Add mitre tags (#3)

Priyanka-Chatterjee-2000 · web-flow · commit 58297ad97962 · 2025-03-03T19:24:19.000+05:30
diff --git a/dashboards/activity_dashboard.pp b/dashboards/activity_dashboard.pp
@@ -102,14 +102,14 @@
 
   sql = <<-EOQ
     select
-      split_part(log_name, '%2F', 2) as "Type",
+      split_part(replace(log_name, '%2F', '/'),'/', 5) as "Type",
       count(*) as "Logs"
     from
       gcp_audit_log
     where
-      split_part(log_name, '%2F', 2) is not null
+      split_part(replace(log_name, '%2F', '/'),'/', 5) is not null
     group by
-      split_part(log_name, '%2F', 2)
+      split_part(replace(log_name, '%2F', '/'),'/', 5)
     order by
       count(*) desc
     limit 10;
diff --git a/detections/access_context_manager.pp b/detections/access_context_manager.pp
@@ -27,7 +27,9 @@
   query           = query.access_context_manager_policy_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.access_context_manager_common_tags
+  tags = merge(local.access_context_manager_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "access_context_manager_access_level_deleted" {
@@ -38,7 +40,9 @@
   query           = query.access_context_manager_access_level_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.access_context_manager_common_tags
+  tags = merge(local.access_context_manager_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 query "access_context_manager_policy_deleted" {
diff --git a/detections/apigee.pp b/detections/apigee.pp
@@ -25,7 +25,9 @@
   query           = query.apigee_security_action_disabled
   display_columns = local.detection_display_columns
 
-  tags = local.apigee_common_tags
+  tags = merge(local.apigee_common_tags, {
+    mitre_attack_ids = "TA0005:T1562.001"
+  })
 }
 
 query "apigee_security_action_disabled" {
diff --git a/detections/app_engine.pp b/detections/app_engine.pp
@@ -27,7 +27,9 @@
   query           = query.app_engine_firewall_ingress_rule_created
   display_columns = local.detection_display_columns
 
-  tags = local.app_engine_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "app_engine_firewall_ingress_rule_updated" {
@@ -38,7 +40,9 @@
   query           = query.app_engine_firewall_ingress_rule_updated
   display_columns = local.detection_display_columns
 
-  tags = local.app_engine_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "app_engine_firewall_ingress_rule_deleted" {
@@ -49,7 +53,9 @@
   query           = query.app_engine_firewall_ingress_rule_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.app_engine_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 query "app_engine_firewall_ingress_rule_created" {
diff --git a/detections/artifact_registry.pp b/detections/artifact_registry.pp
@@ -26,7 +26,9 @@
   query           = query.artifact_registry_repository_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.artifact_registry_common_tags
+  tags = merge(local.artifact_registry_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.003"
+  })
 }
 
 detection "artifact_registry_package_deleted" {
@@ -36,7 +38,9 @@
   severity      = "low"
   query         = query.artifact_registry_package_deleted
 
-  tags = local.artifact_registry_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.003"
+  })
 }
 
 query "artifact_registry_package_deleted" {
diff --git a/detections/cloud_run.pp b/detections/cloud_run.pp
@@ -25,7 +25,9 @@
   query           = query.cloud_run_function_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.cloud_run_function_common_tags
+  tags = merge(local.cloud_run_function_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.004"
+  })
 }
 
 query "cloud_run_function_deleted" {
diff --git a/detections/compute.pp b/detections/compute.pp
@@ -32,7 +32,9 @@
   query           = query.compute_vpn_tunnel_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = " TA0005:T1578.003"
+  })
 }
 
 detection "compute_firewall_rule_deleted" {
@@ -43,7 +45,9 @@
   query           = query.compute_firewall_rule_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "compute_image_iam_policy_set" {
@@ -54,7 +58,9 @@
   query           = query.compute_image_iam_policy_set
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "compute_disk_iam_policy_set" {
@@ -65,7 +71,9 @@
   query           = query.compute_disk_iam_policy_set
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "compute_snapshot_iam_policy_set" {
@@ -76,7 +84,9 @@
   query           = query.compute_snapshot_iam_policy_set
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "compute_instance_with_public_network_interface" {
@@ -87,7 +97,9 @@
   query           = query.compute_instance_with_public_network_interface
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0001:T1133"
+  })
 }
 
 detection "compute_subnetwork_flow_logs_disabled" {
@@ -98,7 +110,9 @@
   query           = query.compute_subnetwork_flow_logs_disabled
   display_columns = local.detection_display_columns
 
-  tags = local.compute_common_tags
+  tags = merge(local.compute_common_tags, {
+    mitre_attack_ids = "TA0005:T1562.001"
+  })
 }
 
 query "compute_firewall_rule_deleted" {
diff --git a/detections/dlp.pp b/detections/dlp.pp
@@ -25,7 +25,9 @@
   query           = query.dlp_reidentify_content
   display_columns = local.detection_display_columns
 
-  tags = local.dlp_common_tags
+  tags = merge(local.dlp_common_tags, {
+    mitre_attack_ids = "TA0005:T1140"
+  })
 }
 
 query "dlp_reidentify_content" {
diff --git a/detections/dns.pp b/detections/dns.pp
@@ -29,7 +29,9 @@
   query           = query.dns_managed_zone_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.dns_common_tags
+  tags = merge(local.dns_common_tags, {
+    mitre_attack_ids = "TA0040:T1565.001"
+  })
 }
 
 detection "dns_managed_zone_updated" {
@@ -40,7 +42,9 @@
   query           = query.dns_managed_zone_updated
   display_columns = local.detection_display_columns
 
-  tags = local.dns_common_tags
+  tags = merge(local.dns_common_tags, {
+    mitre_attack_ids = "TA0040:T1565.001"
+  })
 }
 
 detection "dns_record_set_updated" {
@@ -51,7 +55,9 @@
   query           = query.dns_record_set_updated
   display_columns = local.detection_display_columns
 
-  tags = local.dns_common_tags
+  tags = merge(local.dns_common_tags, {
+    mitre_attack_ids = "TA0040:T1565.001"
+  })
 }
 
 detection "dns_record_set_deleted" {
@@ -62,7 +68,9 @@
   query           = query.dns_record_set_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.dns_common_tags
+  tags = merge(local.dns_common_tags, {
+    mitre_attack_ids = "TA0040:T1565.001"
+  })
 }
 
 query "dns_managed_zone_deleted" {
diff --git a/detections/iam.pp b/detections/iam.pp
@@ -47,7 +47,7 @@
   display_columns = local.detection_display_columns
 
   tags = merge(local.iam_common_tags, {
-    mitre_attack_ids = "TA0001:T1078,TA0003:T1098,TA0003:T1136"
+    mitre_attack_ids = "TA0001:T1078.004,TA0003:T1098,TA0003:T1136"
   })
 }
 
@@ -60,7 +60,7 @@
   display_columns = local.detection_display_columns
 
   tags = merge(local.iam_common_tags, {
-    mitre_attack_ids = "TA0001:T1078,TA0003:T1098"
+    mitre_attack_ids = "TA0001:T1078.004,TA0003:T1098"
   })
 }
 
@@ -72,7 +72,9 @@
   query           = query.iam_service_account_disabled
   display_columns = local.detection_display_columns
 
-  tags = local.iam_common_tags
+  tags = merge(local.iam_common_tags, {
+    mitre_attack_ids = "TA0040:T1490"
+  })
 }
 
 detection "iam_service_account_token_creator_role_assigned" {
@@ -83,7 +85,9 @@
   query           = query.iam_service_account_token_creator_role_assigned
   display_columns = local.detection_display_columns
 
-  tags = local.iam_common_tags
+  tags = merge(local.iam_common_tags, {
+    mitre_attack_ids = "TA0003:T1136,TA0005:T1548"
+  })
 }
 
 detection "iam_organization_policy_updated" {
@@ -94,7 +98,9 @@
   query           = query.iam_organization_policy_updated
   display_columns = local.detection_display_columns
 
-  tags = local.iam_common_tags
+  tags = merge(local.iam_common_tags, {
+    mitre_attack_ids = "TA0005:T1562"
+  })
 }
 
 detection "iam_service_account_access_token_generated" {
@@ -105,7 +111,9 @@
   query           = query.iam_service_account_access_token_generated
   display_columns = local.detection_display_columns
 
-  tags = local.iam_common_tags
+  tags = merge(local.iam_common_tags, {
+    mitre_attack_ids = "TA0005:T1550, TA0002:T1651"
+  })
 }
 
 detection "iam_service_account_key_deleted" {
@@ -127,7 +135,9 @@
   query           = query.iam_owner_role_policy_set
   display_columns = local.detection_display_columns
 
-  tags = local.resourcemanager_common_tags
+  tags = merge(local.resourcemanager_common_tags, {
+    mitre_attack_ids = "TA0003:T1098"
+  })
 }
 
 query "iam_service_account_created" {
@@ -273,4 +283,4 @@
     order by
       timestamp desc;
   EOQ
-}
+}
diff --git a/detections/logging.pp b/detections/logging.pp
@@ -26,7 +26,9 @@
   query           = query.logging_sink_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.logging_common_tags
+  tags = merge(local.logging_common_tags, {
+    mitre_attack_ids = "TA0005:T1562"
+  })
 }
 
 detection "logging_bucket_deleted" {
@@ -37,7 +39,9 @@
   query           = query.logging_bucket_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.logging_common_tags
+  tags = merge(local.logging_common_tags, {
+    mitre_attack_ids = "TA0040:T1485"
+  })
 }
 
 query "logging_sink_deleted" {
diff --git a/detections/monitoring.pp b/detections/monitoring.pp
@@ -25,7 +25,9 @@
   query           = query.monitoring_metric_descriptor_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.monitoring_common_tags
+  tags = merge(local.monitoring_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "monitoring_alert_policy_deleted" {
@@ -36,7 +38,9 @@
   query           = query.monitoring_alert_policy_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.monitoring_common_tags
+  tags = merge(local.monitoring_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 query "monitoring_metric_descriptor_deleted" {
diff --git a/detections/resource_manager.pp b/detections/resource_manager.pp
@@ -24,7 +24,10 @@
   query           = query.resource_manager_iam_policy_set
   display_columns = local.detection_display_columns
 
-  tags = local.resourcemanager_common_tags
+  
+  tags = merge(local.resourcemanager_common_tags, {
+    mitre_attack_ids = "TA0005:T1211"
+  })
 }
 
 query "resource_manager_iam_policy_set" {
diff --git a/detections/security_command_center.pp b/detections/security_command_center.pp
@@ -25,7 +25,9 @@
   query           = query.security_command_center_notification_config_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.security_command_center_common_tags
+  tags = merge(local.security_command_center_common_tags, {
+    mitre_attack_ids = "TA0005:T1211"
+  })
 }
 
 query "security_command_center_notification_config_deleted" {
diff --git a/detections/sql.pp b/detections/sql.pp
diff --git a/detections/storage.pp b/detections/storage.pp

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,9 @@`
`25`	`25`	`query = query.apigee_security_action_disabled`
`26`	`26`	`display_columns = local.detection_display_columns`
`27`	`27`
`28`		`- tags = local.apigee_common_tags`
	`28`	`+ tags = merge(local.apigee_common_tags, {`
	`29`	`+ mitre_attack_ids = "TA0005:T1562.001"`
	`30`	`+ })`
`29`	`31`	`}`
`30`	`32`
`31`	`33`	`query "apigee_security_action_disabled" {`