1616limitations under the License.
1717-----------------------------------------------------------------
1818"""
19-
2019import copy
2120import json
2221from typing import Optional
@@ -50,21 +49,6 @@ class LogRhythmAxonRuleRender(LogRhythmAxonQueryRender):
5049 or_token = "or"
5150 field_value_map = LogRhythmAxonRuleFieldValue (or_token = or_token )
5251
53- def __create_mitre_threat (self , meta_info : MetaInfoContainer ) -> tuple [list , list ]:
54- tactics = set ()
55- techniques = []
56-
57- for tactic in meta_info .mitre_attack .get ("tactics" ):
58- tactics .add (tactic ["tactic" ])
59-
60- for technique in meta_info .mitre_attack .get ("techniques" ):
61- if technique .get ("tactic" ):
62- for tactic in technique ["tactic" ]:
63- tactics .add (tactic )
64- techniques .append (technique ["technique_id" ])
65-
66- return sorted (tactics ), sorted (techniques )
67-
6852 def finalize_query (
6953 self ,
7054 prefix : str ,
@@ -91,11 +75,11 @@ def finalize_query(
9175 )
9276 if tactics := meta_info .mitre_attack .get ("tactics" ):
9377 rule ["observationPipeline" ]["metadataFields" ]["threat.mitre_tactic" ] = ", " .join (
94- f"{ i ['external_id' ]} { i ['tactic' ]} for i in tactics
78+ f"{ i ['external_id' ]} { i ['tactic' ]} for i in sorted ( tactics , key = lambda x : x [ "external_id" ])
9579 )
9680 if techniques := meta_info .mitre_attack .get ("techniques" ):
9781 rule ["observationPipeline" ]["metadataFields" ]["threat.mitre_technique" ] = ", " .join (
98- f"{ i ['technique_id' ]} { i ['technique' ]} for i in techniques
82+ f"{ i ['technique_id' ]} { i ['technique' ]} for i in sorted ( techniques , key = lambda x : x [ "technique_id" ])
9983 )
10084 if meta_info .fields :
10185 rule ["observationPipeline" ]["pattern" ]["operations" ][0 ]["logObserved" ]["groupByFields" ] = [
0 commit comments