
Commit 642c922

committed
Initial version
1 parent 0a1cf6c commit 642c922


18 files changed

+122610
-0
lines changed


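--- a/.gitignore
+++ b/.gitignore
@@ -127,3 +127,6 @@ dmypy.json
 
 # Pyre type checker
 .pyre/
+
+# MacOS stuff
+.DS_Store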

appserver/static/vendor/mitre/enterprise-attack.json

Lines changed: 112241 additions & 0 deletions
Large diffs are not rendered by default.

appserver/static/vendor/mitre/pre-attack.json

Lines changed: 8367 additions & 0 deletions
Large diffs are not rendered by default.

bin/README.md

Whitespace-only changes.

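--- a/default/app.conf
+++ b/default/app.conf
@@ -0,0 +1,15 @@
+[default]
+
+[install]
+is_configured = 0
+install_source_checksum = 45686772837c482f9ef4ffb10fee18da2567dcc7
+
+[launcher]
+description = Splunk Attack range dashboards
+version = 1.0.0
+author = Splunk
+
+[ui]
+is_visible = 1
+label = Attack Range Reporting
+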

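--- a/default/data/ui/nav/default.xml
+++ b/default/data/ui/nav/default.xml
@@ -0,0 +1,19 @@
+<nav search_view="search">
+
+<!-- Set "attack_range_main_dashboard" as the default page -->
+<collection label="Attack Range Dashboards">
+
+<view name="attack_range_main_dashboard" default="true"/>
+<view name="attack_range_navigator" />
+
+
+
+</collection>
+
+<view name="search" />
+<view name="datasets" />
+<view name="dashboards" />
+
+
+
+</nav>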

default/data/ui/views/attack_range_main_dashboard.xml

Lines changed: 338 additions & 0 deletions
Large diffs are not rendered by default.
Lines changed: 247 additions & 0 deletions
@@ -0,0 +1,247 @@
1+
<form theme="dark">
2+
<label>Attack Range Navigator</label>
3+
<description>Available atomic red tests and possible mappings between detections</description>
4+
<fieldset submitButton="false" autoRun="true">
5+
<input type="dropdown" token="channel" searchWhenChanged="true">
6+
<label>Source</label>
7+
<choice value="*">All</choice>
8+
<default>*</default>
9+
<initialValue>*</initialValue>
10+
<fieldForLabel>channel</fieldForLabel>
11+
<fieldForValue>channel</fieldForValue>
12+
<search>
13+
<query>| sseanalytics
14+
|stats count by channel
15+
|fields channel</query>
16+
<earliest>-24h@h</earliest>
17+
<latest>now</latest>
18+
</search>
19+
<prefix>"</prefix>
20+
<suffix>"</suffix>
21+
</input>
22+
<input type="dropdown" token="technique_token" searchWhenChanged="true">&gt;<label>Technique</label>
23+
<choice value="*">All</choice>
24+
<prefix>"</prefix>
25+
<suffix>"</suffix>
26+
<fieldForLabel>mitre_technique</fieldForLabel>
27+
<fieldForValue>mitre_technique</fieldForValue>
28+
<search>
29+
<query>| sseanalytics
30+
|mvexpand mitre_technique
31+
|search mitre_technique!="None" mitre_technique!="" mitre_technique!="TA*"
32+
|table name , mitre_technique, channel
33+
|lookup atomic-red-windows-tests "Technique #" AS mitre_technique OUTPUT "Test Name" as atomic_test_name
34+
| eval atomic_test_exists=if(atomic_test_name != "", "1", "0")
35+
| where atomic_test_exists="1"
36+
37+
|dedup mitre_technique</query>
38+
<earliest>-24h@h</earliest>
39+
<latest>now</latest>
40+
</search>
41+
<default>*</default>
42+
<initialValue>*</initialValue>
43+
</input>
44+
</fieldset>
45+
<row>
46+
<panel>
47+
<title># Available tests</title>
48+
<single>
49+
<search>
50+
<query>|inputlookup atomic-red-windows-tests |stats count</query>
51+
<earliest>$earliest$</earliest>
52+
<latest>$latest$</latest>
53+
<sampleRatio>1</sampleRatio>
54+
</search>
55+
<option name="drilldown">all</option>
56+
<option name="refresh.display">progressbar</option>
57+
</single>
58+
</panel>
59+
<panel>
60+
<title># MITRE ATT&amp;CK Tactics</title>
61+
<single>
62+
<search>
63+
<query>|inputlookup atomic-red-windows-tests
64+
|stats dc("Tactic")</query>
65+
<earliest>$earliest$</earliest>
66+
<latest>$latest$</latest>
67+
<sampleRatio>1</sampleRatio>
68+
</search>
69+
<option name="drilldown">none</option>
70+
<option name="refresh.display">progressbar</option>
71+
<option name="trellis.enabled">0</option>
72+
<option name="trellis.scales.shared">1</option>
73+
<option name="trellis.size">medium</option>
74+
</single>
75+
</panel>
76+
<panel>
77+
<title># MITRE ATT&amp;CK Techniques tests</title>
78+
<single>
79+
<search>
80+
<query>|inputlookup atomic-red-windows-tests
81+
|stats dc("Technique #")</query>
82+
<earliest>0</earliest>
83+
<latest></latest>
84+
<sampleRatio>1</sampleRatio>
85+
</search>
86+
<option name="drilldown">none</option>
87+
<option name="rangeColors">["0x53a051","0xf1813f"]</option>
88+
<option name="rangeValues">[10000]</option>
89+
<option name="refresh.display">progressbar</option>
90+
<option name="trellis.enabled">0</option>
91+
<option name="trellis.scales.shared">1</option>
92+
<option name="trellis.size">medium</option>
93+
<option name="useColors">1</option>
94+
<option name="useThousandSeparators">1</option>
95+
</single>
96+
</panel>
97+
<panel>
98+
<title>Atomic test Tactics available</title>
99+
<chart>
100+
<search>
101+
<query>|inputlookup atomic-red-windows-tests
102+
| sseidenrichment type=mitreid field="Technique #"
103+
|stats count by Tactic</query>
104+
<earliest>$earliest$</earliest>
105+
<latest>$latest$</latest>
106+
<sampleRatio>1</sampleRatio>
107+
</search>
108+
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
109+
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
110+
<option name="charting.axisTitleX.visibility">visible</option>
111+
<option name="charting.axisTitleY.visibility">visible</option>
112+
<option name="charting.axisTitleY2.visibility">visible</option>
113+
<option name="charting.axisX.abbreviation">none</option>
114+
<option name="charting.axisX.scale">linear</option>
115+
<option name="charting.axisY.abbreviation">none</option>
116+
<option name="charting.axisY.scale">linear</option>
117+
<option name="charting.axisY2.abbreviation">none</option>
118+
<option name="charting.axisY2.enabled">0</option>
119+
<option name="charting.axisY2.scale">inherit</option>
120+
<option name="charting.chart">pie</option>
121+
<option name="charting.chart.bubbleMaximumSize">50</option>
122+
<option name="charting.chart.bubbleMinimumSize">10</option>
123+
<option name="charting.chart.bubbleSizeBy">area</option>
124+
<option name="charting.chart.nullValueMode">gaps</option>http://3.127.167.74:8000/en-US/app/splunk_attack_range_reporting/attack_range_main_dashboard/editxml#<option name="charting.chart.showDataLabels">none</option>
125+
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
126+
<option name="charting.chart.stackMode">default</option>
127+
<option name="charting.chart.style">shiny</option>
128+
<option name="charting.drilldown">none</option>
129+
<option name="charting.layout.splitSeries">0</option>
130+
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
131+
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
132+
<option name="charting.legend.mode">standard</option>
133+
<option name="charting.legend.placement">right</option>
134+
<option name="charting.lineWidth">2</option>
135+
<option name="refresh.display">progressbar</option>
136+
<option name="trellis.enabled">0</option>
137+
<option name="trellis.scales.shared">1</option>
138+
<option name="trellis.size">medium</option>
139+
</chart>
140+
</panel>
141+
</row>
142+
<row>
143+
<panel>
144+
<title>Possible Analytic stories</title>
145+
<table>
146+
<search>
147+
<query>|inputlookup atomic-red-windows-tests
148+
|rename "Technique #" as Technique
149+
| sseidenrichment type=mitreid field=Technique
150+
| eval mitre_id = Technique+" - "+mitre_technique_display, atomic_test= 'Test Number'+"-"+'Test Name'
151+
|lookup mitre_matrix_list Technique AS mitre_technique_display
152+
153+
154+
| join type=left max=0 mitre_technique_display
155+
[ | rest /services/configs/conf-analytic_stories splunk_server=local count=0
156+
|search providing_technologies="*Sysmon*" OR providing_technologies="*Active Directory*" AND providing_technologies!="*AWS*"
157+
|rex field=mappings ".*,+\s\"mitre_attack\":(?&lt;tactics&gt;.*),+\s\"mitre_technique_id\""
158+
|rex field=tactics mode=sed "s/\[//g"
159+
|rex field=tactics mode=sed "s/\]//g"
160+
| eval tactics=split(tactics, ",")
161+
|rex field=tactics mode=sed "s/\"//g"
162+
| mvexpand tactics
163+
| eval mitre_technique_display=trim(tactics)
164+
| where mitre_technique_display!=""
165+
|fields mitre_technique_display, title]
166+
167+
|stats dc(title) by title
168+
| fields title</query>
169+
<earliest>$earliest$</earliest>
170+
<latest>$latest$</latest>
171+
<sampleRatio>1</sampleRatio>
172+
</search>
173+
<option name="count">20</option>
174+
<option name="dataOverlayMode">none</option>
175+
<option name="drilldown">cell</option>
176+
<option name="percentagesRow">false</option>
177+
<option name="rowNumbers">false</option>
178+
<option name="totalsRow">false</option>
179+
<option name="wrap">true</option>
180+
<drilldown>
181+
<link target="_blank">/app/DA-ESS-ContentUpdate/analytic_story_details?form.analytic_story_name=$row.title$</link>
182+
</drilldown>
183+
</table>
184+
</panel>
185+
<panel>
186+
<title>Detections with Atomic tests mapping</title>
187+
<table>
188+
<search>
189+
<query>| sseanalytics
190+
|mvexpand mitre_technique
191+
|search mitre_technique!="None" mitre_technique!="" mitre_technique!="TA*"
192+
|table name , mitre_technique, channel
193+
|lookup atomic-red-windows-tests "Technique #" AS mitre_technique OUTPUT "Test Name" as atomic_test_name
194+
| eval atomic_test_exists=if(atomic_test_name != "", "1", "0")
195+
| where atomic_test_exists="1"
196+
|search mitre_technique=$technique_token$
197+
|rename mitre_technique as "Candidate Atomic test"
198+
199+
|table name, "Candidate Atomic test", channel</query>
200+
<earliest>$earliest$</earliest>
201+
<latest>$latest$</latest>
202+
<sampleRatio>1</sampleRatio>
203+
</search>
204+
<option name="count">10</option>
205+
<option name="dataOverlayMode">none</option>
206+
<option name="drilldown">cell</option>
207+
<option name="percentagesRow">false</option>
208+
<option name="rowNumbers">false</option>
209+
<option name="totalsRow">false</option>
210+
<option name="wrap">true</option>
211+
<drilldown>
212+
<link target="_blank">/app/$row.channel$/showcase_simple_search?ml_toolkit.dataset=$row.name$</link>
213+
</drilldown>
214+
</table>
215+
</panel>
216+
</row>
217+
<row>
218+
<panel>
219+
<title>Atomic test Techniques available</title>
220+
<viz type="punchcard_app.punchcard">
221+
<search>
222+
<query>|inputlookup atomic-red-windows-tests
223+
| sseidenrichment type=mitreid field="Technique #"
224+
225+
226+
| stats count count("Technique #") by Tactic, "Technique #"
227+
|sort -count</query>
228+
<earliest>$earliest$</earliest>
229+
<latest>$latest$</latest>
230+
<sampleRatio>1</sampleRatio>
231+
</search>
232+
<option name="drilldown">none</option>
233+
<option name="punchcard_app.punchcard.colorMode">categorical</option>
234+
<option name="punchcard_app.punchcard.labelRotation">angle</option>
235+
<option name="punchcard_app.punchcard.maxColor">#3fc77a</option>
236+
<option name="punchcard_app.punchcard.minColor">#d93f3c</option>
237+
<option name="punchcard_app.punchcard.numOfBins">9</option>
238+
<option name="punchcard_app.punchcard.radiusScale">global</option>
239+
<option name="punchcard_app.punchcard.useColors">true</option>
240+
<option name="refresh.display">progressbar</option>
241+
<option name="trellis.enabled">0</option>
242+
<option name="trellis.scales.shared">1</option>
243+
<option name="trellis.size">medium</option>
244+
</viz>
245+
</panel>
246+
</row>
247+
</form>
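Review bot: Stray text has been committed into the form body: at new line 124 a pasted URL (`http://3.127.167.74:8000/en-US/app/splunk_attack_range_reporting/attack_range_main_dashboard/editxml#`) sits between the `charting.chart.nullValueMode` and `charting.chart.showDataLabels` options, and at new line 22 a literal `&gt;` follows the `technique_token` `<input>` start tag; both parse as mixed-content text rather than breaking the XML, but the URL discloses what looks like the author's own Splunk host address and should be deleted together with the `&gt;`. The `channel` dropdown (new lines 5-21) defines a token that no panel search reads — only `$technique_token$` is used, in the "Detections with Atomic tests mapping" query — so the Source filter currently has no effect. Several panel searches use `$earliest$`/`$latest$`, yet the fieldset declares no time input, so those tokens appear never to be set by this form; either add `<input type="time" token="time_token">` and reference it, or drop the `<earliest>`/`<latest>` elements on the inputlookup panels, which do not need a time range. This file section lacks its path header in the rendering; from the form label it is presumably the `attack_range_navigator` view referenced by nav/default.xml — confirm.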
