Added subtechniques

Author: dlamspl

appserver/static/vendor/mitre/enterprise-attack.json

@@ -2,12 +2,10 @@
 
 [install]
 is_configured = 0
-build = 7dc9706
-install_source_checksum = 45686772837c482f9ef4ffb10fee18da2567dcc7
 
 [launcher]
 description = Splunk Attack range dashboards
-version = 1.0.4
+version = 1.0.5
 author = [email protected]
 
 [ui]

default/app.conf

@@ -1,10 +1,9 @@
 <form theme="dark">
   <search id="BaseSearch">
     <query>`get_attack_data`
-      | sseidenrichment type=mitreid field=Technique 
-      | eval mitre_id = Technique+" - "+mitre_technique_display, atomic_test= 'Test Number'+"-"+'Test Name'
-      |lookup mitre_matrix_list_ar Technique AS mitre_technique_display
-      |table atomic_test, Hostname,mitre_id,mitre_technique_display,mitre_technique_url,Tactic,Technique,"Test Name", Username
+      |lookup enterprise-attack-lookup Technique
+      | eval mitre_id = Technique+" - "+mitre_technique_display, atomic_test= 'Test Number'+"-"+'Test Name' 
+      | table atomic_test, Hostname,mitre_id,mitre_technique_display,mitre_technique_url,Tactic,Technique,"Test Name", Username
     </query>
     <earliest>$time_token.earliest$</earliest>
     <latest>$time_token.latest$</latest>
@@ -253,28 +252,24 @@
       <title>Potential Analytic stories [$story_count$]</title>
       <table>
         <search>
-          
-      <progress>
+          <progress>
             <set token="story_count">$job.resultCount$</set>
-      </progress>          
+          </progress>
           <query>`get_attack_data`
-| sseidenrichment type=mitreid field=Technique 
+|lookup enterprise-attack-lookup Technique
 | eval mitre_id = Technique+" - "+mitre_technique_display, atomic_test= 'Test Number'+"-"+'Test Name'
-|lookup mitre_matrix_list_ar Technique AS mitre_technique_display
 
-
-| join type=left max=0 mitre_technique_display 
+| join type=left max=0 Technique 
    [ | rest /services/configs/conf-analytic_stories splunk_server=local count=0
-|search providing_technologies="*Sysmon*" OR providing_technologies="*Active Directory*" AND providing_technologies!="*AWS*"
-|rex field=mappings ".*,+\s\"mitre_attack\":(?&lt;tactics&gt;.*),+\s\"mitre_technique_id\""
-|rex field=tactics mode=sed "s/\[//g"
-|rex field=tactics mode=sed "s/\]//g"
-| eval tactics=split(tactics, ",")
-|rex field=tactics mode=sed "s/\"//g"
-| mvexpand tactics
-| eval mitre_technique_display=trim(tactics)  
-| where mitre_technique_display!=""
-|fields mitre_technique_display, title]
+|rex field=mappings ".*,+\s\"mitre_attack\":(?&lt;technique&gt;.*),+\s\"nist\""
+|rex field=technique mode=sed "s/\[//g"
+|rex field=technique mode=sed "s/\]//g"
+| eval technique=split(technique, ",")
+|rex field=technique mode=sed "s/\"//g"
+| mvexpand technique
+| eval Technique=trim(technique)  
+| where Technique!=""
+|fields Technique, title]
 
 |eval view="View [ESCU]"
 |eval execute="Execute [ASX]"
@@ -288,6 +283,7 @@
         <option name="dataOverlayMode">none</option>
         <option name="drilldown">row</option>
         <option name="percentagesRow">false</option>
+        <option name="refresh.display">progressbar</option>
         <option name="rowNumbers">false</option>
         <option name="totalsRow">false</option>
         <option name="wrap">true</option>
@@ -306,13 +302,11 @@
     </panel>
     <panel>
       <title>Potential detections [$detection_count$]</title>
- 
       <table>
-
         <search>
-      <progress>
+          <progress>
             <set token="detection_count">$job.resultCount$</set>
-      </progress>
+          </progress>
           <query>`get_attack_data`
 |rename Technique as mitre_technique
 

default/data/ui/views/attack_range_main_dashboard.xml

@@ -59,7 +59,7 @@
         </condition>
       </change>
       <search>
-        <query>|inputlookup mitre_matrix_list_ar|dedup Tactic |fields Tactic</query>
+        <query>|inputlookup enterprise-attack-lookup|dedup Tactic |fields Tactic</query>
         <earliest>-24h@h</earliest>
         <latest>now</latest>
       </search>
@@ -74,7 +74,7 @@
       <fieldForLabel>Technique</fieldForLabel>
       <fieldForValue>Technique</fieldForValue>
       <search>
-        <query>|inputlookup mitre_matrix_list_ar|dedup Technique |fields Technique</query>
+        <query>|inputlookup enterprise-attack-lookup|dedup Technique |fields Technique</query>
         <earliest>-24h@h</earliest>
         <latest>now</latest>
       </search>
@@ -195,27 +195,27 @@
           <progress>
             <set token="story_count">$job.resultCount$</set>
           </progress>
-          <query>|rename "Technique #" as Technique
-| sseidenrichment type=mitreid field=Technique 
-| eval mitre_id = Technique+" - "+mitre_technique_display, atomic_test= 'Test Number'+"-"+'Test Name'
-|lookup mitre_matrix_list_ar Technique AS mitre_technique_display
+          <query>| rename "Technique #" as Technique
 
+|lookup enterprise-attack-lookup Technique
+| eval mitre_id = Technique+" - "+mitre_technique_display, atomic_test= 'Test Number'+"-"+'Test Name'
 
-| join type=left max=0 mitre_technique_display 
+| join type=left max=0 Technique 
    [ | rest /services/configs/conf-analytic_stories splunk_server=local count=0
-|search providing_technologies="*Sysmon*" OR providing_technologies="*Active Directory*" AND providing_technologies!="*AWS*"
-|rex field=mappings ".*,+\s\"mitre_attack\":(?&lt;tactics&gt;.*),+\s\"mitre_technique_id\""
-|rex field=tactics mode=sed "s/\[//g"
-|rex field=tactics mode=sed "s/\]//g"
-| eval tactics=split(tactics, ",")
-|rex field=tactics mode=sed "s/\"//g"
-| mvexpand tactics
-| eval mitre_technique_display=trim(tactics)  
-| where mitre_technique_display!=""
-|fields mitre_technique_display, title]
-|search Technique=$technique_token$
-|stats dc(title) by title
-| fields title</query>
+|rex field=mappings ".*,+\s\"mitre_attack\":(?&lt;technique&gt;.*),+\s\"nist\""
+|rex field=technique mode=sed "s/\[//g"
+|rex field=technique mode=sed "s/\]//g"
+| eval technique=split(technique, ",")
+|rex field=technique mode=sed "s/\"//g"
+| mvexpand technique
+| eval Technique=trim(technique)  
+| where Technique!=""
+|fields Technique, title]
+
+|eval view="View [ESCU]"
+|eval execute="Execute [ASX]"
+|stats dc(title) by title, view, execute
+| fields title, view, execute</query>
         </search>
         <option name="count">20</option>
         <option name="dataOverlayMode">none</option>

default/data/ui/views/attack_range_navigator.xml

@@ -1,3 +1,3 @@
 [get_attack_data]
-definition = index="attack" Technique!="Technique" Technique!="" Technique!="T1531" Technique!="T1482" Technique!="T1485" Technique!="T1489" Technique!="T1490" Technique!="T1500" Technique!="T1502" Technique!="T1504" Technique!="T1505" Technique!="T1518" Technique!="T1529"
+definition = index="attack"
 iseval = 0

default/macros.conf

@@ -3,7 +3,7 @@ batch_index_query = 0
 case_sensitive_match = 1
 filename = windows-atomic-red-tests.csv
 
-[mitre_matrix_list_ar]
+[enterprise-attack-lookup]
 batch_index_query = 0
 case_sensitive_match = 1
-filename = mitre_matrix_list_ar.csv
+filename = enterprise-attack.csv