|
2 | 2 | <search id="BaseSearch"> |
3 | 3 | <query>`get_attack_data` |
4 | 4 | |lookup enterprise-attack-lookup Technique |
5 | | - | eval mitre_id = Technique+" - "+mitre_technique_display, atomic_test= 'Test Number'+"-"+'Test Name' |
6 | | - | table atomic_test, Hostname,mitre_id,mitre_technique_display,mitre_technique_url,Tactic,Technique,"Test Name", Username |
| 5 | + | eval mitre_id = Technique + " - " + mitre_technique_display, atomic_test = 'Test Number' + "-" + 'Test Name' |
| 6 | + | sort -_time |
| 7 | + | table atomic_test, Hostname, mitre_id, mitre_technique_display, mitre_technique_url, Tactic, Technique, "Test Name", Username |
7 | 8 | </query> |
8 | 9 | <earliest>$time_token.earliest$</earliest> |
9 | 10 | <latest>$time_token.latest$</latest> |
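Review bot: The added `| sort -_time` on new line 6 of the BaseSearch query runs with sort's default result limit of 10,000, so once more than 10,000 simulation events fall inside the selected time range every panel built on this base search (the `stats count` and `dc(...)` indicators, the by-Username/Hostname/Tactic charts, the details table) silently undercounts. Use `| sort 0 -_time` to disable the limit, or drop the sort from the base search and apply it only in the details table, which is the one consumer that needs ordering. The event volume behind `get_attack_data` is not visible here, so whether the limit is hit in practice is inferred.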
|
14 | 15 | | rest /services/apps/local |
15 | 16 | | where title = "SplunkEnterpriseSecuritySuite" |
16 | 17 | </query> |
17 | | - <finalized > |
| 18 | + <finalized> |
18 | 19 | <condition match=" 'job.resultCount' != 0"> |
19 | | - <set token="filterESLink">noop</set> |
20 | | - </condition> |
21 | | - <condition> |
22 | | - <set token="filterESLink">rename view_es as _view_es</set> |
23 | | - </condition> |
24 | | - </finalized > |
| 20 | + <set token="filterESLink">noop</set> |
| 21 | + </condition> |
| 22 | + <condition> |
| 23 | + <set token="filterESLink">rename view_es as _view_es</set> |
| 24 | + </condition> |
| 25 | + </finalized> |
| 26 | + </search> |
| 27 | + <!-- Check if the SanKey Visualiztion is installed, and inform the user if not (and adapt the relevant panel content accordingly) --> |
| 28 | + <search id="SanskeyInstalledSearch"> |
| 29 | + <query> |
| 30 | + | rest /services/apps/local |
| 31 | + | where title = "sankey_diagram_app" |
| 32 | + </query> |
| 33 | + <finalized> |
| 34 | + <condition match=" 'job.resultCount' != 0"> |
| 35 | + <set token="SanskeyInstalled">1</set> |
| 36 | + <unset token="SanskeyNotInstalled"></unset> |
| 37 | + </condition> |
| 38 | + <condition> |
| 39 | + <unset token="SanskeyInstalled"></unset> |
| 40 | + <set token="SanskeyNotInstalled">1</set> |
| 41 | + </condition> |
| 42 | + </finalized> |
25 | 43 | </search> |
26 | 44 | <label>Attack Range Dashboard</label> |
27 | | - <description>Shows tests already run and relevant statistics in addition to possible analytic stories for executed tests. Currently supports only Atomic Red tests</description> |
| 45 | + <description>Shows tests already run and relevant statistics in addition to possible Analytic Stories/Detections that might be used to detect executed tests. Currently supports only Atomic Red tests.</description> |
28 | 46 | <fieldset submitButton="false"> |
29 | 47 | <input type="time" token="time_token" searchWhenChanged="true"> |
30 | 48 | <label>Time range</label> |
|
39 | 57 | <title># Simulations run</title> |
40 | 58 | <viz type="status_indicator_app.status_indicator"> |
41 | 59 | <search base="BaseSearch"> |
42 | | - <query>|stats count</query> |
| 60 | + <query>| stats count</query> |
43 | 61 | </search> |
44 | 62 | <option name="status_indicator_app.status_indicator.colorBy">static_color</option> |
45 | 63 | <option name="status_indicator_app.status_indicator.fillTarget">text</option> |
|
57 | 75 | <title># MITRE ATT&CK Tactics</title> |
58 | 76 | <viz type="status_indicator_app.status_indicator"> |
59 | 77 | <search base="BaseSearch"> |
60 | | - <query>|stats dc(Tactic)</query> |
| 78 | + <query>| stats dc(Tactic)</query> |
61 | 79 | </search> |
62 | 80 | <option name="drilldown">none</option> |
63 | 81 | <option name="refresh.display">progressbar</option> |
|
80 | 98 | <title># MITRE ATT&CK Techniques</title> |
81 | 99 | <viz type="status_indicator_app.status_indicator"> |
82 | 100 | <search base="BaseSearch"> |
83 | | - <query>|stats dc(Technique)</query> |
| 101 | + <query>| stats dc(Technique)</query> |
84 | 102 | </search> |
85 | 103 | <option name="drilldown">none</option> |
86 | 104 | <option name="refresh.display">progressbar</option> |
|
105 | 123 | <title>Attack username</title> |
106 | 124 | <chart> |
107 | 125 | <search base="BaseSearch"> |
108 | | - <query>|stats count by Username</query> |
| 126 | + <query>| stats count by Username</query> |
109 | 127 | </search> |
110 | 128 | <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> |
111 | 129 | <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> |
|
145 | 163 | <title>Target hosts</title> |
146 | 164 | <chart> |
147 | 165 | <search base="BaseSearch"> |
148 | | - <query>|stats count by Hostname</query> |
| 166 | + <query>| stats count by Hostname</query> |
149 | 167 | </search> |
150 | 168 | <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> |
151 | 169 | <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> |
|
187 | 205 | <title>Tactics simulated</title> |
188 | 206 | <chart> |
189 | 207 | <search base="BaseSearch"> |
190 | | - <query>|stats count by Tactic</query> |
| 208 | + <query>| stats count by Tactic</query> |
191 | 209 | </search> |
192 | 210 | <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> |
193 | 211 | <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> |
|
244 | 262 | </viz> |
245 | 263 | </panel> |
246 | 264 | </row> |
| 265 | + <row> |
| 266 | + <panel depends="$SanskeyInstalled$"> |
| 267 | + <title>Executed Simulations [$simulation_count$]</title> |
| 268 | + <viz type="sankey_diagram_app.sankey_diagram"> |
| 269 | + <search> |
| 270 | + <progress> |
| 271 | + <set token="simulation_count">$job.resultCount$</set> |
| 272 | + </progress> |
| 273 | + <query>`get_attack_data` |
| 274 | +| lookup enterprise-attack-lookup Technique |
| 275 | +| eval Label = Tactic + " - " + mitre_tactic_display |
| 276 | +| eval Label2 = Technique + " - " + mitre_technique_display |
| 277 | +| stats count by Label2, Label |
| 278 | +| table Label, Label2, count |
| 279 | +| rename Label as step1, Label2 as step2 |
| 280 | +| append [ |
| 281 | + search `get_attack_data` |
| 282 | + | lookup enterprise-attack-lookup Technique |
| 283 | + | eval Label = Technique + " - " + mitre_technique_display |
| 284 | + | eventstats dc("Test Name") as count by Label, Tactic, "Test Name" |
| 285 | + | table Label, "Test Name", count |
| 286 | + | rename Label as step1, "Test Name" as step2 |
| 287 | +]</query> |
| 288 | + <earliest>$time_token.earliest$</earliest> |
| 289 | + <latest>$time_token.latest$</latest> |
| 290 | + </search> |
| 291 | + <option name="drilldown">none</option> |
| 292 | + </viz> |
| 293 | + </panel> |
| 294 | + <panel depends="$SanskeyNotInstalled$"> |
| 295 | + <html> |
| 296 | + <p>In order for this panel to show properly, please install the SanKey visualization available <a href="https://splunkbase.splunk.com/app/3112/">here</a></p> |
| 297 | + </html> |
| 298 | + </panel> |
| 299 | + </row> |
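Review bot: In the appended branch of the sankey query, `eventstats dc("Test Name") as count by Label, Tactic, "Test Name"` groups by the very field whose distinct values it counts, so `count` is always 1 and the following `table`/`rename` emit one row per raw event instead of one aggregated row per technique→test edge. The first branch aggregates with `stats count by Label2, Label`; the second should mirror it, e.g. `| stats count by Label, "Test Name"` in place of the eventstats line, which also removes the unused Tactic grouping. If the sankey app happens to sum duplicate step1/step2 pairs the chart may still render correctly, but the row volume then scales with event count and the intent is not readable from the query.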
247 | 300 | <row> |
248 | 301 | <panel> |
249 | | - <title>Executed simulations</title> |
| 302 | + <title>Executed Simulations [$simulation_count$] - Details</title> |
250 | 303 | <table> |
251 | 304 | <search base="BaseSearch"> |
252 | | - <query>|table atomic_test, Hostname,mitre_id,mitre_technique_display,mitre_technique_url,Tactic,Technique,"Test Name", Username |
| 305 | + <progress> |
| 306 | + <set token="simulation_count">$job.resultCount$</set> |
| 307 | + </progress> |
| 308 | + <query>| rename atomic_test as "Atomic Red Test", mitre_id as "MITRE ID", mitre_technique_display as "Name", mitre_technique_url as "Technique URL", Username as "User Name" |
253 | 309 | </query> |
254 | 310 | </search> |
255 | 311 | <option name="count">5</option> |
|
275 | 331 | and also normalizes the field for other fringe cases (duplicate spaces, extra spaces at the end, etc.) --> |
276 | 332 | <query>`get_attack_data` |
277 | 333 | | lookup enterprise-attack-lookup Technique |
278 | | -| eval mitre_id = Technique+" - "+mitre_technique_display, atomic_test= 'Test Number'+"-"+'Test Name' |
279 | | - |
280 | | -| join type=left max=0 Technique |
281 | | - [ |
282 | | - | rest /services/configs/conf-analytic_stories splunk_server=local count=0 |
283 | | - | rex field=mappings ".*,+\s\"mitre_attack\":(?<technique>.*),+\s\"nist\"" |
284 | | - | rex field=technique mode=sed "s/\[//g" |
285 | | - | rex field=technique mode=sed "s/\]//g" |
286 | | - | eval technique=split(technique, ",") |
287 | | - | rex field=technique mode=sed "s/\"//g" |
288 | | - | mvexpand technique |
289 | | - | eval Technique=trim(technique) |
290 | | - | where Technique!="" |
291 | | - | fields Technique, title |
292 | | - ] |
| 334 | +| rename Technique as mitre_attack |
| 335 | +| stats count by mitre_attack |
| 336 | +| fields mitre_attack |
| 337 | +| join mitre_attack max=0 [ |
| 338 | + | rest /services/configs/conf-savedsearches splunk_server=local count=0 |
| 339 | + | search action.escu.search_type = detection |
| 340 | + | spath input=action.correlationsearch.annotations path=analytic_story{} output="analytic_story" |
| 341 | + | spath input=action.correlationsearch.annotations path=mitre_attack{} output="mitre_attack" |
| 342 | + | fields analytic_story, mitre_attack, title |
| 343 | + | mvexpand mitre_attack |
| 344 | + | search mitre_attack!="" |
| 345 | + | stats dc(title) as detections by analytic_story, mitre_attack |
| 346 | +] |
293 | 347 | | eval view_es="View [ES]" |
294 | 348 | | eval view_sse="View [SSE]" |
295 | 349 | | eval view_docs="View [Docs]" |
296 | 350 | | eval execute="Execute [ASX]" |
| 351 | +| rename analytic_story as title |
297 | 352 | | eval _docs_title = trim(replace(title, "\s+", " ")) |
298 | | -| eval _docs_title = upper(substr(mvjoin(split(lower(_docs_title), " "), "_"),1,1)).substr(mvjoin(split(lower(_docs_title), " "), "_"), 2) |
299 | | -| stats dc(title) by title, _docs_title, view_es, view_docs, execute |
300 | | -| fields title, _docs_title, view_es, view_docs, execute |
| 353 | +| eval _docs_title = lower(substr(mvjoin(split(lower(_docs_title), " "), "_"),1,1)).substr(mvjoin(split(lower(_docs_title), " "), "_"), 2) |
| 354 | +| fields title, mitre_attack, detections, _docs_title, view_es, view_docs, execute |
| 355 | +| eval _title = title |
| 356 | +| rename title as "Analytic Story", mitre_attack as "Att&ck Technique", detections as "Detections", view_es as "ES Link", view_docs as "Docs Link", execute as "Run in ASX" |
301 | 357 | | $filterESLink$ |
302 | 358 | </query> |
303 | 359 | <earliest>$time_token.earliest$</earliest> |
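Review bot: `| join mitre_attack max=0 [ ... ]` on new line 337 carries no `type=`, so it is an inner join where the removed code used `type=left`: any executed technique with no ESCU detection annotated for it is dropped from the table entirely. For a panel meant to show which Analytic Stories/Detections might catch executed tests, those unmapped techniques are exactly the coverage gaps a defender wants surfaced; `| join type=left max=0 mitre_attack [` would keep them as rows with empty Analytic Story/Detections, if the drop was not deliberate. Separately, in the `_docs_title` eval on new line 353 the outer `lower(substr(...))` is redundant, since the inner `split(lower(_docs_title), " ")` already lowercases the whole string. The enclosing `<search>`/`<table>` for this query starts before the hunk.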
|
313 | 369 | <option name="totalsRow">false</option> |
314 | 370 | <option name="wrap">true</option> |
315 | 371 | <drilldown> |
316 | | - <condition field="view_es"> |
| 372 | + <condition field="ES Link"> |
317 | 373 | <link target="_blank">/app/SplunkEnterpriseSecuritySuite/ess_analytic_story_details?analytic_story=$click.value$</link> |
318 | 374 | </condition> |
319 | | - <!--<condition field="view_sse"> |
| 375 | + <!--<condition field="SSE Link"> |
320 | 376 | <link target="_blank">/app/Splunk_Security_Essentials/TBD?=$click.value$</link> |
321 | 377 | </condition>--> |
322 | | - <condition field="view_docs"> |
323 | | - <link target="_blank">https://docs.splunk.com/Documentation/ESSOC/latest/stories/UseCase#$row._docs_title$</link> |
| 378 | + <condition field="Docs Link"> |
| 379 | + <link target="_blank">https://research.splunk.com/stories/$row._docs_title$</link> |
324 | 380 | </condition> |
325 | 381 | <!-- Default link is the documentation --> |
326 | | - <condition field="title"> |
327 | | - <link target="_blank">https://docs.splunk.com/Documentation/ESSOC/latest/stories/UseCase#$row._docs_title$</link> |
| 382 | + <condition field="Analytic Story"> |
| 383 | + <link target="_blank">https://research.splunk.com/stories/$row._docs_title$</link> |
328 | 384 | </condition> |
329 | | - <condition field="execute"> |
330 | | - <link target="_blank">/app/Splunk_ASX/execute?form.mode=now&form.time.earliest=-24h@h&form.time.latest=now&form.story=$row.title$</link> |
| 385 | + <condition field="Run in ASX"> |
| 386 | + <link target="_blank">/app/Splunk_ASX/execute?form.mode=now&form.time.earliest=-24h@h&form.time.latest=now&form.story=$row._title$</link> |
331 | 387 | </condition> |
332 | 388 | </drilldown> |
333 | 389 | </table> |
|
340 | 396 | <set token="detection_count">$job.resultCount$</set> |
341 | 397 | </progress> |
342 | 398 | <query>`get_attack_data` |
343 | | -|rename Technique as mitre_technique |
| 399 | +| rename Technique as mitre_technique |
344 | 400 | | join type=left max=0 mitre_technique |
345 | | -[| sseanalytics |
346 | | -|search mitre_id!="None" |
347 | | -|mvexpand mitre_id |
348 | | -|rename mitre_id as mitre_technique] |
349 | | -|stats dc(name) by name,mitre_technique,channel |
350 | | -|table name, mitre_technique, channel</query> |
| 401 | + [| sseanalytics |
| 402 | + | search mitre_id!="None" |
| 403 | + | mvexpand mitre_id |
| 404 | + | rename mitre_id as mitre_technique] |
| 405 | +| stats dc(name) by name, mitre_technique, displayapp |
| 406 | +| table name, mitre_technique, displayapp |
| 407 | +| rename name as "Detection", mitre_technique as "Att&ck Technique", displayapp as "Source" |
| 408 | + </query> |
351 | 409 | <earliest>$time_token.earliest$</earliest> |
352 | 410 | <latest>$time_token.latest$</latest> |
353 | 411 | <sampleRatio>1</sampleRatio> |
|