modify an att&ck navigator json

modify-attackjson.ps1

$orcacomplianceframework = @"
Collection - Automated Collection - T1119
Collection - Data from Cloud Storage - T1530
Collection - Data from Information Repositories - T1213
Collection - Data Staged - T1074
Collection - Email Collection - T1114
Credential Access - Brute Force - T1110
Credential Access - Forge Web Credentials - T1606
Credential Access - Modify Authentication Process - T1556
Credential Access - Multi-Factor Authentication Request Generation - T1621
Credential Access - Network Sniffing - T1040
Credential Access - Steal Application Access Token - T1528
Credential Access - Steal Web Session Cookie - T1539
Credential Access - Unsecured Credentials - T1552
Credential Access - Steal or Forge Authentication Certificates - T1649
Defense Evasion - Domain Policy Modification - T1484
Defense Evasion - Hide Artifacts - T1564
Defense Evasion - Impair Defenses - T1562
Defense Evasion - Indicator Removal - T1070
Defense Evasion - Modify Authentication Process - T1556
Defense Evasion - Modify Cloud Compute Infrastructure - T1578
Defense Evasion - Unused/Unsupported Cloud Regions - T1535
Defense Evasion - Use Alternate Authentication Material - T1550
Defense Evasion - Valid Accounts - T1078
Discovery - Account Discovery - T1087
Discovery - Cloud Infrastructure Discovery - T1580
Discovery - Cloud Service Discovery - T1526
Discovery - Cloud Storage Object Discovery - T1619
Discovery - Container and Resource Discovery - T1613
Discovery - Network Service Discovery - T1046
Discovery - Network Sniffing - T1040
Discovery - Password Policy Discovery - T1201
Discovery - Permission Groups Discovery - T1069
Discovery - Software Discovery  - T1518
Discovery - System Information Discovery - T1082
Discovery - System Location Discovery - T1614
Discovery - System Network Connections Discovery - T1049
Execution - Serverless Execution - T1648
Execution - User Execution - T1204
Exfiltration - Transfer Data to Cloud Account - T1537
Impact - Account Access Removal - T1531
Impact - Data Destruction - T1485
Impact - Data Encrypted for Impact - T1486 
Impact - Defacement - T1491
Impact - Endpoint Denial of Service - T1499
Impact - Network Denial of Service - T1498
Impact - Resource Hijacking - T1496
Initial Access - Drive-by Compromise - T1189
Initial Access - Exploit Public-Facing Application - T1190
Initial Access - Phishing - T1566
Initial Access - Trusted Relationship - T1199
Initial Access - Valid Accounts - T1078
Lateral Movement - Exploitation of Remote Services - T1210
Lateral Movement - Internal Spearphishing - T1534
Lateral Movement - Lateral Tool Transfer - T1570
Lateral Movement - Taint Shared Content - T1080
Lateral Movement - Use Alternate Authentication Material - T1550
Persistence - Account Manipulation - T1098
Persistence - Create Account - T1136
Persistence - Event Triggered Execution - T1546
Persistence - Implant Internal Image - T1525
Persistence - Modify Authentication Process - T1556
Persistence - Office Application Startup - T1137
Persistence - Valid Accounts - T1078
Privilege Escalation - Domain Policy Modification - T1484
Privilege Escalation - Event Triggered Execution - T1546
Privilege Escalation - Valid Accounts - T1078
"@ -split "`n"

$techniquenamesinorcaframework = ($orcacomplianceframework | % {$_ -match "- (?<techname>T\d{4})" | out-null; $matches.techname})



$attacklayerjson = get-content "C:\Users\mattb\Downloads\layer1 (1).json" | convertfrom-json

$techniques = @()

foreach ($technique in $attacklayerjson.techniques | ? {$techniquenamesinorcaframework -contains $_.techniqueid } ) {
  #change the color to #0080ff
  $technique.color = "#000080ff"
  
  #change the score to 1
  $technique.score = 1
  
  $techniques += , $technique
}

$attacklayerjson.techniques = $techniques

$attacklayerjson | convertto-json -depth 100 | set-content "C:\Users\mattb\projects\log gap analysis\attack nav layers\detect__orca_compliance.json"