rabobank-cdc / DeTTECT

Detect Tactics, Techniques & Combat Threats
GNU General Public License v3.0

Techniques being annotated even when a selected data source not part of the yaml #70

Closed roboticsea closed 2 years ago

roboticsea commented 2 years ago

Hey there!

Thanks so much for this tool! Really helps me prioritize detections to build.

Maybe I'm doing something wrong, but if I select a data source, for example network connection creation, techniques that do not have that as an available data source are still being annotated with, I believe, "applicable to".

If it's a bug in the newest version, I thought I'd submit an issue. If this is user error, I'm really sorry!

-Rob

rubinatorz commented 2 years ago

hi @roboticsea

We don't quite understand what you mean. Can you please elaborate your issue a bit more and include some screenshots?

roboticsea commented 2 years ago

It's probably me doing something wrong, but here's what I did to produce a yaml for network share access applicable to Windows. If you look at the converted json layer in Navigator, it colored the right techniques, but all the other techniques were annotated as well (with "Applicable to Windows").

Thanks!!!

marcusbakker commented 2 years ago

Could you share some screenshots?

roboticsea commented 2 years ago

Sorry, I replied with them on this email. Let me attach them to the issue.

roboticsea commented 2 years ago

[Three screenshots attached: Screen Shot 2022-04-27 at 11:17:14 AM, 11:10:39 AM and 11:10:31 AM]

marcusbakker commented 2 years ago

What you are seeing in the Navigator is correct. For example, the metadata shown for T1200 tells you you're missing a data source to have visibility. Hence the score of 0%.

About the yellow underlining, that can be pretty annoying. We currently have no way of influencing that from the .json layer file. However, one solution is to use a different URL for the ATT&CK Navigator, which removes the yellow underlining for annotated techniques.

https://mitre-attack.github.io/attack-navigator/#comment_underline=false

roboticsea commented 2 years ago

Ah, that makes sense.

The reason I was asking is that I use these to compare against attack group layers to find techniques to build detections for. When stuff is annotated like this, the comparison layer is skewed. But you got me in the right direction.

Thanks!!
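The two points made above, that a technique annotated with "Applicable to" metadata but scored 0% carries no visibility, and that those zero-score entries skew a comparison against an adversary-group layer, can be handled on the layer file itself. The following is an added example and not part of DeTTECT or the ATT&CK Navigator: it prunes zero-score techniques from a Navigator-style layer and lists the techniques a group layer uses that the pruned visibility layer does not cover. The field names (`techniqueID`, `score`, `metadata`) follow the Navigator layer format; both layer documents and their scores are constructed sample data, not output from the tool.

```python
"""Prune zero-score techniques from a Navigator-style visibility layer and
list the techniques of an adversary-group layer that remain uncovered.

Added example, not code from DeTTECT. The two layer documents below are
constructed by hand in the shape of an ATT&CK Navigator layer file.
"""
import json
from typing import Any

# Constructed visibility layer: two techniques with real coverage and one
# (T1200) that only carries "Applicable to" metadata with a score of 0,
# i.e. the data source needed for visibility is missing.
VISIBILITY_LAYER_JSON = """
{
  "name": "visibility-example",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1021.002", "score": 75,
     "metadata": [{"name": "Applicable to", "value": "Windows"}]},
    {"techniqueID": "T1039", "score": 50,
     "metadata": [{"name": "Applicable to", "value": "Windows"}]},
    {"techniqueID": "T1200", "score": 0,
     "metadata": [{"name": "Applicable to", "value": "Windows"}]}
  ]
}
"""

# Constructed adversary-group layer: a score above 0 marks a technique as used.
GROUP_LAYER_JSON = """
{
  "name": "group-example",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1021.002", "score": 1},
    {"techniqueID": "T1200", "score": 1},
    {"techniqueID": "T1566.001", "score": 1}
  ]
}
"""


def load_layer(text: str) -> dict[str, Any]:
    """Parse a layer file's JSON text into a dict."""
    return json.loads(text)


def prune_zero_score(layer: dict[str, Any], min_score: int = 1) -> dict[str, Any]:
    """Return a copy of the layer keeping only techniques scored >= min_score.

    Entries with a missing or non-numeric score are treated as uncovered and
    dropped, so the result no longer annotates techniques that have no visibility.
    """
    pruned = dict(layer)
    pruned["techniques"] = [
        t for t in layer.get("techniques", [])
        if isinstance(t.get("score"), (int, float)) and t["score"] >= min_score
    ]
    return pruned


def covered_ids(layer: dict[str, Any]) -> set[str]:
    """Technique IDs that keep a positive score after pruning."""
    return {t["techniqueID"] for t in prune_zero_score(layer)["techniques"]}


def uncovered_group_techniques(visibility: dict[str, Any], group: dict[str, Any]) -> list[str]:
    """Techniques the group layer marks as used but the visibility layer does not cover.

    These are the candidates for building new detections or onboarding data sources.
    """
    used = {
        t["techniqueID"] for t in group.get("techniques", [])
        if isinstance(t.get("score"), (int, float)) and t["score"] > 0
    }
    return sorted(used - covered_ids(visibility))


def main() -> None:
    visibility = load_layer(VISIBILITY_LAYER_JSON)
    group = load_layer(GROUP_LAYER_JSON)
    # Write the pruned layer back out in a form the Navigator can load.
    print(json.dumps(prune_zero_score(visibility), indent=2))
    print("Build detections for:", uncovered_group_techniques(visibility, group))


if __name__ == "__main__":
    main()
```

Pruning on score rather than on the presence of metadata is deliberate: DeTTECT attaches "Applicable to" to every technique in the layer, so the score is the only field that tells a covered technique from an annotated-but-blind one. Run the pruned JSON through the Navigator's comparison feature in place of the original and the skew described above disappears.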

marcusbakker commented 2 years ago

Good to hear that. I will close this issue for now.