Go to file

Kitos 52d230628d feat: Phase 6 - Automated intel scanning (T-021, T-022)

- Add intel_service.py: RSS feed scanner for threat intelligence
  Searches CISA, NIST NVD, SANS ISC, BleepingComputer, The Hacker News,
  Krebs on Security for mentions of MITRE technique IDs and names
- New intel items stored in intel_items table with URL deduplication
- Techniques with new intel flagged with review_required=True
- Add POST /system/run-intel-scan endpoint (admin only)
- Register weekly intel scan job in APScheduler (every 7 days)
- Audit log records each scan execution with summary stats
- Update README with new endpoint and project structure

2026-02-06 15:48:57 +01:00

backend

feat: Phase 6 - Automated intel scanning (T-021, T-022)

2026-02-06 15:48:57 +01:00

frontend

feat: Phase 0 - Infrastructure and scaffolding (T-001 to T-003)

2026-02-06 11:28:30 +01:00

.gitignore

feat: Phase 0 - Infrastructure and scaffolding (T-001 to T-003)

2026-02-06 11:28:30 +01:00

AegisTestPlan.md

feat: Phase 0 - Infrastructure and scaffolding (T-001 to T-003)

2026-02-06 11:28:30 +01:00

docker-compose.yml

feat: Phase 0 - Infrastructure and scaffolding (T-001 to T-003)

2026-02-06 11:28:30 +01:00

README.md

feat: Phase 6 - Automated intel scanning (T-021, T-022)

2026-02-06 15:48:57 +01:00

README.md

Aegis - MITRE ATT&CK Coverage Platform

Aegis is a comprehensive platform for tracking and managing security coverage against the MITRE ATT&CK framework. It enables security teams to document, validate, and visualize their defensive capabilities against known adversary techniques.

Features

MITRE ATT&CK Integration: Automatic synchronization with the MITRE ATT&CK framework via TAXII (with GitHub fallback), scheduled every 24h
Coverage Tracking: Track validation status for each technique (validated, partial, not covered, in progress)
Test Management: Document and manage security tests with full audit trail
Evidence Storage: Secure evidence file storage with SHA256 integrity verification
Role-Based Access Control: Granular permissions for red team, blue team, and leadership roles
Intel Monitoring: Automated scanning for new threat intelligence related to techniques
Metrics Dashboard: Real-time coverage metrics and reporting by tactic

Tech Stack

Backend: FastAPI (Python 3.11)
Database: PostgreSQL 15
Object Storage: MinIO (S3-compatible)
ORM: SQLAlchemy with Alembic migrations
Frontend: React + TypeScript + Vite (coming soon)

Quick Start

Prerequisites

Docker and Docker Compose
Git

Installation

Clone the repository:

git clone <repository-url>
cd Aegis

Start all services:

docker-compose up -d

Run database migrations:

docker exec -w /app aegis-backend-1 alembic upgrade head

Seed the admin user:

docker exec -w /app aegis-backend-1 python -m app.seed

Verify the installation:

# Check backend health
curl http://localhost:8000/health
# Expected: {"status":"ok"}

Authentication

The platform uses JWT-based authentication. After seeding, log in with the default admin credentials:

# Obtain a token
curl -X POST http://localhost:8000/api/v1/auth/login \
  -d "username=admin&password=admin123"

# Use the token to access protected endpoints
curl http://localhost:8000/api/v1/auth/me \
  -H "Authorization: Bearer <your-token>"

Important: Change the default admin123 password and SECRET_KEY in production.

Services

Service	Port	Description
Backend	8000	FastAPI REST API
PostgreSQL	5433	Database (mapped to 5433 to avoid conflicts)
MinIO API	9000	S3-compatible object storage
MinIO Console	9001	MinIO web interface

API Documentation

Once the backend is running, access the interactive API documentation at:

Swagger UI: http://localhost:8000/docs
ReDoc: http://localhost:8000/redoc

API Endpoints

Auth

Method	Route	Auth	Description
POST	`/api/v1/auth/login`	Public	Obtain JWT token
GET	`/api/v1/auth/me`	Authenticated	Current user profile

Techniques

Method	Route	Auth	Description
GET	`/api/v1/techniques`	Authenticated	List all (filters: `?tactic=`, `?status=`, `?review_required=`)
GET	`/api/v1/techniques/{mitre_id}`	Authenticated	Detail with associated tests
POST	`/api/v1/techniques`	Admin	Create technique
PATCH	`/api/v1/techniques/{mitre_id}`	Admin	Update technique fields
PATCH	`/api/v1/techniques/{mitre_id}/review`	Lead, Admin	Mark as reviewed

Tests

Method	Route	Auth	Description
POST	`/api/v1/tests`	Red Tech, Admin	Create test (state=draft)
GET	`/api/v1/tests/{id}`	Authenticated	Detail with evidences
PATCH	`/api/v1/tests/{id}`	Creator, Admin	Update (only draft/rejected)
POST	`/api/v1/tests/{id}/validate`	Lead, Admin	Validate + recalculate technique status
POST	`/api/v1/tests/{id}/reject`	Lead, Admin	Reject test

Evidence

Method	Route	Auth	Description
POST	`/api/v1/tests/{test_id}/evidence`	Authenticated	Upload evidence file (SHA-256 verified)
GET	`/api/v1/evidence/{id}`	Authenticated	Get metadata + presigned download URL

System

Method	Route	Auth	Description
POST	`/api/v1/system/sync-mitre`	Admin	Manually trigger MITRE ATT&CK sync
POST	`/api/v1/system/run-intel-scan`	Admin	Manually trigger threat-intel RSS scan
GET	`/api/v1/system/scheduler-status`	Admin	Background scheduler health & job list

Metrics

Method	Route	Auth	Description
GET	`/api/v1/metrics/summary`	Authenticated	Global coverage summary (counts + percentage)
GET	`/api/v1/metrics/by-tactic`	Authenticated	Coverage breakdown per MITRE tactic

Project Structure

Aegis/
├── docker-compose.yml          # Docker services configuration
├── backend/
│   ├── Dockerfile              # Backend container definition
│   ├── requirements.txt        # Python dependencies
│   ├── alembic.ini             # Alembic configuration
│   ├── alembic/                # Database migrations
│   │   ├── env.py
│   │   ├── versions/           # Migration files
│   │   └── ...
│   └── app/
│       ├── __init__.py
│       ├── main.py             # FastAPI application entry point
│       ├── config.py           # Application settings
│       ├── database.py         # SQLAlchemy configuration
│       ├── auth.py             # Password hashing & JWT utilities
│       ├── seed.py             # Admin seed script (python -m app.seed)
│       ├── models/             # SQLAlchemy models
│       │   ├── user.py         # User authentication model
│       │   ├── technique.py    # MITRE ATT&CK techniques
│       │   ├── test.py         # Security tests
│       │   ├── evidence.py     # Test evidence files
│       │   ├── intel.py        # Threat intelligence items
│       │   ├── audit.py        # Audit logging
│       │   └── enums.py        # Shared enumerations
│       ├── storage.py          # MinIO/S3 client (upload, presigned URLs)
│       ├── schemas/            # Pydantic request/response schemas
│       │   ├── auth.py         # LoginRequest, TokenResponse, UserOut
│       │   ├── technique.py    # TechniqueCreate/Update/Out/Summary
│       │   ├── test.py         # TestCreate/Update/Out/Validate
│       │   └── evidence.py     # EvidenceOut
│       ├── routers/            # API endpoint routers
│       │   ├── auth.py         # POST /auth/login, GET /auth/me
│       │   ├── techniques.py   # CRUD techniques (list, detail, create, update, review)
│       │   ├── tests.py        # CRUD tests (create, detail, update, validate, reject)
│       │   ├── evidence.py     # Upload evidence, presigned download
│       │   ├── system.py       # MITRE sync trigger, scheduler status
│       │   └── metrics.py      # Coverage summary & per-tactic breakdown
│       ├── dependencies/       # FastAPI dependencies (DI)
│       │   └── auth.py         # get_current_user, require_role, require_any_role
│       ├── jobs/               # Background scheduled jobs
│       │   └── mitre_sync_job.py  # APScheduler: MITRE sync (24h) + Intel scan (7d)
│       └── services/           # Business logic services
│           ├── audit_service.py
│           ├── status_service.py  # Recalculate technique status from tests
│           ├── mitre_sync_service.py  # MITRE ATT&CK sync via TAXII / GitHub
│           └── intel_service.py   # Automated intel scan via RSS feeds
└── frontend/                   # React frontend (coming soon)

Database Schema

The platform uses the following data models:

Table	Description
`users`	User accounts with role-based access
`techniques`	MITRE ATT&CK techniques with coverage status
`tests`	Security tests validating technique coverage
`evidences`	File evidence attached to tests (stored in MinIO)
`intel_items`	Threat intelligence items linked to techniques
`audit_logs`	System-wide audit trail for all actions

Configuration

The application can be configured via environment variables:

Variable	Default	Description
`DATABASE_URL`	`postgresql://postgres:postgres@postgres:5432/attackdb`	PostgreSQL connection string
`SECRET_KEY`	`change-me-in-production`	JWT signing key
`ALGORITHM`	`HS256`	JWT signing algorithm
`ACCESS_TOKEN_EXPIRE_MINUTES`	`60`	JWT token lifetime in minutes
`MINIO_ENDPOINT`	`minio:9000`	MinIO server endpoint
`MINIO_ACCESS_KEY`	`minioadmin`	MinIO access key
`MINIO_SECRET_KEY`	`minioadmin`	MinIO secret key
`MINIO_BUCKET`	`evidence`	Bucket for evidence files

Development

Running Migrations

# Generate a new migration after model changes
docker exec -w /app aegis-backend-1 alembic revision --autogenerate -m "description"

# Apply migrations
docker exec -w /app aegis-backend-1 alembic upgrade head

# Rollback one migration
docker exec -w /app aegis-backend-1 alembic downgrade -1

# Check current migration
docker exec -w /app aegis-backend-1 alembic current

Accessing Services

MinIO Console: http://localhost:9001 (login: minioadmin / minioadmin)
PostgreSQL: psql -h localhost -p 5433 -U postgres -d attackdb

User Roles

Role	Description
`admin`	Full system access
`red_tech`	Red team technician - can create and edit tests
`blue_tech`	Blue team technician - can create and edit tests
`red_lead`	Red team lead - can validate tests
`blue_lead`	Blue team lead - can validate tests
`viewer`	Read-only access

License

Contributing

Please read the contribution guidelines before submitting pull requests.

Languages

Python 65.1%

TypeScript 33.1%

Shell 1%

HTML 0.5%

CSS 0.2%