color not showing on navigator
macarongbadessy opened this issue · 11 comments
Hello. I am having issues with the color not showing on the MITRE Navigator. I have DeTT&CT version v1.4.2 and I am using attack-navigator v4.2. However, when I upload the JSON file, it would upload without any issues, but the mapping isn't showing. I would like to continue to use the old version v8 of MITRE ATT&CK. I was in the middle of a project and it will be too much to start over with version 9. Thanks!
When I used my old JSON file, it will show the color. However, when I create a new YAML file with a lot of data sources added and then convert it to a JSON, it will show 1 KB as the file size. Not sure what is going on.
You should be able to get this working by pointing DeTT&CT to a v8 CTI repository and using v1.4.2 (which you are already doing).
- Get the v8.2 release from this URL: https://github.com/mitre/cti/releases/tag/ATT%26CK-v8.2
- Point `dettect.py` to v8.2. For example: `python3 dettect.py ge --local-stix-path /prev_attack/cti-ATT-CK-v8.2 -ds`
Thanks for your help. I tried that and it loaded successfully. I tried to create a new YAML file with over 10 data sources, which was 8 KB; when I convert it from YAML to JSON using `python dettect.py ds -fd c.yaml -l` it will work. However, again, when I load it into the navigator, it will load correctly, but with no color mapping. The JSON file was 1 KB. Previously, the one that worked had a size of 165 KB. Is there anything else I can try?
Just checking:
- This new YAML file contains the old data source names from v8?
- In the command line you provided, I'm missing the following argument: `--local-stix-path [path to CTI dir for ATT&CK v8]`.
I've just done a quick test myself and got it working. See below my steps:
- Setup DeTT&CT v1.4.2 using Docker:
  - Get the image: `docker pull rabobankcdc/dettect:v1.4.2`
  - Create the container: `docker run -p 8080:8080 -v $(pwd)/output:/opt/DeTTECT/output -v $(pwd)/input:/opt/DeTTECT/input --name dettect -it rabobankcdc/dettect:v1.4.2 /bin/bash`
  - More info on Docker for DeTT&CT here.
- Launched the v1.4.2 Editor from within the Docker container: `python dettect.py e`
- Within the Editor created a new data source file with only a few ATT&CK v8 data sources.
- Saved the file from the Editor and placed it within the `input` directory for the Docker container (my filename was: `data-sources-new.yaml`).
- Within this same `input` directory placed a copy of the ATT&CK v8 dir: `cti-ATT-CK-v8.2`
- From within the container I ran the following command to generate the Navigator layer file: `python dettect.py ds -fd input/data-sources-new.yaml --local-stix-path input/cti-ATT-CK-v8.2/ --layer`
- When loading this into the Navigator it showed the right scoring/colouring as expected.
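The symptom in this thread is a layer file that loads in the Navigator but colours nothing (and is only about 1 KB). The following script is an added diagnostic, not part of the thread or of DeTT&CT itself: it parses a generated Navigator layer and reports whether it actually contains scored techniques for the ATT&CK version you expect. The field names (`versions`, `domain`, `techniques` with `techniqueID`/`score`) follow the Navigator layer format as assumed here, and both sample layers are constructed.

```python
# Added diagnostic for a Navigator layer that loads but shows no colouring.
# Assumes the ATT&CK Navigator layer JSON format: "versions" -> "attack",
# "domain", and a "techniques" list of {"techniqueID", "score", ...}.
# The two sample layers below are constructed, not real DeTT&CT output.
import json


def inspect_layer(layer_text: str, expected_attack_version: str = "8") -> dict:
    """Summarise a layer: how many techniques carry a score and whether the
    declared ATT&CK version matches the Navigator instance it is loaded in."""
    layer = json.loads(layer_text)
    techniques = layer.get("techniques", [])
    # A technique is only coloured by the gradient when it carries a score
    # (or an explicit colour); a layer without any is the "no colour" symptom.
    scored = [t for t in techniques if t.get("score") is not None or t.get("color")]
    attack_version = str(layer.get("versions", {}).get("attack", ""))
    return {
        "name": layer.get("name", ""),
        "domain": layer.get("domain", ""),
        "attack_version": attack_version,
        "version_matches": attack_version.startswith(expected_attack_version),
        "technique_count": len(techniques),
        "scored_count": len(scored),
        "will_colour": len(scored) > 0,
    }


# Constructed sample 1: a near-empty layer (what a ~1 KB file looks like).
EMPTY_LAYER = json.dumps({
    "name": "Data sources Enterprise",
    "versions": {"attack": "8", "navigator": "4.2", "layer": "4.0"},
    "domain": "enterprise-attack",
    "techniques": [],
})

# Constructed sample 2: a layer with a couple of scored techniques.
SCORED_LAYER = json.dumps({
    "name": "Data sources Enterprise",
    "versions": {"attack": "8", "navigator": "4.2", "layer": "4.0"},
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059", "score": 3, "comment": "Command Execution"},
        {"techniqueID": "T1003", "score": 1},
    ],
})

if __name__ == "__main__":
    for label, text in (("empty", EMPTY_LAYER), ("scored", SCORED_LAYER)):
        print(label, inspect_layer(text))
```

Run it against the real layer file by reading it into `inspect_layer`; a `technique_count` of 0 means the data source names in the YAML did not match the ATT&CK version the STIX path points to.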
I have come across a similar or the same issue with DeTT&CT v1.4.3. Could it be that the editor is still showing ATT&CK v8?
```
$ python3 dettect.py generic -ds -m enterprise
Count Data Source
--------------------------------------------------
243 Command: Command Execution
197 Process: Process Creation
95 File: File Modification
(...)
```
I didn't reinstall DeTT&CT, but using this command `python dettect.py ds -fd input/data-sources-new.yaml --local-stix-path input/cti-ATT-CK-v8.2/ --layer` to create the JSON file helped, and it shows the color mapping on the v8 MITRE Navigator.
Thank you so much!!
@diogo-fernan must be related to the browser cache. Can you try to clear the cache or see if it works when running in a private browsing window?
@marcusbakker that does not seem to be the reason. The editor was already running on a private browsing window, but I just retried creating one from scratch now and the data sources seem to be outdated all the same in different browsers. This is a local download and installation of `requirements.txt` with `pip3`, by the way!
@diogo-fernan I know what has caused this now. I quickly pushed out the release and did not wait long enough for some GitHub Actions to complete. Therefore, the release files on the release page have the old data sources. I've added a new .zip file on the release page: DeTTECT-1.4.3.zip
@marcusbakker that seems to have fixed it. Thanks!
@diogo-fernan good 😄.