https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-cortex-with-dettect-and-dettectinator/m-p/580850#M6348 <P>You'll need the API keys to a functioning Cortex XDR (appID and secret), as well as the workspace URL. Have a look in the configuration file example in the repo: <A href="https://github.com/themyops/pa_dettectinator/blob/main/examples/pa_datasource_config_example.json" target="_blank">https://github.com/themyops/pa_dettectinator/blob/main/examples/pa_datasource_config_example.json</A>. Then run the dettectinator with the config file and it will generate the yaml file. These can be further edited with the DeTTeCT editor.</P> Mon, 18 Mar 2024 21:58:49 GMT Hinne.Hettema 2024-03-18T21:58:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-cortex-with-dettect-and-dettectinator/m-p/580140#M6312 <P>I am using the DeTTeCT approach to assessing our coverage against ATT&amp;CK:&nbsp;<A href="https://github.com/rabobank-cdc/DeTTECT" target="_blank">GitHub - rabobank-cdc/DeTTECT: Detect Tactics, Techniques &amp; Combat Threats</A>. In this approach, you need to start with a set of yaml files that have your datasources and detections.</P> <P>&nbsp;</P> <P>I have recently completed a set of PA plugins for the dettectinator project here&nbsp;<A href="https://github.com/themyops/pa_dettectinator" target="_blank">GitHub - themyops/pa_dettectinator: Dettectinator - The Python library to your DeTT&amp;CT YAML files.</A>. This is a fork of the original dettectinator project here&nbsp;<A href="https://github.com/siriussecurity/dettectinator" target="_blank">GitHub - siriussecurity/dettectinator: Dettectinator - The Python library to your DeTT&amp;CT YAML files.</A>&nbsp;which has two specific Cortex XDR modules added</P> <P>&nbsp;</P> <P>1. The datasources module goes through the datalake event logs and itemizes all the detected EventIDs, maps them to the OSSEM framework and gives you an inital DeTTeCT yaml file.</P> <P>2. The techniques module goes through the datalake and gets the techniques from the alerts tables. There are some optional parameters that will allow for a selection of fields as well as a start date.</P> <P>&nbsp;</P> <P>This approach can help to get the initial yaml files from what is already available in the datalake.</P> Wed, 13 Mar 2024 00:27:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-cortex-with-dettect-and-dettectinator/m-p/580140#M6312 Hinne.Hettema 2024-03-13T00:27:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-cortex-with-dettect-and-dettectinator/m-p/580743#M6345 <P>Dear&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/218344771">@Hinne.Hettema</a>&nbsp;,&nbsp;</P> <P>&nbsp;</P> <P>Hope you are doing well and thank you for reaching out to the Live Community. I would like to thank you for your detail explanation on how to get&nbsp;<SPAN>yaml files. Your knowledge sharing is greatly appreciated. Thank you.&nbsp;</SPAN></P> Mon, 18 Mar 2024 07:56:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-cortex-with-dettect-and-dettectinator/m-p/580743#M6345 abdrahman 2024-03-18T07:56:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-cortex-with-dettect-and-dettectinator/m-p/580850#M6348 <P>You'll need the API keys to a functioning Cortex XDR (appID and secret), as well as the workspace URL. Have a look in the configuration file example in the repo: <A href="https://github.com/themyops/pa_dettectinator/blob/main/examples/pa_datasource_config_example.json" target="_blank">https://github.com/themyops/pa_dettectinator/blob/main/examples/pa_datasource_config_example.json</A>. Then run the dettectinator with the config file and it will generate the yaml file. These can be further edited with the DeTTeCT editor.</P> Mon, 18 Mar 2024 21:58:49 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-cortex-with-dettect-and-dettectinator/m-p/580850#M6348 Hinne.Hettema 2024-03-18T21:58:49Z