Glad it was helpful!

Thank you very much!

One thought is how do you apply it one model matrix system? Windows servers, linux servers other OS or applications or overall one model

I will try my best. More to come soon.

More to come!

Awesome! Thank you!

My pleasure!

You're welcome

Glad you liked it!

The sigma colors of yellow, orange, and red represents how many rules cover a given technique. Yellow means one. Orange means 2. Red means 3+. For dettect imports, the shade of purple represents how much coverage you have by data source to technique. The darker the color the better the coverage

@@HASecuritySolutions Many thanks for reply. How did you get those JSON files? Sorry I am new to this.

@@jaikisan3393 No worries at all. The data source json files came from using the tool DeTTect which I cover here: kzbin.info/www/bejne/e4nRpqeKgbCGa9E and the alert json files come from the Sigma Generic Signatures project when using sigma2attack. I probably should make a video for Sigma :)

That file was created from using DeTTECT. I created a data source file stating I have built-in Windows channels, Sysinternals Sysmon coverage, and other Windows channels that there are common community rulesets such as from Sigma Generic Signatures. I then used the DeTTECT command-line script to convert it to a navigator JSON layer that I could upload to MITRE Navigator.

@@HASecuritySolutions Probably didn't explain myself right, but I was wondering how the YAML was created (the coverage), please correct me if I am wrong but if we want to include Sysmon as a data source in DeTTECT or any other data source we MUST go to the vendor documentation and manually identify which techniques they provide some coverage according to their capabilities and use that intel in DeTTECT, right? I was under the impression that maybe there is a repository with the most common data sources already mapped, it sounds more like a community project as there are so many data sources out there (just thinking out loud here sorry)

@@mauriciozp84 I think I understand your question now. For this, I did go to learn.microsoft.com/en-us/sysinternals/downloads/sysmon to look at all the event IDs generated and what they are for. Then, I map those to the corresponding MITRE Data sources which is what DeTTECT's data source list is based on (attack.mitre.org/datasources/). That builds the initial YAML file. To my knowledge, there is not a pre-provided list of software to data sources that you can use to build the YAML. However, while there are a ton of attack techniques in MITRE, there's currently only about 50 data sources. So doing the data source mapping does not take that long. For example, I can compare visibility from Sysmon vs an EDR's telemetry logs in about an hour just by mapping what logs I'm provided access to within MITRE Data Sources (within DeTTECT)

@@HASecuritySolutions Got it, I was afraid you will say it was a manual work XD, thanks for the time you took answering our concerns, great video man!!

You're welcome!

Thank you

Mitre navigator let's you create layers. If you assign scores within each layer you can create a layer that combines our subtracts or compares one or more layers together

Thank you so much

I've had multiple requests for this so I think I'll make it happen. Stay tuned

For the YAML to JSON you'll need to use the DeTTECT tool from github.com/rabobank-cdc/DeTTECT. Example below: python /opt/DeTTECT/dettect.py ds -fd input/your_data_source.yaml -l Depending on the version of DeTTECT the command may change.

@@HASecuritySolutions You mean the DeTTECT editor. Followed your example in the video, saved yaml file then used a yaml to json tool. get this error WARNING: Uploaded layer version (1) does not match Navigator's layer version (4.1). The layer configuration may not be fully restored. Thanks for the assistance

@@rv5080 Yes. You are correct. I'll update the video description to clarify my statement that the yaml to JSON is intended to come from the DeTTECT editor's python code.

Thank you

Fantastic. That's the goal.