Some changes for PurpleOps after internal PoC #26
…, also reworked the function
…gency' and 'expectedalertseverity' templatable/exportable. Changed layout in testcase_blue html
… the expectations of the red team
from upstream
My employer is also trying this tool out. This merge request is incredible!!! Thank you so much for the contribution!!!
Same situation here, absolutely love this PR
Hey there @fxai, Wow - thanks for contribution to PurpleOps! We are aiming to merge this ASAP - just doing some internal reviewing and seeing how everything will fit into our next big update. Cheers
Hey, PurpleOps team! We've made a lot of changes to PurpleOps, updated the dependencies, fixed some things, added new features — including a dark mode — and kept the spelling of 'colour'. Check out our fork: We would be happy to contribute to the official PurpleOps repository to help maintain it. Please let us know how we can help.
Hello CyberCX Team,
We are looking for a lightweight documentation platform for our Purple Team engagements and came across PurpleOps. I have modified some aspects of PurpleOps for an internal PoC that I think might be of interest to you. Feel free to pick and choose the changes you like.
7ed1118
Added autoescaping for exported docx format to avoid breaking the docx XML structure.
0146f9d
Two new fields added:
The general idea is to provide a means of reporting where something has been prevented (e.g. firewall) and where something has been alerted (actually this might be better called alertsource).
4583a36
Added two new time fields:
The idea is to have a means of reporting when an alert or prevention mechanism was triggered. This can be useful to identify large drifts, e.g. something was blocked immediately after execution, but the alert was generated x time later.
e24284e
Added a new outcome "Prevented and Alerted" as we often have the case that something is prevented but no alerts are generated.
dca502c
I have reworked the MITRE ATT&CK Navigator export function to include the Prevented and Alerted state. I have also changed the logic of how the output is generated. This now allows exports to be generated where a single technique is not selected in every tactic, but only in the specified tactic. So now you can have a T1078.002 in initial access that does not affect the colour/outcome of a T1078.002 test in persistence.
b697a4c
Added a new field:
The red team can now define what kind of alert severity they expect from a particular test. This helps to detect drifts between expected and actual alerts. I also added the priority, priorityurgency and expectedalertseverity to the exports/templates functions. So when you define a test, you can set the expected result in the template.
2153343
Adapts the wording in the testcase_blue files to the idea above.
That's it.
I hope this helps.
Let me know if something is unclear.
Cheers and thanks for the great tool!
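As an added illustration of the two reporting ideas in this PR description (per-tactic colouring in the Navigator export, and the drift between prevention time and alert time), here is a small stand-alone Python example. It is example code written for this discussion, not PurpleOps' own export function or this PR's diff: the outcome precedence, the colour values, the result field names (`technique`, `tactic`, `outcome`, `preventiontime`, `alerttime`) and the sample results are all assumptions constructed for the example. The layer keys `techniqueID`, `tactic`, `color`, `comment` and `domain` are the ATT&CK Navigator layer-format names as I know them; real layers carry additional version fields that are omitted here.

```python
"""Build an ATT&CK Navigator layer where a technique's colour is decided per
(technique, tactic) pair, so the outcome of T1078.002 under initial-access
does not override the outcome of T1078.002 under persistence, and compute the
drift between the prevention and alert timestamps of a test.
Example code for this PR discussion; names and colours are assumptions."""
import json
from datetime import datetime

# Outcome precedence, best to worst (assumed ordering; includes the
# "Prevented and Alerted" outcome this PR introduces).
OUTCOME_RANK = {
    "Prevented and Alerted": 0,
    "Prevented": 1,
    "Alerted": 2,
    "Logged": 3,
    "Missed": 4,
}

# Assumed colour mapping for the layer (hex values are arbitrary).
OUTCOME_COLOUR = {
    "Prevented and Alerted": "#1b7837",
    "Prevented": "#5aae61",
    "Alerted": "#a6dba0",
    "Logged": "#fdae61",
    "Missed": "#d73027",
}


def alert_drift_seconds(prevention_time, alert_time):
    """Seconds between the prevention mechanism firing and the alert being
    raised; None when either timestamp is absent. ISO-8601 strings assumed."""
    if not prevention_time or not alert_time:
        return None
    delta = datetime.fromisoformat(alert_time) - datetime.fromisoformat(prevention_time)
    return delta.total_seconds()


def summarise_by_tactic(results):
    """Collapse test results to one outcome per (technique, tactic) pair.
    When a pair was tested more than once, keep the worst outcome so the
    layer does not hide a missed run behind a later successful one."""
    summary = {}
    for r in results:
        key = (r["technique"], r["tactic"])
        current = summary.get(key)
        if current is None or OUTCOME_RANK[r["outcome"]] > OUTCOME_RANK[current]:
            summary[key] = r["outcome"]
    return summary


def build_layer(results, name="Purple team assessment"):
    """Return a Navigator layer dict; each entry is keyed by technique AND
    tactic, which is what keeps T1078.002's tactics independent."""
    techniques = []
    for (technique, tactic), outcome in sorted(summarise_by_tactic(results).items()):
        techniques.append({
            "techniqueID": technique,
            "tactic": tactic,
            "color": OUTCOME_COLOUR[outcome],
            "comment": outcome,
            "enabled": True,
        })
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


# Constructed sample results (not real engagement data).
SAMPLE_RESULTS = [
    {"technique": "T1078.002", "tactic": "initial-access", "outcome": "Prevented and Alerted",
     "preventiontime": "2024-01-15T10:00:05", "alerttime": "2024-01-15T10:47:12"},
    {"technique": "T1078.002", "tactic": "persistence", "outcome": "Missed",
     "preventiontime": None, "alerttime": None},
    {"technique": "T1059.001", "tactic": "execution", "outcome": "Alerted",
     "preventiontime": None, "alerttime": "2024-01-15T11:02:00"},
    {"technique": "T1059.001", "tactic": "execution", "outcome": "Prevented",
     "preventiontime": "2024-01-15T11:30:00", "alerttime": None},
]

if __name__ == "__main__":
    layer = build_layer(SAMPLE_RESULTS)
    print(json.dumps(layer, indent=2))
    for r in SAMPLE_RESULTS:
        print(r["technique"], r["tactic"], alert_drift_seconds(r["preventiontime"], r["alerttime"]))
```

Keying the summary on the (technique, tactic) tuple rather than on the technique ID alone is the whole trick: the Navigator accepts the same `techniqueID` more than once as long as each entry names a different `tactic`. The first sample result shows the drift case the description mentions, a block at execution time with the alert arriving some 47 minutes later.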
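The first commit in the description (autoescaping for the docx export) is worth a concrete illustration, because a .docx is a zip of XML parts and any finding text written into `word/document.xml` verbatim can make the whole file unreadable. The following is example code added for this discussion, not the PR's diff or PurpleOps' own export code; the paragraph template, the helper names and the sample note are constructed for the example, and only the Python standard library is used.

```python
"""Escape user-supplied text before it is placed into a WordprocessingML part.
Unescaped '&' makes the XML unparseable; unescaped '<' and '>' parse but inject
elements into the document tree. Example code for this PR discussion."""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Minimal WordprocessingML paragraph with a placeholder for the text
# (constructed template, not one of PurpleOps' export templates).
PARAGRAPH_TEMPLATE = (
    f'<w:p xmlns:w="{W_NS}"><w:r><w:t xml:space="preserve">{{text}}</w:t></w:r></w:p>'
)


def render_paragraph_unsafe(text):
    """Plain substitution with no escaping: the behaviour the fix removes."""
    return PARAGRAPH_TEMPLATE.replace("{text}", text)


def render_paragraph(text):
    """Escape '&', '<', '>' and '"' so the text cannot alter the XML tree."""
    return PARAGRAPH_TEMPLATE.replace("{text}", escape(text, {'"': "&quot;"}))


def is_well_formed(xml_fragment):
    """True when the fragment parses; a docx part that fails this check
    will not open in Word."""
    try:
        ET.fromstring(xml_fragment)
        return True
    except ET.ParseError:
        return False


def paragraph_text(xml_fragment):
    """Read back the text Word would display from a rendered paragraph."""
    root = ET.fromstring(xml_fragment)
    return "".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


# Constructed test-case note of the kind a tester might type into a finding.
SAMPLE_NOTE = 'Payload used <script>alert(1)</script> & was blocked by "EDR"'

if __name__ == "__main__":
    print("unsafe well-formed:", is_well_formed(render_paragraph_unsafe(SAMPLE_NOTE)))
    safe = render_paragraph(SAMPLE_NOTE)
    print("escaped well-formed:", is_well_formed(safe))
    print("round-trips:", paragraph_text(safe) == SAMPLE_NOTE)
```

The round-trip check is the useful one for a report generator: the escaped markup parses, and the text the reader sees is exactly what the tester typed, angle brackets included.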