Data Import
Template Data
VECTR template data is intended to be shared and reused within your organization. SRA shares some public VECTR template content, and you may choose to use this content, other shared community content, or share and contribute your own content for other VECTR users.
Since templates can be considered a recipe or pre-planned structure for executing a Purple Team, it makes sense to share and reuse these rather than reinventing the wheel.
Importing data into VECTR is accomplished by navigating to Library -> Import Data.
SRA Threat Simulation Indexes
See topic here: https://docs.vectr.io/user/threat-sim-indexes/
Atomic Red Team YAML
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/index.yaml
Template Data Import - Atomic Red Team content is procedurally complete and includes an automation specification. A walkthrough of using VECTR's automation is provided here: https://docs.vectr.io/vxf/endtoend/
Non-template Data Import - Additionally, VECTR can import live data logs generated by the Invoke-AtomicRedTeam project when the ATTiRe logging module is used: https://github.com/SecurityRiskAdvisors/invoke-atomic-attire-logger/
MITRE Enterprise ATT&CK CTI JSON
VECTR can import STIX data from the MITRE Enterprise ATT&CK published CTI JSON. https://github.com/mitre/cti/blob/master/enterprise-attack/enterprise-attack.json
WARNING: It is highly recommended that you do not import the entire contents of this file. MITRE CTI data is not procedurally complete and will only include a brief description of how attackers have used Techniques. The more MITRE CTI content you import, the more work you are creating for yourself to research and derive Procedures from more detailed threat intelligence that corresponds to the described content.
VECTR Import / Export JSON
VECTR can export Assessment and Campaign data from the respective Library screens.
This JSON-formatted content includes a complete representation of Campaigns and possibly Assessments along with all included Test Case templates.
Live Data
Live or previously logged data can be imported at the Assessment, Campaign, or Test Case level.
ATTiRe (Attack Tool Timing and Reporting) JSON
VECTR's Automation logs to the ATTiRe format. The Invoke-Atomic ATTiRe Logger module can also be included when using Invoke-AtomicRedTeam. This content can be imported into VECTR to attach to existing planned Test Cases or to create a new record of executed tests. https://github.com/SecurityRiskAdvisors/ATTiRe
Troubleshooting
Importing data from an unspecified format is not supported.
Importing data that includes deprecated or invalid MITRE ID Techniques can cause an import failure.
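One way to act on the MITRE CTI warning and the deprecated-technique note above before importing, as an added example that is not part of VECTR or its documentation: trim the bundle to the techniques you plan to build Procedures for, and report any that are revoked, deprecated, or missing. It assumes the `revoked` and `x_mitre_deprecated` flags used in MITRE's published STIX and that VECTR accepts a bundle reduced to technique objects (confirm on a test instance); `trim_bundle` and `attack_id` are hypothetical helper names, and the sample bundle is constructed with placeholder IDs.

```python
import json

# Constructed sample in the layout of enterprise-attack.json; the IDs are
# placeholders, not real ATT&CK techniques.
def _obj(stix_type, ext_id, **extra):
    return {"type": stix_type, "id": f"{stix_type}--{ext_id}", "name": ext_id,
            "external_references": [{"source_name": "mitre-attack",
                                     "external_id": ext_id}], **extra}

SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--constructed", "spec_version": "2.0",
                 "objects": [
    _obj("attack-pattern", "T0001"),
    _obj("attack-pattern", "T0002", revoked=True),
    _obj("attack-pattern", "T0003", x_mitre_deprecated=True),
    _obj("attack-pattern", "T0004"),
    _obj("intrusion-set", "G0001"),
]}

def attack_id(obj):
    """Return the ATT&CK ID stored in the object's external_references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def trim_bundle(bundle, wanted_ids):
    """Keep active techniques in wanted_ids; assumes MITRE's retirement flags."""
    wanted, kept, skipped = set(wanted_ids), [], {}
    for obj in bundle.get("objects", []):
        tid = attack_id(obj)
        if obj.get("type") != "attack-pattern" or tid not in wanted:
            continue
        if obj.get("revoked"):
            skipped[tid] = "revoked"
        elif obj.get("x_mitre_deprecated"):
            skipped[tid] = "deprecated"
        else:
            kept.append(obj)
    found = {attack_id(o) for o in kept} | set(skipped)
    for tid in sorted(wanted - found):
        skipped[tid] = "not found"
    # Bundle-level keys are copied unchanged; only the object list shrinks.
    return {**bundle, "objects": kept}, skipped

if __name__ == "__main__":
    trimmed, skipped = trim_bundle(SAMPLE_BUNDLE, ["T0001", "T0002", "T0099"])
    print(json.dumps(skipped, indent=2))
    print(len(trimmed["objects"]), "technique(s) kept for import")
```

To use it on the real file, load `enterprise-attack.json` with `json.load`, pass the result to `trim_bundle`, and write the returned bundle out with `json.dump`.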