[Improvement] - Having multiple engagements on one instance, tag re-use, template for events #18
Comments
TH3xACE
changed the title
|
Thanks for reaching out. The tool started off life with the ambition of holding multiple assessments, but as it matured there were concerns around aggregating data and therefore the "per job" deployment model is currently preferred to a) allow archiving of a job's data alongside other data such as report output with a single ACL and b) limit the impact of a system breach. That said, the tag export/import sounds like a good work around. From a quick search, it looks like https://github.com/django-import-export/django-import-export is quite fully featured so I will investigate integrating that. I don't know if you've seen the new yara rules used for suggesting MITRE techniques based on matches in the "raw evidence" field. I wonder if extending this to also populate/suggest the description would work? It would mean tasks such as phishing would need a consistent "raw evidence" (not always true if done manually via a UI) but it feels like there's value in this idea - thoughts? |
|
Thanks for your response. Yes I do understand the reason behind having an instance per mission/engagement. The import/export feature sounds interesting, I will check it out. The workaround that I found was to create an instance create the tags then save and use that database for each new deployment/mission. I have also use docker with an image then I can create either a new container for each deployment or use a custom script to switch database. It would be nice to have a TTP/Vuln database that can be used for the events… |
|
Following fed48f6 you can now use the UI to import and export users, webhooks and tags. I think they are the main things you'd want to carry between instances, but I'm open to suggestions for other model classes. The import/export can be done via the Model names you can use are:
|
|
Great! Thanks |
First of all, thank you for providing this solution. I was wondering if it would be possible to have several engagement on the same instance and thus allowing to shift let say from RT-03-2024 engagement to RT-06-2024. This will prevent from creating an instance for each engagement.
Why it would be great ? Because that will allow tag re-use because I have created a list of tag and would like to use it on other engagement without having to create them for each new engagment.
Alternative, would be to give the possibility to export tags and maybe also a list of template for some events....
lets say having a short description for phishing, dump lsass or any type of TTPs that you tend to use on different engagement and thus not having to rewrite for each engagement.
The text was updated successfully, but these errors were encountered: