|
272 | 272 | </progress> |
273 | 273 | <query>`get_attack_data` |
274 | 274 | | lookup enterprise-attack-lookup Technique |
275 | | -| eval Label = Tactic + " - " + mitre_tactic_display |
276 | | -| eval Label2 = Technique + " - " + mitre_technique_display |
| 275 | +| eval Label = mvindex(Tactic,0) + " - " + mvindex(mitre_tactic_display, 0) |
| 276 | +| eval Label2 = Technique + " - " + mvindex(mitre_technique_display, 0) |
277 | 277 | | stats count by Label2, Label |
278 | 278 | | table Label, Label2, count |
279 | 279 | | rename Label as step1, Label2 as step2 |
280 | 280 | | append [ |
281 | 281 | search `get_attack_data` |
282 | 282 | | lookup enterprise-attack-lookup Technique |
283 | | - | eval Label = Technique + " - " + mitre_technique_display |
| 283 | + | eval Label = Technique + " - " + mvindex(mitre_technique_display, 0) |
| 284 | + | eval Tactic = mvindex(Tactic, 0) |
284 | 285 | | eventstats dc("Test Name") as count by Label, Tactic, "Test Name" |
285 | 286 | | table Label, "Test Name", count |
286 | 287 | | rename Label as step1, "Test Name" as step2 |
|
289 | 290 | <latest>$time_token.latest$</latest> |
290 | 291 | </search> |
291 | 292 | <option name="drilldown">none</option> |
| 293 | + <option name="refresh.display">progressbar</option> |
292 | 294 | </viz> |
293 | 295 | </panel> |
294 | 296 | <panel depends="$SanskeyNotInstalled$"> |
295 | 297 | <html> |
296 | | - <p>In order for this panel to show properly, please install the SanKey visualization available <a href="https://splunkbase.splunk.com/app/3112/">here</a></p> |
| 298 | + <p>In order for this panel to show properly, please install the SanKey visualization available <a href="https://splunkbase.splunk.com/app/3112/">here</a> |
| 299 | + </p> |
297 | 300 | </html> |
298 | 301 | </panel> |
299 | 302 | </row> |
|
402 | 405 | | search mitre_id!="None" |
403 | 406 | | mvexpand mitre_id |
404 | 407 | | rename mitre_id as mitre_technique] |
405 | | -| stats dc(name) by name, mitre_technique, displayapp |
406 | | -| table name, mitre_technique, displayapp |
407 | | -| rename name as "Detection", mitre_technique as "Att&ck Technique", displayapp as "Source" |
| 408 | +| stats dc(name) by name, mitre_technique, analytic_story, displayapp |
| 409 | +| table analytic_story, name, mitre_technique, displayapp |
| 410 | +| rename analytic_story as "Analytic Story", name as "Detection", mitre_technique as "Att&ck Technique", displayapp as "Source" |
408 | 411 | </query> |
409 | 412 | <earliest>$time_token.earliest$</earliest> |
410 | 413 | <latest>$time_token.latest$</latest> |
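Review bot: `mvindex(Tactic,0)` on new line 275 of the first hunk (and `eval Tactic = mvindex(Tactic, 0)` on new line 284 of the appended subsearch) keeps only the first value of a multi-valued Tactic, so a technique that the lookup maps to several tactics is now attributed to one tactic only and the `stats count by Label2, Label` that follows under-counts coverage for the others. If `enterprise-attack-lookup` returns Tactic and mitre_tactic_display as aligned multivalue fields, which the use of mvindex suggests but this view cannot confirm, one row per tactic is preserved with `| eval Label = mvzip(Tactic, mitre_tactic_display, " - ")` followed by `| mvexpand Label`, mirroring the `mvexpand mitre_id` already used in the last hunk. The same expansion should be applied to Tactic in the subsearch before the `eventstats ... by Label, Tactic` on new line 285 so the two halves of the Sankey agree. The `<search>` element that encloses these queries starts and ends outside the hunk.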
|