Merge pull request #15 from dlamspl/dev

Dev

Author: ccl0utier

README.md

@@ -21,18 +21,25 @@ This application has the following depencencies:
 + [Splunk Security Essentials v3.x.x](https://splunkbase.splunk.com/app/3435/)
 + [Status Indicator - Custom Visualization](https://splunkbase.splunk.com/app/3119/)
 + [Sankey Diagram - Custom Visualization](https://splunkbase.splunk.com/app/3112/)
++ [Parallel Coordinates - Custom Visualization](https://splunkbase.splunk.com/app/3137)
++ [Treemap - Custom Visualization](https://splunkbase.splunk.com/app/3118)
+
+**Note:** The application will fallback to not showing any panels that rely on prerequisite visualizations if they are missing.
 
 ## What does it look like ?
 
 The Main dashboard gives you an overview of the simulations run, users, hosts, MITRE ATT&CK tactics and techniques, tests executed and potential mapping with analytic stories. 
 
 ![Main Dashboard](appserver/static/docs/img/ar_main_dashboardv1.0.png?raw=true "Main Dashboard")
 
-The second dashboard (Navigator) shows all the available Atomic Red tests and their potential mappings to security content.  The reason we categorize those as "potential" is because the mapping is simply made based on the MITRE tactic referenced in the test and the security content. This does not necessarily mean that a specific Atomic Red Test will trigger a particular detection.   This is where you should read more on what ATT&CK is all about and how the Splunk [Security Content](https://research.splunk.com) maps to it.  :)
-
+The second dashboard (Navigator) shows all the available Atomic Red tests and their potential mappings to security content.  The reason we categorize those as "potential" is because the mapping is simply made based on the MITRE technique/subtechnique referenced in the test and the security content. This does not necessarily mean that a specific Atomic Red Test will trigger a particular detection.   This is where you should read more on what ATT&CK is all about and how the Splunk [Security Content](https://research.splunk.com) maps to it.  :)
 
 ![Navigator](appserver/static/docs/img/ar_navigator_dashboardv1.0.png?raw=true "Navigator")
 
+The 3rd dashboard allows you to search for potential Splunk Security Detections, Atomic Red Tests or determine PurpleSharp support for one or more MITRE Att&ck Technique/Subtechnique.
+
+![MITRE Content Based Search](appserver/static/docs/img/ar_mitre_content_search_dashboard.png?raw=true "Content Search")
+
 Finally there is a dashboard made with Splunk dashboards - Beta which looks nice but still in beta !
 
 ![Main - Beta](appserver/static/docs/img/ar_dashboards_beta_preview.png?raw=true "Main-Beta")

app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "splunk_attack_range_reporting",
-      "version": "1.0.8"
+      "version": "1.0.9"
     },
     "author": [
       {

appserver/static/docs/img/ar_mitre_content_search_dashboard.png

@@ -5,7 +5,7 @@ is_configured = 0
 
 [launcher]
 description = Splunk Attack range dashboards
-version = 1.0.8
+version = 1.0.9
 author = [email protected]
 
 [ui]

appserver/static/docs/img/ar_navigator_dashboardv1.0.png

@@ -1,19 +1,11 @@
 <nav search_view="search">
-
     <!-- Set "attack_range_main_dashboard" as the default page -->
     <collection label="Attack Range Dashboards">
-
-        <view name="attack_range_main_dashboard" default="true"/>
-        <view name="attack_range_navigator" />
-
-        
-
+        <view default="true" name="attack_range_main_dashboard"/>
+        <view name="attack_range_navigator"/>
+        <view name="attack_range_mitre_content_search"/>
     </collection>
-    
-  	<view name="search" />
-  	<view name="datasets" />
-  <view name="dashboards" />
-  
-  
-    
-</nav>
+    <view name="search"/>
+    <view name="datasets"/>
+    <view name="dashboards"/>
+</nav>

default/app.conf

@@ -272,15 +272,16 @@
           </progress>
           <query>`get_attack_data`
 | lookup enterprise-attack-lookup Technique
-| eval Label = Tactic + " - " + mitre_tactic_display 
-| eval Label2 = Technique + " - " + mitre_technique_display 
+| eval Label = mvindex(Tactic,0) + " - " + mvindex(mitre_tactic_display, 0)
+| eval Label2 = Technique + " - " + mvindex(mitre_technique_display, 0)
 | stats count by Label2, Label
 | table Label, Label2, count
 | rename Label as step1, Label2 as step2
 | append [
    search `get_attack_data`
    | lookup enterprise-attack-lookup Technique
-   | eval Label = Technique + " - " + mitre_technique_display 
+   | eval Label = Technique + " - " + mvindex(mitre_technique_display, 0)
+   | eval Tactic = mvindex(Tactic, 0)
    | eventstats dc("Test Name") as count by Label, Tactic, "Test Name"
    | table Label, "Test Name", count
    | rename Label as step1, "Test Name" as step2
@@ -289,11 +290,13 @@
           <latest>$time_token.latest$</latest>
         </search>
         <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
       </viz>
     </panel>
     <panel depends="$SanskeyNotInstalled$">
       <html>
-        <p>In order for this panel to show properly, please install the SanKey visualization available <a href="https://splunkbase.splunk.com/app/3112/">here</a></p>
+        <p>In order for this panel to show properly, please install the SanKey visualization available <a href="https://splunkbase.splunk.com/app/3112/">here</a>
+        </p>
       </html>
     </panel>
   </row>
@@ -402,9 +405,9 @@
   | search mitre_id!="None"
   | mvexpand mitre_id
   | rename mitre_id as mitre_technique]
-| stats dc(name) by name, mitre_technique, displayapp
-| table name, mitre_technique, displayapp
-| rename name as "Detection", mitre_technique as "Att&amp;ck Technique", displayapp as "Source"
+| stats dc(name) by name, mitre_technique, analytic_story, displayapp
+| table analytic_story, name, mitre_technique, displayapp
+| rename analytic_story as "Analytic Story", name as "Detection", mitre_technique as "Att&amp;ck Technique", displayapp as "Source"
           </query>
           <earliest>$time_token.earliest$</earliest>
           <latest>$time_token.latest$</latest>

default/data/ui/nav/default.xml

@@ -0,0 +1,157 @@
+<form version="1.1" theme="dark">
+  <label>MITRE ATT&amp;CK Based Content Search</label>
+  <description>Displays Splunk Security Detections and Atomic Red/PurpleSharp Tests based on selected MITRE Att&amp;ck technique(s).</description>
+  <!-- Check if the Parallel Coordinates Visualiztion is installed, and inform the user if not (and adapt the relevant panel content accordingly) -->
+  <search id="ParallelCoordinatesInstalledSearch">
+    <query>
+      | rest /services/apps/local 
+      | where title = "parallel_coordinates_app"
+    </query>
+    <finalized>
+      <condition match=" 'job.resultCount' != 0">
+        <set token="ParallelCoordinatesInstalled">1</set>
+        <unset token="ParallelCoordinatesNotInstalled"></unset>
+      </condition>
+      <condition>
+        <unset token="ParallelCoordinatesInstalled"></unset>
+        <set token="ParallelCoordinatesNotInstalled">1</set>
+      </condition>
+    </finalized>
+  </search>
+  <fieldset submitButton="false" autoRun="true">
+    <input type="multiselect" token="tokTechniques" searchWhenChanged="true">
+      <label>Selected Att&amp;ck Technique(s)</label>
+      <valuePrefix>mitre_id="</valuePrefix>
+      <delimiter> OR </delimiter>
+      <fieldForLabel>label</fieldForLabel>
+      <fieldForValue>value</fieldForValue>
+      <search>
+        <query>| inputlookup enterprise-attack-lookup
+| stats count by Technique, mitre_technique_display
+| eval value = Technique, label = value + " - " + mitre_technique_display
+| fields value, label
+| sort value</query>
+      </search>
+      <valueSuffix>"</valueSuffix>
+      <prefix>(</prefix>
+      <suffix>)</suffix>
+    </input>
+  </fieldset>
+  <row>
+    <panel depends="$ParallelCoordinatesInstalled$">
+      <title>Splunk Detections/ATT&amp;CK Technique(s)/Atomic Tests Mapping</title>
+      <viz type="parallel_coordinates_app.parallel_coordinates">
+        <search>
+          <query>| sseanalytics 
+| fields mitre_id, name 
+| mvexpand mitre_id 
+| search $tokTechniques$ 
+| table mitre_id, name 
+| lookup atomic-red-windows-tests "Technique #" AS mitre_id OUTPUT "Test Name" as test_name, "Test #" as test_no
+| eval label = mvzip(test_no, test_name, " - ")
+| fields mitre_id, name, label
+| mvexpand label
+| eval label = if(isnull(label) OR label=="", "&lt;NO TEST YET&gt;", label)
+| lookup purplesharp-techniques-lookup Technique as mitre_id OUTPUTNEW Technique as matched_technique
+| eval "Supported by PurpleSharp" = if(isnull(matched_technique), "No", "Yes")
+| fields - matched_technique
+| table name, mitre_id, "Supported by PurpleSharp", label
+| sort mitre_id, label, name
+| rename mitre_id as "Att&amp;ck Technique/Sub Technique", name as "Splunk Security Detection", label as "Atomic Test Name"</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="parallel_coordinates_app.parallel_coordinates.colorMode">categorical</option>
+        <option name="parallel_coordinates_app.parallel_coordinates.hideTicks">false</option>
+        <option name="parallel_coordinates_app.parallel_coordinates.maxCategories">35</option>
+        <option name="parallel_coordinates_app.parallel_coordinates.maxColor">#3fc77a</option>
+        <option name="parallel_coordinates_app.parallel_coordinates.minColor">#006d9c</option>
+        <option name="refresh.display">progressbar</option>
+      </viz>
+    </panel>
+    <panel depends="$ParallelCoordinatesNotInstalled$">
+      <html>
+        <p>In order for this panel to show properly, please install the Parallel Coordinates visualization available <a href="https://splunkbase.splunk.com/app/3137">here</a>
+        </p>
+      </html>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Available Splunk Security Detections</title>
+      <table>
+        <search>
+          <query>| sseanalytics 
+| fields mitre_id, name, displayapp, dashboard
+| eval _SSE_url = "" + dashboard
+| mvexpand mitre_id 
+| search $tokTechniques$
+| eval Link = "[View Details]"
+| table mitre_id, displayapp, name, Link, _SSE_url
+| sort mitre_id, name
+| rename mitre_id as "Att&amp;ck Technique/Sub Technique", displayapp as "Source", name as "Security Detection"</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="count">10</option>
+        <option name="drilldown">row</option>
+        <option name="refresh.display">progressbar</option>
+        <drilldown>
+          <link target="_blank">/app/Splunk_Security_Essentials/$row._SSE_url|n$</link>
+        </drilldown>
+      </table>
+    </panel>
+    <panel>
+      <title>Available Atomic Red Tests</title>
+      <table>
+        <search>
+          <query>| inputlookup atomic-red-windows-tests 
+| eval name = 'Test #' + " - " + 'Test Name' 
+| rename "Technique #" as mitre_id
+| search $tokTechniques$
+| fields mitre_id, name, "Test GUID"
+| eval Link = "[View Details]"
+| eval _mitre_id = mitre_id
+| sort mitre_id, name
+| rename mitre_id as "Att&amp;ck Technique/Sub Technique", name as "Test Name"</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="drilldown">row</option>
+        <option name="refresh.display">progressbar</option>
+        <drilldown>
+          <link target="_blank">https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/$row._mitre_id|n$/$row._mitre_id|n$.md</link>
+        </drilldown>
+      </table>
+    </panel>
+    <panel>
+      <title>PurpleSharp Supported Techniques</title>
+      <table>
+        <search>
+          <query>| inputlookup purplesharp-techniques-lookup 
+| rename "Technique" as mitre_id 
+| search $tokTechniques$
+| rename mitre_id as "Att&amp;ck Technique/Sub Technique" 
+| eval "Has related tests?" = "Yes" 
+| eval Link = "[View Details]"
+| appendpipe 
+    [ stats count 
+    | eval "Has related tests?"="None of the selected technique(s) have tests yet" 
+    | where count==0 
+    | table "Has related tests?"]</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="drilldown">row</option>
+        <option name="refresh.display">progressbar</option>
+        <format type="color" field="Has related tests?">
+          <colorPalette type="map">{"Yes":#53A051, "None of the selected technique(s) have tests yet":#FF0000}</colorPalette>
+        </format>
+        <drilldown>
+          <link target="_blank">https://www.purplesharp.com/en/latest/techniques/techniques.html</link>
+        </drilldown>
+      </table>
+    </panel>
+  </row>
+</form>