rabobank-cdc / DeTTECT

Detect Tactics, Techniques & Combat Threats
GNU General Public License v3.0

Issue Generating Heatmaps based on multiple groups #72

Open CyberGumShew opened 2 years ago

CyberGumShew commented 2 years ago

I'm having an issue generating a heatmap on multiple group administration files.

Running the group command with multiple -g parameters just generates a heatmap on the first parameter provided, not a combined heatmap.

Example command (1 technique for each .yaml):

```
python.exe .\dettect.py g -g '.\threat-actor-data\test2.yaml' -g '.\threat-actor-data\test1.yaml'
```

Generates:

```json
{
  "name": "Attack - Linux, Windows, macOS",
  "versions": { "navigator": "4.5", "layer": "4.3" },
  "domain": "enterprise-attack",
  "description": "stage: attack | platform(s): Linux, Windows, macOS | group(s): Test1 | overlay group(s): ",
  "filters": { "platforms": [ "Windows", "Linux", "macOS" ] },
  "sorting": 3,
  "layout": {
    "layout": "flat",
    "aggregateFunction": "sum",
    "showAggregateScores": true,
    "countUnscored": false,
    "showName": true,
    "showID": false
  },
  "hideDisable": false,
  "selectSubtechniquesWithParent": false,
  "techniques": [
    { "techniqueID": "T1218.011", "score": 2380, "metadata": [ { "name": "Group", "value": "Test1" } ] },
    { "techniqueID": "T1218", "showSubtechniques": true }
  ],
  "showTacticRowBackground": false,
  "tacticRowBackground": "#dddddd",
  "selectTechniquesAcrossTactics": true,
  "gradient": { "colors": [ "#ffcece", "#ff0000" ], "minValue": 0, "maxValue": 2380 },
  "legendItems": [
    { "label": "Tech. not often used", "color": "#ffcece" },
    { "label": "Tech. used frequently", "color": "#ff0000" },
    { "label": "Groups overlay: tech. in group + overlay", "color": "#f9a825" },
    { "label": "Groups overlay: tech. in overlay", "color": "#ffee58" },
    { "label": "Src. of tech. is only software", "color": "#0d47a1 " },
    { "label": "Src. of tech. is group(s)/overlay + software", "color": "#64b5f6 " }
  ]
}
```

rubinatorz commented 2 years ago

hi @CyberGumShew

Currently there's only support for having 1 group yaml file loaded into the group mode. If you want to combine multiple groups, you can put all groups into one group yaml file. The group yaml file does support multiple groups and multiple campaigns. Please be aware that the "enabled" property is set to true. If you then generate a heatmap, you'll have all the groups included in the heatmap.

We do have an item on our backlog to support multiple group yaml files and also to compare these with ATT&CK groups.

Regards, Ruben
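As an added example (not code from DeTTECT or from either commenter) of the workaround Ruben describes: a small script that folds several group administration files into the single file that `dettect.py g` accepts, forcing `enabled: true` on every group and refusing duplicate group names. The YAML field names it uses are an assumption about DeTTECT's group schema, and the two inputs are constructed stand-ins for the reporter's test1.yaml and test2.yaml:

```python
from typing import Dict, List

# Field names (file_type, version, groups[].group_name/campaign/technique_id/
# software_id/enabled) are an assumption about DeTTECT's group YAML schema.
GROUP_FILE_TYPE = "group-administration"


def merge_group_admins(docs: List[Dict]) -> Dict:
    """Combine the 'groups' lists of several parsed group-administration files.
    Every group is forced to enabled: true so it ends up in the heatmap, and a
    group_name defined in more than one input is rejected, not duplicated."""
    merged = {"file_type": GROUP_FILE_TYPE, "version": 1.0, "groups": []}
    seen = set()
    for doc in docs:
        if doc.get("file_type") != GROUP_FILE_TYPE:
            raise ValueError(f"not a group-administration file: {doc.get('file_type')!r}")
        for group in doc.get("groups") or []:
            name = group["group_name"]
            if name in seen:
                raise ValueError(f"group {name!r} is defined in more than one input file")
            seen.add(name)
            entry = dict(group)
            entry["enabled"] = True  # a disabled group is left out of the heatmap
            entry["technique_id"] = sorted(set(entry.get("technique_id") or []))
            merged["groups"].append(entry)
    return merged


def merge_files(paths: List[str], out_path: str) -> Dict:
    """Load, merge and write the YAML files; PyYAML is needed only for this step."""
    import yaml  # third-party, imported lazily so the merge logic has no dependency
    docs = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            docs.append(yaml.safe_load(fh))
    merged = merge_group_admins(docs)
    with open(out_path, "w", encoding="utf-8") as fh:
        yaml.safe_dump(merged, fh, sort_keys=False)
    return merged


# Constructed inputs standing in for the reporter's test1.yaml and test2.yaml
# (one technique each); Test2 is disabled on purpose to show it gets enabled.
TEST1 = {"file_type": GROUP_FILE_TYPE, "version": 1.0, "groups": [{"group_name": "Test1",
         "campaign": "", "technique_id": ["T1218.011"], "software_id": [], "enabled": True}]}
TEST2 = {"file_type": GROUP_FILE_TYPE, "version": 1.0, "groups": [{"group_name": "Test2",
         "campaign": "", "technique_id": ["T1059.001"], "software_id": [], "enabled": False}]}
```

Running `merge_files(["test2.yaml", "test1.yaml"], "combined.yaml")` and then `python dettect.py g -g combined.yaml` gives one heatmap covering both groups.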