kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: D3FEND ontology-based import, template management UX, and branding

Browse Source 
- Rewrite D3FEND import to use tactic-level APIs for reliable technique
  fetching with proper ontology IRIs, descriptions, and tactic assignments
- Fix D3FEND technique URLs to use canonical IRI (no more 404s)
- All 255 D3FEND techniques now have descriptions from the official API
- Change Deactivate button color to red in template management table
- Add custom Aegis logo and favicon replacing default Vite assets
- Remove unused old API parsing code and clean up fallback list
This commit is contained in:
Kitos
2026-02-10 15:53:24 +01:00
parent c2e9c687f4
commit a3f83c316a
8 changed files with 257 additions and 378 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
backend/app/schemas/test_template.py
View File

@@ -63,6 +63,7 @@ class TestTemplateSummary(BaseModel):
source: str
platform: str | None = None
severity: str | None = None
is_active: bool = True
model_config = ConfigDict(from_attributes=True)

532
backend/app/services/d3fend_import_service.py
View File

@@ -18,129 +18,83 @@ from app.models.defensive_technique import DefensiveTechnique, DefensiveTechniqu
logger = logging.getLogger(__name__)
D3FEND_ALL_URL = "https://d3fend.mitre.org/api/technique/api-all.json"
D3FEND_TACTIC_URL = "https://d3fend.mitre.org/api/tactic/d3f:{tactic}.json"
D3FEND_MAPPING_URL = "https://d3fend.mitre.org/api/offensive-technique/{attack_id}.json"
D3FEND_BASE_URL = "https://d3fend.mitre.org/technique/d3f:{technique_name}"
# ── Tactic extraction helpers ────────────────────────────────────────
def _extract_tactic_from_path(path_or_label: str) -> str | None:
"""Extract the D3FEND tactic from an IRI path or label.
D3FEND tactics: Detect, Isolate, Deceive, Evict, Harden, Model.
The API often returns an IRI like "d3f:Detect" or a full path.
"""
known_tactics = {"Detect", "Isolate", "Deceive", "Evict", "Harden", "Model"}
for tactic in known_tactics:
if tactic.lower() in path_or_label.lower():
return tactic
return None
D3FEND_BASE_URL = "https://d3fend.mitre.org/technique/d3f:{iri}"
D3FEND_TACTICS = ["Detect", "Harden", "Isolate", "Deceive", "Evict", "Model"]
# ── Import all D3FEND techniques ─────────────────────────────────────
def _parse_techniques_from_api(data: dict[str, Any]) -> list[dict[str, Any]]:
"""Parse the D3FEND all-techniques API response into flat records.
def _to_str(v: Any) -> str:
"""Coerce an RDF value (str, dict with @value, or list) to a plain string."""
if isinstance(v, dict):
return v.get("@value", str(v))
if isinstance(v, list):
return "; ".join(_to_str(x) for x in v)
return str(v) if v else ""
The response has a nested structure under "@graph" with tactic groups.
Each group has "d3f:enables" or child technique entries.
We recursively extract all defensive technique nodes.
def _fetch_techniques_from_tactic_apis() -> list[dict[str, Any]]:
"""Fetch all defensive techniques via D3FEND tactic APIs.
Uses ``/api/tactic/d3f:{tactic}.json`` which is reliable and returns
full metadata including the ontology IRI for each technique.
"""
techniques: list[dict[str, Any]] = []
def _walk(node: Any, parent_tactic: str | None = None) -> None:
if isinstance(node, dict):
# Check if this node is a technique
d3fend_id_raw = node.get("@id", "")
label = node.get("rdfs:label", "")
description = node.get("d3f:definition", "")
if not description:
description = node.get("rdfs:comment", "")
# D3FEND IDs look like "d3f:D3-AL" or "d3f:ApplicationLayerProtocolAnalysis"
d3fend_id = ""
if d3fend_id_raw.startswith("d3f:"):
short = d3fend_id_raw.replace("d3f:", "")
# Check if it looks like a technique ID (e.g., D3-XXX)
if short.startswith("D3-") or (label and not short.startswith("_")):
d3fend_id = short
tactic = parent_tactic or _extract_tactic_from_path(d3fend_id_raw)
if d3fend_id and label:
techniques.append({
"d3fend_id": d3fend_id,
"name": label,
"description": description if isinstance(description, str) else str(description) if description else None,
"tactic": tactic,
})
# Recurse into child keys that may contain technique lists
for key, value in node.items():
if key.startswith("@") or key in ("rdfs:label", "d3f:definition", "rdfs:comment"):
continue
child_tactic = tactic
if not child_tactic:
child_tactic = _extract_tactic_from_path(key)
_walk(value, child_tactic)
elif isinstance(node, list):
for item in node:
_walk(item, parent_tactic)
graph = data.get("@graph", data)
_walk(graph)
# Deduplicate by d3fend_id
all_techniques: list[dict[str, Any]] = []
seen: set[str] = set()
unique: list[dict[str, Any]] = []
for t in techniques:
if t["d3fend_id"] not in seen:
seen.add(t["d3fend_id"])
unique.append(t)
return unique
with httpx.Client(timeout=60.0) as client:
for tactic in D3FEND_TACTICS:
url = D3FEND_TACTIC_URL.format(tactic=tactic)
try:
resp = client.get(url)
resp.raise_for_status()
data = resp.json()
except Exception as e:
logger.warning("Failed to fetch D3FEND tactic %s: %s", tactic, e)
continue
graph = data.get("techniques", {}).get("@graph", [])
for node in graph:
nid = node.get("@id", "")
d3id = _to_str(node.get("d3f:d3fend-id", ""))
label = _to_str(node.get("rdfs:label", ""))
defn = _to_str(node.get("d3f:definition", ""))
if not defn:
defn = _to_str(node.get("rdfs:comment", ""))
iri = nid.replace("d3f:", "") if nid.startswith("d3f:") else nid
if d3id and label and d3id not in seen:
seen.add(d3id)
all_techniques.append({
"d3fend_id": d3id,
"iri": iri,
"name": label,
"description": defn[:500] if defn else None,
"tactic": tactic,
})
logger.info("D3FEND tactic %s: %d techniques", tactic, len(graph))
return all_techniques
def import_d3fend_techniques(db: Session) -> dict[str, int]:
"""Fetch all D3FEND defensive techniques and upsert into DB.
Returns a dict with counts: {created, updated, total}.
"""
logger.info("Fetching D3FEND techniques from %s", D3FEND_ALL_URL)
try:
with httpx.Client(timeout=60.0) as client:
resp = client.get(D3FEND_ALL_URL)
resp.raise_for_status()
data = resp.json()
except Exception as e:
logger.error("Failed to fetch D3FEND techniques: %s", e)
# Fallback: use a curated list of well-known D3FEND techniques
return _import_d3fend_fallback(db)
parsed = _parse_techniques_from_api(data)
logger.info("Parsed %d D3FEND techniques from API", len(parsed))
if len(parsed) < 10:
# API response was too sparse; use fallback
logger.warning("Too few techniques from API (%d), using fallback", len(parsed))
return _import_d3fend_fallback(db)
def _upsert_techniques(db: Session, techniques: list[dict[str, Any]]) -> dict[str, int]:
"""Upsert a list of technique dicts into the DefensiveTechnique table."""
created = 0
updated = 0
for tech_data in parsed:
for tech_data in techniques:
existing = (
db.query(DefensiveTechnique)
.filter(DefensiveTechnique.d3fend_id == tech_data["d3fend_id"])
.first()
)
technique_name = tech_data["name"].replace(" ", "")
d3fend_url = D3FEND_BASE_URL.format(technique_name=technique_name)
iri = tech_data.get("iri") or tech_data["name"].replace(" ", "")
d3fend_url = D3FEND_BASE_URL.format(iri=iri)
if existing:
existing.name = tech_data["name"]
@@ -160,286 +114,124 @@ def import_d3fend_techniques(db: Session) -> dict[str, int]:
created += 1
db.commit()
total = db.query(DefensiveTechnique).count()
logger.info("D3FEND import done: %d created, %d updated, %d total", created, updated, total)
return {"created": created, "updated": updated, "total": total}
def import_d3fend_techniques(db: Session) -> dict[str, int]:
"""Fetch all D3FEND defensive techniques and upsert into DB.
Uses the tactic-level APIs which are reliable and provide full metadata
including ontology IRIs for correct URL generation.
Returns a dict with counts: {created, updated, total}.
"""
logger.info("Fetching D3FEND techniques from tactic APIs")
try:
techniques = _fetch_techniques_from_tactic_apis()
except Exception as e:
logger.error("Failed to fetch D3FEND techniques from tactic APIs: %s", e)
techniques = []
if len(techniques) >= 50:
logger.info("Fetched %d D3FEND techniques from tactic APIs", len(techniques))
result = _upsert_techniques(db, techniques)
logger.info("D3FEND import done: %d created, %d updated, %d total",
result["created"], result["updated"], result["total"])
return result
# Fallback: use a curated list of well-known D3FEND techniques
logger.warning("Tactic APIs returned too few techniques (%d), using fallback", len(techniques))
return _import_d3fend_fallback(db)
# ── Fallback curated D3FEND techniques ───────────────────────────────
_FALLBACK_TECHNIQUES: list[dict[str, str | None]] = [
# Detect
{"d3fend_id": "D3-AL", "name": "Application Layer Protocol Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-DA", "name": "Dynamic Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-DPM", "name": "DNS Protocol Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-DQSA", "name": "Database Query String Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-EAL", "name": "Email Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-FA", "name": "File Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-FC", "name": "File Content Rules", "tactic": "Detect"},
{"d3fend_id": "D3-FH", "name": "File Hash Checking", "tactic": "Detect"},
{"d3fend_id": "D3-FCA", "name": "File Creation Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-IDA", "name": "Identifier Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-IRA", "name": "Inbound Traffic Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-NTA", "name": "Network Traffic Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-NTF", "name": "Network Traffic Filtering", "tactic": "Detect"},
{"d3fend_id": "D3-ORA", "name": "Outbound Traffic Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-PA", "name": "Process Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-PM", "name": "Protocol Metadata Anomaly Detection", "tactic": "Detect"},
{"d3fend_id": "D3-PSA", "name": "Process Spawn Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-PLA", "name": "Process Lineage Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-PT", "name": "Process Termination", "tactic": "Detect"},
{"d3fend_id": "D3-RPA", "name": "Remote Process Execution Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-RTSD", "name": "Remote Terminal Session Detection", "tactic": "Detect"},
{"d3fend_id": "D3-SCA", "name": "Script Execution Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-SMRA", "name": "Service Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-SSA", "name": "System Security Auditing", "tactic": "Detect"},
{"d3fend_id": "D3-SYSM", "name": "System Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-UA", "name": "URL Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-UBA", "name": "User Behavior Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-UGLPA", "name": "User Geolocation Logon Pattern Analysis", "tactic": "Detect"},
# Harden
{"d3fend_id": "D3-ACL", "name": "Access Control List", "tactic": "Harden"},
{"d3fend_id": "D3-AH", "name": "Application Hardening", "tactic": "Harden"},
{"d3fend_id": "D3-BA", "name": "Bootloader Authentication", "tactic": "Harden"},
{"d3fend_id": "D3-BAN", "name": "Broadcast Domain Isolation", "tactic": "Harden"},
{"d3fend_id": "D3-CH", "name": "Credential Hardening", "tactic": "Harden"},
{"d3fend_id": "D3-CP", "name": "Credential Provisioning", "tactic": "Harden"},
{"d3fend_id": "D3-DE", "name": "Disk Encryption", "tactic": "Harden"},
{"d3fend_id": "D3-DNSAL", "name": "DNS Allow Listing", "tactic": "Harden"},
{"d3fend_id": "D3-DNSDL", "name": "DNS Deny Listing", "tactic": "Harden"},
{"d3fend_id": "D3-EAW", "name": "Executable Allow Listing", "tactic": "Harden"},
{"d3fend_id": "D3-EDL", "name": "Executable Deny Listing", "tactic": "Harden"},
{"d3fend_id": "D3-FE", "name": "File Encryption", "tactic": "Harden"},
{"d3fend_id": "D3-HBPI", "name": "Hardware-based Process Isolation", "tactic": "Harden"},
{"d3fend_id": "D3-MAC", "name": "Mandatory Access Control", "tactic": "Harden"},
{"d3fend_id": "D3-MFA", "name": "Multi-factor Authentication", "tactic": "Harden"},
{"d3fend_id": "D3-IOPR", "name": "IO Port Restriction", "tactic": "Harden"},
{"d3fend_id": "D3-NI", "name": "Network Isolation", "tactic": "Harden"},
{"d3fend_id": "D3-OTP", "name": "One-time Password", "tactic": "Harden"},
{"d3fend_id": "D3-PSEP", "name": "Privilege Separation", "tactic": "Harden"},
{"d3fend_id": "D3-SAOR", "name": "System Account Orchestration", "tactic": "Harden"},
{"d3fend_id": "D3-SCF", "name": "System Configuration Firmness", "tactic": "Harden"},
{"d3fend_id": "D3-SU", "name": "Software Update", "tactic": "Harden"},
{"d3fend_id": "D3-SWI", "name": "Software Integrity Checking", "tactic": "Harden"},
# Isolate
{"d3fend_id": "D3-EI", "name": "Execution Isolation", "tactic": "Isolate"},
{"d3fend_id": "D3-HDI", "name": "Hardware Device Isolation", "tactic": "Isolate"},
{"d3fend_id": "D3-HIPS", "name": "Host-based Intrusion Prevention", "tactic": "Isolate"},
{"d3fend_id": "D3-ITF", "name": "Inbound Traffic Filtering", "tactic": "Isolate"},
{"d3fend_id": "D3-OTF", "name": "Outbound Traffic Filtering", "tactic": "Isolate"},
{"d3fend_id": "D3-NTF2", "name": "Network Traffic Filtering", "tactic": "Isolate"},
{"d3fend_id": "D3-SI", "name": "Service Isolation", "tactic": "Isolate"},
# Deceive
{"d3fend_id": "D3-CHN", "name": "Connected Honeynet", "tactic": "Deceive"},
{"d3fend_id": "D3-DF", "name": "Decoy File", "tactic": "Deceive"},
{"d3fend_id": "D3-DNR", "name": "Decoy Network Resource", "tactic": "Deceive"},
{"d3fend_id": "D3-DUC", "name": "Decoy User Credential", "tactic": "Deceive"},
{"d3fend_id": "D3-IHN", "name": "Integrated Honeynet", "tactic": "Deceive"},
{"d3fend_id": "D3-SPP", "name": "Standalone Honeynet", "tactic": "Deceive"},
# Evict
{"d3fend_id": "D3-CE", "name": "Credential Eviction", "tactic": "Evict"},
{"d3fend_id": "D3-CR", "name": "Credential Rotation", "tactic": "Evict"},
{"d3fend_id": "D3-FV", "name": "File Eviction", "tactic": "Evict"},
{"d3fend_id": "D3-PE", "name": "Process Eviction", "tactic": "Evict"},
{"d3fend_id": "D3-ANET", "name": "Account Locking", "tactic": "Evict"},
# Model
{"d3fend_id": "D3-AM", "name": "Asset Modeling", "tactic": "Model"},
{"d3fend_id": "D3-AVE", "name": "Asset Vulnerability Enumeration", "tactic": "Model"},
{"d3fend_id": "D3-DM", "name": "Data Modeling", "tactic": "Model"},
{"d3fend_id": "D3-NM", "name": "Network Modeling", "tactic": "Model"},
{"d3fend_id": "D3-OAM", "name": "Operational Activity Mapping", "tactic": "Model"},
{"d3fend_id": "D3-SVCD", "name": "Service Dependency Mapping", "tactic": "Model"},
{"d3fend_id": "D3-SYSMM", "name": "System Mapping", "tactic": "Model"},
# Additional well-known techniques
{"d3fend_id": "D3-AEDT", "name": "Administrative Event Detection", "tactic": "Detect"},
{"d3fend_id": "D3-ANALY", "name": "Analytic Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-ACA", "name": "Authentication Cache Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-AODO", "name": "Authority-based Domain Orchestration", "tactic": "Harden"},
{"d3fend_id": "D3-CAFE", "name": "Certificate Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-CAB", "name": "Certificate-based Authentication", "tactic": "Harden"},
{"d3fend_id": "D3-CAN", "name": "Client Application Configuration Auditing", "tactic": "Detect"},
{"d3fend_id": "D3-CT", "name": "Client-Server Payload Profiling", "tactic": "Detect"},
{"d3fend_id": "D3-CBAN", "name": "Connection Attempt Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-CSPP", "name": "Credential Transmit Scoping", "tactic": "Harden"},
{"d3fend_id": "D3-DEC", "name": "Data Encoding", "tactic": "Harden"},
{"d3fend_id": "D3-DLIC", "name": "Domain Limit Configuration", "tactic": "Harden"},
{"d3fend_id": "D3-DNSSM", "name": "DNS Server Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-DNSRA", "name": "DNS Record Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-DTP", "name": "Data Transfer Protocol Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-EHR", "name": "Email Header Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-FAPA", "name": "File Access Pattern Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-FEMC", "name": "File Encryption Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-FRDDL", "name": "Forward Resolution Domain Deny List", "tactic": "Harden"},
{"d3fend_id": "D3-ISVA", "name": "Input Sanitization Validation", "tactic": "Harden"},
{"d3fend_id": "D3-JFAPA", "name": "Job Function Access Pattern Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-KBPI", "name": "Kernel-based Process Isolation", "tactic": "Harden"},
{"d3fend_id": "D3-LFP", "name": "Local File Permission", "tactic": "Harden"},
{"d3fend_id": "D3-MAN", "name": "Mandatory Access Notification", "tactic": "Harden"},
{"d3fend_id": "D3-MAAN", "name": "Memory Access Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-MNCD", "name": "Monitor Network Configuration Drift", "tactic": "Detect"},
{"d3fend_id": "D3-NAIL", "name": "Network Address Inventory Listing", "tactic": "Model"},
{"d3fend_id": "D3-NCD", "name": "Network Configuration Drift Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-NTPM", "name": "Network Traffic Policy Mapping", "tactic": "Model"},
{"d3fend_id": "D3-PCSV", "name": "Payload Content Security Policy Verification", "tactic": "Harden"},
{"d3fend_id": "D3-PCA", "name": "Process Code Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-PH", "name": "Platform Hardening", "tactic": "Harden"},
{"d3fend_id": "D3-PHD", "name": "Physical Device Hardening", "tactic": "Harden"},
{"d3fend_id": "D3-PMAD", "name": "Process Memory Access Detection", "tactic": "Detect"},
{"d3fend_id": "D3-PMAN", "name": "Peripheral Management", "tactic": "Harden"},
{"d3fend_id": "D3-PSS", "name": "Process Segment Execution Prevention", "tactic": "Harden"},
{"d3fend_id": "D3-PZA", "name": "Process Zone Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-QOS", "name": "Quality of Service Policy", "tactic": "Harden"},
{"d3fend_id": "D3-RAA", "name": "Resource Access Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-RE", "name": "Reverse Engineering", "tactic": "Detect"},
{"d3fend_id": "D3-RFS", "name": "Remote File System", "tactic": "Isolate"},
{"d3fend_id": "D3-RRID", "name": "Registry Integrity Detection", "tactic": "Detect"},
{"d3fend_id": "D3-SBAN", "name": "Service Binary Verification", "tactic": "Detect"},
{"d3fend_id": "D3-SE", "name": "Sandbox Execution", "tactic": "Isolate"},
{"d3fend_id": "D3-SICA", "name": "System Init Config Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-SFA", "name": "Stored File Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-SNIG", "name": "Software Network Interface Grouping", "tactic": "Isolate"},
{"d3fend_id": "D3-SPE", "name": "Stack Frame Canary Validation", "tactic": "Harden"},
{"d3fend_id": "D3-STIC", "name": "Standard Compliance Auditing", "tactic": "Detect"},
{"d3fend_id": "D3-STRS", "name": "Strong Authentication", "tactic": "Harden"},
{"d3fend_id": "D3-TBAC", "name": "Task-based Access Control", "tactic": "Harden"},
{"d3fend_id": "D3-TRENC", "name": "Transport Encryption", "tactic": "Harden"},
{"d3fend_id": "D3-URA", "name": "User Resource Access Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-WSAA", "name": "Web Session Activity Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-WF", "name": "Web Filtering", "tactic": "Isolate"},
{"d3fend_id": "D3-WFDT", "name": "Web Content Filtering", "tactic": "Isolate"},
# Extras to reach 200+
{"d3fend_id": "D3-ACI", "name": "Account Configuration Inventory", "tactic": "Model"},
{"d3fend_id": "D3-ALLM", "name": "Application Log Level Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-ANTR", "name": "Anti-Ransomware", "tactic": "Detect"},
{"d3fend_id": "D3-APD", "name": "Application Process Detection", "tactic": "Detect"},
{"d3fend_id": "D3-ASMOD", "name": "Asset Model Orchestration", "tactic": "Model"},
{"d3fend_id": "D3-BKUP", "name": "Backup and Recovery", "tactic": "Harden"},
{"d3fend_id": "D3-CAFI", "name": "Certificate Authority Integrity", "tactic": "Harden"},
{"d3fend_id": "D3-CHPR", "name": "Cache Protection", "tactic": "Harden"},
{"d3fend_id": "D3-CINT", "name": "Code Integrity Verification", "tactic": "Harden"},
{"d3fend_id": "D3-CLUST", "name": "Clustering Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-CNTR", "name": "Container Isolation", "tactic": "Isolate"},
{"d3fend_id": "D3-COFS", "name": "Configuration Offline Storage", "tactic": "Harden"},
{"d3fend_id": "D3-CSCM", "name": "Cloud Security Configuration Management", "tactic": "Harden"},
{"d3fend_id": "D3-DBAR", "name": "Database Barrier", "tactic": "Isolate"},
{"d3fend_id": "D3-DCE", "name": "Digital Certificate Establishment", "tactic": "Harden"},
{"d3fend_id": "D3-DECN", "name": "Decoy Network", "tactic": "Deceive"},
{"d3fend_id": "D3-DENY", "name": "Default Deny Policy", "tactic": "Harden"},
{"d3fend_id": "D3-DIRD", "name": "Directory Service Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-DLMT", "name": "Data Loss Mitigation", "tactic": "Harden"},
{"d3fend_id": "D3-DMON", "name": "Driver Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-ECPT", "name": "Endpoint Configuration Policy Tracking", "tactic": "Model"},
{"d3fend_id": "D3-EDS", "name": "Endpoint Detection and Response Sensor", "tactic": "Detect"},
{"d3fend_id": "D3-EFPR", "name": "Email Filtering", "tactic": "Isolate"},
{"d3fend_id": "D3-EMDM", "name": "Encrypted Media Detection", "tactic": "Detect"},
{"d3fend_id": "D3-ENEP", "name": "Endpoint Network Enumeration Prevention", "tactic": "Harden"},
{"d3fend_id": "D3-EPOL", "name": "Endpoint Policy Enforcement", "tactic": "Harden"},
{"d3fend_id": "D3-EVFW", "name": "Event Forwarding", "tactic": "Detect"},
{"d3fend_id": "D3-FBKP", "name": "File Backup", "tactic": "Harden"},
{"d3fend_id": "D3-FINT", "name": "Firmware Integrity Checking", "tactic": "Harden"},
{"d3fend_id": "D3-FLOW", "name": "Network Flow Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-GFIR", "name": "Group Policy Firewall", "tactic": "Isolate"},
{"d3fend_id": "D3-GMOD", "name": "Gateway Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-HRDP", "name": "Hardware Root of Trust", "tactic": "Harden"},
{"d3fend_id": "D3-HSM", "name": "Hardware Security Module", "tactic": "Harden"},
{"d3fend_id": "D3-IDAM", "name": "Identity Management", "tactic": "Harden"},
{"d3fend_id": "D3-INCA", "name": "Incident Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-INVT", "name": "Inventory Tracking", "tactic": "Model"},
{"d3fend_id": "D3-IOAM", "name": "IO Activity Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-IPMR", "name": "IP Reputation Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-IRFN", "name": "Incident Response Function", "tactic": "Evict"},
{"d3fend_id": "D3-ISPN", "name": "ISP Network Intelligence", "tactic": "Detect"},
{"d3fend_id": "D3-KEYM", "name": "Cryptographic Key Management", "tactic": "Harden"},
{"d3fend_id": "D3-LCOM", "name": "Lateral Communication Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-LOGA", "name": "Log Aggregation", "tactic": "Detect"},
{"d3fend_id": "D3-LOGC", "name": "Log Correlation", "tactic": "Detect"},
{"d3fend_id": "D3-LOGM", "name": "Log Management", "tactic": "Detect"},
{"d3fend_id": "D3-MAIL", "name": "Mail Server Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-MALD", "name": "Malware Detonation", "tactic": "Detect"},
{"d3fend_id": "D3-MALR", "name": "Malware Removal", "tactic": "Evict"},
{"d3fend_id": "D3-MICS", "name": "Microsegmentation", "tactic": "Isolate"},
{"d3fend_id": "D3-MNET", "name": "Network Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-MTLS", "name": "Mutual TLS", "tactic": "Harden"},
{"d3fend_id": "D3-NAMS", "name": "Name Server Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-NMAP", "name": "Network Mapping", "tactic": "Model"},
{"d3fend_id": "D3-NWAC", "name": "Network Access Control", "tactic": "Harden"},
{"d3fend_id": "D3-OSUP", "name": "OS Update Automation", "tactic": "Harden"},
{"d3fend_id": "D3-PASS", "name": "Password Policy Enforcement", "tactic": "Harden"},
{"d3fend_id": "D3-PBAR", "name": "Process Barrier", "tactic": "Isolate"},
{"d3fend_id": "D3-PCAP", "name": "Packet Capture Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-PGOV", "name": "Privilege Governance", "tactic": "Harden"},
{"d3fend_id": "D3-PLDR", "name": "Payload Delivery Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-PRIV", "name": "Privilege Escalation Detection", "tactic": "Detect"},
{"d3fend_id": "D3-PROT", "name": "Protocol Enforcement", "tactic": "Harden"},
{"d3fend_id": "D3-REDIR", "name": "DNS Redirect", "tactic": "Deceive"},
{"d3fend_id": "D3-REGG", "name": "Registry Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-RESM", "name": "Resource Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-REVAL", "name": "Re-Validation Trigger", "tactic": "Harden"},
{"d3fend_id": "D3-RSTR", "name": "Restore from Backup", "tactic": "Evict"},
{"d3fend_id": "D3-RMON", "name": "Resource Usage Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-SCHE", "name": "Scheduled Task Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-SCOR", "name": "Security Orchestration", "tactic": "Evict"},
{"d3fend_id": "D3-SDNS", "name": "Secure DNS", "tactic": "Harden"},
{"d3fend_id": "D3-SFLT", "name": "Spam Filtering", "tactic": "Isolate"},
{"d3fend_id": "D3-SIEM", "name": "SIEM Integration", "tactic": "Detect"},
{"d3fend_id": "D3-SNIP", "name": "SNMP Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-SOAR", "name": "Security Orchestration Automation Response", "tactic": "Evict"},
{"d3fend_id": "D3-SSCN", "name": "Software Scanning", "tactic": "Detect"},
{"d3fend_id": "D3-SYSL", "name": "Syslog Collection", "tactic": "Detect"},
{"d3fend_id": "D3-THRT", "name": "Threat Intelligence Integration", "tactic": "Detect"},
{"d3fend_id": "D3-TMDR", "name": "Tamper Detection", "tactic": "Detect"},
{"d3fend_id": "D3-TOKN", "name": "Token-based Authentication", "tactic": "Harden"},
{"d3fend_id": "D3-TRAP", "name": "Honeypot", "tactic": "Deceive"},
{"d3fend_id": "D3-UACM", "name": "User Account Management", "tactic": "Harden"},
{"d3fend_id": "D3-VIRT", "name": "Virtualization-based Security", "tactic": "Isolate"},
{"d3fend_id": "D3-VPAN", "name": "VPN Access Control", "tactic": "Harden"},
{"d3fend_id": "D3-VULM", "name": "Vulnerability Management", "tactic": "Harden"},
{"d3fend_id": "D3-WBCM", "name": "Web Application Configuration Management", "tactic": "Harden"},
{"d3fend_id": "D3-WINT", "name": "Windows Event Monitoring", "tactic": "Detect"},
{"d3fend_id": "D3-XNET", "name": "Cross-Network Traffic Analysis", "tactic": "Detect"},
{"d3fend_id": "D3-ZEROT", "name": "Zero Trust Architecture", "tactic": "Harden"},
# ── Detect ────────────────────────────────────────────────────────
{"d3fend_id": "D3-DA", "iri": "DynamicAnalysis", "name": "Dynamic Analysis", "tactic": "Detect", "description": "Executing or opening a file in a synthetic sandbox environment to determine if the file is a malicious program."},
{"d3fend_id": "D3-DQSA", "iri": "DatabaseQueryStringAnalysis", "name": "Database Query String Analysis", "tactic": "Detect", "description": "Analyzing database queries to detect SQL Injection."},
{"d3fend_id": "D3-FA", "iri": "FileAnalysis", "name": "File Analysis", "tactic": "Detect", "description": "Analytic process to determine a file's status: virus, trojan, benign, malicious, trusted, unauthorized, etc."},
{"d3fend_id": "D3-FCA", "iri": "FileCreationAnalysis", "name": "File Creation Analysis", "tactic": "Detect", "description": "Analyzing the properties of file create system call invocations."},
{"d3fend_id": "D3-ID", "iri": "IdentifierAnalysis", "name": "Identifier Analysis", "tactic": "Detect", "description": "Analyzing identifier artifacts such as IP address, domain names, or URLs."},
{"d3fend_id": "D3-NTA", "iri": "NetworkTrafficAnalysis", "name": "Network Traffic Analysis", "tactic": "Detect", "description": "Analyzing intercepted or summarized computer network traffic to detect unauthorized activity."},
{"d3fend_id": "D3-NTF", "iri": "NetworkTrafficFiltering", "name": "Network Traffic Filtering", "tactic": "Isolate", "description": "Restricting network traffic originating from any location."},
{"d3fend_id": "D3-PA", "iri": "ProcessAnalysis", "name": "Process Analysis", "tactic": "Detect", "description": "Observing a running application process and analyzing it to watch for certain behaviors or conditions indicating adversary activity."},
{"d3fend_id": "D3-PMAD", "iri": "ProtocolMetadataAnomalyDetection", "name": "Protocol Metadata Anomaly Detection", "tactic": "Detect", "description": "Collecting network communication protocol metadata and identifying statistical outliers."},
{"d3fend_id": "D3-PSA", "iri": "ProcessSpawnAnalysis", "name": "Process Spawn Analysis", "tactic": "Detect", "description": "Analyzing spawn arguments or attributes of a process to detect unauthorized processes."},
{"d3fend_id": "D3-PLA", "iri": "ProcessLineageAnalysis", "name": "Process Lineage Analysis", "tactic": "Detect", "description": "Identification of suspicious processes by examining the ancestry and siblings of a process."},
{"d3fend_id": "D3-PT", "iri": "ProcessTermination", "name": "Process Termination", "tactic": "Evict", "description": "Terminating a running application process on a computer system."},
{"d3fend_id": "D3-RTSD", "iri": "RemoteTerminalSessionDetection", "name": "Remote Terminal Session Detection", "tactic": "Detect", "description": "Detection of an unauthorized remote live terminal console session."},
{"d3fend_id": "D3-SCA", "iri": "SystemCallAnalysis", "name": "System Call Analysis", "tactic": "Detect", "description": "Analyzing system calls to determine whether a process is exhibiting unauthorized behavior."},
{"d3fend_id": "D3-SEA", "iri": "ScriptExecutionAnalysis", "name": "Script Execution Analysis", "tactic": "Detect", "description": "Analyzing the execution of a script to detect unauthorized user activity."},
{"d3fend_id": "D3-FH", "iri": "FileHashing", "name": "File Hashing", "tactic": "Detect", "description": "Employing file hash comparisons to detect known malware."},
{"d3fend_id": "D3-FIM", "iri": "FileIntegrityMonitoring", "name": "File Integrity Monitoring", "tactic": "Detect", "description": "Detecting any suspicious changes to files in a computer system."},
{"d3fend_id": "D3-UA", "iri": "URLAnalysis", "name": "URL Analysis", "tactic": "Detect", "description": "Determining if a URL is benign or malicious by analyzing the URL or its components."},
{"d3fend_id": "D3-UBA", "iri": "UserBehaviorAnalysis", "name": "User Behavior Analysis", "tactic": "Detect", "description": "Detecting insider threats, targeted attacks, and financial fraud through patterns of human behavior."},
{"d3fend_id": "D3-UGLPA", "iri": "UserGeolocationLogonPatternAnalysis", "name": "User Geolocation Logon Pattern Analysis", "tactic": "Detect", "description": "Monitoring geolocation data of user logon attempts to identify anomalies."},
{"d3fend_id": "D3-FAPA", "iri": "FileAccessPatternAnalysis", "name": "File Access Pattern Analysis", "tactic": "Detect", "description": "Analyzing the files accessed by a process to identify unauthorized activity."},
{"d3fend_id": "D3-FCOA", "iri": "FileContentAnalysis", "name": "File Content Analysis", "tactic": "Detect", "description": "Employing a pattern matching algorithm to statically analyze the content of files."},
{"d3fend_id": "D3-MA", "iri": "MessageAnalysis", "name": "Message Analysis", "tactic": "Detect", "description": "Analyzing email or instant message content to detect unauthorized activity."},
{"d3fend_id": "D3-DNSTA", "iri": "DNSTrafficAnalysis", "name": "DNS Traffic Analysis", "tactic": "Detect", "description": "Analysis of domain name metadata to determine whether the domain is likely to resolve to an undesirable host."},
{"d3fend_id": "D3-PM", "iri": "PlatformMonitoring", "name": "Platform Monitoring", "tactic": "Detect", "description": "Monitoring platform components such as operating systems software, hardware devices, or firmware."},
{"d3fend_id": "D3-SJA", "iri": "ScheduledJobAnalysis", "name": "Scheduled Job Analysis", "tactic": "Detect", "description": "Analysis of scheduled jobs to detect unauthorized use of job scheduling."},
{"d3fend_id": "D3-EF", "iri": "EmailFiltering", "name": "Email Filtering", "tactic": "Isolate", "description": "Filtering incoming email traffic based on specific criteria."},
# ── Harden ────────────────────────────────────────────────────────
{"d3fend_id": "D3-AH", "iri": "ApplicationHardening", "name": "Application Hardening", "tactic": "Harden", "description": "Making an executable application more resilient to a class of exploits."},
{"d3fend_id": "D3-CH", "iri": "CredentialHardening", "name": "Credential Hardening", "tactic": "Harden", "description": "Modifying system or network properties to protect credentials."},
{"d3fend_id": "D3-CRO", "iri": "CredentialRotation", "name": "Credential Rotation", "tactic": "Harden", "description": "Regularly changing authentication credentials to minimize risk of unauthorized access."},
{"d3fend_id": "D3-DENCR", "iri": "DiskEncryption", "name": "Disk Encryption", "tactic": "Harden", "description": "Encrypting a hard disk partition to prevent cleartext access to a file system."},
{"d3fend_id": "D3-FE", "iri": "FileEncryption", "name": "File Encryption", "tactic": "Harden", "description": "Encrypting a file using a cryptographic key."},
{"d3fend_id": "D3-MFA", "iri": "Multi-factorAuthentication", "name": "Multi-factor Authentication", "tactic": "Harden", "description": "Requiring proof of two or more pieces of evidence in order to authenticate a user."},
{"d3fend_id": "D3-PH", "iri": "PlatformHardening", "name": "Platform Hardening", "tactic": "Harden", "description": "Hardening components of a platform to make them more difficult to exploit."},
{"d3fend_id": "D3-PSEP", "iri": "ProcessSegmentExecutionPrevention", "name": "Process Segment Execution Prevention", "tactic": "Harden", "description": "Preventing execution of any address in a memory region other than the code segment."},
{"d3fend_id": "D3-SU", "iri": "SoftwareUpdate", "name": "Software Update", "tactic": "Harden", "description": "Replacing old software on a computer system component."},
{"d3fend_id": "D3-SAOR", "iri": "SegmentAddressOffsetRandomization", "name": "Segment Address Offset Randomization", "tactic": "Harden", "description": "Randomizing the base address of memory segments during process initialization."},
{"d3fend_id": "D3-SPP", "iri": "StrongPasswordPolicy", "name": "Strong Password Policy", "tactic": "Harden", "description": "Modifying system configuration to increase password strength."},
{"d3fend_id": "D3-MH", "iri": "MessageHardening", "name": "Message Hardening", "tactic": "Harden", "description": "Measures to ensure the confidentiality and integrity of messages."},
{"d3fend_id": "D3-SCH", "iri": "SourceCodeHardening", "name": "Source Code Hardening", "tactic": "Harden", "description": "Hardening source code to make it more difficult to exploit."},
# ── Isolate ───────────────────────────────────────────────────────
{"d3fend_id": "D3-EI", "iri": "ExecutionIsolation", "name": "Execution Isolation", "tactic": "Isolate", "description": "Preventing application processes from accessing non-essential system resources."},
{"d3fend_id": "D3-HBPI", "iri": "Hardware-basedProcessIsolation", "name": "Hardware-based Process Isolation", "tactic": "Isolate", "description": "Preventing one process from writing to the memory space of another through hardware-based address management."},
{"d3fend_id": "D3-KBPI", "iri": "Kernel-basedProcessIsolation", "name": "Kernel-based Process Isolation", "tactic": "Isolate", "description": "Using kernel-level capabilities to isolate processes."},
{"d3fend_id": "D3-ITF", "iri": "InboundTrafficFiltering", "name": "Inbound Traffic Filtering", "tactic": "Isolate", "description": "Restricting network traffic originating from untrusted networks."},
{"d3fend_id": "D3-OTF", "iri": "OutboundTrafficFiltering", "name": "Outbound Traffic Filtering", "tactic": "Isolate", "description": "Restricting network traffic destined towards untrusted networks."},
{"d3fend_id": "D3-NI", "iri": "NetworkIsolation", "name": "Network Isolation", "tactic": "Isolate", "description": "Preventing network hosts from accessing non-essential system network resources."},
{"d3fend_id": "D3-EAL", "iri": "ExecutableAllowlisting", "name": "Executable Allowlisting", "tactic": "Isolate", "description": "Using a digital signature to authenticate a file before opening."},
{"d3fend_id": "D3-EDL", "iri": "ExecutableDenylisting", "name": "Executable Denylisting", "tactic": "Isolate", "description": "Blocking the execution of files on a host in accordance with defined application policy rules."},
{"d3fend_id": "D3-IOPR", "iri": "IOPortRestriction", "name": "IO Port Restriction", "tactic": "Isolate", "description": "Limiting access to computer input/output ports to restrict unauthorized devices."},
{"d3fend_id": "D3-DNSAL", "iri": "DNSAllowlisting", "name": "DNS Allowlisting", "tactic": "Isolate", "description": "Permitting only approved domains and their subdomains to be resolved."},
{"d3fend_id": "D3-DNSDL", "iri": "DNSDenylisting", "name": "DNS Denylisting", "tactic": "Isolate", "description": "Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type."},
# ── Deceive ───────────────────────────────────────────────────────
{"d3fend_id": "D3-CHN", "iri": "ConnectedHoneynet", "name": "Connected Honeynet", "tactic": "Deceive", "description": "A decoy service connected to the enterprise network simulating functionality to attract attackers."},
{"d3fend_id": "D3-DF", "iri": "DecoyFile", "name": "Decoy File", "tactic": "Deceive", "description": "A file created for the purposes of deceiving an adversary."},
{"d3fend_id": "D3-DNR", "iri": "DecoyNetworkResource", "name": "Decoy Network Resource", "tactic": "Deceive", "description": "Deploying a network resource for the purposes of deceiving an adversary."},
{"d3fend_id": "D3-DUC", "iri": "DecoyUserCredential", "name": "Decoy User Credential", "tactic": "Deceive", "description": "A Credential created for the purpose of deceiving an adversary."},
{"d3fend_id": "D3-IHN", "iri": "IntegratedHoneynet", "name": "Integrated Honeynet", "tactic": "Deceive", "description": "Decoys in a production environment to entice interaction from attackers."},
{"d3fend_id": "D3-SHN", "iri": "StandaloneHoneynet", "name": "Standalone Honeynet", "tactic": "Deceive", "description": "An environment to attract attackers, not connected to any production systems."},
# ── Evict ─────────────────────────────────────────────────────────
{"d3fend_id": "D3-AL", "iri": "AccountLocking", "name": "Account Locking", "tactic": "Evict", "description": "Temporarily disabling user accounts on a system or domain."},
{"d3fend_id": "D3-CE", "iri": "CredentialEviction", "name": "Credential Eviction", "tactic": "Evict", "description": "Disabling or removing compromised credentials from a computer network."},
{"d3fend_id": "D3-CR", "iri": "CredentialRevocation", "name": "Credential Revocation", "tactic": "Evict", "description": "Deleting credentials permanently to prevent them from being used to authenticate."},
{"d3fend_id": "D3-FEV", "iri": "FileEviction", "name": "File Eviction", "tactic": "Evict", "description": "Deleting files from system storage."},
{"d3fend_id": "D3-PE", "iri": "ProcessEviction", "name": "Process Eviction", "tactic": "Evict", "description": "Terminating or removing running processes."},
{"d3fend_id": "D3-ER", "iri": "EmailRemoval", "name": "Email Removal", "tactic": "Evict", "description": "Deleting email files from system storage."},
# ── Model ─────────────────────────────────────────────────────────
{"d3fend_id": "D3-AI", "iri": "AssetInventory", "name": "Asset Inventory", "tactic": "Model", "description": "Identifying and recording the organization's assets and their vulnerabilities."},
{"d3fend_id": "D3-AVE", "iri": "AssetVulnerabilityEnumeration", "name": "Asset Vulnerability Enumeration", "tactic": "Model", "description": "Enriching inventory items with knowledge identifying their vulnerabilities."},
{"d3fend_id": "D3-NM", "iri": "NetworkMapping", "name": "Network Mapping", "tactic": "Model", "description": "Identifying and modeling the network layers and their physical location."},
{"d3fend_id": "D3-OAM", "iri": "OperationalActivityMapping", "name": "Operational Activity Mapping", "tactic": "Model", "description": "Identifying activities and establishing dependencies on digital systems."},
{"d3fend_id": "D3-SVCDM", "iri": "ServiceDependencyMapping", "name": "Service Dependency Mapping", "tactic": "Model", "description": "Determining the services on which each given service relies."},
{"d3fend_id": "D3-SYSM", "iri": "SystemMapping", "name": "System Mapping", "tactic": "Model", "description": "Identifying how systems are configured, decomposed into components, and dependent on one another."},
]
def _import_d3fend_fallback(db: Session) -> dict[str, int]:
"""Import curated D3FEND techniques when the API is unreachable."""
"""Import curated D3FEND techniques when the tactic APIs are unreachable."""
logger.info("Using fallback D3FEND technique list (%d entries)", len(_FALLBACK_TECHNIQUES))
created = 0
updated = 0
for tech_data in _FALLBACK_TECHNIQUES:
d3fend_id = tech_data["d3fend_id"]
existing = (
db.query(DefensiveTechnique)
.filter(DefensiveTechnique.d3fend_id == d3fend_id)
.first()
)
technique_name = tech_data["name"].replace(" ", "")
d3fend_url = D3FEND_BASE_URL.format(technique_name=technique_name)
if existing:
existing.name = tech_data["name"]
existing.tactic = tech_data.get("tactic")
existing.d3fend_url = d3fend_url
updated += 1
else:
new_tech = DefensiveTechnique(
d3fend_id=d3fend_id,
name=tech_data["name"],
tactic=tech_data.get("tactic"),
d3fend_url=d3fend_url,
)
db.add(new_tech)
created += 1
db.commit()
total = db.query(DefensiveTechnique).count()
logger.info("D3FEND fallback import done: %d created, %d updated, %d total", created, updated, total)
return {"created": created, "updated": updated, "total": total}
return _upsert_techniques(db, _FALLBACK_TECHNIQUES) # type: ignore[arg-type]
# ── Import ATT&CK → D3FEND mappings ─────────────────────────────────