Added additional widget on main dashboard showing deetections

Update of the app for submit

Author: dlamspl

appserver/static/docs/attack_range_dashboard_beta.json

@@ -6,10 +6,20 @@ install_source_checksum = 45686772837c482f9ef4ffb10fee18da2567dcc7
 
 [launcher]
 description = Splunk Attack range dashboards
-version = 1.0.2
-author = Splunk
+version = 1.0.3
+author = [email protected]
 
 [ui]
 is_visible = 1
 label = Attack Range Reporting
 
+[package]
+id = splunk_attack_range_reporting
+check_for_updates = true
+
+[[email protected]]
+email = [email protected]
+company = Splunk
+
+[install]
+build = 1

default/app.conf

@@ -0,0 +1 @@
+Add all the views that your app needs in this directory

default/data/ui/views/README

@@ -231,9 +231,31 @@
   </row>
   <row>
     <panel>
-      <title>Possible Analytic stories</title>
+      <title>Executed simulations</title>
+      <table>
+        <search base="BaseSearch">
+          <query>|table atomic_test, Hostname,mitre_id,mitre_technique_display,mitre_technique_url,Tactic,Technique,"Test Name", Username
+        </query>
+        </search>
+        <option name="count">5</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">none</option>
+        <option name="percentagesRow">false</option>
+        <option name="rowNumbers">false</option>
+        <option name="totalsRow">false</option>
+        <option name="wrap">true</option>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Potential Analytic stories [$story_count$]</title>
       <table>
         <search>
+          
+      <progress>
+            <set token="story_count">$job.resultCount$</set>
+      </progress>          
           <query>`get_attack_data`
 | sseidenrichment type=mitreid field=Technique 
 | eval mitre_id = Technique+" - "+mitre_technique_display, atomic_test= 'Test Number'+"-"+'Test Name'
@@ -281,19 +303,33 @@
         </drilldown>
       </table>
     </panel>
-  </row>
-  <row>
     <panel>
-      <title>Executed simulations</title>
+      <title>Potential detections [$detection_count$]</title>
+ 
       <table>
-        <search base="BaseSearch">
-          <query>
-|table atomic_test, Hostname,mitre_id,mitre_technique_display,mitre_technique_url,Tactic,Technique,"Test Name", Username</query>
+
+        <search>
+      <progress>
+            <set token="detection_count">$job.resultCount$</set>
+      </progress>
+          <query>`get_attack_data`
+|rename Technique as mitre_technique
+
+| join type=left max=0 mitre_technique
+[| sseanalytics
+|search mitre_technique!="None"
+|mvexpand mitre_technique]
+|stats dc(name) by name,mitre_technique,channel
+|table name, mitre_technique, channel</query>
+          <earliest>$time_token.earliest$</earliest>
+          <latest>$time_token.latest$</latest>
+          <sampleRatio>1</sampleRatio>
         </search>
-        <option name="count">5</option>
+        <option name="count">10</option>
         <option name="dataOverlayMode">none</option>
         <option name="drilldown">none</option>
         <option name="percentagesRow">false</option>
+        <option name="refresh.display">progressbar</option>
         <option name="rowNumbers">false</option>
         <option name="totalsRow">false</option>
         <option name="wrap">true</option>

local/data/ui/views/attack_range_main_dashboard.xml

@@ -1,4 +1,8 @@
 <form theme="dark">
+  <init>
+    <set token="show_init_tactic"></set>
+    <unset token="show_breakdown_tactic"></unset>
+  </init>
   <search id="AtomicRedLookup">
     <query>|inputlookup atomic-red-windows-tests
     </query>
@@ -10,7 +14,7 @@
   <label>Attack Range Navigator</label>
   <description>Available atomic red tests and possible mappings between detections</description>
   <fieldset submitButton="false" autoRun="true">
-    <input type="dropdown" token="channel" searchWhenChanged="true">
+    <input type="dropdown" token="channel_token" searchWhenChanged="true">
       <label>Content Source</label>
       <choice value="*">All</choice>
       <default>*</default>
@@ -35,6 +39,46 @@
       <default>*</default>
       <initialValue>*</initialValue>
     </input>
+    <input type="dropdown" token="tactic_name_token" searchWhenChanged="true">
+      <label>Tactic Name [Detections]</label>
+      <choice value="*">All</choice>
+      <default>*</default>
+      <prefix>"</prefix>
+      <suffix>"</suffix>
+      <initialValue>*</initialValue>
+      <fieldForLabel>Tactic</fieldForLabel>
+      <fieldForValue>Tactic</fieldForValue>
+      <change>
+        <condition match="$tactic_name_token$!=&quot;*&quot; ">
+          <set token="show_breakdown_tactic"></set>
+          <unset token="show_init_tactic"></unset>
+        </condition>
+        <condition>
+          <unset token="show_breakdown_tactic"></unset>
+          <set token="show_init_tactic"></set>
+        </condition>
+      </change>
+      <search>
+        <query>|inputlookup mitre_matrix_list_ar|dedup Tactic |fields Tactic</query>
+        <earliest>-24h@h</earliest>
+        <latest>now</latest>
+      </search>
+    </input>
+    <input type="dropdown" token="technique_name_token" searchWhenChanged="true">
+      <label>Technique Name [Detections]</label>
+      <choice value="*">All</choice>
+      <default>*</default>
+      <prefix>"*</prefix>
+      <suffix>*"</suffix>
+      <initialValue>*</initialValue>
+      <fieldForLabel>Technique</fieldForLabel>
+      <fieldForValue>Technique</fieldForValue>
+      <search>
+        <query>|inputlookup mitre_matrix_list_ar|dedup Technique |fields Technique</query>
+        <earliest>-24h@h</earliest>
+        <latest>now</latest>
+      </search>
+    </input>
   </fieldset>
   <row>
     <panel>
@@ -148,6 +192,9 @@
       <table>
         <title>(Click to view in ESCU)</title>
         <search base="AtomicRedLookup">
+          <progress>
+            <set token="story_count">$job.resultCount$</set>
+          </progress>
           <query>|rename "Technique #" as Technique
 | sseidenrichment type=mitreid field=Technique 
 | eval mitre_id = Technique+" - "+mitre_technique_display, atomic_test= 'Test Number'+"-"+'Test Name'
@@ -169,9 +216,6 @@
 |search Technique=$technique_token$
 |stats dc(title) by title
 | fields title</query>
-<progress>
-                 <set token="story_count">$job.resultCount$</set>
-           </progress>
         </search>
         <option name="count">20</option>
         <option name="dataOverlayMode">none</option>
@@ -186,24 +230,24 @@
         </drilldown>
       </table>
     </panel>
-    <panel>
+    <panel depends="$show_breakdown_tactic$">
       <title>Detections with possible Atomic tests mapping [$detection_count$]</title>
       <table>
+        <title>*Tactic Name and Technique Name field applies only here</title>
         <search base="SSEAnalytics">
-          <query>
-|mvexpand mitre_technique 
+          <progress>
+            <set token="detection_count">$job.resultCount$</set>
+          </progress>
+          <query>| mvexpand mitre_technique 
 |search mitre_technique!="None" mitre_technique!="" mitre_technique!="TA*" 
-|table name , mitre_technique, channel
+
 |lookup atomic-red-windows-tests "Technique #" AS mitre_technique OUTPUT "Test Name" as atomic_test_name
+| mvexpand mitre_tactic_display
 | eval atomic_test_exists=if(atomic_test_name != "", "1", "0")
+| eval "Candidate Atomic test"=mitre_technique
 | where atomic_test_exists="1"
-|search mitre_technique=$technique_token$
-|rename mitre_technique as "Candidate Atomic test"
-
-|table name, "Candidate Atomic test", channel</query>
-            <progress>
-                 <set token="detection_count">$job.resultCount$</set>
-           </progress>
+|search mitre_technique=$technique_token$ channel=$channel_token$ mitre_tactic_display=$tactic_name_token$ mitre_technique_display=$technique_name_token$
+|table name, "Candidate Atomic test", mitre_tactic_display,channel</query>
         </search>
         <option name="count">10</option>
         <option name="dataOverlayMode">none</option>
@@ -214,5 +258,33 @@
         <option name="wrap">true</option>
       </table>
     </panel>
+    <panel depends="$show_init_tactic$">
+      <title>Detections with possible Atomic tests mapping [$detection_count_default_panel$]</title>
+      <table>
+        <search base="SSEAnalytics">
+          <progress>
+            <set token="detection_count_default_panel">$job.resultCount$</set>
+          </progress>
+          <query>|mvexpand mitre_technique 
+|search mitre_technique!="None" mitre_technique!="" mitre_technique!="TA*" 
+
+|lookup atomic-red-windows-tests "Technique #" AS mitre_technique OUTPUT "Test Name" as atomic_test_name
+| eval atomic_test_exists=if(atomic_test_name != "", "1", "0")
+| eval "Candidate Atomic test"=mitre_technique
+| where atomic_test_exists="1"
+|search mitre_technique="*" channel="*"  mitre_technique_display="***"
+|search mitre_technique=$technique_token$ channel=$channel_token$  mitre_technique_display=$technique_name_token$
+|table name, "Candidate Atomic test",channel</query>
+        </search>
+        <option name="count">10</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">none</option>
+        <option name="percentagesRow">false</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="rowNumbers">false</option>
+        <option name="totalsRow">false</option>
+        <option name="wrap">true</option>
+      </table>
+    </panel>
   </row>
 </form>

local/data/ui/views/attack_range_navigator.xml

@@ -1,9 +1,9 @@
-[mitre_matrix_list_ar]
+[atomic-red-windows-tests]
 batch_index_query = 0
 case_sensitive_match = 1
-filename = mitre_matix_list_ar.csv
+filename = windows-atomic-red-tests.csv
 
-[atomic-red-windows-tests]
+[mitre_matrix_list_ar]
 batch_index_query = 0
 case_sensitive_match = 1
-filename = windows-atomic-red-tests.csv
+filename = mitre_matrix_list_ar.csv

local/transforms.conf

@@ -11,14 +11,14 @@ access = read : [ * ]
 export = none
 owner = admin
 version = 8.0.1
-modtime = 1587039557.989469000
+modtime = 1587537315.709316000
 
 [views/attack_range_navigator]
 access = read : [ * ]
 export = none
 owner = admin
 version = 8.0.1
-modtime = 1586957534.458117000
+modtime = 1587534293.161279000
 
 [nav/default]
 version = 8.0.2
@@ -28,19 +28,12 @@ modtime = 1586836655.568709000
 version = 8.0.1
 modtime = 1586922601.443066000
 
-[lookups/mitre_matix_list_ar.csv]
-access = read : [ * ]
-export = none
-owner = admin
-version = 8.0.1
-modtime = 1586923458.623613000
-
 [transforms/mitre_matrix_list_ar]
 access = read : [ * ]
 export = none
 owner = admin
 version = 8.0.1
-modtime = 1586923678.456480000
+modtime = 1587406098.533287000
 
 [lookups/windows-atomic-red-tests.csv]
 access = read : [ * ]
@@ -62,3 +55,10 @@ export = none
 owner = admin
 version = 8.0.1
 modtime = 1587043563.477440000
+
+[lookups/mitre_matrix_list_ar.csv]
+access = read : [ * ]
+export = none
+owner = admin
+version = 8.0.1
+modtime = 1587406027.679196000