color not showing on navigator about dettect HOT 11 CLOSED

I didn't reinstall DETT&CT, but by using this command python dettect.py ds -fd input/data-sources-new.yaml --local-stix-path input/cti-ATT-CK-v8.2/ --layer to create the JSON file helped and it shows the color mapping on the v8 MITRE Navigator.

Thank you so much!!

from dettect.

When I used my old JSON file, it will show the color. However, when I create a new YAML file with a lot of data sources added and then convert it to a JSON, it will show 1 KB as the file size. Not sure what is going on.

from dettect.

You should be able to get this working by pointing DeTT&CT to a v8 CTI repository and use v1.4.2 (which you are already doing).

• Get the v8.2 release from this URL: https://github.com/mitre/cti/releases/tag/ATT%26CK-v8.2
• Point dettect.py to v8.2. For exampe: python3 dettect.py ge --local-stix-path /prev_attack/cti-ATT-CK-v8.2 -ds

from dettect.

Thanks for your help. I tried that and it load successfully. I tried to create a new yaml file with over 10 data sources which was 8 KB, however, when I convert it from YAML to JSON using python dettect.py ds -fd c.yaml -l it will work. However, again, when I load it into the navigator, it will load correctly, but not color mapping. The JSON file was 1 KB. Previously, the one that worked, had a KB size of 165. Is there anything else I can try?

from dettect.

Just checking:

• This new YAML file contains the old data source names from v8?
• In the command line you provided, I'm missing the following argument: --local-stix-path [path to CTI dir for ATT&CK v8].

I've just done a quick test myself and got it working. See below my steps:

• Setup DeTT&CT v1.4.2 using Docker:
  • Get the image: docker pull rabobankcdc/dettect:v1.4.2
  • Create the container: docker run -p 8080:8080 -v $(pwd)/output:/opt/DeTTECT/output -v $(pwd)/input:/opt/DeTTECT/input --name dettect -it rabobankcdc/dettect:v1.4.2 /bin/bash
  • More info on Docker for DeTT&CT here.
• Launched the v1.4.2 Editor from within the Docker container: python dettect.py e
• Within the Editor created a new data source file with only a few ATT&CK v8 data sources.
  • Saved the file from the Editor and placed it within the input directory for the Docker container. (my filename was: data-sources-new.yaml
• Within this same input directory placed a copy of the ATT&CK v8 dir: cti-ATT-CK-v8.2
• From within the container I ran the following command to generate the Navigator layer file: python dettect.py ds -fd input/data-sources-new.yaml --local-stix-path input/cti-ATT-CK-v8.2/ --layer
  • When loading this into the Navigator is showed the right scoring/colouring as expected.

from dettect.

I have come across a similar or the same issue with DeTT&CT v1.4.3. Could it be that the editor is still showing ATT&CK v8?

 $ python3 dettect.py generic -ds -m enterprise
Count  Data Source
--------------------------------------------------
243    Command: Command Execution
197    Process: Process Creation
95     File: File Modification
(...)

from dettect.

@diogo-fernan must be related to the browser cache. Can you try to clear the cache or see if it works when running in a private browsing window?

from dettect.

@marcusbakker that does not seem to be the reason. The editor was already running on a private browsing window, but just retried creating one from scratch now and the data sources seem to be outdated all the same in different browsers. This is a local download and installation of requirements.txt with pip3 by the way!

from dettect.

@diogo-fernan I know what has caused this now. I quickly pushed out the release and not waited long enough for some GitHub Actions to complete. Therefore, the release files on the release page have the old data sources. I've added a new .zip file on the release page: DeTTECT-1.4.3.zip

from dettect.

@marcusbakker that seems to have fixed it. Thanks!

from dettect.

@diogo-fernan good 😄.

from dettect.