tailsec
commented
1 year ago I've tested this with Data Sources too and have encountered the same issue. The use case I was attempting to test was where we had multiple Data Source layers for different asset classes but wanted to visualise our coverage of.
The command I ran:
(venv) user@ubuntu:/opt/DeTTECT$ python dettect.py ds -fd ~/Downloads/data-sources-Corporate-SOE.yaml -fd ~/Downloads/data-sources-Legacy-SOE.yaml -l
File written: output/data_sources_legacy-soe.jsonThe files I used: data-sources-Corporate-SOE.yaml.txt data-sources-Legacy-SOE.yaml.txt
Attempting to filter by Applicable-to seemed to confirm it's only processing the last file passed:
(venv) user@ubuntu:/opt/DeTTECT$ python dettect.py ds -fd ~/Downloads/data-sources-Corporate-SOE.yaml -fd ~/Downloads/data-sources-Legacy-SOE.yaml -a 'Corporate SOE - Windows' -a 'DMZ Servers - Windows' -a 'DMZ Workstations' -a 'DEV Servers - Windows' -l
[!] 'Corporate SOE - Windows' is an unknown applicable to value.
Known values are: dmz servers - linux, dev servers - linux, dev servers - windows, dmz servers - windows, dmz workstations
rubinatorz
I'm unable to create a Detection overlay despite being able to feed in multiple Group layers:
The resulting output file doesn't feature any of the Red Canary Techniques, despite there being multiple overlaps: attack_red-team-(scenario-1)-overlay_detection_5.json.txt
e.g. both group layers feature PowerShell, but only the Red Team layer TTPs are present:
For reference - the second group file: 20220322-RedCanary.yaml.txt
Is this not a supported function? If so, it would be a useful one to have, e.g. if asked to provide an overview of Detections for Chinese-affiliated actors, you could overlay Detections with APT27, APT41, etc.