-
Notifications
You must be signed in to change notification settings - Fork 336
Help texts
rubinatorz edited this page Nov 7, 2024
·
21 revisions
Below you will find all the help texts present in dettect.py
:
python dettect.py -h
usage: dettect.py [-h] [--version] ...
Detect Tactics, Techniques & Combat Threats
options:
-h, --help show this help message and exit
--version show program's version number and exit
MODE:
Select the mode to use. Every mode has its own arguments and help info
displayed using: {editor, datasource, visibility, detection, group,
generic} --help
editor (e) DeTT&CT Editor
datasource (ds)
data source mapping and quality
visibility (v)
visibility coverage mapping based on techniques and data
sources
detection (d) detection coverage mapping based on techniques
group (g) threat actor group mapping
generic (ge) includes: statistics on ATT&CK data source and updates on
techniques, groups and software
Source: https://github.com/rabobank-cdc/DeTTECT
python dettect.py editor -h
usage: dettect.py editor [-h] [-p PORT]
Start the DeTT&CT Editor for easy editing the YAML administration files
options:
-h, --help show this help message and exit
-p PORT, --port PORT port where the webserver listens on (default is 8080)
python dettect.py datasource -h
usage: dettect.py datasource [-h] [-ft FILE_TECH] -fd FILE_DS
[-a APPLICABLE_TO] [-s SEARCH] [-l] [-e] [-g]
[-y] [-ya] [-u] [-of OUTPUT_FILENAME]
[-ln LAYER_NAME] [--health]
[--local-stix-path LOCAL_STIX_PATH]
[--layer-settings LAYER_SETTINGS]
Create a heat map based on data sources, output data sources to Excel or
generate a data source improvement graph.
options:
-h, --help show this help message and exit
-ft FILE_TECH, --file-tech FILE_TECH
path to the technique administration YAML file (used
with the option '-u, --update' to update the
visibility scores)
-fd FILE_DS, --file-ds FILE_DS
path to the data source administration YAML file
-a APPLICABLE_TO, --applicable-to APPLICABLE_TO
specify which data source objects to include by
filtering on applicable to value(s) (used to define
the type of system). You can provide multiple
applicable to values with extra '-a/--applicable-to'
arguments
-s SEARCH, --search SEARCH
only include data sources which match the provided EQL
query
-l, --layer generate a data source layer for the ATT&CK navigator
-e, --excel generate an Excel sheet with all data source
-g, --graph generate a graph with data sources added through time
-y, --yaml generate a technique administration YAML file with
visibility scores based on the number of available
data sources
-ya, --yaml-all-techniques
include all ATT&CK techniques in the generated YAML
file (when the argument -y, --yaml is provided) that
apply to the platform(s) specified in the data source
YAML file
-u, --update update the visibility scores within a technique
administration YAML file based on changes within any
of the data sources. Past visibility scores are
preserved in the 'score_logbook', and manually
assigned scores are not updated without your approval.
The updated visibility scores are calculated in the
same way as with the option: -y, --yaml
-of OUTPUT_FILENAME, --output-filename OUTPUT_FILENAME
set the output filename
-ln LAYER_NAME, --layer-name LAYER_NAME
set the name of the Navigator layer
--health check the YAML file(s) for errors
--local-stix-path LOCAL_STIX_PATH
path to a local STIX repository to use DeTT&CT offline
or to use a specific version of STIX objects
--layer-settings LAYER_SETTINGS
specific settings for the Navigator layer. Supported
settings: showAggregateScores=True|False,
layout=side|flat|mini, showMetadata=True|False,
includeTactic=True|False,
includeAttackVersion=True|False. Multiple settings can
be provided with extra --layer-settings arguments.
Example: --layer-settings showAggregateScores=True
python dettect.py visibility -h
usage: dettect.py visibility [-h] -ft FILE_TECH [-p PLATFORM]
[-sd SEARCH_DETECTION] [-sv SEARCH_VISIBILITY]
[--all-scores] [-l] [-e] [-o] [-g]
[-of OUTPUT_FILENAME] [-ln LAYER_NAME] [-cd]
[--health] [--local-stix-path LOCAL_STIX_PATH]
[--layer-settings LAYER_SETTINGS]
Create a heat map based on visibility scores, overlay visibility with
detections, output to Excel or check the health of the technique
administration YAML file.
options:
-h, --help show this help message and exit
-ft FILE_TECH, --file-tech FILE_TECH
path to the technique administration YAML file (used
to score the level of visibility)
-p PLATFORM, --platform PLATFORM
specify the platform for the Navigator layer file
(default = platform(s) specified in the YAML file).
Multiple platforms can be provided with extra
'-p/--platform' arguments. The available platforms can
be listed from the generic mode: 'ge --list-platforms'
-sd SEARCH_DETECTION, --search-detection SEARCH_DETECTION
only include detection objects which match the
provided EQL query
-sv SEARCH_VISIBILITY, --search-visibility SEARCH_VISIBILITY
only include visibility objects which match the
provided EQL query
--all-scores include all 'score' objects from the 'score_logbook'
in the EQL search. The default behaviour is to only
include the most recent 'score' objects
-l, --layer generate a visibility layer for the ATT&CK navigator
-e, --excel generate an Excel sheet with all administrated
techniques
-o, --overlay generate a visibility layer overlaid with detections
for the ATT&CK navigator
-g, --graph generate a graph with visibility added through time
-of OUTPUT_FILENAME, --output-filename OUTPUT_FILENAME
set the output filename
-ln LAYER_NAME, --layer-name LAYER_NAME
set the name of the Navigator layer
-cd, --count-detections
Show the number of detections instead of listing all
detection locations in Layer metadata (when using an
overlay with detection). Location prefix will be used
to group detections. Location prefix can be used in
the location field, e.g. "EDR: Rule 1".
--health check the YAML file for errors
--local-stix-path LOCAL_STIX_PATH
path to a local STIX repository to use DeTT&CT offline
or to use a specific version of STIX objects
--layer-settings LAYER_SETTINGS
specific settings for the Navigator layer. Supported
settings: showAggregateScores=True|False,
layout=side|flat|mini, showMetadata=True|False,
includeTactic=True|False,
includeAttackVersion=True|False. Multiple settings can
be provided with extra --layer-settings arguments.
Example: --layer-settings showAggregateScores=True
python dettect.py detection -h
usage: dettect.py detection [-h] -ft FILE_TECH [-p PLATFORM]
[-sd SEARCH_DETECTION] [-sv SEARCH_VISIBILITY]
[--all-scores] [-l] [-e] [-o] [-g]
[-of OUTPUT_FILENAME] [-ln LAYER_NAME] [-cd]
[--health] [--local-stix-path LOCAL_STIX_PATH]
[--layer-settings LAYER_SETTINGS]
Create a heat map based on detection scores, overlay detections with
visibility, generate a detection improvement graph, output to Excel or check
the health of the technique administration YAML file.
options:
-h, --help show this help message and exit
-ft FILE_TECH, --file-tech FILE_TECH
path to the technique administration YAML file (used
to score the level of detection)
-p PLATFORM, --platform PLATFORM
specify the platform for the Navigator layer file
(default = platform(s) specified in the YAML file).
Multiple platforms can be provided with extra
'-p/--platform' arguments. The available platforms can
be listed from the generic mode: 'ge --list-platforms'
-sd SEARCH_DETECTION, --search-detection SEARCH_DETECTION
only include detection objects which match the
provided EQL query
-sv SEARCH_VISIBILITY, --search-visibility SEARCH_VISIBILITY
only include visibility objects which match the
provided EQL query
--all-scores include all 'score' objects from the 'score_logbook'
in the EQL search. The default behaviour is to only
include the most recent 'score' objects
-l, --layer generate detection layer for the ATT&CK navigator
-e, --excel generate an Excel sheet with all administrated
techniques
-o, --overlay generate a detection layer overlaid with visibility
for the ATT&CK navigator
-g, --graph generate a graph with detections added through time
-of OUTPUT_FILENAME, --output-filename OUTPUT_FILENAME
set the output filename
-ln LAYER_NAME, --layer-name LAYER_NAME
set the name of the Navigator layer
-cd, --count-detections
Show the number of detections instead of listing all
detection locations in Layer metadata. Location prefix
will be used to group detections. Location prefix can
be used in the location field, e.g. "EDR: Rule 1".
--health check the YAML file(s) for errors
--local-stix-path LOCAL_STIX_PATH
path to a local STIX repository to use DeTT&CT offline
or to use a specific version of STIX objects
--layer-settings LAYER_SETTINGS
specific settings for the Navigator layer. Supported
settings: showAggregateScores=True|False,
layout=side|flat|mini, showMetadata=True|False,
includeTactic=True|False,
includeAttackVersion=True|False. Multiple settings can
be provided with extra --layer-settings arguments.
Example: --layer-settings showAggregateScores=True
python dettect.py group -h
usage: dettect.py group [-h] [-g GROUPS] [-c CAMPAIGNS]
[-d {enterprise,ics,mobile}] [-o OVERLAY]
[-t {group,campaign,visibility,detection}]
[--software | --include-software] [-p PLATFORM]
[-sd SEARCH_DETECTION] [-sv SEARCH_VISIBILITY]
[--all-scores] [-of OUTPUT_FILENAME] [-ln LAYER_NAME]
[-cd] [--health] [--local-stix-path LOCAL_STIX_PATH]
[--layer-settings LAYER_SETTINGS]
Create threat actor group heat maps, compare group(s) and compare group(s)
with visibility and detection coverage.
options:
-h, --help show this help message and exit
-g GROUPS, --groups GROUPS
specify the ATT&CK Groups to include. A group can be
its ID, name or alias. If no group is specified, all
groups are used (except when a -c/--campaign is
specified). The -g/--groups and -c/--campaign options
complement each other. Multiple Groups can be provided
with extra -g/--group arguments. Another option is to
provide a YAML file with a custom group(s)
-c CAMPAIGNS, --campaigns CAMPAIGNS
specify the ATT&CK Campaigns to include. A campaign
can be its ID or name. If no campaign is specified,
all campaigns are used (except when a -g/--group is
specified). The -c/--campaign and -g/--groups options
complement each other. Multiple Campaigns can be
provided with extra -c/--campaign arguments.
-d {enterprise,ics,mobile}, --domain {enterprise,ics,mobile}
specify the ATT&CK domain (default = enterprise). This
argument is ignored if a domain is specified in the
Group YAML file.
-o OVERLAY, --overlay OVERLAY
specify what to overlay: group(s), campaign(s),
visibility or detection. Default overlay type is
Groups, to change it use -t/--overlay-type. When
overlaying a Group: it can be its ATT&CK ID, name or
alias. When overlaying a Campaign: it can be its ID or
name. Multiple Groups or Campaigns can be provided
with extra -o/--overlay arguments. Another option is
to provide a YAML file with a custom group(s). When
overlaying VISIBILITY or DETECTION provide a YAML with
the technique administration.
-t {group,campaign,visibility,detection}, --overlay-type {group,campaign,visibility,detection}
specify the type of overlay (default = group)
--software add techniques to the heat map by checking which
software is used by groups/campaigns, and hence which
techniques the software supports (does not influence
the scores). If overlay groups/campaigns are provided,
only software related to those groups/campaigns are
included. Cannot be used together with --include-
software
--include-software include techniques that software supports in the
scores for groups/campaigns in scope. Cannot be used
together with --software
-p PLATFORM, --platform PLATFORM
specify the platform (default = all). Multiple
platforms can be provided with extra '-p/--platform'
arguments. The available platforms can be listed from
the generic mode: 'ge --list-platforms'
-sd SEARCH_DETECTION, --search-detection SEARCH_DETECTION
only include detection objects which match the
provided EQL query
-sv SEARCH_VISIBILITY, --search-visibility SEARCH_VISIBILITY
only include visibility objects which match the
provided EQL query
--all-scores include all 'score' objects from the 'score_logbook'
in the EQL search. The default behaviour is to only
include the most recent 'score' objects
-of OUTPUT_FILENAME, --output-filename OUTPUT_FILENAME
set the output filename
-ln LAYER_NAME, --layer-name LAYER_NAME
set the name of the Navigator layer
-cd, --count-detections
Show the number of detections instead of listing all
detection locations in Layer metadata (when using an
overlay with detection). Location prefix will be used
to group detections. Location prefix can be used in
the location field, e.g. "EDR: Rule 1".
--health check the YAML file(s) for errors
--local-stix-path LOCAL_STIX_PATH
path to a local STIX repository to use DeTT&CT offline
or to use a specific version of STIX objects
--layer-settings LAYER_SETTINGS
specific settings for the Navigator layer. Supported
settings: showAggregateScores=True|False,
layout=side|flat|mini, showMetadata=True|False,
includeTactic=True|False,
includeAttackVersion=True|False. Multiple settings can
be provided with extra --layer-settings arguments.
Example: --layer-settings showAggregateScores=True
python dettect.py generic -h
usage: dettect.py generic [-h] [-ds [{enterprise,ics,mobile}]] [-p PLATFORM]
[-m [{enterprise,ics,mobile}]]
[--list-platforms [{enterprise,ics,mobile}]]
[-u {techniques,groups,software}]
[--sort {modified,created}]
[--local-stix-path LOCAL_STIX_PATH]
Generic functions which will output to stdout.
options:
-h, --help show this help message and exit
-ds [{enterprise,ics,mobile}], --datasources [{enterprise,ics,mobile}]
get a sorted count on how many ATT&CK techniquesare
covered by a particular data source (default =
enterprise data sources)
-p PLATFORM, --platform PLATFORM
only include data sources for the provided ATT&CK
platforms in the '-ds' argument (default = all).
Multiple platforms can be provided with extra
'-p/--platform' arguments. The available platforms can
be listed using '--list-platforms'
-m [{enterprise,ics,mobile}], --mitigations [{enterprise,ics,mobile}]
get a sorted count on how many ATT&CK Enterprise or
Mobile techniques are covered by a Mitigation
--list-platforms [{enterprise,ics,mobile}]
list the ATT&CK Enterprise, ICS or Mobile (default =
Enterprise) platforms that can be used with the
'-p/--platform' argument
-u {techniques,groups,software}, --updates {techniques,groups,software}
get a sorted list for when updates were released for
techniques, groups or software
--sort {modified,created}
sorting of the output from '-u/--update' on modified
or creation date (default = modified)
--local-stix-path LOCAL_STIX_PATH
path to a local STIX repository to use DeTT&CT offline
or to use a specific version of STIX objects
- Home
- Introduction
- Installation and requirements
- Getting started / How to
- Changelog
- Future developments
- ICS - Inconsistencies
- Introduction
- DeTT&CT data sources
- Data sources per platform
- Data quality
- Scoring data quality
- Improvement graph