Comments (15)
Hi Nitin,
That error is raised because one of the score entries of the detection node in the techniques YAML file is not a valid number (between -1 and 5). For example:
- technique_id: T1173
  technique_name: Dynamic Data Exchange
  detection:
    applicable_to: [all]
    location:
      - 'My SIEM'
    comment: ''
    score_logbook:
      - date: 2020-05-11
        score: null
        comment: ''
  ...
This score of null will result in the error you got. Maybe there are more invalid values, so I would suggest looking for detection scores that are not a valid number between -1 and 5.
Regards,
Ruben
Hello Ruben,
I don't find the error, as all detection scores lie between -1 and 5. How to troubleshoot the issue?
Regards,
Nitin
Hi Nitin,
An easy way to find out in which technique the error resides is by adding the following line to technique_mapping.py just above line 303:
    print(technique_id)
Run your dettect command again. A list with technique IDs will be printed, and the last technique ID is the one with the error in the score.
Please let us know if you found it, or share the YAML portion of the technique with the error (please remove any sensitive information).
Regards,
Ruben
Hi Ruben,
Please find the below output. FYI- I filled the technique file using DeTT&ct Editor so there is no way I could've given null or a wrong value.
Output:
T1001
T1002
T1003
T1004
T1005
Traceback (most recent call last):
  File "dettect.py", line 309, in <module>
    _menu(_init_menu())
  File "dettect.py", line 233, in _menu
    generate_visibility_layer(file_tech, args.file_ds, True)
  File "/home/admin1/DeTTECT/technique_mapping.py", line 46, in generate_visibility_layer
    mapped_techniques_both = _map_and_colorize_techniques_for_overlaid(my_techniques, my_data_sources, platform)
  File "/home/admin1/DeTTECT/technique_mapping.py", line 304, in _map_and_colorize_techniques_for_overlaid
    tcnt = len([d for d in technique_data['detection'] if get_latest_score(d) >= 0])
  File "/home/admin1/DeTTECT/technique_mapping.py", line 304, in <listcomp>
    tcnt = len([d for d in technique_data['detection'] if get_latest_score(d) >= 0])
TypeError: '>=' not supported between instances of 'NoneType' and 'int'
YAML portion of T1005:
technique_id: T1005
technique_name: Data from Local System
detection:
  - applicable_to:
      - all
    location:
      - ''
    comment: ''
    score_logbook: []
visibility:
  - applicable_to:
      - all
    comment:
    score_logbook:
      - date: 2020-05-06T00:00:00.000Z
        score: 3
        comment: ''
    auto_generated: true
Regards,
Nitin
Hi Nitin,
The problem is the empty score_logbook item under the detection node:
    score_logbook: []
Try changing this to:
    score_logbook:
      - date:
        score: -1
        comment: ''
And that should work. Or maybe more entries with an empty score_logbook are there.
One other question: did you edit the YAML file in a text editor or did you use the DeTT&CT Editor?
Cheers,
Ruben
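As an added example (not DeTT&CT's own code), the two checks this thread arrives at in one script: find every detection whose latest score is missing or outside -1..5 (Ruben's first suggestion), and apply the remedy above by giving empty detection score_logbook lists one placeholder entry with score -1. It assumes the techniques YAML has already been loaded with PyYAML into Python lists and dicts; the sample data below is constructed and stands in for that loaded file.

```python
"""Check DeTT&CT technique entries for detection scores that would break the
'get_latest_score(d) >= 0' comparison in technique_mapping.py."""
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample, shaped like a techniques YAML file after PyYAML loading.
SAMPLE_TECHNIQUES: List[Dict[str, Any]] = [
    {"technique_id": "T1003",  # healthy entry
     "detection": [{"applicable_to": ["all"],
                    "score_logbook": [{"date": "2020-05-11", "score": 2, "comment": ""}]}]},
    {"technique_id": "T1005",  # empty score_logbook, as the old Editor produced
     "detection": [{"applicable_to": ["all"], "score_logbook": []}]},
    {"technique_id": "T1173",  # explicit null score
     "detection": [{"applicable_to": ["all"],
                    "score_logbook": [{"date": "2020-05-11", "score": None, "comment": ""}]}]},
    {"technique_id": "T1059",  # score outside -1..5
     "detection": [{"applicable_to": ["all"],
                    "score_logbook": [{"date": "2020-05-11", "score": 7, "comment": ""}]}]},
]

def latest_score(detection: Dict[str, Any]) -> Optional[int]:
    """Score of the newest logbook entry; None when the logbook is empty.
    An empty logbook is exactly the case that yields None and then the TypeError."""
    logbook = detection.get("score_logbook") or []
    if not logbook:
        return None
    newest = max(logbook, key=lambda entry: str(entry.get("date") or ""))
    return newest.get("score")

def find_invalid_detection_scores(techniques: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (technique_id, reason) for every detection whose latest score is
    not an integer in -1..5, i.e. the entries the CLI cannot compare with '>= 0'."""
    problems: List[Tuple[str, str]] = []
    for tech in techniques:
        for det in tech.get("detection", []):
            score = latest_score(det)
            if score is None:
                problems.append((tech["technique_id"], "no score (empty score_logbook or null)"))
            elif isinstance(score, bool) or not isinstance(score, int) or not -1 <= score <= 5:
                problems.append((tech["technique_id"], f"score {score!r} is not in -1..5"))
    return problems

def fix_empty_logbooks(techniques: List[Dict[str, Any]]) -> int:
    """Apply the remedy from the thread: give each empty detection score_logbook
    one placeholder entry with score -1. Returns the number of entries fixed."""
    fixed = 0
    for tech in techniques:
        for det in tech.get("detection", []):
            if not det.get("score_logbook"):
                det["score_logbook"] = [{"date": None, "score": -1, "comment": ""}]
                fixed += 1
    return fixed
```

Running find_invalid_detection_scores before and after fix_empty_logbooks shows that the placeholder entry resolves the T1005 case, while a null or out-of-range score still has to be corrected by hand.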
Hi Ruben,
I used the DeTT&CT Editor and I left the detection score logbook as it is where detection is not there for the respective technique, meaning the score_logbook is set to -1 by default. There are many techniques for which I've not set the score logbook and left those as they are.
Hi Nitin,
I will look into that. I guess the DeTT&CT Editor is not filling the score_logbook for detection and the CLI is not accepting this kind of YAML content. Give me some time to investigate it. I'll come back on this asap.
Regards,
Ruben
Sure Ruben, looking forward to the fix. You guys are doing a fantastic job.
Hi Nitin,
I investigated the issue and found the problem. The DeTT&CT Editor was removing empty score_logbook entries (for sanity reasons), while it should keep 1 empty item. I fixed this in the master branch. If you are running the Editor locally, just do a git pull. I also deployed a new version of the online Editor at: https://rabobank-cdc.github.io/dettect-editor/. If it doesn't work directly, clear your browser cache, because depending on your browser a lot of stuff is cached.
Regards,
Ruben
Thanks Ruben, it worked. Just one piece of feedback: it would be great if we could have a range of Detection and Visibility scores in the legends. For example, there is a legend for Detection and Visibility which is applied to a detection that has scored 2 out of 5. So if we could have a range of Detection and Visibility scores in the legends, it would be useful.
Hi Nitin,
Could you explain this a bit further? The description per detection or visibility score is given on the Wiki and in the scoring table xlsx sheet, and can be viewed in the Editor. Or is that not the kind of info you are looking for?
Regards,
Marcus
Hi Marcus, I referred to the "Visibility and detection coverage" comparison, where we have legends such as 'Visibility', 'Detection' and "Visibility and Detection". What I'm missing is a range of scores for "Visibility and Detection", so that we can identify the techniques for which we have a low detection and visibility rate.
You would need to add two line items to the legends:
- Detection score 4-5, Visibility score 4-5 | Detection and Visibility
- Detection score 1-3, Visibility score 2-5 | Detection and Visibility
Hope that clears it up.
Thanks, that clears things up. Coincidentally, this was already on the roadmap for the next release :-). So, it's coming.
Hi @robotbond,
We just released a new version of DeTT&CT in which we included different shades of colours in overlays. Hope you like it.
Regards,
Ruben
Hi Ruben,
I downloaded the new version and found what was requested. Thanks for including different shades, it makes the reader's job easy.
Regards,
Nitin