Add additional validation of TTPs to core code

f-bader · Nov 17, 2023 · 0c8ca61 · 0c8ca61
1 parent 419e2e6
commit 0c8ca61
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/src/public/Convert-SentinelARYamlToArm.ps1 b/src/public/Convert-SentinelARYamlToArm.ps1
@@ -258,6 +258,21 @@ function Convert-SentinelARYamlToArm {
             }
         }
 
+        # Remove any subtechniques from the techniques array
+        if ($ARMTemplate.techniques) {
+            $ARMTemplate.techniques = $ARMTemplate.techniques -replace "(T\d{4})\.\d{3}", '$1'
+        }
+
+        # Remove any invalid or non-existent techniques from the techniques array
+        if ($ARMTemplate.techniques) {
+            $ARMTemplate.techniques = $ARMTemplate.techniques | Where-Object { Test-MITRETechnique $_ }
+        }
+
+        # Remove any invalid or non-existent tactics from the tactics array
+        if ($ARMTemplate.tactics) {
+            $ARMTemplate.tactics = $ARMTemplate.tactics | Where-Object { Test-MITRETactic $_ }
+        }
+
         # Convert hashtable to JSON
         $JSON = $ARMTemplate | ConvertTo-Json -Depth 99
         # Use ISO8601 format for timespan values