fix(rt-import): require Blue Lead validation before coverage counts
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
RT tests are created in 'in_review' state (not validated): - red_validation_status = 'approved' (RT confirmed execution) - blue_validation_status = null (pending Blue Lead review) - detection_result is pre-filled from the import JSON Blue Lead sees these in their normal validation queue and confirms or rejects the detection result. Only after Blue Lead approval does the technique coverage update to validated/not_covered/partial. This gives Blue Lead oversight over RT findings rather than auto- accepting external engagement results as ground truth.
This commit is contained in:
kitos
@@ -820,7 +820,9 @@ def import_rt(
|
|||||||
parts.append(f"\n{entry.notes}")
|
parts.append(f"\n{entry.notes}")
|
||||||
red_summary_text = "\n".join(parts)
|
red_summary_text = "\n".join(parts)
|
||||||
|
|
||||||
# Create Test directly in validated state
|
# RT pre-validates the Red side (they ran it), but Blue Lead
|
||||||
|
# must still validate the detection result before it counts.
|
||||||
|
# State = in_review so it appears in the Blue Lead's validation queue.
|
||||||
test = Test(
|
test = Test(
|
||||||
technique_id=technique.id,
|
technique_id=technique.id,
|
||||||
name=test_name,
|
name=test_name,
|
||||||
@@ -828,18 +830,17 @@ def import_rt(
|
|||||||
platform=entry.platform,
|
platform=entry.platform,
|
||||||
procedure_text=entry.notes,
|
procedure_text=entry.notes,
|
||||||
created_by=current_user.id,
|
created_by=current_user.id,
|
||||||
state=TestState.validated,
|
state=TestState.in_review,
|
||||||
# Red team fields
|
# Red team — approved by the RT operator
|
||||||
attack_success=entry.attack_success,
|
attack_success=entry.attack_success,
|
||||||
red_summary=red_summary_text,
|
red_summary=red_summary_text,
|
||||||
red_validation_status="approved",
|
red_validation_status="approved",
|
||||||
red_validated_by=current_user.id,
|
red_validated_by=current_user.id,
|
||||||
red_validated_at=datetime.utcnow(),
|
red_validated_at=datetime.utcnow(),
|
||||||
# Blue team fields
|
# Blue team — pre-fill the detection result but leave
|
||||||
|
# validation_status pending so Blue Lead must confirm
|
||||||
detection_result=detection_result,
|
detection_result=detection_result,
|
||||||
blue_validation_status="approved",
|
blue_validation_status=None,
|
||||||
blue_validated_by=current_user.id,
|
|
||||||
blue_validated_at=datetime.utcnow(),
|
|
||||||
# Timing
|
# Timing
|
||||||
execution_date=exec_date_str,
|
execution_date=exec_date_str,
|
||||||
created_at=datetime.utcnow(),
|
created_at=datetime.utcnow(),
|
||||||
|
|||||||
@@ -145,8 +145,9 @@ export default function ImportRTPage() {
|
|||||||
Import Red Team Results
|
Import Red Team Results
|
||||||
</h1>
|
</h1>
|
||||||
<p className="mt-1 text-sm text-gray-400">
|
<p className="mt-1 text-sm text-gray-400">
|
||||||
Upload findings from a real Red Team engagement. Each technique becomes a validated test
|
Upload findings from a real Red Team engagement. Each technique creates a test in
|
||||||
with its detection result, maintaining full coverage history.
|
<span className="text-blue-400"> In Review</span> state — Red side is pre-approved by the RT,
|
||||||
|
Blue Lead must still validate the detection result before it counts as coverage.
|
||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user