read_events: Read in ATT&CK events from a file
In hrbrmstr/attckr: Analyze Adversary Tactics and Techniques Using the MITRE ATT&CK CTI Corpus
Description
Usage
Arguments
Details
Examples
Description
This is a convenience wrapper for readr::read_csv() that sets up
a contract to read in incident events with some pre-determined expectations.
See Details for more information.
Usage
1
read_events(path, matrix = c("enterprise", "mobile", "pre"), ...)
Arguments
path
path to a CSV file that contains ATT&CK events. This will be path.expand()ed.
matrix
which matrix are the events associated with?
...
passed on to readr::read_csv()
Details
While sufficient metadata and helpers have been provided with this package
to enable customized use of the ATT&CK matricies sometimes you just want
to get stuff done quickly and for that we need to establish some ground rules.
This function defines and "incident event" record as something that
contains the fields:
-
event_id: a unique identifier for this event
-
incident_id: the associated incident for the event_id; again, a unique
identifier for each incident
-
event_ts: the timestamp for when the event occurred (anything date-like)
-
detection_ts: the timestamp for when the event was detected (anything date-like)
-
tactic: the ATT&CK Tactic; can be in "id" format (dashed lowercase), "pretty"
(spaces, titlecase), or "newline" (newlines, titlecase)
-
technique: the ATT&CK Technique id or precise spelling if spelled out
-
discovery_source: free text field (it should still be "identifier-ish")
that helps pinpoint which control/logging source enabled discovery of the
event.
-
reporting_source: free text field (it should still be "identifier-ish")
that identifies what did the reporting for the discovery_source.
-
responder_id the id of the incident reponder associated with this
combination of event_id and incident_id.
You can think of discovery_source & reporting_source this way: say
the Windows Event Log captured the evidence of a failed (or successful)
local admin logon event. It passes that on to your centralized logging
facility and/or your SIEM. You can make discovery_source "Windows Event Log"
and reporting_source whichever technology you used.
Any column not-present will be turned into NA. Columns not matching the
above names will be removed from the object returned.
Examples
1
read_events(system.file("extdat/sample-incidents.csv.gz", package = "attckr"))
hrbrmstr/attckr documentation built on Aug. 13, 2020, 11:49 a.m.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Description Usage Arguments Details Examples
Description
This is a convenience wrapper for readr::read_csv() that sets up
a contract to read in incident events with some pre-determined expectations.
See Details for more information.
Usage
1 | read_events(path, matrix = c("enterprise", "mobile", "pre"), ...)
|
Arguments
path |
path to a CSV file that contains ATT&CK events. This will be |
matrix |
which matrix are the events associated with? |
... |
passed on to |
Details
While sufficient metadata and helpers have been provided with this package to enable customized use of the ATT&CK matricies sometimes you just want to get stuff done quickly and for that we need to establish some ground rules.
This function defines and "incident event" record as something that contains the fields:
-
event_id: a unique identifier for this event -
incident_id: the associated incident for theevent_id; again, a unique identifier for each incident -
event_ts: the timestamp for when the event occurred (anything date-like) -
detection_ts: the timestamp for when the event was detected (anything date-like) -
tactic: the ATT&CK Tactic; can be in "id" format (dashed lowercase), "pretty" (spaces, titlecase), or "newline" (newlines, titlecase) -
technique: the ATT&CK Technique id or precise spelling if spelled out -
discovery_source: free text field (it should still be "identifier-ish") that helps pinpoint which control/logging source enabled discovery of the event. -
reporting_source: free text field (it should still be "identifier-ish") that identifies what did the reporting for thediscovery_source. -
responder_idthe id of the incident reponder associated with this combination ofevent_idandincident_id.
You can think of discovery_source & reporting_source this way: say
the Windows Event Log captured the evidence of a failed (or successful)
local admin logon event. It passes that on to your centralized logging
facility and/or your SIEM. You can make discovery_source "Windows Event Log"
and reporting_source whichever technology you used.
Any column not-present will be turned into NA. Columns not matching the
above names will be removed from the object returned.
Examples
1 | read_events(system.file("extdat/sample-incidents.csv.gz", package = "attckr"))
|
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Embedding an R snippet on your website
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.