anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ttp/stix): fleet-wide STIX 2.1 export — GET /api/v1/attackers/export/stix

Browse Source
This commit is contained in:
anti
2026-05-09 07:37:41 -04:00
parent f827197cc8
commit c210a56fc8
7 changed files with 299 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
decnet/ttp/stix_export.py
View File

@@ -300,3 +300,47 @@ def build_attacker_bundle(
objs.append(note) objs.append(note)
return stix2.Bundle(objects=objs, allow_custom=True) return stix2.Bundle(objects=objs, allow_custom=True)
def build_fleet_bundle(
rows: list[dict[str, Any]],
ttp_by_attacker: dict[str, list[dict[str, Any]]],
) -> stix2.Bundle:
"""Assemble a STIX 2.1 Bundle covering all attackers in *rows*.
Deduplicates by STIX ID — attack-pattern SDOs with the same canonical
MITRE UUID appear once regardless of how many attackers used the technique.
Per-tag Sightings, Artifacts, and SMTP targets are omitted in fleet mode
(too verbose; use the per-attacker endpoint for full fidelity).
"""
objs_by_id: dict[str, Any] = {}
for row in rows:
raw_cmds = row.get("commands") or []
if isinstance(raw_cmds, str):
try:
raw_cmds = json.loads(raw_cmds)
except Exception:
raw_cmds = []
cmds = [
str(e.get("command_text", "")).strip()
for e in raw_cmds
if isinstance(e, dict) and e.get("command_text")
]
intel = row.get("threat_intel")
bundle = build_attacker_bundle(
attacker=row,
behavior=None,
identity=None,
intel=intel,
technique_rollup=ttp_by_attacker.get(row["uuid"], []),
raw_tags=[],
artifacts=[],
smtp_targets=[],
commands=cmds,
)
for obj in bundle.objects:
objs_by_id[obj.id] = obj
return stix2.Bundle(objects=list(objs_by_id.values()), allow_custom=True)

4
decnet/web/db/repository.py
View File

@@ -1496,6 +1496,10 @@ class BaseRepository(ABC):
"""Deduplicated ``command_text`` strings for one attacker, order-preserved.""" """Deduplicated ``command_text`` strings for one attacker, order-preserved."""
raise NotImplementedError raise NotImplementedError
async def get_all_ttp_rollups_for_export(self) -> dict[str, list[dict[str, Any]]]:
"""Return ``{attacker_uuid: [rollup_dict, ...]}`` for all attackers."""
raise NotImplementedError
async def list_ttp_decky_phases( async def list_ttp_decky_phases(
self, identity_uuid: str, self, identity_uuid: str,
) -> list[dict[str, Any]]: ) -> list[dict[str, Any]]:

35
decnet/web/db/sqlmodel_repo/ttp.py
View File

@@ -361,6 +361,41 @@ class TTPMixin(_MixinBase):
res = await session.execute(stmt) res = await session.execute(stmt)
return [r.model_dump(mode="json") for r in res.scalars().all()] return [r.model_dump(mode="json") for r in res.scalars().all()]
async def get_all_ttp_rollups_for_export(self) -> dict[str, list[dict[str, Any]]]:
"""Return ``{attacker_uuid: [rollup_dict, ...]}`` for all attackers.
Single query; used by the fleet STIX export so it doesn't fan out
N × list_techniques_by_attacker calls.
"""
async with self._session() as session:
stmt: Any = (
select(
col(TTPTag.attacker_uuid),
col(TTPTag.technique_id),
col(TTPTag.sub_technique_id),
func.max(col(TTPTag.tactic)).label("tactic"),
func.count().label("count"),
func.max(col(TTPTag.confidence)).label("confidence_max"),
)
.where(col(TTPTag.attacker_uuid).is_not(None))
.group_by(
TTPTag.attacker_uuid,
TTPTag.technique_id,
TTPTag.sub_technique_id,
)
)
res = await session.execute(stmt)
out: dict[str, list[dict[str, Any]]] = {}
for r in res.all():
out.setdefault(r.attacker_uuid, []).append({
"technique_id": r.technique_id,
"sub_technique_id": r.sub_technique_id,
"tactic": r.tactic,
"count": r.count,
"confidence_max": r.confidence_max,
})
return out
# ── Backfill iterators (E.4) ──────────────────────────────────── # ── Backfill iterators (E.4) ────────────────────────────────────
# #
# Read-only iterators consumed by ``decnet ttp backfill`` to replay # Read-only iterators consumed by ``decnet ttp backfill`` to replay

2
decnet/web/router/__init__.py
View File

@@ -16,6 +16,7 @@ from .stream.api_stream_events import router as stream_router
from .attackers.api_get_attackers import router as attackers_router from .attackers.api_get_attackers import router as attackers_router
from .attackers.api_export_attackers import router as attackers_export_router from .attackers.api_export_attackers import router as attackers_export_router
from .attackers.api_export_attacker_stix import router as attacker_export_stix_router from .attackers.api_export_attacker_stix import router as attacker_export_stix_router
from .attackers.api_export_attackers_stix import router as attackers_export_stix_router
from .attackers.api_events import router as attacker_events_router from .attackers.api_events import router as attacker_events_router
from .attackers.api_get_attacker_detail import router as attacker_detail_router from .attackers.api_get_attacker_detail import router as attacker_detail_router
from .attackers.api_get_attacker_commands import router as attacker_commands_router from .attackers.api_get_attacker_commands import router as attacker_commands_router
@@ -106,6 +107,7 @@ api_router.include_router(deploy_deckies_router)
# Attacker Profiles # Attacker Profiles
api_router.include_router(attackers_router) api_router.include_router(attackers_router)
api_router.include_router(attackers_export_router) api_router.include_router(attackers_export_router)
api_router.include_router(attackers_export_stix_router)
api_router.include_router(attacker_export_stix_router) api_router.include_router(attacker_export_stix_router)
api_router.include_router(attacker_detail_router) api_router.include_router(attacker_detail_router)
api_router.include_router(attacker_events_router) api_router.include_router(attacker_events_router)

65
decnet/web/router/attackers/api_export_attackers_stix.py Normal file
View File

@@ -0,0 +1,65 @@
"""GET /api/v1/attackers/export/stix — fleet-wide STIX 2.1 bundle.
Returns a self-contained STIX 2.1 Bundle covering every attacker the
instance has observed. Attack-pattern SDOs carry canonical MITRE STIX IDs
and are deduplicated across attackers — consumers who already have the
public ATT&CK bundle won't accumulate duplicates.
Per-tag Sightings, captured Artifacts, and SMTP targets are omitted in
fleet mode. Use GET /api/v1/attackers/{uuid}/export/stix for full fidelity
on a single attacker.
"""
from __future__ import annotations
from datetime import datetime, timezone
from typing import Any
from fastapi import APIRouter, Depends
from fastapi.responses import Response
from decnet.telemetry import traced as _traced
from decnet.ttp.stix_export import build_fleet_bundle
from decnet.web.dependencies import require_viewer, repo
router = APIRouter()
@router.get(
"/attackers/export/stix",
tags=["Attacker Profiles"],
response_class=Response,
responses={
200: {
"content": {"application/json": {}},
"description": "STIX 2.1 bundle for all attackers",
},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
},
)
@_traced("api.attackers.export_stix_fleet")
async def api_export_attackers_stix(
user: dict[str, Any] = Depends(require_viewer),
) -> Response:
"""Download a STIX 2.1 bundle covering every observed attacker."""
rows, ttp_by_attacker = await _gather_fleet_data()
bundle = build_fleet_bundle(rows=rows, ttp_by_attacker=ttp_by_attacker)
ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
return Response(
content=bundle.serialize(pretty=True, indent=2),
media_type="application/json",
headers={
"Content-Disposition": (
f'attachment; filename="decnet-fleet-{ts}.stix.json"'
),
},
)
async def _gather_fleet_data() -> tuple[list[dict[str, Any]], dict[str, list[dict[str, Any]]]]:
import asyncio
rows, ttp_by_attacker = await asyncio.gather(
repo.get_all_attackers_for_export(),
repo.get_all_ttp_rollups_for_export(),
)
return rows, ttp_by_attacker

4
tests/db/test_base_repo.py
View File

@@ -131,6 +131,8 @@ class DummyRepo(BaseRepository):
return [] return []
async def list_attacker_commands_deduped(self, uuid): async def list_attacker_commands_deduped(self, uuid):
return [] return []
async def get_all_ttp_rollups_for_export(self):
return {}
# Iter helpers — async generators, can't `await super()` on them # Iter helpers — async generators, can't `await super()` on them
# because the base raises in the body before any yield. Just yield # because the base raises in the body before any yield. Just yield
# nothing so the consumer's ``async for`` exits cleanly. # nothing so the consumer's ``async for`` exits cleanly.
@@ -274,6 +276,8 @@ async def test_base_repo_coverage():
await BaseRepository.list_ttp_tags_by_attacker(dr, "a") await BaseRepository.list_ttp_tags_by_attacker(dr, "a")
with pytest.raises(NotImplementedError): with pytest.raises(NotImplementedError):
await BaseRepository.list_attacker_commands_deduped(dr, "a") await BaseRepository.list_attacker_commands_deduped(dr, "a")
with pytest.raises(NotImplementedError):
await BaseRepository.get_all_ttp_rollups_for_export(dr)
# Iter helpers: just consume the empty generator. # Iter helpers: just consume the empty generator.
now = datetime.now(timezone.utc) now = datetime.now(timezone.utc)
async for _ in dr.iter_attacker_commands_since(now): async for _ in dr.iter_attacker_commands_since(now):

145
tests/web/test_api_export_attackers_stix.py Normal file
View File

@@ -0,0 +1,145 @@
"""Tests for GET /api/v1/attackers/export/stix — fleet-wide STIX bundle."""
from __future__ import annotations
import json
from datetime import datetime, timezone
from pathlib import Path
from unittest.mock import AsyncMock, patch
import pytest
import stix2
from decnet.ttp import attack_stix
from decnet.web.router.attackers.api_export_attackers_stix import (
api_export_attackers_stix,
)
_REPO_BUNDLE = Path(__file__).resolve().parents[2] / "enterprise-attack-19.0.json"
_FAKE_USER: dict = {"uuid": "test-user", "role": "viewer"}
@pytest.fixture(autouse=True)
def _pin_bundle(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> None:
license_path = tmp_path / "LICENSE.txt"
license_path.write_text("placeholder", encoding="utf-8")
monkeypatch.setenv("DECNET_ATTACK_BUNDLE", str(_REPO_BUNDLE))
monkeypatch.setenv("DECNET_ATTACK_LICENSE", str(license_path))
attack_stix._data = None
attack_stix._loaded_path = None
attack_stix._attack_pattern_by_id.cache_clear()
attack_stix._tactic_by_id.cache_clear()
attack_stix._tactic_by_short_name.cache_clear()
attack_stix.groups_using_technique.cache_clear()
def _attacker(uuid: str = "att-aaaa", ip: str = "1.2.3.4") -> dict:
return {
"uuid": uuid,
"ip": ip,
"first_seen": datetime(2026, 1, 1, tzinfo=timezone.utc),
"last_seen": datetime(2026, 1, 31, tzinfo=timezone.utc),
"event_count": 10,
"identity_id": None,
"country_code": "US",
"asn": 15169,
"as_name": "GOOGLE",
"commands": [],
"threat_intel": None,
}
def _mock_repo(*, rows=None, ttp_by_attacker=None):
m = type("M", (), {})()
m.get_all_attackers_for_export = AsyncMock(return_value=rows or [])
m.get_all_ttp_rollups_for_export = AsyncMock(return_value=ttp_by_attacker or {})
return m
@pytest.mark.asyncio
async def test_empty_fleet_returns_bundle():
"""Zero attackers → valid bundle with just the DECNET org identity."""
m = _mock_repo()
with patch("decnet.web.router.attackers.api_export_attackers_stix.repo", m):
resp = await api_export_attackers_stix(user=_FAKE_USER)
bundle = json.loads(resp.body)
assert bundle["type"] == "bundle"
@pytest.mark.asyncio
async def test_single_attacker_baseline_objects():
"""One attacker with no TTPs → 4 objects (org, ip, observed-data, threat-actor)."""
m = _mock_repo(rows=[_attacker()])
with patch("decnet.web.router.attackers.api_export_attackers_stix.repo", m):
resp = await api_export_attackers_stix(user=_FAKE_USER)
objs = json.loads(resp.body)["objects"]
types = [o["type"] for o in objs]
assert types.count("identity") == 1
assert types.count("ipv4-addr") == 1
assert types.count("observed-data") == 1
assert types.count("threat-actor") == 1
assert len(objs) == 4
@pytest.mark.asyncio
async def test_attack_patterns_deduplicated_across_attackers():
"""Two attackers sharing T1059 → only one attack-pattern SDO in bundle."""
rows = [_attacker("att-1111", "1.1.1.1"), _attacker("att-2222", "2.2.2.2")]
rollup = {"technique_id": "T1059", "sub_technique_id": None, "tactic": "TA0002",
"count": 1, "confidence_max": 0.9}
ttp_by_attacker = {"att-1111": [rollup], "att-2222": [rollup]}
m = _mock_repo(rows=rows, ttp_by_attacker=ttp_by_attacker)
with patch("decnet.web.router.attackers.api_export_attackers_stix.repo", m):
resp = await api_export_attackers_stix(user=_FAKE_USER)
objs = json.loads(resp.body)["objects"]
assert [o for o in objs if o["type"] == "attack-pattern"].__len__() == 1
@pytest.mark.asyncio
async def test_two_attackers_two_threat_actors():
"""Two distinct attacker rows → two distinct threat-actor SDOs."""
rows = [_attacker("att-1111", "1.1.1.1"), _attacker("att-2222", "2.2.2.2")]
m = _mock_repo(rows=rows)
with patch("decnet.web.router.attackers.api_export_attackers_stix.repo", m):
resp = await api_export_attackers_stix(user=_FAKE_USER)
objs = json.loads(resp.body)["objects"]
assert len([o for o in objs if o["type"] == "threat-actor"]) == 2
@pytest.mark.asyncio
async def test_commands_included_in_fleet():
"""Commands from the inline commands field are emitted as process SCOs."""
row = _attacker()
row["commands"] = [
{"command_text": "whoami", "ts": "2026-01-10T00:00:00"},
{"command_text": "id", "ts": "2026-01-10T00:01:00"},
]
m = _mock_repo(rows=[row])
with patch("decnet.web.router.attackers.api_export_attackers_stix.repo", m):
resp = await api_export_attackers_stix(user=_FAKE_USER)
objs = json.loads(resp.body)["objects"]
processes = [o for o in objs if o["type"] == "process"]
assert len(processes) == 2
assert {p["command_line"] for p in processes} == {"whoami", "id"}
@pytest.mark.asyncio
async def test_stix2_round_trip_validation():
"""Fleet bundle must parse cleanly with stix2."""
rows = [_attacker("att-1111", "1.1.1.1"), _attacker("att-2222", "2.2.2.2")]
rollup = {"technique_id": "T1059", "sub_technique_id": None, "tactic": "TA0002",
"count": 2, "confidence_max": 0.85}
m = _mock_repo(rows=rows, ttp_by_attacker={"att-1111": [rollup]})
with patch("decnet.web.router.attackers.api_export_attackers_stix.repo", m):
resp = await api_export_attackers_stix(user=_FAKE_USER)
parsed = stix2.parse(resp.body, allow_custom=True)
assert parsed.type == "bundle"
@pytest.mark.asyncio
async def test_response_headers():
m = _mock_repo()
with patch("decnet.web.router.attackers.api_export_attackers_stix.repo", m):
resp = await api_export_attackers_stix(user=_FAKE_USER)
assert resp.media_type == "application/json"
assert "decnet-fleet-" in resp.headers["content-disposition"]
assert ".stix.json" in resp.headers["content-disposition"]