Comments (3)
Hi Sriram,
We have put a short instruction on the Wiki on how to get started with the docker instance :-).
When you refer to "the detection map", you are referring to this picture? The command python3 dettect.py ds -f sample-data/data-sources-endpoints.yaml -y
will provide you with a YAML technique administration file. In this file, detections are left blank. Only visibility is filled in based on your data sources (data-sources-endpoints.yaml
). The result is YAML file with a rough overview of your visibility coverage. In the file techniques-administration-endpoints.yaml
we choose the manually score the visibility of some of the techniques. If I understand you correctly, that will explain the difference in the score of the visibility.
Regarding the relation between visibility and detection. These are two separate things. Visibility tells you something about what you could potentially detect. When you want to use DeTT&CT for your Linux fleet it can be a good idea to:
- start with creating a data source administration file
- use that file to draft a tech. admin. YAML file
- the visibility scores within this file a rough estimation
- manually start scoring your detection per technique in this tech. admin. YAML file
- where it makes sense or where it is of value, you can then manually score the visibility of a technique. There can be multiple reasons why this is necessary. See: Score visibility.
- have a look at the scoring tables to help you. Use the score that fits best.
Does the above answer your questions and helps you to get started?
Regards,
Marcus
from dettect.
Thanks Marcus, I think I see your perspective on this now.
However, I'm presuming you have also explored the concept of how Organisational protection policies implemented on these technologies may map against the MITRE ATT&CK f/w. Prima facie, it would have to be a sub set of the feature set advertised by a vendor product. How did that experience go, if I may ask?
from dettect.
Yes, we have. That part is not, yet, integrated with DeTT&CT (it is on the list for Future Developments). Besides having preventive or protective measures provided by a vendor as a subset of the features they offer or being their primary functionality. We could of course also have taken for example measures within an OS (like enabling credential guard in Windows).
from dettect.
Related Issues (20)
- Feature Request: Export what's missing from Visibility or Detection HOT 3
- Receiving an error when converting data sources to json HOT 5
- Old versions of DeTTECT HOT 5
- unable to open jupyter notebook HOT 5
- error in connecting to MITRE's CTI TAXII server when convert yaml to json HOT 1
- Cannot connect to MITRE's CTI TAXII server HOT 1
- Unable to connect to Mitre Taxii Server HOT 2
- Feature request: add support for ATT&CK Version 14 HOT 2
- Some confusion about the "group" option HOT 1
- Duplicate value for applicable_to HOT 1
- arm64 docker image HOT 2
- Missing Data Sources By Technique
- Seeing some strangeness HOT 2
- Cannot connect to MITRE's CTI TAXII server HOT 2
- Current built mechnism broken - image likely outdated
- Percentage score calculation with numerical
- Feature request: Detection & Visibility overlay, highlighting where Visibility > Detection
- Question regarding detection rules/scoring HOT 1
- Question: How to handle non-mappable types of event? HOT 2
- Windows event log is not available while adding data source option. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dettect.