For easier Splunking, use the download steps, the usage commands and the Python script below.
# Fetch the published ATT&CK Evaluations result file for each vendor, in the
# same order as before; wget saves each one under its URL basename
# (e.g. AhnLab_Results.json) in the current directory.
base_url='https://attackevals.mitre-engenuity.org/downloadable_JSON'
for vendor in AhnLab Bitdefender CheckPoint Cisco CrowdStrike Cybereason \
              CyCraft Cylance Cynet Elastic ESET Fidelis FireEye Fortinet \
              F-Secure GoSecure Malwarebytes McAfee MicroFocus Microsoft \
              OpenText PaloAltoNetworks ReaQta SentinelOne Sophos Symantec \
              TrendMicro Uptycs VMware; do
    wget "${base_url}/${vendor}_Results.json"
done
Usage:
$ for i in $(ls *json); do python transpose_mitre_edr_evals.py $i carbanak_fin7 >> r3.log;done
$ /opt/splunk/bin/splunk add oneshot r3.log -index main -sourcetype attackeval:json
Script:
# Copyright 2021-2022 Jorrit Folmer
# This script is MIT licensed: free to use and provided "as is" without warranty of any kind.
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/AhnLab_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Bitdefender_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CheckPoint_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cisco_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CrowdStrike_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cybereason_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/CyCraft_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cylance_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Cynet_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Elastic_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/ESET_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Fidelis_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/FireEye_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Fortinet_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/F-Secure_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/GoSecure_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Malwarebytes_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/McAfee_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/MicroFocus_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Microsoft_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/OpenText_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/PaloAltoNetworks_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/ReaQta_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/SentinelOne_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Sophos_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Symantec_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/TrendMicro_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/Uptycs_Results.json
# wget https://attackevals.mitre-engenuity.org/downloadable_JSON/VMware_Results.json
from __future__ import print_function
from builtins import str
import json
import sys
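def _usage(err, code):
    """Print the usage banner and the triggering error, then exit with *code*.

    Args:
        err: The exception that made the command line unusable.
        code: Process exit status (1 for file problems, 2 for a missing adversary).
    """
    print("Usage: %s <file.json> <adversary_name>" % sys.argv[0])
    print("")
    print("%s" % str(err))
    sys.exit(code)


def load_results(filename):
    """Return the parsed JSON document stored in *filename*.

    The ``with`` block releases the file handle even when parsing fails;
    the earlier ``open(filename).read()`` left it to the garbage collector.

    Raises:
        IOError/OSError: if the file cannot be opened.
        ValueError: if the contents are not valid JSON.
    """
    with open(filename) as handle:
        return json.load(handle)


def flatten_substep(substep, adversary_name):
    """Flatten one evaluation substep into a single-level dict for Splunk.

    Args:
        substep: One entry of a step's ``Substeps`` list.
        adversary_name: Value of the enclosing adversary's ``Adversary_Name``.

    Returns:
        A dict with the keys Step, Technique, TacticGroup, Technique_Name,
        Capability_Requirements, Detection, Adversary, DetectionText,
        DetectionModifiers, Datasources and Procedure.
    """
    technique = substep.get('Technique', {})
    detection_types = []
    detection_notes = []
    modifiers = []
    datasources = []
    # 'Detections' is a list; the previous '' default happened to iterate as
    # empty but hid the type mismatch.
    for detection in substep.get('Detections', []):
        detection_types.append(detection.get('Detection_Type', ''))
        note = detection.get('Detection_Note', '')
        if note != '':
            detection_notes.append(note)
        modifiers.extend(detection.get('Modifiers', []))
        datasources.extend(detection.get('Datasources', []))
    return {
        'Step': substep.get('Substep', ''),
        # Technique_Id / Technique_Name keep their None default so a missing
        # value stays distinguishable from an empty string in the output.
        'Technique': technique.get('Technique_Id'),
        # 'Tactic' is a dict; the previous [] default raised AttributeError on
        # any substep without a Tactic key.
        'TacticGroup': substep.get('Tactic', {}).get('Tactic_Name', ''),
        'Technique_Name': technique.get('Technique_Name'),
        'Capability_Requirements': substep.get('Capability_Requirements', ''),
        'Detection': detection_types,
        'Adversary': adversary_name,
        'DetectionText': detection_notes,
        'DetectionModifiers': modifiers,
        'Datasources': datasources,
        'Procedure': substep.get('Criteria', ''),
    }


def transpose(contents, adv):
    """Return one flat record per substep for the adversary named *adv*.

    Args:
        contents: The parsed results document (top-level dict).
        adv: ``Adversary_Name`` to select; other adversaries are skipped.

    Returns:
        A list of dicts in document order, empty when *adv* is not present.
    """
    records = []
    for adversary in contents.get('Adversaries', []):
        detadv = adversary.get('Adversary_Name', '')
        if adv != detadv:
            continue
        for scenario in adversary.get('Detections_By_Step', {}).values():
            # Each scenario value maps a label to its list of steps; the label
            # itself is not needed for the output.
            for steps in scenario.values():
                for step in steps:
                    for substep in step.get('Substeps', []):
                        records.append(flatten_substep(substep, detadv))
    return records


def main():
    """Parse the command line, load the file and print one JSON object per substep."""
    try:
        filename = sys.argv[1]
        contents = load_results(filename)
    except Exception as e:  # missing argument, unreadable file or invalid JSON
        _usage(e, 1)
    try:
        adv = sys.argv[2]
    except IndexError as e:
        _usage(e, 2)
    for record in transpose(contents, adv):
        # Keys are sorted so the emitted events are stable across runs.
        print(json.dumps(record, indent=2, sort_keys=True))


if __name__ == '__main__':
    main()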