate duplicates.
|
||||
|
||||
Per-tag Sightings, captured Artifacts, and SMTP targets are omitted in
|
||||
fleet mode. Use GET /api/v1/attackers/{uuid}/export/stix for full fidelity
|
||||
on a single attacker.
|
||||
"""
|
||||
from __future__ import annotations
|
||||
|
||||
from datetime import datetime, timezone
|
||||
from typing import Any
|
||||
|
||||
from fastapi import APIRouter, Depends
|
||||
from fastapi.responses import Response
|
||||
|
||||
from decnet.telemetry import traced as _traced
|
||||
from decnet.ttp.stix_export import build_fleet_bundle
|
||||
from decnet.web.dependencies import require_viewer, repo
|
||||
|
||||
router = APIRouter()
|
||||
|
||||
|
||||
@router.get(
|
||||
"/attackers/export/stix",
|
||||
tags=["Attacker Profiles"],
|
||||
response_class=Response,
|
||||
responses={
|
||||
200: {
|
||||
"content": {"application/json": {}},
|
||||
"description": "STIX 2.1 bundle for all attackers",
|
||||
},
|
||||
401: {"description": "Could not validate credentials"},
|
||||
403: {"description": "Insufficient permissions"},
|
||||
},
|
||||
)
|
||||
@_traced("api.attackers.export_stix_fleet")
|
||||
async def api_export_attackers_stix(
|
||||
user: dict[str, Any] = Depends(require_viewer),
|
||||
) -> Response:
|
||||
"""Download a STIX 2.1 bundle covering every observed attacker."""
|
||||
rows, ttp_by_attacker = await _gather_fleet_data()
|
||||
bundle = build_fleet_bundle(rows=rows, ttp_by_attacker=ttp_by_attacker)
|
||||
ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
|
||||
return Response(
|
||||
content=bundle.serialize(pretty=True, indent=2),
|
||||
media_type="application/json",
|
||||
headers={
|
||||
"Content-Disposition": (
|
||||
f'attachment; filename="decnet-fleet-{ts}.stix.json"'
|
||||
),
|
||||
},
|
||||
)
|
||||
|
||||
|
||||
async def _gather_fleet_data() -> tuple[list[dict[str, Any]], dict[str, list[dict[str, Any]]]]:
|
||||
import asyncio
|
||||
rows, ttp_by_attacker = await asyncio.gather(
|
||||
repo.get_all_attackers_for_export(),
|
||||
repo.get_all_ttp_rollups_for_export(),
|
||||
)
|
||||
return rows, ttp_by_attacker
|
||||
Reference in New Issue
Block a user