Techniques being annotated even when a selected data source not part of the yaml

Question

Techniques being annotated even when a selected data source not part of the yaml

roboticsea opened this issue 2 years ago · 8 comments

Hey there!

Thanks so much for this tool! Really helps me prioritize detections to build.

Maybe I'm doing something wrong, but if I select a data source, for example network connection creation, techniques that do not have that as an available data source are still being annotated by, I believe "applicable to".

If it's a bug in the newest version, I thought I'd submit an issue. If this is user error, I'm really sorry!

-Rob

Answer 1 · 2022-04-19T09:49:59.000Z

hi @roboticsea

We don't quite understand what you mean. Can you please elaborate your issue a bit more and include some screenshots?

Answer 2 · 2022-04-27T15:20:22.000Z

It's probably me doing something wrong, but here's what I did to produce a yaml for network share access applicable to Windows. If you look at the converted json layer in Navigator, it colored the right techniques but all the other techniques were annotated as well (with Applicable to Windows) Thanks!!!

…

On Tue, Apr 19, 2022 at 5:50 AM Ruben Bouman ***@***.***> wrote: hi @roboticsea <https://github.com/roboticsea> We don't quite understand what you mean. Can you please elaborate your issue a bit more and include some screenshots? — Reply to this email directly, view it on GitHub <#70 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJJ3PGN6XRHQKM7M5NJEFXDVFZ6VFANCNFSM5RUHV4UA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Answer 3 · 2022-04-27T15:24:52.000Z

Could you share some screenshots?

Answer 4 · 2022-04-27T15:44:48.000Z

Sorry, I replied with them on this email. Let me attach to the issue

…

On Wed, Apr 27, 2022, 11:25 AM Marcus Bakker ***@***.***> wrote: Could you share some screenshots? — Reply to this email directly, view it on GitHub <#70 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJJ3PGLRPN7X2EFO7QOIC73VHFL47ANCNFSM5RUHV4UA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Answer 5 · 2022-04-27T15:47:32.000Z

roboticsea commented 2 years ago

Answer 6 · 2022-04-28T09:29:56.000Z

What you are seeing in the Navigator is correct. For example, the metadata shown for T1200 tells you you're missing a data source to have visibility. Hence the score of 0%.

About the yellow underlying, those can be pretty annoying. We currently have no way of influencing that from the .json layer file. However, one solution is to use a different URL for the ATT&CK Navigator, which removes the yellow underlying for annotated techniques.

https://mitre-attack.github.io/attack-navigator/#comment_underline=false

Answer 7 · 2022-04-28T11:05:59.000Z

Ah, that makes sense. The reason I was asking is I use these to compare against attack groups layers to find techniques to build detections for. When stuff is annotated like this the comparison layer is skewed. But, you got me in the right direction. Thanks!!

…

On Thu, Apr 28, 2022, 5:30 AM Marcus Bakker ***@***.***> wrote: What you are seeing in the Navigator is correct. For example, the metadata shown for T1200 tells you you're missing a data source to have visibility. Hence the score of 0%. About the yellow underlying, those can be pretty annoying. We currently have no way of influencing that from the .json layer file. However, one solution is to use a different URL for the ATT&CK Navigator, which removes the yellow underlying for annotated techniques. https://mitre-attack.github.io/attack-navigator/#comment_underline=false — Reply to this email directly, view it on GitHub <#70 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJJ3PGJGRPZ4R2O3VCISFDLVHJLB7ANCNFSM5RUHV4UA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Answer 8 · 2022-04-28T11:07:20.000Z

Good to hear that. I will close this issue for now.