Use foreach, inputlookup, subsearch and index

m0rt1f4g0 — Fri, 11 Aug 2023 08:28:04 GMT

Hi Splunkers.
I've been trying for weeks to do the following:

I have a search that outputs a table with MITRE techniques as shown below:

Query

Result

And I have another query that brings me a table with the IDs and names of the Techniques and tactics of MITRE

Query

| inputlookup mitre_lookup
| foreach TA00*
[| lookup mitre_tt_lookup technique_id as <<FIELD>> OUTPUT technique_name as <<FIELD>>_technique_name
| eval <<FIELD>>_technique_name=mvindex(<<FIELD>>_technique_name, 0)
| eval <<FIELD>>=<<FIELD>>_technique_name . " - " . <<FIELD>>]
| fields TA0043,TA0001, TA0002, TA0003, TA0004, TA0005, TA0006, TA0007, TA0008, TA0009, TA0011, TA0010, TA0040, TA0042
| rename TA0043 as "Reconnaissance", TA0042 as "Resource Development", TA0001 as "Initial Access", TA0002 as "Execution", TA0003 as "Persistence", TA0004 as "Privilege Escalation", TA0005 as "Defense Evasion", TA0006 as "Credential Access", TA0007 as "Discovery", TA0008 as "Lateral Movement", TA0009 as "Collection", TA0011 as "Command and Control", TA0010 as "Exfiltration", TA0040 as "Impact"

Result

I would like to search within the MITRE table for the codes_tech of the first query and if Total is greater than 0 I would put the Total and otherwise leave the other IDs at 0

Please, I really need your help, please, please, please...

Re: Use foreach, inputlookup, subsearch and index

m0rt1f4g0 — Fri, 11 Aug 2023 10:15:35 GMT

Merge the queries, but it shows me the following

The query is as follows:

|append [| inputlookup mitre_lookup
| foreach TA00*
[| lookup mitre_tt_lookup technique_id as <<FIELD>> OUTPUT technique_name as <<FIELD>>_technique_name
| eval <<FIELD>>_technique_name=mvindex(<<FIELD>>_technique_name, 0)
| eval <<FIELD>>=<<FIELD>>_technique_name . " - " . <<FIELD>>]
| join type=left codes_tech
[
| rename technique_id as TA0001, search_name as TA0001_rule_name_list, Total as TA0001_max_score ]
| fillnull value=search_name TA0001,TA0001_rule_name_list,TA0001_technique_name
| fillnull value=Total TA0001_attack_count,TA0001_max_score
| eval TA0001=TA0001."|".TA0001_technique_name."|".TA0001_rule_name_list."|".TA0001_max_score
| join type=left codes_tech
[
| rename technique_id as TA0003, search_name as TA0003_rule_name_list, Total as TA0003_max_score ]
| fillnull value=search_name TA0003,TA0003_rule_name_list,TA0003_technique_name
| fillnull value=Total TA0003_attack_count,TA0003_max_score
| eval TA0003=TA0003."|".TA0003_technique_name."|".TA0003_rule_name_list."|".TA0003_max_score]

| rename TA0043 as "Reconnaissance", TA0042 as "Resource Development", TA0001 as "Initial Access", TA0002 as "Execution", TA0003 as "Persistence", TA0004 as "Privilege Escalation", TA0005 as "Defense Evasion", TA0006 as "Credential Access", TA0007 as "Discovery", TA0008 as "Lateral Movement", TA0009 as "Collection", TA0011 as "Command and Control", TA0010 as "Exfiltration", TA0040 as "Impact"

I want the codes_tech data to look for it in the tactics columns and when it finds the codes_tech ID, put the value of search_name and total

topic Re: Use foreach, inputlookup, subsearch and index in Getting Data In

Use foreach, inputlookup, subsearch and index

Re: Use foreach, inputlookup, subsearch and index