Comparing MITRE ATT&CK evaluations of EDR software in Splunk, APT3
The JSON results of the APT3 evaluations can be found here: Round 1, APT3. MITRE's file for a vendor is keyed by technique ID, with the evaluation steps and their detection categories nested underneath, which is awkward to search directly. For easier Splunking, transpose each vendor's JSON with the script below into one flat JSON object per technique step. Once the transposed files for all vendors are indexed, you can compare detection results per step from each EDR vendor with ordinary Splunk searches.
Usage
$ python transpose_mitre_eval.py file_from_mitre.json > better_file_for_splunking.json
transpose_mitre_eval.py
import json
import sys

# Copyright 2019 Jorrit Folmer
# This script is MIT licensed: free to use and provided "as is" without warranty of any kind.

# Read the MITRE evaluation JSON. Its top level is keyed by technique ID
# (e.g. T1003); each technique carries a TacticGroup, a TechniqueName and
# a dict of Steps keyed by step ID.
try:
    filename = sys.argv[1]
    with open(filename) as f:
        contents = json.load(f)
except Exception as e:
    print("Usage: %s file.json" % sys.argv[0])
    print("")
    print("%s" % str(e))
    sys.exit(1)

# Emit one flat JSON object per (technique, step) so that Splunk can index
# every step as its own event.
for t in contents:
    try:
        steps = contents.get(t, {}).get('Steps', {})
    except AttributeError:
        # Top-level entries that are not technique dicts are skipped
        continue
    for s in steps:
        step = steps.get(s, {})
        newdict = dict()
        newdict['Technique'] = t
        newdict['TacticGroup'] = contents.get(t, {}).get('TacticGroup', '')
        newdict['TechniqueName'] = contents.get(t, {}).get('TechniqueName', '')
        newdict['Step'] = s
        # DetectionCategories is a list of dicts mapping a category name
        # (e.g. "Telemetry") to MITRE's explanatory text. Split the names
        # and the texts into two parallel lists.
        det = []
        dettxt = []
        for d in step.get('DetectionCategories', []):
            for di in d:
                det.append(di)
                dettxt.append(d.get(di, ''))
        newdict['Detection'] = det
        newdict['DetectionText'] = dettxt
        newdict['Procedure'] = step.get('Procedure', '')
        print(json.dumps(newdict, indent=2, sort_keys=True))
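The comparison the page sets out to do in Splunk can be sanity-checked offline as well. The following is an added example, not part of the original script or of MITRE's data: it reads the output that transpose_mitre_eval.py prints (pretty-printed JSON objects one after another, which is not valid JSON Lines, so a plain `json.loads` per line would fail), tallies detection categories per vendor, and lists the steps one vendor caught and another missed. VendorA, VendorB, their records and the rule that a step counts as missed when its only category is "None" or empty are all constructed assumptions for this example.

```python
import json
from collections import Counter

# Added example, not from the original script or from MITRE. The vendor
# names and records below are constructed sample data.

def _rec(technique, step, categories, tactic="Credential Access", name="Credential Dumping"):
    """Build one record in the shape transpose_mitre_eval.py prints (constructed)."""
    return {"Technique": technique, "TacticGroup": tactic, "TechniqueName": name,
            "Step": step, "Detection": list(categories),
            "DetectionText": ["constructed"] * len(categories), "Procedure": "constructed"}

def _transposed(records):
    """Serialise records exactly like the transposer: concatenated pretty-printed objects."""
    return "".join(json.dumps(r, indent=2, sort_keys=True) + "\n" for r in records)

# Constructed transposer output for two hypothetical vendors.
SAMPLE = {
    "VendorA": _transposed([
        _rec("T1003", "1.A.1", ["Telemetry"]),
        _rec("T1003", "1.A.2", ["None"]),
        _rec("T1086", "2.B.1", ["General Behavior", "Telemetry"], "Execution", "PowerShell"),
    ]),
    "VendorB": _transposed([
        _rec("T1003", "1.A.1", ["None"]),
        _rec("T1003", "1.A.2", ["Specific Behavior"]),
        _rec("T1086", "2.B.1", ["Telemetry"], "Execution", "PowerShell"),
    ]),
}

def load_records(text):
    """Parse concatenated JSON objects (pretty-printed or single-line) into dicts."""
    decoder = json.JSONDecoder()
    records, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():   # raw_decode rejects leading whitespace
            pos += 1
        if pos >= len(text):
            return records
        obj, pos = decoder.raw_decode(text, pos)
        records.append(obj)

# Assumption: a missed step shows up with "None" (or nothing) as its only category.
NO_DETECTION = {"None", ""}

def detected(record):
    return any(c not in NO_DETECTION for c in record["Detection"])

def category_counts(records):
    """Counter of detection categories, the offline twin of 'stats count by Detection'."""
    return Counter(c for r in records for c in r["Detection"])

def coverage(records):
    """Return (steps with any detection, total steps)."""
    return sum(1 for r in records if detected(r)), len(records)

def caught_by_a_missed_by_b(records_a, records_b):
    """Sorted (Technique, Step) pairs that vendor A detected and vendor B did not."""
    hits_a = {(r["Technique"], r["Step"]) for r in records_a if detected(r)}
    hits_b = {(r["Technique"], r["Step"]) for r in records_b if detected(r)}
    return sorted(hits_a - hits_b)

if __name__ == "__main__":
    vendors = {name: load_records(text) for name, text in SAMPLE.items()}
    for name, recs in vendors.items():
        print(name, "coverage", coverage(recs), "by category", dict(category_counts(recs)))
    print("VendorA caught, VendorB missed:",
          caught_by_a_missed_by_b(vendors["VendorA"], vendors["VendorB"]))
    print("VendorB caught, VendorA missed:",
          caught_by_a_missed_by_b(vendors["VendorB"], vendors["VendorA"]))
```

The same three questions (coverage per vendor, counts per detection category, steps caught by one vendor and missed by another) are what the Splunk searches over the indexed records answer; the vendor has to come from the source or sourcetype you indexed each transposed file under, since the records themselves carry no vendor field.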