Nice High Level talks are always beneficial for wrapping up your knowledge as I did here. Thanks H & A security solutions. Worth watching a couple of times...
Thanks for the awesome explanation!! Quick question, around minute 4:00 you uploaded to the Navigator the JSON file of Sysmon, from where that file came from? Was that file generated by DeTTECT? How? That file clearly had more coverage than regular Windows logs, but am wondering how that mapping was done, thanks.
That file was created from using DeTTECT. I created a data source file stating I have built-in Windows channels, Sysinternals Sysmon coverage, and other Windows channels that there are common community rulesets such as from Sigma Generic Signatures. I then used the DeTTECT command-line script to convert it to a navigator JSON layer that I could upload to MITRE Navigator.
@@HASecuritySolutions Probably didn't explain myself right, but I was wondering how the YAML was created (the coverage), please correct me if I am wrong but if we want to include Sysmon as a data source in DeTTECT or any other data source we MUST go to the vendor documentation and manually identify which techniques they provide some coverage according to their capabilities and use that intel in DeTTECT, right? I was under the impression that maybe there is a repository with the most common data sources already mapped, it sounds more like a community project as there are so many data sources out there (just thinking out loud here sorry)
@@mauriciozp84 I think I understand your question now. For this, I did go to learn.microsoft.com/en-us/sysinternals/downloads/sysmon to look at all the event IDs generated and what they are for. Then, I map those to the corresponding MITRE Data sources which is what DeTTECT's data source list is based on (attack.mitre.org/datasources/). That builds the initial YAML file. To my knowledge, there is not a pre-provided list of software to data sources that you can use to build the YAML. However, while there are a ton of attack techniques in MITRE, there's currently only about 50 data sources. So doing the data source mapping does not take that long. For example, I can compare visibility from Sysmon vs an EDR's telemetry logs in about an hour just by mapping what logs I'm provided access to within MITRE Data Sources (within DeTTECT)
@@HASecuritySolutions Got it, I was afraid you will say it was a manual work XD, thanks for the time you took answering our concerns, great video man!!
Thanks for taking the time and answering our concerns!! I am trying to learn a little bit about this framework, am wondering how would you map an EDR, which is a blackbox, like Falcon from Crowdstrike? Or which will be your approach, thanks man.
The sigma colors of yellow, orange, and red represents how many rules cover a given technique. Yellow means one. Orange means 2. Red means 3+. For dettect imports, the shade of purple represents how much coverage you have by data source to technique. The darker the color the better the coverage
@@jaikisan3393 No worries at all. The data source json files came from using the tool DeTTect which I cover here: th-cam.com/video/EXnutTLKS5o/w-d-xo.html and the alert json files come from the Sigma Generic Signatures project when using sigma2attack. I probably should make a video for Sigma :)
Mitre navigator let's you create layers. If you assign scores within each layer you can create a layer that combines our subtracts or compares one or more layers together
how do we go about taking sample data into DeTT&CT and run it from a VM should we not have real data to play around with or a real environment . Could you possibly do a more detailed video on DeTT&CT ? how do we take that YAML file to JSON using python script via DeTT&CT ? could you consider showing that process in a short video please
For the YAML to JSON you'll need to use the DeTTECT tool from github.com/rabobank-cdc/DeTTECT. Example below: python /opt/DeTTECT/dettect.py ds -fd input/your_data_source.yaml -l Depending on the version of DeTTECT the command may change.
@@HASecuritySolutions You mean the DeTTECT editor. Followed your example in the video, saved yaml file then used a yaml to json tool. get this error WARNING: Uploaded layer version (1) does not match Navigator's layer version (4.1). The layer configuration may not be fully restored. Thanks for the assistance
@@rv5080 Yes. You are correct. I'll update the video description to clarify my statement that the yaml to JSON is intended to come from the DeTTECT editor's python code.
brilliant thank you . Followed . one of the best explanations i have heard
Glad it was helpful!
Magnificent!! Super cool high level details amazingly put. Thank you very much
Thank you very much!
Thank you so much for the content, seeing application is what helps me learn
One thought is how do you apply it one model matrix system? Windows servers, linux servers other OS or applications or overall one model
This is a great video! Much appreciated
Very nice video, very well done... would like to see more such short videos and learn.
I will try my best. More to come soon.
Great video, eagerly awaiting the next.
More to come!
Nice High Level talks are always beneficial for wrapping up your knowledge as I did here. Thanks H & A security solutions.
Worth watching a couple of times...
Great video and nice message at the end. I will definitely pay it forward!
Awesome! Thank you!
Thanks for the awesome explanation!! Quick question, around minute 4:00 you uploaded to the Navigator the JSON file of Sysmon, from where that file came from? Was that file generated by DeTTECT? How? That file clearly had more coverage than regular Windows logs, but am wondering how that mapping was done, thanks.
That file was created from using DeTTECT. I created a data source file stating I have built-in Windows channels, Sysinternals Sysmon coverage, and other Windows channels that there are common community rulesets such as from Sigma Generic Signatures. I then used the DeTTECT command-line script to convert it to a navigator JSON layer that I could upload to MITRE Navigator.
@@HASecuritySolutions Probably didn't explain myself right, but I was wondering how the YAML was created (the coverage), please correct me if I am wrong but if we want to include Sysmon as a data source in DeTTECT or any other data source we MUST go to the vendor documentation and manually identify which techniques they provide some coverage according to their capabilities and use that intel in DeTTECT, right? I was under the impression that maybe there is a repository with the most common data sources already mapped, it sounds more like a community project as there are so many data sources out there (just thinking out loud here sorry)
@@mauriciozp84 I think I understand your question now. For this, I did go to learn.microsoft.com/en-us/sysinternals/downloads/sysmon to look at all the event IDs generated and what they are for. Then, I map those to the corresponding MITRE Data sources which is what DeTTECT's data source list is based on (attack.mitre.org/datasources/). That builds the initial YAML file. To my knowledge, there is not a pre-provided list of software to data sources that you can use to build the YAML. However, while there are a ton of attack techniques in MITRE, there's currently only about 50 data sources. So doing the data source mapping does not take that long. For example, I can compare visibility from Sysmon vs an EDR's telemetry logs in about an hour just by mapping what logs I'm provided access to within MITRE Data Sources (within DeTTECT)
@@HASecuritySolutions Got it, I was afraid you will say it was a manual work XD, thanks for the time you took answering our concerns, great video man!!
That's a great video 👏
Great video thank you!
My pleasure!
Thanks for taking the time and answering our concerns!! I am trying to learn a little bit about this framework, am wondering how would you map an EDR, which is a blackbox, like Falcon from Crowdstrike? Or which will be your approach, thanks man.
This was really useful. Thank you.
Thank you, this is very useful.
You're welcome
Really good 👍
Great video! Thanks!!
You're welcome!
Brilliant indeed! Thanks
Glad you liked it!
Amazing insight!! Keep it up. May I know what those colors indicate when you upload JSON file to designer?
The sigma colors of yellow, orange, and red represents how many rules cover a given technique. Yellow means one. Orange means 2. Red means 3+.
For dettect imports, the shade of purple represents how much coverage you have by data source to technique. The darker the color the better the coverage
@@HASecuritySolutions Many thanks for reply. How did you get those JSON files? Sorry I am new to this.
@@jaikisan3393 No worries at all. The data source json files came from using the tool DeTTect which I cover here: th-cam.com/video/EXnutTLKS5o/w-d-xo.html and the alert json files come from the Sigma Generic Signatures project when using sigma2attack. I probably should make a video for Sigma :)
Very cool.
Thank you
My use cases are not in yaml files they are just searches. Should I create them in yaml format and use sigma2attack to properly map them?
Hi, you say you use to use another window to sum up the attacks. Can you elaborate on this?
Mitre navigator let's you create layers. If you assign scores within each layer you can create a layer that combines our subtracts or compares one or more layers together
Hi, is there a way to guess which hacking group is attacking me via a phishing or password brute force attack?
Thanks
❤
Amazing
Thank you so much
how do we go about taking sample data into DeTT&CT and run it from a VM should we not have real data to play around with or a real environment . Could you possibly do a more detailed video on DeTT&CT ?
how do we take that YAML file to JSON using python script via DeTT&CT ? could you consider showing that process in a short video please
I've had multiple requests for this so I think I'll make it happen. Stay tuned
great video yaml to json doesnt work
For the YAML to JSON you'll need to use the DeTTECT tool from github.com/rabobank-cdc/DeTTECT. Example below:
python /opt/DeTTECT/dettect.py ds -fd input/your_data_source.yaml -l
Depending on the version of DeTTECT the command may change.
@@HASecuritySolutions You mean the DeTTECT editor. Followed your example in the video, saved yaml file then used a yaml to json tool. get this error WARNING: Uploaded layer version (1) does not match Navigator's layer version (4.1). The layer configuration may not be fully restored. Thanks for the assistance
@@rv5080 Yes. You are correct. I'll update the video description to clarify my statement that the yaml to JSON is intended to come from the DeTTECT editor's python code.
+
Thank you
Well explained, i say short and damn SWEET 🧁🎂🎂???
Fantastic. That's the goal.