Update generate_uuid.py

relationships/ip_called_rpc_method.yml

@@ -0,0 +1,30 @@
+name: IP called RPC Method
+contributors:
+- Hamza OUADIÂ @Cyb3rSn0rlax
+attack:
+  data_source: Network Traffic
+  data_component: network connection creation
+behavior:
+  source: ip
+  relationship: called
+  target: rpc method
+security_events:
+- event_id: dce_rpc
+  name: DCE-RPC Log
+  platform: zeek
+  log_source: network-protocols
+  filter_in:
+  - operation: request
+  event_version: ['0']
+- event_id: 5712
+  name: A Remote Procedure Call (RPC) was attempted.
+  platform: windows
+  audit_category: Detailed Tracking
+  audit_sub_category: RPC Events
+  log_source: Microsoft-Windows-Security-Auditing
+  event_version: ['0']
+refenrences:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5712
+- https://www.windows-security.org/windows-event-id/5712-a-remote-procedure-call-rpc-was-attempted
+notes:
+- It appears that the event id 5712 event never occurs.

scripts/generate_uuid.py

@@ -1,24 +1,26 @@
 import glob
 import os
 import re
+from datetime import date
 
 current_directory = os.path.dirname(__file__)
 relationships_directory = os.path.join(current_directory, '../relationships')
 max_id=0
-num_id = []
+num_id = dict() # a dictionary with year as key and list of numbers as values
 relationships_files = glob.glob(os.path.join(relationships_directory, "[!_]*.yml"))
 for relationship_file in relationships_files:
     file = open(relationship_file,'r+')
     first_line = file.readlines()[0].rstrip() # read first line
-    if re.search("^relationship_id\:\sREL\-202[\d]{1}\-\d{4}", first_line): # If file already has an ID
-        search = re.search("^relationship_id\:\sREL\-202[\d]{1}\-(.*?)$", first_line) # Grab it
-        num_id.append(search.group(1))
-# Convert strings to integers
-for i in range(0, len(num_id)):
-    num_id[i] = int(num_id[i])
-# Get max ID in list
-for n in num_id:
-    if n > max_id: max_id = n
-# Generate relationship_id
-count = max_id+1
-print('relationship_id: REL-2022-' + '0'*(4 - len(str(count))) + str(count))
+    if re.search("^relationship_id\:\sREL\-[\d]{4}\-\d{4}", first_line): # If file already has an ID
+        search = re.search("^relationship_id\:\sREL\-([\d]{4})\-([\d]{4})$", first_line) # Grab it
+        if search.group(1) not in num_id.keys(): # adding year as key of the dict
+            num_id[search.group(1)] = []
+        num_id[search.group(1)].append(int(search.group(2))) # adding number to corresponding key
+
+current_date = date.today()
+year = str(current_date.year)
+if year not in num_id.keys():
+    print('relationship_id: REL-' + year + '-' + '0001') # First relationship of the year
+else:
+    number = max(num_id[year])+1
+    print('relationship_id: REL-' + year + '-' + '0'*(4 - len(str(number))) + str(number))