rabobank-cdc / DeTTECT

Detect Tactics, Techniques & Combat Threats
GNU General Public License v3.0

Old versions of DeTTECT #102

Closed palevelmode closed 1 year ago

palevelmode commented 1 year ago

Is there a way to install old versions of DeTTECT? I can't find a download link to an old version. I am overwhelmed by this new version of the MITRE ATT&CK framework. But since there's a possibility to use the ATT&CK Navigator up to old version 4, I'd like to start mapping our data sources/visibility using DeTTECT with the old MITRE ATT&CK version, just to start simpler using a previous DeTTECT version.

rubinatorz commented 1 year ago

@palevelmode

Sure, you can find all releases on the release page: https://github.com/rabobank-cdc/DeTTECT/releases

palevelmode commented 1 year ago

Sorry, I'm not sure if this can be resolved or not. Seems like an error reaching the MITRE API?

rubinatorz commented 1 year ago

@palevelmode That's an issue with the MITRE server indeed, but I think due to version mismatch. So you can't run that DeTT&CT version against the current MITRE TAXII version. We have a possibility to use a local STIX collection, but that option is introduced in version 1.4.3 and that's the version that includes revamped data sources which you are trying to avoid. So I think you'd better try to adopt the new data sources :-)

palevelmode commented 1 year ago

Thanks, I guess there's no other option then. I really like the old version of the MITRE ATT&CK framework as it is much simpler than the convoluted new version.

By any chance, do you guys here in DeTTECT have documentation available regarding what kind of security devices, Linux logs, Windows logs, etc. are going to produce particular MITRE data sources?

For example:

Perimeter FW = what kind of data source can it produce?

  1. Where can I find data sources or tactics/techniques for network devices such as:
    • intrusion detection/intrusion prevention systems
    • network/perimeter firewall (e.g. Fortinet, Palo Alto, Check Point, etc.)
    • web application firewall like Imperva
    • anti-DDoS like Akamai

Does DeTTECT have this kind of documents/resource available?

Thank you for the kind reply, I really appreciate it.

rubinatorz commented 1 year ago

Hi @palevelmode

I'm not aware of documentation that maps logs of security devices to ATT&CK data sources. That's very specific and vendor dependent. However, when looking at Windows Event Logs, Syslog, or Defender for Endpoint, you can have a look at the OSSEM project at https://github.com/OTRF/OSSEM. There you'll find a mapping between event IDs and ATT&CK data sources.