Last active March 18, 2022 12:25
Script to transpose JSON files from MITRE ATTACK EDR evaluations for easier use in Splunk

Comparing MITRE ATTACK evaluations of EDR software in Splunk, APT3

The JSON results of the APT3 evaluations can be found here: Round 1, APT3. For easier Splunking, transpose MITRE's JSON files with the script below: each technique/step pair becomes its own JSON object, which lets you run searches that compare the detection results of each EDR vendor.


```
$ python <transpose_script.py> file_from_mitre.json > better_file_for_splunking.json
```

(`<transpose_script.py>` stands for whatever name you save the script below under.)

```python
import json
import sys

# Copyright 2019 Jorrit Folmer
# This script is MIT licensed: free to use and provided "as is" without warranty of any kind.

try:
    filename = sys.argv[1]
    contents = json.loads(open(filename).read())
except Exception as e:
    print("Usage: %s file.json" % sys.argv[0])
    print("")
    print("%s" % str(e))
    sys.exit(1)  # without this, `contents` would be undefined below

for t in contents:
    try:
        steps = contents.get(t, []).get('Steps', [])
    except AttributeError as e:
        # the value under this key is not a dict, so it carries no technique data
        continue
    for s in steps:
        step = steps.get(s, [])
        newdict = dict()
        newdict['Technique'] = t
        newdict['TacticGroup'] = contents.get(t, []).get('TacticGroup', '')
        newdict['TechniqueName'] = contents.get(t, []).get('TechniqueName', '')
        newdict['Step'] = s
        det = []
        dettxt = []
        # DetectionCategories is assumed to be a list of {category: note} dicts;
        # the loop body is reconstructed from the variable names det/dettxt
        for d in step.get('DetectionCategories', ''):
            for di in d:
                det.append(di)                # detection category, e.g. "Telemetry"
                dettxt.append(d.get(di, ''))  # the vendor's detection note
        newdict['Detection'] = det
        newdict['DetectionText'] = dettxt
        newdict['Procedure'] = step.get('Procedure', '')
        print(json.dumps(newdict, indent=2, sort_keys=True))
```
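Added example, not part of the gist: the same transposition as a reusable function, assuming the technique → Steps → step → DetectionCategories layout the script above walks, run over a constructed two-vendor sample. It goes a step further than the script by tagging each record with a Vendor field, emitting one JSON object per line (the form Splunk's default line breaking ingests cleanly), and pivoting detection categories per step across vendors, which is the comparison the Splunk searches are meant to produce.

```python
import json

# Constructed sample (not MITRE data) in the layout the gist's script walks:
# technique -> Steps -> step -> DetectionCategories, a list of {category: note} dicts.
VENDOR_RESULTS = {
    "VendorA": {"T1003": {"TacticGroup": "Credential Access", "TechniqueName": "Credential Dumping",
        "Steps": {"1.A.1": {"Procedure": "constructed credential dump step",
            "DetectionCategories": [{"Telemetry": "process and file telemetry"},
                                    {"Enrichment": "credential access alert"}]}}}},
    "VendorB": {"T1003": {"TacticGroup": "Credential Access", "TechniqueName": "Credential Dumping",
        "Steps": {"1.A.1": {"Procedure": "constructed credential dump step",
            "DetectionCategories": [{"None": "no detection"}]}}}},
}

def transpose(contents, vendor):
    """Flatten technique/step nesting into one record per step, tagged with the vendor."""
    records = []
    for technique, tdata in contents.items():
        if not isinstance(tdata, dict):  # top-level keys that carry no technique data
            continue
        for step_id, step in tdata.get("Steps", {}).items():
            pairs = [(k, d[k]) for d in step.get("DetectionCategories", []) for k in d]
            records.append({
                "Vendor": vendor,
                "Technique": technique,
                "TacticGroup": tdata.get("TacticGroup", ""),
                "TechniqueName": tdata.get("TechniqueName", ""),
                "Step": step_id,
                "Detection": [k for k, _ in pairs],
                "DetectionText": [v for _, v in pairs],
                "Procedure": step.get("Procedure", ""),
            })
    return records

def to_ndjson(records):
    """One JSON object per line: Splunk breaks events on newlines by default, so no indent."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

def compare_by_step(vendor_results):
    """Pivot step -> vendor -> sorted categories, like `stats values(Detection) by Step Vendor`."""
    table = {}
    for vendor, contents in vendor_results.items():
        for r in transpose(contents, vendor):
            table.setdefault(r["Step"], {})[vendor] = sorted(r["Detection"])
    return table

if __name__ == "__main__":
    for vendor, contents in VENDOR_RESULTS.items():
        print(to_ndjson(transpose(contents, vendor)))
    print(json.dumps(compare_by_step(VENDOR_RESULTS), indent=2))
```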