dettectinator's People

Contributors

0xfustang, dependabot[bot], karneades, mveken, rubinatorz


dettectinator's Issues

Question: Have you ever dealt with/applied Dettectinator to QRadar?

Hi,

Thank you for the good work with Dettectinator.
The title pretty much sums it up.
We're trying to implement Dettectinator with QRadar. I think that with the CSV import we can do something, but maybe you've faced this already in the past.
Thank you!

Improve help/wording for unused detection cleaning

Hi

Thanks for the awesome addition to DeTT&CT! Really cool library and cli tool!

It was unclear to me based on https://github.com/siriussecurity/dettectinator/wiki/Dettectinator-as-a-CLI-tool#checkclean-unused-detections--ch---check_unused--cl---clean_unused and the --help (optional arguments:) that I have to provide both, -ch and -cl, to remove unused detections. I only used the clean-switch and had a hard time figuring out (digging into the source code), to find out that both are needed.

Proposal: Improve wording to clearly state that for removing unused detections one must provide both of these switches.

If I missed reading the right section in the help, then sorry for the trouble ;)

Date field left null in detection while updating techniques

Hi there 👋,

Following #4, I am creating a techniques admin file from DeTT&CT using --yaml --yaml-all-techniques. This way, I have all the techniques referenced and empty.

I am now able to use dettectinator to update the technique admin file, but I get errors when using DeTT&CT to generate a detection layer. The error I get is the following:

dettect.py d -ft techniques_dash.yaml -l
[!] Possible error in YAML file at: T1018. Error: '>' not supported between instances of 'datetime.date' and 'NoneType'

The reason may be that, as the detection is created with null dates, it is not replaced by dettectinator.

Before the update by dettectinator
- technique_id: T1018
  technique_name: Remote System Discovery
  detection:
    applicable_to:
    - all
    location:
    - ''
    comment: ''
    score_logbook:
    - date: 
      score: -1
      comment: ''
  visibility:
  - applicable_to:
    - default
    comment: ''
    score_logbook:
    - date: 2023-01-30 16:42:10.026048
      score: 0
      comment: ''
      auto_generated: true
  - applicable_to:
    - Windows
    comment: ''
    score_logbook:
    - date: 2023-01-30 16:42:10.026048
      score: 3
      comment: ''
      auto_generated: true
After an update by dettectinator
- technique_id: T1018
  technique_name: Remote System Discovery
  detection:
    - applicable_to:
        - all
      location:
        - ''
        - 'Rule1'
        - 'Rule2'
      comment: ''
      score_logbook:
        - date: null
          score: -1
          comment: ''
        - date: 2023-01-30T00:00:00.000Z
          score: -1
          comment: 'Auto added by Dettectinator. TODO: Check score. Detection rule added: Rule1, Rule2'
  visibility:
    - applicable_to:
        - default
      comment: ''
      score_logbook:
        - date: 2023-01-30 16:42:10.026048
          score: 0
          comment: ''
          auto_generated: true
    - applicable_to:
        - Windows
      comment: ''
      score_logbook:
        - date: 2023-01-30 16:42:10.026048
          score: 3
          comment: ''
          auto_generated: true

Note: An empty value is left before Rule1 and Rule2, not sure if this will create additional issues.

The import seems successful and the health of the YAML is fine. Do you observe the same issue? I should have checked before validating issue #4, sorry.

Error when importing with TechniqueSigmaRules plugin

Hi,

I am experiencing an issue when I am trying to update an existing technique administration file using the plugin TechniqueSigmaRules. However, it works fine when I am generating a new administration file (dettect = DettectTechniquesAdministration()). The technique administration file is standard and was generated using DeTTECT.

Do you happen to have the same issue?

Code:

import json

# The imports of TechniqueSigmaRules and DettectTechniquesAdministration, and the
# `parameters` dict passed to the plugin, are not shown in the issue.
import_sigma = TechniqueSigmaRules(parameters)
techniques = import_sigma.get_attack_techniques(['Windows', 'all'])
print(json.dumps(techniques, indent=4))
# Creating a new administration file works:
#dettect = DettectTechniquesAdministration()
# Updating an existing DeTT&CT-generated file fails (traceback below):
dettect = DettectTechniquesAdministration('test.yaml')
dettect.update_detections(techniques, False, False, '', False, False)
#dettect.save_yaml_file('hi.yaml')

Content of techniques:

{
    "Accesschk Usage To Check Privileges": {
        "applicable_to": [
            "Windows",
            "all"
        ],
        "location_prefix": "",
        "techniques": [
            "T1069.001"
        ]
    }
}

Error:

  File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 303, in update_detections
    warnings, results = self._add_rules(detection_rules, date_today)
  File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 329, in _add_rules
    applicable_to_list = [d['applicable_to'] for d in yaml_technique['detection']]
  File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 329, in <listcomp>
    applicable_to_list = [d['applicable_to'] for d in yaml_technique['detection']]
TypeError: string indices must be integers
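The following is an added example, not code from dettectinator or DeTT&CT, that lints a technique administration record in memory for the two failure modes reported in the last two issues. It treats a score_logbook entry with a null date and score -1 as a placeholder that can be dropped once a dated entry exists (an assumption; a null date with any other score is only reported), and it accepts a `detection`/`visibility` section written as a single mapping as well as a list. That a mapping-shaped section is what produces "string indices must be integers" in the TechniqueSigmaRules traceback is an inference from the traceback and the "before" YAML in the previous issue, not something confirmed in the thread. The sample records are constructed to mirror the YAML quoted above.

```python
"""Lint a DeTT&CT technique administration record (added example, not project code)."""
from __future__ import annotations

import copy
from datetime import date, datetime
from typing import Any

SECTIONS = ("detection", "visibility")
UNSCORED = -1  # the score used by the placeholder entries quoted in the issue above


def as_list(value: Any) -> list:
    """Accept a single mapping or a list of mappings and always return a list."""
    if value is None:
        return []
    if isinstance(value, dict):   # iterating a dict yields its keys (strings),
        return [value]            # which is what makes d['applicable_to'] blow up
    if isinstance(value, list):
        return value
    raise TypeError(f"expected mapping or list, got {type(value).__name__}")


def to_date(value: Any) -> date | None:
    """YAML timestamps load as datetime, plain dates as date; null stays None."""
    if isinstance(value, datetime):
        return value.date()
    if isinstance(value, date):
        return value
    if isinstance(value, str):  # e.g. '2023-01-30T00:00:00.000Z' left as text
        return date.fromisoformat(value[:10])
    return None


def applicable_to_list(technique: dict) -> list:
    """The lookup from the traceback above, tolerant of a mapping-shaped section."""
    return [d["applicable_to"] for d in as_list(technique.get("detection"))]


def find_null_dates(technique: dict) -> list[tuple]:
    """(technique_id, section, applicable_to, index) for every entry without a date."""
    findings = []
    for section in SECTIONS:
        for entry in as_list(technique.get(section)):
            for i, log in enumerate(entry.get("score_logbook") or []):
                if to_date(log.get("date")) is None:
                    findings.append((technique["technique_id"], section,
                                     tuple(entry.get("applicable_to", [])), i))
    return findings


def normalise_technique(technique: dict) -> dict:
    """Copy with list-shaped sections and null-date/score -1 placeholders removed."""
    fixed = copy.deepcopy(technique)
    for section in SECTIONS:
        entries = as_list(fixed.get(section))
        for entry in entries:
            entry["score_logbook"] = [
                log for log in entry.get("score_logbook") or []
                if not (to_date(log.get("date")) is None and log.get("score") == UNSCORED)
            ]
        fixed[section] = entries
    return fixed


def latest_score(logbook: list[dict]) -> int | None:
    """Most recent score, compared by date the way a consumer does. A null date
    raises the same TypeError as in the dettect.py output quoted above."""
    latest: tuple[date | None, int] | None = None
    for log in logbook:
        when = to_date(log.get("date"))
        if latest is None or when > latest[0]:  # date > None -> TypeError
            latest = (when, log["score"])
    return None if latest is None else latest[1]


# Constructed samples mirroring the "after" and "before" YAML quoted in the issues.
SAMPLE_LIST_SHAPED = {
    "technique_id": "T1018", "technique_name": "Remote System Discovery",
    "detection": [{"applicable_to": ["all"], "location": ["", "Rule1", "Rule2"], "comment": "",
                   "score_logbook": [{"date": None, "score": -1, "comment": ""},
                                     {"date": datetime(2023, 1, 30), "score": -1,
                                      "comment": "Auto added by Dettectinator. TODO: Check score."}]}],
    "visibility": [{"applicable_to": ["Windows"], "comment": "",
                    "score_logbook": [{"date": datetime(2023, 1, 30, 16, 42, 10), "score": 3,
                                       "comment": "", "auto_generated": True}]}],
}
SAMPLE_MAPPING_SHAPED = {  # detection is one mapping, not a list
    "technique_id": "T1069.001", "technique_name": "Local Groups",
    "detection": {"applicable_to": ["all"], "location": [""], "comment": "",
                  "score_logbook": [{"date": None, "score": -1, "comment": ""}]},
    "visibility": [],
}

if __name__ == "__main__":
    for tech in (SAMPLE_LIST_SHAPED, SAMPLE_MAPPING_SHAPED):
        print(tech["technique_id"], "null dates:", find_null_dates(tech))
        for entry in normalise_technique(tech)["detection"]:
            print("  ", entry["applicable_to"], "latest score:", latest_score(entry["score_logbook"]))
```

Run it against the raw T1018 record and `latest_score` fails with the reported comparison error; after `normalise_technique` the placeholder is gone and the dated -1 entry is returned, while the mapping-shaped record is turned into a one-element list so the `applicable_to` lookup works.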

Request: list output of changed techniques in numerical order

By doing so, scoring (which stays a manual burden) can be executed much quicker by using the DeTT&CT Editor in combination with the button. Especially in cases when many techniques have been changed one doesn't have to go criss-cross through the yaml file.
