Help texts

rubinatorz edited this page Nov 7, 2024 · 21 revisions

Below you will find all the help texts present in dettect.py:

Main

python dettect.py -h

usage: dettect.py [-h] [--version]  ...

Detect Tactics, Techniques & Combat Threats

options:
  -h, --help       show this help message and exit
  --version        show program's version number and exit

MODE:
  Select the mode to use. Every mode has its own arguments and help info
  displayed using: {editor, datasource, visibility, detection, group,
  generic} --help

  
    editor (e)     DeTT&CT Editor
    datasource (ds)
                   data source mapping and quality
    visibility (v)
                   visibility coverage mapping based on techniques and data
                   sources
    detection (d)  detection coverage mapping based on techniques
    group (g)      threat actor group mapping
    generic (ge)   includes: statistics on ATT&CK data source and updates on
                   techniques, groups and software

Source: https://github.com/rabobank-cdc/DeTTECT

Editor

python dettect.py editor -h

usage: dettect.py editor [-h] [-p PORT]

Start the DeTT&CT Editor for easy editing the YAML administration files

options:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  port where the webserver listens on (default is 8080)

Datasource

python dettect.py datasource -h

usage: dettect.py datasource [-h] [-ft FILE_TECH] -fd FILE_DS
                             [-a APPLICABLE_TO] [-s SEARCH] [-l] [-e] [-g]
                             [-y] [-ya] [-u] [-of OUTPUT_FILENAME]
                             [-ln LAYER_NAME] [--health]
                             [--local-stix-path LOCAL_STIX_PATH]
                             [--layer-settings LAYER_SETTINGS]

Create a heat map based on data sources, output data sources to Excel or
generate a data source improvement graph.

options:
  -h, --help            show this help message and exit
  -ft FILE_TECH, --file-tech FILE_TECH
                        path to the technique administration YAML file (used
                        with the option '-u, --update' to update the
                        visibility scores)
  -fd FILE_DS, --file-ds FILE_DS
                        path to the data source administration YAML file
  -a APPLICABLE_TO, --applicable-to APPLICABLE_TO
                        specify which data source objects to include by
                        filtering on applicable to value(s) (used to define
                        the type of system). You can provide multiple
                        applicable to values with extra '-a/--applicable-to'
                        arguments
  -s SEARCH, --search SEARCH
                        only include data sources which match the provided EQL
                        query
  -l, --layer           generate a data source layer for the ATT&CK navigator
  -e, --excel           generate an Excel sheet with all data source
  -g, --graph           generate a graph with data sources added through time
  -y, --yaml            generate a technique administration YAML file with
                        visibility scores based on the number of available
                        data sources
  -ya, --yaml-all-techniques
                        include all ATT&CK techniques in the generated YAML
                        file (when the argument -y, --yaml is provided) that
                        apply to the platform(s) specified in the data source
                        YAML file
  -u, --update          update the visibility scores within a technique
                        administration YAML file based on changes within any
                        of the data sources. Past visibility scores are
                        preserved in the 'score_logbook', and manually
                        assigned scores are not updated without your approval.
                        The updated visibility scores are calculated in the
                        same way as with the option: -y, --yaml
  -of OUTPUT_FILENAME, --output-filename OUTPUT_FILENAME
                        set the output filename
  -ln LAYER_NAME, --layer-name LAYER_NAME
                        set the name of the Navigator layer
  --health              check the YAML file(s) for errors
  --local-stix-path LOCAL_STIX_PATH
                        path to a local STIX repository to use DeTT&CT offline
                        or to use a specific version of STIX objects
  --layer-settings LAYER_SETTINGS
                        specific settings for the Navigator layer. Supported
                        settings: showAggregateScores=True|False,
                        layout=side|flat|mini, showMetadata=True|False,
                        includeTactic=True|False,
                        includeAttackVersion=True|False. Multiple settings can
                        be provided with extra --layer-settings arguments.
                        Example: --layer-settings showAggregateScores=True

Visibility

python dettect.py visibility -h

usage: dettect.py visibility [-h] -ft FILE_TECH [-p PLATFORM]
                             [-sd SEARCH_DETECTION] [-sv SEARCH_VISIBILITY]
                             [--all-scores] [-l] [-e] [-o] [-g]
                             [-of OUTPUT_FILENAME] [-ln LAYER_NAME] [-cd]
                             [--health] [--local-stix-path LOCAL_STIX_PATH]
                             [--layer-settings LAYER_SETTINGS]

Create a heat map based on visibility scores, overlay visibility with
detections, output to Excel or check the health of the technique
administration YAML file.

options:
  -h, --help            show this help message and exit
  -ft FILE_TECH, --file-tech FILE_TECH
                        path to the technique administration YAML file (used
                        to score the level of visibility)
  -p PLATFORM, --platform PLATFORM
                        specify the platform for the Navigator layer file
                        (default = platform(s) specified in the YAML file).
                        Multiple platforms can be provided with extra
                        '-p/--platform' arguments. The available platforms can
                        be listed from the generic mode: 'ge --list-platforms'
  -sd SEARCH_DETECTION, --search-detection SEARCH_DETECTION
                        only include detection objects which match the
                        provided EQL query
  -sv SEARCH_VISIBILITY, --search-visibility SEARCH_VISIBILITY
                        only include visibility objects which match the
                        provided EQL query
  --all-scores          include all 'score' objects from the 'score_logbook'
                        in the EQL search. The default behaviour is to only
                        include the most recent 'score' objects
  -l, --layer           generate a visibility layer for the ATT&CK navigator
  -e, --excel           generate an Excel sheet with all administrated
                        techniques
  -o, --overlay         generate a visibility layer overlaid with detections
                        for the ATT&CK navigator
  -g, --graph           generate a graph with visibility added through time
  -of OUTPUT_FILENAME, --output-filename OUTPUT_FILENAME
                        set the output filename
  -ln LAYER_NAME, --layer-name LAYER_NAME
                        set the name of the Navigator layer
  -cd, --count-detections
                        Show the number of detections instead of listing all
                        detection locations in Layer metadata (when using an
                        overlay with detection). Location prefix will be used
                        to group detections. Location prefix can be used in
                        the location field, e.g. "EDR: Rule 1".
  --health              check the YAML file for errors
  --local-stix-path LOCAL_STIX_PATH
                        path to a local STIX repository to use DeTT&CT offline
                        or to use a specific version of STIX objects
  --layer-settings LAYER_SETTINGS
                        specific settings for the Navigator layer. Supported
                        settings: showAggregateScores=True|False,
                        layout=side|flat|mini, showMetadata=True|False,
                        includeTactic=True|False,
                        includeAttackVersion=True|False. Multiple settings can
                        be provided with extra --layer-settings arguments.
                        Example: --layer-settings showAggregateScores=True

Detection

python dettect.py detection -h

usage: dettect.py detection [-h] -ft FILE_TECH [-p PLATFORM]
                            [-sd SEARCH_DETECTION] [-sv SEARCH_VISIBILITY]
                            [--all-scores] [-l] [-e] [-o] [-g]
                            [-of OUTPUT_FILENAME] [-ln LAYER_NAME] [-cd]
                            [--health] [--local-stix-path LOCAL_STIX_PATH]
                            [--layer-settings LAYER_SETTINGS]

Create a heat map based on detection scores, overlay detections with
visibility, generate a detection improvement graph, output to Excel or check
the health of the technique administration YAML file.

options:
  -h, --help            show this help message and exit
  -ft FILE_TECH, --file-tech FILE_TECH
                        path to the technique administration YAML file (used
                        to score the level of detection)
  -p PLATFORM, --platform PLATFORM
                        specify the platform for the Navigator layer file
                        (default = platform(s) specified in the YAML file).
                        Multiple platforms can be provided with extra
                        '-p/--platform' arguments. The available platforms can
                        be listed from the generic mode: 'ge --list-platforms'
  -sd SEARCH_DETECTION, --search-detection SEARCH_DETECTION
                        only include detection objects which match the
                        provided EQL query
  -sv SEARCH_VISIBILITY, --search-visibility SEARCH_VISIBILITY
                        only include visibility objects which match the
                        provided EQL query
  --all-scores          include all 'score' objects from the 'score_logbook'
                        in the EQL search. The default behaviour is to only
                        include the most recent 'score' objects
  -l, --layer           generate detection layer for the ATT&CK navigator
  -e, --excel           generate an Excel sheet with all administrated
                        techniques
  -o, --overlay         generate a detection layer overlaid with visibility
                        for the ATT&CK navigator
  -g, --graph           generate a graph with detections added through time
  -of OUTPUT_FILENAME, --output-filename OUTPUT_FILENAME
                        set the output filename
  -ln LAYER_NAME, --layer-name LAYER_NAME
                        set the name of the Navigator layer
  -cd, --count-detections
                        Show the number of detections instead of listing all
                        detection locations in Layer metadata. Location prefix
                        will be used to group detections. Location prefix can
                        be used in the location field, e.g. "EDR: Rule 1".
  --health              check the YAML file(s) for errors
  --local-stix-path LOCAL_STIX_PATH
                        path to a local STIX repository to use DeTT&CT offline
                        or to use a specific version of STIX objects
  --layer-settings LAYER_SETTINGS
                        specific settings for the Navigator layer. Supported
                        settings: showAggregateScores=True|False,
                        layout=side|flat|mini, showMetadata=True|False,
                        includeTactic=True|False,
                        includeAttackVersion=True|False. Multiple settings can
                        be provided with extra --layer-settings arguments.
                        Example: --layer-settings showAggregateScores=True

Group

python dettect.py group -h

usage: dettect.py group [-h] [-g GROUPS] [-c CAMPAIGNS]
                        [-d {enterprise,ics,mobile}] [-o OVERLAY]
                        [-t {group,campaign,visibility,detection}]
                        [--software | --include-software] [-p PLATFORM]
                        [-sd SEARCH_DETECTION] [-sv SEARCH_VISIBILITY]
                        [--all-scores] [-of OUTPUT_FILENAME] [-ln LAYER_NAME]
                        [-cd] [--health] [--local-stix-path LOCAL_STIX_PATH]
                        [--layer-settings LAYER_SETTINGS]

Create threat actor group heat maps, compare group(s) and compare group(s)
with visibility and detection coverage.

options:
  -h, --help            show this help message and exit
  -g GROUPS, --groups GROUPS
                        specify the ATT&CK Groups to include. A group can be
                        its ID, name or alias. If no group is specified, all
                        groups are used (except when a -c/--campaign is
                        specified). The -g/--groups and -c/--campaign options
                        complement each other. Multiple Groups can be provided
                        with extra -g/--group arguments. Another option is to
                        provide a YAML file with a custom group(s)
  -c CAMPAIGNS, --campaigns CAMPAIGNS
                        specify the ATT&CK Campaigns to include. A campaign
                        can be its ID or name. If no campaign is specified,
                        all campaigns are used (except when a -g/--group is
                        specified). The -c/--campaign and -g/--groups options
                        complement each other. Multiple Campaigns can be
                        provided with extra -c/--campaign arguments.
  -d {enterprise,ics,mobile}, --domain {enterprise,ics,mobile}
                        specify the ATT&CK domain (default = enterprise). This
                        argument is ignored if a domain is specified in the
                        Group YAML file.
  -o OVERLAY, --overlay OVERLAY
                        specify what to overlay: group(s), campaign(s),
                        visibility or detection. Default overlay type is
                        Groups, to change it use -t/--overlay-type. When
                        overlaying a Group: it can be its ATT&CK ID, name or
                        alias. When overlaying a Campaign: it can be its ID or
                        name. Multiple Groups or Campaigns can be provided
                        with extra -o/--overlay arguments. Another option is
                        to provide a YAML file with a custom group(s). When
                        overlaying VISIBILITY or DETECTION provide a YAML with
                        the technique administration.
  -t {group,campaign,visibility,detection}, --overlay-type {group,campaign,visibility,detection}
                        specify the type of overlay (default = group)
  --software            add techniques to the heat map by checking which
                        software is used by groups/campaigns, and hence which
                        techniques the software supports (does not influence
                        the scores). If overlay groups/campaigns are provided,
                        only software related to those groups/campaigns are
                        included. Cannot be used together with --include-
                        software
  --include-software    include techniques that software supports in the
                        scores for groups/campaigns in scope. Cannot be used
                        together with --software
  -p PLATFORM, --platform PLATFORM
                        specify the platform (default = all). Multiple
                        platforms can be provided with extra '-p/--platform'
                        arguments. The available platforms can be listed from
                        the generic mode: 'ge --list-platforms'
  -sd SEARCH_DETECTION, --search-detection SEARCH_DETECTION
                        only include detection objects which match the
                        provided EQL query
  -sv SEARCH_VISIBILITY, --search-visibility SEARCH_VISIBILITY
                        only include visibility objects which match the
                        provided EQL query
  --all-scores          include all 'score' objects from the 'score_logbook'
                        in the EQL search. The default behaviour is to only
                        include the most recent 'score' objects
  -of OUTPUT_FILENAME, --output-filename OUTPUT_FILENAME
                        set the output filename
  -ln LAYER_NAME, --layer-name LAYER_NAME
                        set the name of the Navigator layer
  -cd, --count-detections
                        Show the number of detections instead of listing all
                        detection locations in Layer metadata (when using an
                        overlay with detection). Location prefix will be used
                        to group detections. Location prefix can be used in
                        the location field, e.g. "EDR: Rule 1".
  --health              check the YAML file(s) for errors
  --local-stix-path LOCAL_STIX_PATH
                        path to a local STIX repository to use DeTT&CT offline
                        or to use a specific version of STIX objects
  --layer-settings LAYER_SETTINGS
                        specific settings for the Navigator layer. Supported
                        settings: showAggregateScores=True|False,
                        layout=side|flat|mini, showMetadata=True|False,
                        includeTactic=True|False,
                        includeAttackVersion=True|False. Multiple settings can
                        be provided with extra --layer-settings arguments.
                        Example: --layer-settings showAggregateScores=True
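The two option behaviours that recur in the visibility, detection and group help texts above are the repeatable `--layer-settings key=value` argument and the `-cd, --count-detections` grouping of detection locations by prefix. The following is an added illustration written for this page, not DeTT&CT's own code: it reproduces both behaviours with `argparse`, validating settings against the list in the help text. The helper names, the conversion of `True|False` to booleans and the treatment of a location without a `:` prefix as its own group are assumptions, not documented DeTT&CT behaviour.

```python
import argparse
from collections import Counter

# Supported --layer-settings keys and values, as listed in the help text.
SUPPORTED_LAYER_SETTINGS = {
    "showAggregateScores": {"True", "False"},
    "layout": {"side", "flat", "mini"},
    "showMetadata": {"True", "False"},
    "includeTactic": {"True", "False"},
    "includeAttackVersion": {"True", "False"},
}


def parse_layer_settings(values):
    """Turn repeated 'key=value' strings into a dict.

    Unknown keys or values raise ValueError; True/False become booleans
    (assumed convenience, DeTT&CT itself may keep them as strings).
    """
    settings = {}
    for item in values or []:
        key, sep, value = item.partition("=")
        if not sep or key not in SUPPORTED_LAYER_SETTINGS:
            raise ValueError(f"unsupported layer setting: {item!r}")
        if value not in SUPPORTED_LAYER_SETTINGS[key]:
            raise ValueError(f"invalid value {value!r} for {key}")
        settings[key] = value == "True" if value in ("True", "False") else value
    return settings


def count_detections_by_prefix(locations):
    """Group detection locations by the prefix before ':' (as -cd describes).

    'EDR: Rule 1' and 'EDR: Rule 2' both count towards 'EDR'. A location
    without a prefix is counted under its full text (assumption).
    """
    counts = Counter()
    for loc in locations:
        prefix, sep, _ = loc.partition(":")
        counts[prefix.strip() if sep else loc.strip()] += 1
    return dict(counts)


def parse_cli(argv):
    """Parse a DeTT&CT-style argv subset; 'append' collects repeated settings."""
    parser = argparse.ArgumentParser(prog="layer-settings-demo")
    parser.add_argument("--layer-settings", action="append", default=[])
    parser.add_argument("-cd", "--count-detections", action="store_true")
    args = parser.parse_args(argv)
    return parse_layer_settings(args.layer_settings), args.count_detections


if __name__ == "__main__":
    # Constructed sample input: detection locations as they might appear in
    # the 'location' field of a technique administration YAML file.
    sample_locations = ["EDR: Rule 1", "EDR: Rule 2", "SIEM: Alert 7", "Manual hunt"]
    settings, use_counts = parse_cli(
        ["--layer-settings", "showAggregateScores=True", "--layer-settings", "layout=mini", "-cd"])
    print(settings)
    print(count_detections_by_prefix(sample_locations) if use_counts else sample_locations)
```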

Generic

python dettect.py generic -h

usage: dettect.py generic [-h] [-ds [{enterprise,ics,mobile}]] [-p PLATFORM]
                          [-m [{enterprise,ics,mobile}]]
                          [--list-platforms [{enterprise,ics,mobile}]]
                          [-u {techniques,groups,software}]
                          [--sort {modified,created}]
                          [--local-stix-path LOCAL_STIX_PATH]

Generic functions which will output to stdout.

options:
  -h, --help            show this help message and exit
  -ds [{enterprise,ics,mobile}], --datasources [{enterprise,ics,mobile}]
                        get a sorted count on how many ATT&CK techniquesare
                        covered by a particular data source (default =
                        enterprise data sources)
  -p PLATFORM, --platform PLATFORM
                        only include data sources for the provided ATT&CK
                        platforms in the '-ds' argument (default = all).
                        Multiple platforms can be provided with extra
                        '-p/--platform' arguments. The available platforms can
                        be listed using '--list-platforms'
  -m [{enterprise,ics,mobile}], --mitigations [{enterprise,ics,mobile}]
                        get a sorted count on how many ATT&CK Enterprise or
                        Mobile techniques are covered by a Mitigation
  --list-platforms [{enterprise,ics,mobile}]
                        list the ATT&CK Enterprise, ICS or Mobile (default =
                        Enterprise) platforms that can be used with the
                        '-p/--platform' argument
  -u {techniques,groups,software}, --updates {techniques,groups,software}
                        get a sorted list for when updates were released for
                        techniques, groups or software
  --sort {modified,created}
                        sorting of the output from '-u/--update' on modified
                        or creation date (default = modified)
  --local-stix-path LOCAL_STIX_PATH
                        path to a local STIX repository to use DeTT&CT offline
                        or to use a specific version of STIX objects