
Releases: siriussecurity/dettectinator

v1.4.4

06 Dec 09:25
  • Fix for unexpected keyword argument skip_revoked_deprecated.

v1.4.3

22 Nov 16:39

v1.3.0

01 Aug 10:22
  • Sentinel plugin now supports sub-techniques, thanks to @DeSaintJust.
  • Enhancement/fix for checking prefix in location field.
  • Reading and saving the notes field for Group YAML files.
  • New sample Group plugin: GroupWeb. Can be used to import data from a web page. It uses a regular expression to fetch techniques and software.

v1.2.0

10 May 15:13
  • Support for DeTT&CT Group YAML files. Including two sample plugins to ingest files with threat intelligence.
  • Updated the TechniqueDefenderIdentityRules plugin: it now uses the new MDI GitHub URLs.
  • Results and warnings are now sorted and can be written to a file (#10, thanks to @marco-vdk).
  • Fixed the rule location name when checking existing rules (PR #8, thanks to @Karneades).

v1.1.1

17 Apr 09:58
  • Small fix: the detection score is now set to -1 instead of 0 when there are no detections.

v1.1.0

22 Dec 14:33
a898ee7
  • Support for data source plugins: it's now possible to use and create plugins for data sources. Out of the box there are plugins for Microsoft Defender for Endpoint, Sysmon and Windows Security Auditing logging, based on the OSSEM mappings. There are also plugins to import from CSV and Excel.
  • New technique plugins: the following plugins have been added in this release:
    • Splunk: saved searches config
    • Suricata: rules summarized
  • Added the clean_unused_location_prefix command line argument: previously, if you had multiple configurations writing to the same YAML file, you would run into trouble when automatically cleaning unused detections from the YAML, because one configuration's run would remove the other configuration's entries. When this argument is specified, only items with the same location prefix will be cleaned from the file.
  • Overrule applicable_to from the plugin: it's not always the case that all detections / data sources that you import are applicable to the same group of systems that you specify on the command line. It's now possible to yield the 'applicable_to' value from the plugin. If 'None' is yielded, the default value from the command line will be used. This option has not been effectuated in the default plugins yet, but you can already use it when creating your own.

We also of course fixed a number of bugs!

Note: To enable support for data sources we changed the naming scheme of the technique plugins a little bit. The name of these plugins now starts with "Technique" instead of "Import".
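To show what the clean_unused_location_prefix behaviour described above protects against, here is an added illustration in Python. It is not Dettectinator's own code; the `clean_unused_detections` function, the `"Splunk: "` / `"Suricata: "` location prefixes and the sample YAML-like data are all constructed for this example.

```python
# Added illustration (not Dettectinator's own code) of prefix-scoped cleaning of
# unused detections in a DeTT&CT-style techniques list.

def clean_unused_detections(techniques, imported, prefix=None):
    """Return a copy of `techniques` with stale detection entries removed.

    techniques: list of technique dicts, each with a 'detection' list whose items
                carry a 'location' string such as 'Splunk: Rule name'.
    imported:   set of location strings produced by the current import run.
    prefix:     when given, only detections whose location starts with this prefix
                (e.g. 'Splunk: ') are eligible for removal; all others are kept.
                This models the clean_unused_location_prefix argument.
    """
    cleaned = []
    for tech in techniques:
        kept = []
        for det in tech.get("detection", []):
            loc = det.get("location", "")
            in_scope = prefix is None or loc.startswith(prefix)
            if in_scope and loc not in imported:
                continue  # stale entry belonging to this configuration: drop it
            kept.append(det)
        cleaned.append({**tech, "detection": kept})
    return cleaned


def locations(techniques):
    """Flatten the location strings of all detections, for inspection."""
    return [d["location"] for t in techniques for d in t["detection"]]


# Constructed sample: one YAML file fed by two configurations (Splunk and Suricata).
SAMPLE = [
    {"technique_id": "T1003", "detection": [
        {"applicable_to": ["all"], "location": "Splunk: Credential dumping"},
        {"applicable_to": ["all"], "location": "Splunk: Old rule removed"},
        {"applicable_to": ["all"], "location": "Suricata: Mimikatz traffic"},
    ]},
]

if __name__ == "__main__":
    splunk_run = {"Splunk: Credential dumping"}  # the Splunk import no longer yields the old rule
    # Without a prefix the Suricata entry is wrongly removed too.
    print(locations(clean_unused_detections(SAMPLE, splunk_run)))
    # With the prefix only Splunk entries are in scope; the Suricata entry survives.
    print(locations(clean_unused_detections(SAMPLE, splunk_run, prefix="Splunk: ")))
```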

v1.0.0

03 Nov 10:52

Dettectinator Release 1.0.0

Dettectinator - The Python library for your DeTT&CT YAML files.

Dettectinator is built to be included in your SOC automation tooling. It can be included as a Python library or it can be used via the command line.

Dettectinator provides plugins to read detections from your SIEM or EDR and create a DeTT&CT YAML for it, so that you can use it to visualize your ATT&CK detection coverage in the ATT&CK Navigator.

Currently the CLI is limited to processing detections through these plugins; the library can also be used for processing data sources.

See the documentation for more information on how to use it.