MAPEX-178: fix veris bugs #83

Merged
merged 5 commits into from
Feb 27, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -2403,7 +2403,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This control is not mappable because it does not provide any security capabilities other than allowing for use of security features contained within AWS Organizations and AWS Identity and Access Management.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -4010,7 +4010,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This control is not mappable because it does not provide any detection of malicious techniques. It primarily provides a way to log and record events within AWS which then can be piped to other security controls to determine if malicious activity has occurred.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand All @@ -4024,7 +4024,7 @@
"status": "non_mappable"
},
{
"comments": null,
"comments": "This control was not mapped because it is primarily acting as a connector for Microsoft Active Directory with AWS services and does not provide any security functions other than allowing use of other AWS security controls.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand All @@ -4038,7 +4038,7 @@
"status": "non_mappable"
},
{
"comments": null,
"comments": "This control was not mapped because AWS Artifact provides access to reports and information but does not protect against any ATT&CK techniques. All protections against ATT&CK techniques are provided by the lower-level services evaluated by and referenced in those reports.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -5214,7 +5214,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "Although this service can be scored as a Response control (Minimal/Data Enrichment/Forensics), due to the generic nature of its functionality, currently it does not look to be reasonably mappable to specific (sub-)techniques of MITRE ATT&CK.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -5914,7 +5914,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This control was not mapped because AWS Firewall Manager is simply a management service for other AWS security services. It does not inherently protect against any ATT&CK (sub-)techniques. All protections against ATT&CK (sub-)techniques are provided by the lower-level services that it manages (e.g., AWS WAF, AWS Network Firewall, etc.). This is evident by the fact that to use firewall rules or security groups, they must first be configured in the respective lower-level services. ",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -6110,7 +6110,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This control was not mapped because AWS Certificate Manager simply issues certificates for use in other AWS services such as Elastic Load Balancing, Amazon CloudFront, AWS Elastic Beanstalk, Amazon API Gateway, AWS Nitro Enclaves, and AWS CloudFormation. It does not inherently protect against any ATT&CK techniques as it cannot be used to deploy certificates to other AWS services. That must be done either manually or with services integrated into AWS Certificate Manager.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -7082,7 +7082,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This control was not mapped because AWS Audit Manager is used to aggregate evidence from other services in order to produce audit-ready reports, not provide protection against any ATT&CK techniques or adversary behaviors. All protections against ATT&CK techniques are provided by the lower-level services used for the evidence collection, which are assessed in different mappings.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@
},
"mapping_objects": [
{
"comments": null,
"comments": "Siemplify primarily acts as a layer for alerts generated by other controls to be collected and trigger mitigation and remediation actions to be taken by other controls provided by the Google Cloud Platform. On its own, Siemplify does not provide additional coverage of Attack techniques and is not mappable.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -171,7 +171,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This is not a security control and the controls that fall under the Hybrid Connectivity umbrella have their own mapping files.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand All @@ -185,7 +185,7 @@
"status": "non_mappable"
},
{
"comments": null,
"comments": "This control was not mapped because Deployment Manager does not provide a security capability as a stand-alone tool and would require a 3rd party tool (e.g., Terraform) to mitigate denial of service type of cyber-attacks.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -215,7 +215,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This control is not mappable because it does not provide significant detection of malicious techniques. Some of the other security controls that this control maps to are Azure DNS Analytics, AWS CloudTrail, AWS S3, and AWS Audit Manager. The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in of itself.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -769,7 +769,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This control was not mapped because the Data Catalog service isn't considered a security control capable of defending against MITRE's ATT&CK techniques, and would require the use of a secondary product, such as DLP, for cyber defense.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -1106,7 +1106,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This tool provides the functional ability to clone traffic, but is not considered a stand-alone security control as it requires a secondary security tool (e.g., IDS/IPS) to enable cyber defense and digital forensics.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand All @@ -1120,7 +1120,7 @@
"status": "non_mappable"
},
{
"comments": null,
"comments": "Assure workloads doesn't appear to provide any specific mitigation for TTPs. Rather, it focuses on enabling customers to apply other security controls in ways to support regulatory compliance. As a result, we have not mapped any TTPs to this control.\t",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -1948,7 +1948,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "In its current state, this control was scored as not mappable as it does not look reasonable to correlate to specific (sub-) techniques of MITRE\u2019s ATT&CK.\n\nWhile Terraform provides some security capabilities specific to Terraform processes (encryption between Terraform Clients, encrypting workspace variables, \nIsolation between Terraform executions and Cloud tenants) the capabilities don't necessarily benefit the entire organization. Terraform's primary function is to support the provisioning of Google resources with configuration management. Therefore, this control has been identified as not-mappable.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -2172,7 +2172,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This control doesn't appear to provide coverage for any ATT&CK Techniques.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
Expand Down Expand Up @@ -5806,7 +5806,7 @@
"status": "complete"
},
{
"comments": null,
"comments": "This control was not mapped as it is not considered a security control but rather an alternative to deploying and managing Google Cloud.",
"attack_object_id": null,
"attack_object_name": null,
"references": null,
2 changes: 1 addition & 1 deletion src/mapex_convert/parse_security_stack_mappings.py
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ def configure_security_stack_mappings(data, parsed_mappings):
] = data["name"]
parsed_mappings["mapping_objects"].append(
{
"comments": None,
"comments": data["comments"],
"attack_object_id": None,
"attack_object_name": None,
"references": None,