siriussecurity / dettectinator

Dettectinator - The Python library to your DeTT&CT YAML files.
GNU General Public License v3.0
104 stars 12 forks source link

Dettectinator

Dettectinator - The Python library to your DeTT&CT YAML files.

DeTT&CT is a framework that helps blue teams in using MITRE ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. All administration is done in YAML files which can be editted via the DeTT&CT Editor. But what if you want to automate the generation and modification of these YAML files? That's were Dettectinator comes in!

Dettectinator is built to be included in your SOC automation tooling. It can be included as a Python library (pip install dettectinator) or it can be used via the command line (python dettectinator.py -h).

Dettectinator also provides plugins to read detections and data sources from your SIEM or EDR and create a DeTT&CT YAML for it, so that you can use it to visualize your ATT&CK data source and detection coverage in the ATT&CK Navigator.

Currently for detections, we have plugins for the following tools:

For data sources, you can use the following plugins:

In the latest version we have also added support for importing attack groups data. The way that you import that data will depend on how you get your CTI data delivered. We added 2 sample plugins that you can use to create your own tailored plugins:

It's easy to create your own Dettectinator plugins or edit the ones we've provided to cover additional scenario's.

More information on how to use Dettectinator and how to use and create plugins can be found in the wiki.