rabobank-cdc/DeTTECT

Issue Generating Heatmaps based on multiple groups

CyberGumShew opened this issue · 1 comment

I'm having an issue generating a heatmap on multiple group administration files.

Running the group command with multiple -g parameters just generates a heatmap on the first parameter provided, not a combined heatmap.

Example command (1 technique for each .yaml):

```
python.exe .\dettect.py g -g '.\threat-actor-data\test2.yaml' -g '.\threat-actor-data\test1.yaml'
```

Generates:

```json
{
  "name": "Attack - Linux, Windows, macOS",
  "versions": { "navigator": "4.5", "layer": "4.3" },
  "domain": "enterprise-attack",
  "description": "stage: attack | platform(s): Linux, Windows, macOS | group(s): Test1 | overlay group(s): ",
  "filters": { "platforms": [ "Windows", "Linux", "macOS" ] },
  "sorting": 3,
  "layout": {
    "layout": "flat",
    "aggregateFunction": "sum",
    "showAggregateScores": true,
    "countUnscored": false,
    "showName": true,
    "showID": false
  },
  "hideDisable": false,
  "selectSubtechniquesWithParent": false,
  "techniques": [
    { "techniqueID": "T1218.011", "score": 2380, "metadata": [ { "name": "Group", "value": "Test1" } ] },
    { "techniqueID": "T1218", "showSubtechniques": true }
  ],
  "showTacticRowBackground": false,
  "tacticRowBackground": "#dddddd",
  "selectTechniquesAcrossTactics": true,
  "gradient": { "colors": [ "#ffcece", "#ff0000" ], "minValue": 0, "maxValue": 2380 },
  "legendItems": [
    { "label": "Tech. not often used", "color": "#ffcece" },
    { "label": "Tech. used frequently", "color": "#ff0000" },
    { "label": "Groups overlay: tech. in group + overlay", "color": "#f9a825" },
    { "label": "Groups overlay: tech. in overlay", "color": "#ffee58" },
    { "label": "Src. of tech. is only software", "color": "#0d47a1 " },
    { "label": "Src. of tech. is group(s)/overlay + software", "color": "#64b5f6 " }
  ]
}
```

Hi @CyberGumShew,

Currently there's only support for having 1 group yaml file loaded into the group mode. If you want to combine multiple groups, you can put all groups into one group yaml file. The group yaml file does support multiple groups and multiple campaigns. Please be aware that the "enabled" property is set to true. If you then generate a heatmap, you'll have all the groups included in the heatmap.

We do have an item on our backlog to support multiple group yaml files and also to compare these with ATT&CK groups.

Regards,
Ruben
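The workaround in the reply (put every group into one group YAML file and make sure each one is enabled) can be scripted. The following is an added example written for this thread; it is not part of DeTTECT and not code from either participant. It assumes the group-administration layout DeTTECT's group mode reads: a top-level mapping with `file_type: group-administration`, `version`, and a `groups` list whose entries carry `group_name`, `campaign`, `technique_id`, `software_id` and `enabled`. The two input documents (`TEST1`, `TEST2`) are constructed inline to mirror the issue's one-technique-per-file setup; `merge_group_admin`, `technique_group_index`, `load_group_files` and `write_group_file` are names chosen here, not DeTTECT functions. Check the key names against the project's own sample group file before using it.

```python
"""Merge several DeTTECT group-administration YAML files into one (example, not DeTTECT code).

Assumed schema (verify against DeTTECT's sample group file):
  file_type: group-administration
  version: 1.0
  groups:
    - group_name: ...
      campaign: ...
      technique_id: [T....]
      software_id: [S....]
      enabled: true
"""
import copy
import sys
from typing import Any, Dict, Iterable, List

try:
    import yaml  # PyYAML; only needed by the file I/O helpers below
except ImportError:  # the merge logic itself works on plain dicts
    yaml = None

# Constructed sample inputs, one technique per file as in the issue.
TEST1 = {"file_type": "group-administration", "version": 1.0, "groups": [
    {"group_name": "Test1", "campaign": "", "technique_id": ["T1218.011"],
     "software_id": [], "enabled": True}]}
TEST2 = {"file_type": "group-administration", "version": 1.0, "groups": [
    {"group_name": "Test2", "campaign": "", "technique_id": ["T1059.001"],
     "software_id": [], "enabled": False}]}  # disabled: would be skipped by the heatmap


def merge_group_admin(docs: Iterable[Dict[str, Any]], force_enabled: bool = True) -> Dict[str, Any]:
    """Concatenate the `groups` lists of several group-administration documents.

    Refuses non-group files and duplicate (group_name, campaign) pairs, because a
    duplicate would double-count that group's techniques in the heatmap score.
    With force_enabled every merged group gets enabled: true, since a disabled
    group contributes nothing to the generated layer.
    """
    docs = list(docs)
    if not docs:
        raise ValueError("no group documents given")
    merged: Dict[str, Any] = {"file_type": "group-administration",
                              "version": docs[0].get("version", 1.0), "groups": []}
    seen = set()
    for doc in docs:
        if doc.get("file_type") != "group-administration":
            raise ValueError(f"not a group-administration file: {doc.get('file_type')!r}")
        for group in doc.get("groups", []):
            key = (str(group.get("group_name", "")).lower(), str(group.get("campaign", "")).lower())
            if key in seen:
                raise ValueError(f"duplicate group/campaign in inputs: {key}")
            seen.add(key)
            g = copy.deepcopy(group)
            if force_enabled:
                g["enabled"] = True
            merged["groups"].append(g)
    return merged


def technique_group_index(doc: Dict[str, Any]) -> Dict[str, List[str]]:
    """Preview which enabled groups will be attached to each technique in the layer."""
    index: Dict[str, List[str]] = {}
    for group in doc.get("groups", []):
        if not group.get("enabled", False):
            continue
        for tid in group.get("technique_id", []) or []:
            index.setdefault(tid, []).append(group["group_name"])
    return {tid: sorted(names) for tid, names in index.items()}


def load_group_files(paths: Iterable[str]) -> List[Dict[str, Any]]:
    if yaml is None:
        raise RuntimeError("PyYAML is required to read YAML files (pip install pyyaml)")
    docs = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            docs.append(yaml.safe_load(fh))
    return docs


def write_group_file(doc: Dict[str, Any], path: str) -> None:
    if yaml is None:
        raise RuntimeError("PyYAML is required to write YAML files (pip install pyyaml)")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("%YAML 1.2\n---\n")  # assumed header used by DeTTECT's YAML files
        yaml.safe_dump(doc, fh, sort_keys=False)


if __name__ == "__main__":
    # usage: python merge_groups.py combined.yaml test1.yaml test2.yaml
    if len(sys.argv) < 3:
        sys.exit("usage: merge_groups.py OUT.yaml IN1.yaml [IN2.yaml ...]")
    combined = merge_group_admin(load_group_files(sys.argv[2:]))
    write_group_file(combined, sys.argv[1])
    for tid, names in sorted(technique_group_index(combined).items()):
        print(f"{tid}: {', '.join(names)}")
```

Feed the written file to `dettect.py g -g combined.yaml` to get one heatmap covering all groups. The duplicate check matters if the same actor appears in two source files under the same campaign: DeTTECT scores techniques by how many groups use them, so merging blindly would inflate that count.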