Using plugins
Martijn Veken edited this page May 5, 2023
Dettectinator comes with a rich set of plugins for common detection systems and data source platforms, and you can also create new ones to accommodate your own workflow.
On this page you will find an overview of all current data import plugins for data sources, detections and groups.
Data source plugins

| Plugin | Description |
|---|---|
| DatasourceCsv | Import data sources from a CSV file. The file should be formatted like: Datasource,Product. |
| DatasourceDefenderEndpoints | Import data source information for Microsoft Defender for Endpoint tables. It uses OSSEM to generate the overview. |
| DatasourceExcel | Import data sources from an Excel file. It uses the first two columns of the first worksheet. The first column should contain the Datasource, the second column the Product. |
| DatasourceWindowsSecurityAuditing | Import data source information for Windows Security Auditing event logging. It uses the event IDs logged in the last 30 days and OSSEM to generate the overview. |
| DatasourceWindowsSysmon | Import data source information for Sysmon. It uses your Sysmon config file and OSSEM to generate the overview. |
Detection plugins

| Plugin | Description |
|---|---|
| TechniqueCsv | Import detections from a CSV file. The file should be formatted like: TechniqueId,UseCase. |
| TechniqueDefenderAlerts | Import alerts and techniques from the Microsoft Defender API. |
| TechniqueDefenderIdentityRules | Import rules for Microsoft Defender for Identity from their GitHub repository: https://github.com/MicrosoftDocs/ATADocs/tree/master/ATPDocs. More info can be found on: https://learn.microsoft.com/en-us/defender-for-identity/alerts-overview |
| TechniqueElasticSecurityRules | Import Elastic Security rules with ATT&CK technique mapping. |
| TechniqueExcel | Import detections from an Excel file. It uses the first two columns of the first worksheet. The first column should contain the TechniqueId, the second column the UseCase. |
| TechniqueSentinelAlertRules | Import Analytics Rules from the Sentinel API. |
| TechniqueSigmaRules | Import rules from a folder with Sigma rules. |
| TechniqueSplunkConfigSearches | Import detections from a Splunk config that contains saved searches (savedsearches.conf). It uses the action.correlationsearch.annotations attribute to get the mitre_attack techniques, for example: action.correlationsearch.annotations = {"mitre_attack": ["T1560.001", "T1560"]}. Only searches that contain an action.correlationsearch.label and do not have disabled=1 are included. |
| TechniqueSuricataRules | Import detections from a Suricata rules file. It expects a metadata keyword containing a field named mitre_technique_id that holds the ATT&CK technique ID, for example (source: Emerging Threats): `alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Phishing - Form submitted to submit-form Form Hosting"; flow:established,to_server; http.method; content:"POST"; http.host; content:"submit-form.com"; endswith; classtype:credential-theft; sid:2030707; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_20, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)` |
| TechniqueSuricataRulesSummarized | Import detections from a Suricata rules file. This plugin summarizes all rules instead of listing every rule by name as the TechniqueSuricataRules plugin does. |
| TechniqueTaniumSignals | Import signals with ATT&CK technique mapping from Tanium. |
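The Splunk and Suricata rows above describe the extraction rules those two plugins apply (correlation label present, disabled=1 excluded, techniques read from the mitre_attack list; metadata field mitre_technique_id read from each rule). The following Python block is an added example written for this page that re-implements exactly those documented rules on constructed sample input; it is not Dettectinator's own plugin code, and the function names, the sample savedsearches.conf stanzas and the second Suricata rule are assumptions made for the example. The Emerging Threats rule is the one quoted in the table.

```python
"""Added example (not Dettectinator code): extract ATT&CK technique IDs from
Splunk saved searches and Suricata rules following the rules documented in the
plugin table above. All sample input below is constructed for this example,
except the Emerging Threats rule, which is quoted from the table."""
import configparser
import json
import re

# Constructed savedsearches.conf: one enabled correlation search, one
# disabled correlation search, one ordinary report without a correlation label.
SAMPLE_SAVEDSEARCHES = """\
[ESCU - Archive Collected Data - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Archive Collected Data
action.correlationsearch.annotations = {"mitre_attack": ["T1560.001", "T1560"]}
search = index=main sourcetype=WinEventLog | stats count

[ESCU - Disabled Search - Rule]
action.correlationsearch.label = Disabled Search
action.correlationsearch.annotations = {"mitre_attack": ["T1059"]}
disabled = 1
search = index=main | stats count

[Plain Report]
search = index=main | stats count
"""

# Constructed rules file: the ET rule from the table plus a rule without a
# technique mapping, which must be ignored.
SAMPLE_SURICATA_RULES = """\
# constructed sample rules file
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Phishing - Form submitted to submit-form Form Hosting"; flow:established,to_server; http.method; content:"POST"; http.host; content:"submit-form.com"; endswith; classtype:credential-theft; sid:2030707; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_20, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
alert tcp any any -> any 22 (msg:"Constructed rule without mapping"; sid:1000001; rev:1; metadata:created_at 2023_01_01;)
"""

# Technique IDs look like T1234 or T1234.001; anything else is dropped so a
# typo in a rule does not end up as a bogus technique in the YAML.
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")
MSG_RE = re.compile(r'msg:"((?:[^"\\]|\\.)*)"')
METADATA_RE = re.compile(r"metadata:([^;]*);")


def splunk_techniques(conf_text: str) -> dict[str, list[str]]:
    """Map correlation search label -> technique IDs, applying the documented
    filter: a label must be present and the search must not have disabled=1."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    result: dict[str, list[str]] = {}
    for stanza in parser.sections():
        section = parser[stanza]
        label = section.get("action.correlationsearch.label")
        if not label:
            continue  # ordinary saved search, not a correlation search
        if section.get("disabled", "0").strip() == "1":
            continue  # disabled correlation search
        annotations = json.loads(section.get("action.correlationsearch.annotations", "{}"))
        techniques = [t for t in annotations.get("mitre_attack", []) if TECHNIQUE_RE.match(t)]
        result[label.strip()] = techniques
    return result


def suricata_techniques(rules_text: str) -> dict[str, str]:
    """Map rule msg -> technique ID taken from the metadata field
    mitre_technique_id. Rules without that field are skipped."""
    result: dict[str, str] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        msg = MSG_RE.search(line)
        meta = METADATA_RE.search(line)
        if not msg or not meta:
            continue
        # metadata is a comma-separated list of "key value" pairs
        fields: dict[str, str] = {}
        for item in meta.group(1).split(","):
            key, _, value = item.strip().partition(" ")
            fields[key] = value.strip()
        technique = fields.get("mitre_technique_id", "")
        if TECHNIQUE_RE.match(technique):
            result[msg.group(1)] = technique
    return result


if __name__ == "__main__":
    print(splunk_techniques(SAMPLE_SAVEDSEARCHES))
    print(suricata_techniques(SAMPLE_SURICATA_RULES))
```

The Suricata parser assumes the metadata keyword appears once per rule and that no content match embeds the literal text `metadata:`; rules with multi-line continuations are not handled here.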
Group plugins

| Plugin | Description |
|---|---|
| GroupExcel | Example plugin to import group data from an Excel file. In Excel, create a tab for each group and list all techniques in the first column. |
| GroupPdf | Example plugin to import group data from a PDF file. It uses regexes to find Technique and Software IDs in a PDF document. |