MITRE have just published the JSON results of their EDR evaluations simulating APT29. However, once again, their structure makes them difficult to Splunk. Use this Python script for easier Splunking.
$ python transpose_mitre_eval_apt29.py file.json > file_for_splunk.json
from __future__ import print_function
from builtins import str
import json
import sys
# Copyright 2020 Jorrit Folmer
# This script is MIT licensed: free to use and provided "as is" without warranty of any kind.
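def _first_tactic_name(technique):
    """Return the TacticName of *technique*'s first tactic, or '' if it has none.

    Indexing ``Tactics[0]`` unconditionally raises IndexError for a technique
    whose Tactics list is empty or absent, which aborted the whole run.
    """
    tactics = technique.get('Tactics') or []
    if not tactics:
        return ''
    return tactics[0].get('TacticName', '')


def _step_record(technique, step):
    """Build one flat, Splunk-friendly dict for a single sub-step.

    Args:
        technique: one entry of the top-level ``Techniques`` list.
        step: one entry of that technique's ``Steps`` list.

    Returns:
        dict with keys Step, Technique, TacticGroup, TechniqueName, Detection,
        DetectionText, DetectionModifiers and Procedure. Detection and
        DetectionText are parallel lists (one entry per detection);
        DetectionModifiers is the concatenation of every detection's Modifiers.
        Technique and TechniqueName are None when the field is missing, as in
        the original output.
    """
    detections = step.get('Detections') or []
    detection_types = [d.get('DetectionType', '') for d in detections]
    detection_notes = [d.get('DetectionNote', '') for d in detections]
    modifiers = []
    for d in detections:
        # A detection may carry several modifiers; flatten them into one list.
        modifiers.extend(d.get('Modifiers') or [])
    return {
        'Step': step.get('SubStep', ''),
        'Technique': technique.get('TechniqueId'),
        'TacticGroup': _first_tactic_name(technique),
        'TechniqueName': technique.get('TechniqueName'),
        'Detection': detection_types,
        'DetectionText': detection_notes,
        'DetectionModifiers': modifiers,
        'Procedure': step.get('Procedure', ''),
    }


def transpose(contents):
    """Yield one flat record per sub-step of every technique in *contents*.

    Args:
        contents: the parsed MITRE evaluation JSON document (a dict with a
            ``Techniques`` list).

    Yields:
        dicts as produced by ``_step_record``, in document order.
    """
    for technique in contents.get('Techniques', []):
        try:
            steps = technique.get('Steps', [])
        except AttributeError:
            # Technique entries that are not mappings are skipped, as before.
            continue
        for step in steps:
            yield _step_record(technique, step)


def main(argv=None):
    """Read the evaluation JSON named on the command line and print records.

    Each record is printed as its own indented JSON object (not one object
    per line), exactly as the original script did.

    Args:
        argv: argument vector; defaults to ``sys.argv``.

    Exits with status 1 and prints a usage line when the filename argument is
    missing, the file cannot be read, or it is not valid JSON.
    """
    argv = sys.argv if argv is None else argv
    try:
        filename = argv[1]
        # ``with`` closes the handle; the original left it open.
        with open(filename) as fh:
            contents = json.load(fh)
    except (IndexError, IOError, OSError, ValueError) as e:
        # IndexError: no argument; IOError/OSError: unreadable file;
        # ValueError: malformed JSON (json.JSONDecodeError subclasses it).
        print("Usage: %s file.json" % argv[0])
        print("")
        print("%s" % str(e))
        sys.exit(1)
    for record in transpose(contents):
        print(json.dumps(record, indent=2, sort_keys=True))


if __name__ == "__main__":
    main()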