Help with dynamic json via api and using that data

I am looking for someone to help me with manipulating data, I’ll explain what I am trying to achieve.

I am querying a sandbox and getting results back, such as:

[
{
"job_id": "623f655707a42579976dd735",
"environment_id": 100,
"environment_description": "Windows 7 32 bit",
"size": 1098240,
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"type_short": [
"peexe",
"executable"
],
"target_url": null,
"state": "SUCCESS",
"error_type": null,
"error_origin": null,
"submit_name": "e1511e934906072c0717e68c0a05b04c61846f7ad15ce323b61f854a24c86b15.exe",
"md5": "33f7000fc6b18aee48d787e09ddcd768",
"sha1": "65af9f145a741dc3bfde2309ad9d1e0a37bfde11",
"sha256": "e1511e934906072c0717e68c0a05b04c61846f7ad15ce323b61f854a24c86b15",
"sha512": "fc738725c7aecc7f71586e1c54141f85154bbeff3276c059e07213cf4f50fab5f09bd8d9755c071e4d592bf4a23a516742999204249d2d46fbd0cd0b11171b90",
"ssdeep": "24576:521pHZkUu40eoX4zuROs5obLOfkAnMNMo+C0OW/WS7H1S:qHZzu40ecUuFobafkaMNMo+plj7k",
"imphash": "ed1b2792ced7a8e7bb849a84d01e5fcb",
"av_detect": 52,
"vx_family": "Trojan.Crypt",
"url_analysis": false,
"analysis_start_time": "2022-03-26T19:11:23+00:00",
"threat_score": 100,
"interesting": false,
"threat_level": 2,
"verdict": "malicious",
"certificates": [
],
"domains": [
"v.beahh.com"
],
"classification_tags": [
],
"compromised_hosts": [
],
"hosts": [
],
"total_network_connections": 0,
"total_processes": 1,
"total_signatures": 15,
"extracted_files": [
],
"file_metadata": {
"file_compositions": [
"1 .OBJ Files (COFF) linked with LINK.EXE 9.00 (Visual Studio 2008) (build: 21022)",
"1 .RES Files linked with CVTRES.EXE 9.00 (Visual Studio 2008) (build: 21022)",
"1 .CPP Files (with LTCG) compiled with CL.EXE 15.00 (Visual Studio 2008) (build: 21022)"
],
"imported_objects": [
"5 .LIB Files generated with LIB.EXE 8.00 (Visual Studio 2005) (build: 50727)",
"90 .C Files compiled with CL.EXE 15.00 (Visual Studio 2008) (build: 21022)",
"20 .ASM Files assembled with MASM 9.00 (Visual Studio 2008) (build: 21022)",
"29 .CPP Files compiled with CL.EXE 15.00 (Visual Studio 2008) (build: 21022)"
],
"file_analysis": [
"File contains C++ code",
"File appears to contain raw COFF/OMF content",
"File was optimized using LTCG and/or POGO",
"File is the product of a small codebase (1 files)"
],
"total_file_compositions_imports": 123
},
"processes": [
{
"uid": "00000000-00002792",
"parentuid": null,
"name": "e1511e934906072c0717e68c0a05b04c61846f7ad15ce323b61f854a24c86b15.exe",
"normalized_path": "C:\e1511e934906072c0717e68c0a05b04c61846f7ad15ce323b61f854a24c86b15.exe",
"command_line": null,
"sha256": "e1511e934906072c0717e68c0a05b04c61846f7ad15ce323b61f854a24c86b15",
"av_label": "Trojan.Crypt",
"av_matched": 26,
"av_total": 70,
"pid": null,
"icon": null,
"file_accesses": [
],
"created_files": [
],
"registry": [
],
"mutants": [
],
"handles": [
],
"streams": [
],
"script_calls": [
],
"process_flags": [
]
}
],
"tags": [
],
"mitre_attcks": [
{
"tactic": "Defense Evasion",
"technique": "Software Packing",
"attck_id": "T1027.002",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1027/002",
"malicious_identifiers_count": 0,
"malicious_identifiers": [
],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [
],
"informative_identifiers_count": 1,
"informative_identifiers": [
],
"parent": {
"technique": "Obfuscated Files or Information",
"attck_id": "T1027",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1027"
}
},
{
"tactic": "Credential Access",
"technique": "Credential API Hooking",
"attck_id": "T1056.004",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1056/004",
"malicious_identifiers_count": 0,
"malicious_identifiers": [
],
"suspicious_identifiers_count": 1,
"suspicious_identifiers": [
],
"informative_identifiers_count": 0,
"informative_identifiers": [
],
"parent": {
"technique": "Input Capture",
"attck_id": "T1056",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1056"
}
},
{
"tactic": "Discovery",
"technique": "System Information Discovery",
"attck_id": "T1082",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082",
"malicious_identifiers_count": 0,
"malicious_identifiers": [
],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [
],
"informative_identifiers_count": 1,
"informative_identifiers": [
],
"parent": null
},
{
"tactic": "Collection",
"technique": "Credential API Hooking",
"attck_id": "T1056.004",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1056/004",
"malicious_identifiers_count": 0,
"malicious_identifiers": [
],
"suspicious_identifiers_count": 1,
"suspicious_identifiers": [
],
"informative_identifiers_count": 0,
"informative_identifiers": [
],
"parent": {
"technique": "Input Capture",
"attck_id": "T1056",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1056"
}
}
],
"submissions": [
{
"submission_id": "623f655707a42579976dd736",
"filename": "e1511e934906072c0717e68c0a05b04c61846f7ad15ce323b61f854a24c86b15.exe",
"url": null,
"created_at": "2022-03-26T19:11:19+00:00"
}
],
"network_mode": "default",
"machine_learning_models": [
]
}
]

Once I have that data, I am trying to map the ATT&CK section to align with the MITRE ATT&CK JSON layout, such as:

{
	"name": "layer",
	"versions": {
		"attack": "10",
		"navigator": "4.5.5",
		"layer": "4.3"
	},
	"domain": "enterprise-attack",
	"description": "",
	"filters": {
		"platforms": [
			"Linux",
			"macOS",
			"Windows",
			"Azure AD",
			"Office 365",
			"SaaS",
			"IaaS",
			"Google Workspace",
			"PRE",
			"Network",
			"Containers"
		]
	},
	"sorting": 0,
	"layout": {
		"layout": "side",
		"aggregateFunction": "average",
		"showID": false,
		"showName": true,
		"showAggregateScores": false,
		"countUnscored": false
	},
	"hideDisabled": false,
	"techniques": [
		{
			"techniqueID": "T1546",
			"tactic": "privilege-escalation",
			"color": "#e60d0d",
			"comment": "",
			"enabled": true,
			"metadata": [],
			"links": [],
			"showSubtechniques": false
		},
		{
			"techniqueID": "T1546",
			"tactic": "persistence",
			"color": "#e60d0d",
			"comment": "",
			"enabled": true,
			"metadata": [],
			"links": [],
			"showSubtechniques": false
		},
		{
			"techniqueID": "T1498",
			"tactic": "impact",
			"color": "",
			"comment": "",
			"enabled": true,
			"metadata": [],
			"links": [],
			"showSubtechniques": true
		},
		{
			"techniqueID": "T1498.002",
			"tactic": "impact",
			"color": "#e60d0d",
			"comment": "",
			"enabled": true,
			"metadata": [],
			"links": [],
			"showSubtechniques": false
		},
		{
			"techniqueID": "T1053",
			"tactic": "execution",
			"color": "",
			"comment": "",
			"enabled": true,
			"metadata": [],
			"links": [],
			"showSubtechniques": true
		},
		{
			"techniqueID": "T1053.002",
			"tactic": "execution",
			"color": "#e60d0d",
			"comment": "",
			"enabled": true,
			"metadata": [],
			"links": [],
			"showSubtechniques": false
		},
		{
			"techniqueID": "T1053.002",
			"tactic": "persistence",
			"color": "#e60d0d",
			"comment": "",
			"enabled": true,
			"metadata": [],
			"links": [],
			"showSubtechniques": false
		},
		{
			"techniqueID": "T1053.002",
			"tactic": "privilege-escalation",
			"color": "#e60d0d",
			"comment": "",
			"enabled": true,
			"metadata": [],
			"links": [],
			"showSubtechniques": false
		}
	],
	"gradient": {
		"colors": [
			"#ff6666ff",
			"#ffe766ff",
			"#8ec843ff"
		],
		"minValue": 0,
		"maxValue": 100
	},
	"legendItems": [],
	"metadata": [],
	"links": [],
	"showTacticRowBackground": false,
	"tacticRowBackground": "#dddddd",
	"selectTechniquesAcrossTactics": true,
	"selectSubtechniquesWithParent": false
}

What I am unable to do is take the dynamic data from the sandbox and get it into the correct MITRE ATT&CK format on the fly, as I don’t know how many results will come back from the sandbox. Any ideas how to do this?

The fields that need filling in are ones such as "techniqueID": "T1053.002" and "tactic": "privilege-escalation".

If I knew it was always one or two, I could use the set node, but this isn’t the case.

The second section of code will need to be filled out dynamically with the techniques from the sandbox. This will then be POSTed to a blog as a new post, if that makes sense.

@RedPacketSec do you have an example of a mitre att&ck json file?

@RedPacketSec I just took a look at both JSON structures, and I’m trying to figure out what needs to go where. Is “mitre_attcks” going to become “techniques”? And “attck_id” “techniqueID”? And where do color and comment need to come from?

BTW: your results JSON is not valid as pasted (for example, the unescaped backslash in the “normalized_path” value, “C:\e1511…”, is not a legal JSON escape sequence). You can validate JSON via https://jsonlint.com

attck_id → techniqueID

The colour will be static.
Comment: not sure yet; I will probably find something else useful to map across into it.

So what happens is that once this has been mapped and the JSON file has been created, it will then be used to create a MITRE ATT&CK SVG layer file that will look something like this:

https://mitre-attack.github.io/attack-navigator/

That might have been a bad copy and paste.

@RedPacketSec do I understand it correctly that you basically want to convert the mitre_attcks/attck_id values into techniques/techniqueID entries?

Yeah, basically — I need to translate them over.