siriussecurity / dettectinator
Dettectinator - The Python library to your DeTT&CT YAML files.
License: GNU General Public License v3.0
Hi,
Thank you for the good work with Dettectinator.
The title pretty much sums it up.
We're trying to implement Dettectinator with QRadar. I think that with the CSV import we can do something, but maybe you've faced this already in the past.
Thank you!
Hi
Thanks for the awesome addition to DeTT&CT! Really cool library and cli tool!
It was unclear to me, based on https://github.com/siriussecurity/dettectinator/wiki/Dettectinator-as-a-CLI-tool#checkclean-unused-detections--ch---check_unused--cl---clean_unused and the --help output (optional arguments), that I have to provide both -ch and -cl to remove unused detections. I only used the clean switch and had a hard time figuring out (digging into the source code) that both are needed.
Proposal: Improve wording to clearly state that for removing unused detections one must provide both of these switches.
If I missed reading the right section in the help, then sorry for the trouble ;)
Hi there,
Following #4, I am creating a techniques admin from DeTT&CT using --yaml --yaml-all-techniques. This way, I have all the techniques referenced and empty.
I am now able to use dettectinator to update the technique admin file, but I get errors when using DeTT&CT to generate a layer of detection. The error I have is the following:
dettect.py d -ft techniques_dash.yaml -l
[!] Possible error in YAML file at: T1018. Error: '>' not supported between instances of 'datetime.date' and 'NoneType'
The reason may be that, as the detection is created with null dates, it is not replaced by dettectinator.
- technique_id: T1018
  technique_name: Remote System Discovery
  detection:
    applicable_to:
    - all
    location:
    - ''
    comment: ''
    score_logbook:
    - date:
      score: -1
      comment: ''
  visibility:
  - applicable_to:
    - default
    comment: ''
    score_logbook:
    - date: 2023-01-30 16:42:10.026048
      score: 0
      comment: ''
    auto_generated: true
  - applicable_to:
    - Windows
    comment: ''
    score_logbook:
    - date: 2023-01-30 16:42:10.026048
      score: 3
      comment: ''
    auto_generated: true
- technique_id: T1018
  technique_name: Remote System Discovery
  detection:
  - applicable_to:
    - all
    location:
    - ''
    - 'Rule1'
    - 'Rule2'
    comment: ''
    score_logbook:
    - date: null
      score: -1
      comment: ''
    - date: 2023-01-30T00:00:00.000Z
      score: -1
      comment: 'Auto added by Dettectinator. TODO: Check score. Detection rule added: Rule1, Rule2'
  visibility:
  - applicable_to:
    - default
    comment: ''
    score_logbook:
    - date: 2023-01-30 16:42:10.026048
      score: 0
      comment: ''
    auto_generated: true
  - applicable_to:
    - Windows
    comment: ''
    score_logbook:
    - date: 2023-01-30 16:42:10.026048
      score: 3
      comment: ''
    auto_generated: true
Note: An empty value is left before Rule1 and Rule2, not sure if this will create additional issues.
The import seems successful and the health of the YAML is fine. Do you observe the same issue? I should have checked before validating issue #4, sorry.
Hi,
I am experiencing an issue when I am trying to update an existing technique administration file using the plugin TechniqueSigmaRules. However, it works fine when I am generating a new administration file (dettect = DettectTechniquesAdministration()). The technique administration file is standard and was generated using DeTT&CT.
Do you happen to have the same issue?
Code:
import json
# Import paths assumed from the dettectinator wiki; 'parameters' holds the plugin
# settings (Sigma rules location etc.) and is defined earlier in the script.
from dettectinator import DettectTechniquesAdministration
from plugins.technique_import import TechniqueSigmaRules

import_sigma = TechniqueSigmaRules(parameters)
techniques = import_sigma.get_attack_techniques(['Windows', 'all'])
print(json.dumps(techniques, indent=4))
#dettect = DettectTechniquesAdministration()   # new file: works
dettect = DettectTechniquesAdministration('test.yaml')   # existing DeTT&CT file: fails
dettect.update_detections(techniques, False, False, '', False, False)
#dettect.save_yaml_file('hi.yaml')
Content of techniques:
{
    "Accesschk Usage To Check Privileges": {
        "applicable_to": [
            "Windows",
            "all"
        ],
        "location_prefix": "",
        "techniques": [
            "T1069.001"
        ]
    }
}
Error:
  File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 303, in update_detections
    warnings, results = self._add_rules(detection_rules, date_today)
  File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 329, in _add_rules
    applicable_to_list = [d['applicable_to'] for d in yaml_technique['detection']]
  File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 329, in <listcomp>
    applicable_to_list = [d['applicable_to'] for d in yaml_technique['detection']]
TypeError: string indices must be integers
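The two tracebacks in the issues above come from the same kind of input: score_logbook entries whose date is null (DeTT&CT then compares a datetime.date with None) and a technique whose detection key is a mapping rather than a list (dettectinator's _add_rules then iterates over string keys). The pre-flight check below is an added example, not code from dettectinator or DeTT&CT; it works on the already-parsed YAML structure, the sample data is constructed to mirror the posts, and loading the real file (for instance with PyYAML's safe_load) is left to the caller.

```python
import copy
import datetime

# Constructed sample mirroring the two issues above: T1018 carries a score_logbook
# entry with a null date; T1069.001 keeps 'detection' as a mapping, not a list.
SAMPLE_TECHNIQUES = [
    {"technique_id": "T1018", "technique_name": "Remote System Discovery",
     "detection": [{"applicable_to": ["all"], "location": ["", "Rule1", "Rule2"],
                    "comment": "",
                    "score_logbook": [{"date": None, "score": -1, "comment": ""},
                                      {"date": datetime.date(2023, 1, 30), "score": -1,
                                       "comment": "Auto added by Dettectinator."}]}],
     "visibility": [{"applicable_to": ["default"], "comment": "", "score_logbook":
                     [{"date": datetime.date(2023, 1, 30), "score": 0, "comment": ""}]}]},
    {"technique_id": "T1069.001", "visibility": [],
     "detection": {"applicable_to": ["Windows"], "location": [""], "comment": "",
                   "score_logbook": [{"date": None, "score": -1, "comment": ""}]}},
]

def _entries(tech, section):
    """Return detection/visibility entries as a list, tolerating the mapping layout."""
    value = tech.get(section) or []
    return [value] if isinstance(value, dict) else value

def find_null_dates(techniques):
    """Locate logbook entries with a null date, the cause of the date-vs-None error above."""
    hits = []
    for tech in techniques:
        for section in ("detection", "visibility"):
            for entry in _entries(tech, section):
                for i, log in enumerate(entry.get("score_logbook") or []):
                    if log.get("date") is None:
                        hits.append((tech["technique_id"], section, i))
    return hits

def find_mapping_detections(techniques):
    """Ids whose 'detection' is a mapping: iterating it yields str keys, hence the error above."""
    return [t["technique_id"] for t in techniques if isinstance(t.get("detection"), dict)]

def normalize(techniques, fill_date):
    """Deep copy with mapping detections wrapped in a list and null dates set to fill_date."""
    fixed = copy.deepcopy(techniques)
    for tech in fixed:
        tech["detection"] = _entries(tech, "detection")
        for section in ("detection", "visibility"):
            for entry in _entries(tech, section):
                for log in entry.get("score_logbook") or []:
                    if log.get("date") is None:
                        log["date"] = fill_date
    return fixed
```

Run the two find_* functions on a freshly generated administration file before handing it to either tool; normalize() gives a corrected copy you can dump back to YAML.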
By doing so, scoring (which stays a manual burden) can be executed much quicker by using the DeTT&CT Editor in combination with the button. Especially in cases when many techniques have been changed, one doesn't have to go criss-cross through the YAML file.