Closed palevelmode closed 1 year ago
@palevelmode
Sure, you can find all releases on the release page: https://github.com/rabobank-cdc/DeTTECT/releases
Sorry, I'm not sure if this can be resolve or not. Seems like error reaching Mitre API?
@palevelmode That's an issue with the MITRE server indeed, but I think due to version mismatch. So you can't run that DeTT&CT version against the current MITRE TAXII version. We have a possibility to use a local STIX collection, but that option is introduced in version 1.4.3 and that's the version that includes revamped data sources which you are trying to avoid. So I think you'd better try to adopt the new data sources :-)
Thanks, I guess there's no other option then. I really like the old version of Mitre ATT&CLK framework as they are much simpler than the convoluted new version.
BY any chance do you guys here in DeTTECT have available documentation regarding what kind of security devices, linux logs, windows logs, etc are going to produce particular mitre data sources?
For example:
Perimeter FW = What kind of data source can produce?
Does DeTTECT have this kind of documents/resource available?
Thank you for kind reply, I really appreciate it.
hi @palevelmode
I'm not aware of documentation that maps logs of security devices to ATT&CK data sources. That's very specific and vendor dependent. However, when looking at Windows Event Logs, Syslog, Defender for Endpoint, you can have a look at the OSSEM project at https://github.com/OTRF/OSSEM. There you'll find a mapping between event ID's and ATT&CK data sources.
Is there a way to install old versions of DeTTECT? I can't find download link to old version. I am overwhelmed by this new version of Mitre ATT&CK framework. But since there's a possibility to use the attack navigator up to old version 4. I'd like to start mapping our datasources/visibility using DeTTECT using mitre attack old version just to start simpler using previous DeTTECT version.