Splunk Security Essentials (SSE) - MITRE Data sources lookup malformed
# Version Information
Splunk Security Essentials version: 3.8.1
Splunk Security Essentials build: 1889
Splunk Enterprise Version: 9.3.2
Current MITRE ATT&CK Ver: 16.1
# Issue Description
After an update to the MITRE ATT&CK framework, the Data Sources ID column breaks. It becomes vertically indented by 4, leaving the first 4 columns without an ID, and the subsequent columns are off by 4. There are no additional IDs at the end of the lookup.
This lookup is correctly formatted upon a clean install, as demonstrated below (first and last 5 rows of the `mitre_data_sources.csv` lookup located at `$SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/lookups/mitre_data_sources.csv`).
## Clean Install
- First 5

| Id | Name | Data_Source | Description | Data_Component | Data_Component_Description |
|---|---|---|---|---|---|
| DS0014 | Pod | Pod: Pod Creation | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Creation | Initial construction of a new pod (ex: kubectl apply\|run) |
| DS0014 | Pod | Pod: Pod Modification | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Modification | Changes made to a pod, including its settings and/or control data (ex: kubectl set\|patch\|edit) |
| DS0014 | Pod | Pod: Pod Metadata | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Metadata | Contextual data about a pod and activity around it such as name, ID, namespace, or status |
| DS0014 | Pod | Pod: Pod Enumeration | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Enumeration | An extracted list of pods within a cluster (ex: kubectl get pods) |
| DS0032 | Container | Container: Container Creation | A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container) | Container Creation | Initial construction of a new container (ex: docker create <container_name>) |
- Last 5

| Id | Name | Data_Source | Description | Data_Component | Data_Component_Description |
|---|---|---|---|---|---|
| DS0018 | Firewall | Firewall: Firewall Metadata | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Metadata | Contextual data about a firewall and activity around it such as name, policy, or status |
| DS0018 | Firewall | Firewall: Firewall Disable | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Disable | Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs) |
| DS0018 | Firewall | Firewall: Firewall Rule Modification | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Rule Modification | Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs) |
| DS0018 | Firewall | Firewall: Firewall Enumeration | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Enumeration | An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) |
| DS0011 | Module | Module: Module Load | Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class) | Module Load | Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7) |
## After triggering a `Force Update` of Security Content
- First 5

| Id | Name | Data_Source | Description | Data_Component | Data_Component_Description |
|---|---|---|---|---|---|
| Pod | Pod: Pod Enumeration | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Enumeration | An extracted list of pods within a cluster (ex: kubectl get pods) | |
| Pod | Pod: Pod Metadata | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Metadata | Contextual data about a pod and activity around it such as name, ID, namespace, or status | |
| Pod | Pod: Pod Creation | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Creation | Initial construction of a new pod (ex: kubectl apply\|run) | |
| Pod | Pod: Pod Modification | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Modification | Changes made to a pod, including its settings and/or control data (ex: kubectl set\|patch\|edit) | |
| DS0014 | Container | Container: Container Metadata | A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container) | Container Metadata | Contextual data about a container and activity around it such as name, ID, image, or status |
- Last 5

| Id | Name | Data_Source | Description | Data_Component | Data_Component_Description |
|---|---|---|---|---|---|
| DS0009 | Firewall | Firewall: Firewall Rule Modification | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Rule Modification | Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs) |
| DS0009 | Firewall | Firewall: Firewall Disable | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Disable | Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs) |
| DS0009 | Firewall | Firewall: Firewall Metadata | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Metadata | Contextual data about a firewall and activity around it such as name, policy, or status |
| DS0009 | Firewall | Firewall: Firewall Enumeration | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Enumeration | An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) |
| DS0018 | Module | Module: Module Load | Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class) | Module Load | Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7) |
---
This has occurred consistently on both existing and fresh Splunk installations.
I suspect it's due to an update to MITRE, and the JSON parsers haven't been updated to handle the changes accordingly. This is purely conjecture.
I have been playing about reading Python scripts located at `~/etc/apps/Splunk_Security_Essentials/bin`, but have come across nothing conclusive so far.
---
Please let me know if this is an issue that anyone else has been facing, and if this also affects any of the other MITRE lookups that I haven't yet noticed. If this affected more important lookups such as Detections or Threat Groups, it would considerably affect the app's functionality.
If anybody has any suggestions, or requires any more information, please let me know.
Thanks
- Stanley
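A quick way to confirm the shift described in the post, as an added example that is not part of the original post or of the SSE app: the script below reads an `Id,Name` lookup, flags rows whose `Id` is not a well-formed `DSnnnn` value, and finds the smallest row offset at which the `Id` column lines up with the `Name` column again (0 for a healthy file, 4 for the malformation shown above). The two CSV samples are constructed for illustration; the `ID_RE` pattern and the row-offset heuristic are assumptions, and the checked columns are only `Id` and `Name`.

```python
"""Check the SSE mitre_data_sources.csv lookup for a shifted Id column."""
import csv
import io
import os
import sys
import re

ID_RE = re.compile(r"^DS\d{4}$")  # assumed ATT&CK data source ID shape, e.g. DS0014


def load_lookup(text):
    """Parse lookup CSV text into (Id, Name) pairs in file order."""
    return [((r.get("Id") or ""), (r.get("Name") or "")) for r in csv.DictReader(io.StringIO(text))]


def shift_is_consistent(rows, k):
    """True if each Id belongs to the Name k rows earlier (k=0 means healthy)."""
    # Rows a shift of k would leave without an ID must not carry a valid one.
    if any(ID_RE.match(rid) for rid, _ in rows[:k]):
        return False
    name_to_id, id_to_name = {}, {}
    for i in range(k, len(rows)):
        rid, name = rows[i][0], rows[i - k][1]
        if not ID_RE.match(rid):
            return False
        # A data source maps to exactly one ID and vice versa; a clash means misalignment.
        if name_to_id.setdefault(name, rid) != rid or id_to_name.setdefault(rid, name) != name:
            return False
    return True


def detect_shift(rows, max_shift=10):
    """Smallest row offset at which Ids and Names agree, or None if no offset fits."""
    return next((k for k in range(max_shift + 1) if shift_is_consistent(rows, k)), None)


def bad_id_rows(rows):
    """1-based data row numbers whose Id is missing or not of the DSnnnn form."""
    return [i + 1 for i, (rid, _) in enumerate(rows) if not ID_RE.match(rid)]


# Constructed samples (not the real lookup): a healthy file and one shifted down by 4.
_NAMES = ["Pod"] * 4 + ["Container"] * 3 + ["Firewall"] * 2 + ["Module"]
_IDS = ["DS0014"] * 4 + ["DS0032"] * 3 + ["DS0018"] * 2 + ["DS0011"]
_csv = lambda ids, names: "Id,Name\n" + "".join(f"{i},{n}\n" for i, n in zip(ids, names))
CLEAN_CSV = _csv(_IDS, _NAMES)
SHIFTED_CSV = _csv([""] * 4 + _IDS[:-4], _NAMES)  # first 4 blank, rest off by 4, last 4 lost

if __name__ == "__main__":  # usage: python check_lookup.py [path/to/mitre_data_sources.csv]
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(
        "$SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/lookups/mitre_data_sources.csv")
    with open(path, newline="") as fh:
        rows = load_lookup(fh.read())
    print("rows with bad Id:", bad_id_rows(rows), "| detected shift:", detect_shift(rows))
```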

Hello @Stanley_F, I would suggest filing a support case, as it looks like an issue with the app.
