Unable to generate Detection overlay with multiple Groups
tailsec opened this issue · 3 comments
I'm unable to create a Detection overlay despite being able to feed in multiple Group layers:
(venv) user@ubuntu:/opt/DeTTECT$ python dettect.py g -g sample-data/groups.yaml -g ~/Downloads/20220322-RedCanary.yaml -o sample-data/techniques-administration-endpoints.yaml -t detection
File written: output/attack_red-team-(scenario-1)-overlay_detection_5.json
The resulting output file doesn't feature any of the Red Canary Techniques, despite there being multiple overlaps:
attack_red-team-(scenario-1)-overlay_detection_5.json.txt
e.g. both group layers feature PowerShell, but only the Red Team layer TTPs are present:
For reference - the second group file:
20220322-RedCanary.yaml.txt
Is this not a supported function? If so, it would be a useful one to have, e.g. if asked to provide an overview of Detections for Chinese-affiliated actors, you could overlay Detections with APT27, APT41, etc.
I've tested this with Data Sources too and have encountered the same issue. The use case I was attempting to test was where we had multiple Data Source layers for different asset classes but wanted to visualise our coverage of.
The command I ran:
(venv) user@ubuntu:/opt/DeTTECT$ python dettect.py ds -fd ~/Downloads/data-sources-Corporate-SOE.yaml -fd ~/Downloads/data-sources-Legacy-SOE.yaml -l
File written: output/data_sources_legacy-soe.json
The files I used:
data-sources-Corporate-SOE.yaml.txt
data-sources-Legacy-SOE.yaml.txt
Attempting to filter by Applicable-to seemed to confirm it's only processing the last file passed:
(venv) user@ubuntu:/opt/DeTTECT$ python dettect.py ds -fd ~/Downloads/data-sources-Corporate-SOE.yaml -fd ~/Downloads/data-sources-Legacy-SOE.yaml -a 'Corporate SOE - Windows' -a 'DMZ Servers - Windows' -a 'DMZ Workstations' -a 'DEV Servers - Windows' -l
[!] 'Corporate SOE - Windows' is an unknown applicable to value.
Known values are: dmz servers - linux, dev servers - linux, dev servers - windows, dmz servers - windows, dmz workstations
Hi @tailsec
The -g within the groups mode only supports one group YAML file. It supports multiple ATT&CK group names/IDs, but that doesn't work for multiple group YAML files.
The -ds within the data source mode only supports one YAML file (also the same for -ft in detection/visibility mode). You can't combine multiple data source/technique YAML files.
@rubinatorz would I be able to raise this as a Feature Request? I feel like this would be a very common use case for many users of the project - both for the Data Source layers, and Group layers.
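Since the CLI, as described in the reply above, reads only the last file given with -fd, one workaround is to merge the data-source administration files yourself and pass the result as a single -fd. The script below is an added example written for this page; it is not part of DeTTECT and does not come from either participant in the thread. It assumes the file layout of the data-source administration files (a top-level `systems` list keyed by `applicable_to`, and a `data_sources` list keyed by `data_source_name` whose `data_source` entries each carry their own `applicable_to` list); check those names against your own YAML before relying on it. The `CORPORATE` and `LEGACY` documents are constructed sample input, shaped after the file names and applicable-to values from the commands above, and the case-insensitive duplicate handling is this script's own choice.

```python
"""Merge several DeTTECT-style data-source administration files into one.

Hypothetical workaround (not part of DeTTECT): the CLI takes only one -fd
file, so combine the per-asset-class files first and pass the merged file.
Assumed layout: top-level 'systems' (keyed by 'applicable_to') and
'data_sources' (keyed by 'data_source_name', each with a 'data_source' list
of per-system records that carry an 'applicable_to' list).
"""
import copy
import sys
from typing import Any, Dict, List, Tuple


def _norm(values) -> Tuple[str, ...]:
    """Case-insensitive, order-insensitive key for an applicable_to list."""
    if isinstance(values, str):
        values = [values]
    return tuple(sorted(str(v).strip().lower() for v in values))


def merge_data_source_files(docs: List[Dict[str, Any]]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (merged document, warnings). Header fields come from the first doc;
    'version' and 'file_type' must agree across all inputs."""
    if not docs:
        raise ValueError("nothing to merge")
    merged = copy.deepcopy(docs[0])
    merged["systems"], merged["data_sources"] = [], []
    warnings: List[str] = []
    seen_systems = set()
    by_name: Dict[str, Dict[str, Any]] = {}

    for idx, doc in enumerate(docs):
        for key in ("version", "file_type"):
            if doc.get(key) != merged.get(key):
                raise ValueError(f"doc {idx}: {key}={doc.get(key)!r} != {merged.get(key)!r}")

        # Systems: keep the first definition of each applicable_to value.
        for system in doc.get("systems", []):
            tag = _norm(system["applicable_to"])
            if tag in seen_systems:
                warnings.append(f"doc {idx}: duplicate system {system['applicable_to']!r} skipped")
                continue
            seen_systems.add(tag)
            merged["systems"].append(copy.deepcopy(system))

        # Data sources: same name -> union of per-system records, no duplicates.
        for ds in doc.get("data_sources", []):
            name = ds["data_source_name"]
            target = by_name.get(name)
            if target is None:
                target = {"data_source_name": name, "data_source": []}
                by_name[name] = target
                merged["data_sources"].append(target)
            present = {_norm(r.get("applicable_to", [])) for r in target["data_source"]}
            for rec in ds.get("data_source", []):
                tag = _norm(rec.get("applicable_to", []))
                if tag in present:
                    warnings.append(f"doc {idx}: {name!r} already covers {list(tag)}; earlier record kept")
                    continue
                present.add(tag)
                target["data_source"].append(copy.deepcopy(rec))
    return merged, warnings


# Constructed sample input (not real files from the thread).
CORPORATE = {
    "version": 1.1, "file_type": "data-source-administration", "name": "Corporate SOE",
    "systems": [{"applicable_to": "Corporate SOE - Windows", "platform": ["Windows"]}],
    "data_sources": [
        {"data_source_name": "Process Creation",
         "data_source": [{"applicable_to": ["Corporate SOE - Windows"], "products": ["Sysmon"]}]},
        {"data_source_name": "Command Execution",
         "data_source": [{"applicable_to": ["Corporate SOE - Windows"], "products": ["EDR"]}]},
    ],
}
LEGACY = {
    "version": 1.1, "file_type": "data-source-administration", "name": "Legacy SOE",
    "systems": [{"applicable_to": "DMZ Servers - Windows", "platform": ["Windows"]},
                {"applicable_to": "corporate soe - windows", "platform": ["Windows"]},
                {"applicable_to": "DMZ Workstations", "platform": ["Windows"]}],
    "data_sources": [
        {"data_source_name": "Process Creation",
         "data_source": [{"applicable_to": ["DMZ Servers - Windows", "DMZ Workstations"], "products": ["WEF"]},
                         {"applicable_to": ["Corporate SOE - Windows"], "products": ["Sysmon"]}]},
        {"data_source_name": "Network Traffic Content",
         "data_source": [{"applicable_to": ["DMZ Servers - Windows"], "products": ["Zeek"]}]},
    ],
}

if __name__ == "__main__":
    # Usage: python merge_ds.py a.yaml b.yaml ... > merged.yaml ; then: dettect.py ds -fd merged.yaml -l
    import yaml  # PyYAML, already a DeTTECT dependency
    loaded = [yaml.safe_load(open(p, encoding="utf-8")) for p in sys.argv[1:]] or [CORPORATE, LEGACY]
    out, warns = merge_data_source_files(loaded)
    for w in warns:
        print("[!]", w, file=sys.stderr)
    print(yaml.safe_dump(out, sort_keys=False))
```

Note that `yaml.safe_dump` does not preserve comments or the `%YAML 1.2` directive, so inspect the merged file once before using it in a pipeline, and confirm with `-a` that every applicable-to value from all inputs is now recognised.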