All Apps and Add-ons

Splunk Security Essentials: 'mvmap' function is unsupported or undefined

unknown_platfor
Engager

Splunk Cloud: v7.2.9

SSE: v3.2.0

In SSE, under Analytics Advisor > MITRE ATT&CK Framework > Available Content > MITRE Att&CK Matrix I am getting the error:

Error in 'eval' command: The 'mvmap' function is unsupported or undefined.
 error.png

 

SPL for search

 

 

| mitremap popular_only="$show_popular_techniques$" content_available=$show_content_available$ groups="$threat_group$" platforms="$mitre_platforms$"
| foreach *
    [ | rex field="<<FIELD>>" "(?<technique_temp>.*) \("
    | eval Technique_nogroups=coalesce(technique_temp,'<<FIELD>>')
    | eval "<<FIELD>> Tactic" = "<<FIELD>>"
    | eval Matrix="Enterprise ATT&CK"
    | eval "Sub-Technique"="-"
    | lookup mitre_environment_count.csv Matrix "Sub-Technique" Technique AS Technique_nogroups, "Tactic" AS "<<FIELD>> Tactic" OUTPUT "Active" "Available" "Needs data" "Data Source"
    | eval "Data Source"=split('Data Source',",")
    | eval "Data Source"=mvfilter($data_sources_selected_filter$)
    | rex field="Data Source" "(?<Data_Source>[^:]*)::(?<Data_Source_Count>.*)"
    | rename Data_Source AS "Data Source"
    | eval Selected=if(in('Data Source',$datasource_selection$) , Data_Source_Count,0)
    | eval Selected=tonumber(coalesce(mvindex(Selected,0,0),0))+tonumber(coalesce(mvindex(Selected,1,1),0))+tonumber(coalesce(mvindex(Selected,2,2),0))+tonumber(coalesce(mvindex(Selected,3,3),0))+tonumber(coalesce(mvindex(Selected,4,4),0))+tonumber(coalesce(mvindex(Selected,5,5),0))+tonumber(coalesce(mvindex(Selected,6,6),0))
    | fields - Technique_nogroups technique_temp "Sub-Technique"
    | eval count = coalesce(count, 1), temp = "t" + count, {temp}='<<FIELD>>', color="#00A9F8", colorby="$colorby$"

    | eval text='<<FIELD>>'
    | eval p0_count=coalesce(Active,0)
    | eval p1_count=coalesce(Available,0)
    | eval p2_count=coalesce('Needs data',0)
    | eval p3_count=coalesce('Selected',0)
    | eval total_count=p0_count+p1_count+p2_count
    | eval opacity=tostring(case(
        colorby="Active",p0_count/20,
        colorby="Available",p1_count/20,
        colorby="Needs data",p2_count/20,
        colorby="Total",total_count/20
        ))
    | eval tooltip="Active: ".p0_count."<br />"."Available: ".p1_count."<br />"."Needs data: ".p2_count."<br />"."Total: ".total_count."<br />"."Selected: ".p3_count
    | eval "<<FIELD>>_Groups"=rtrim(mvindex(split('text', " ("),1),")")
    | eval "Technique"=mvindex(split('text', " ("),0)
    | lookup mitre_matrix_list.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique OUTPUT TechniqueId AS "<<FIELD>>"_TechniqueId 
    | eval IsSubTechnique="Yes"
    | lookup mitre_environment_count.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique IsSubTechnique OUTPUT "Sub-Technique" Active AS Active_SubTechnique Available AS Available_SubTechnique "Needs data" AS "Needs Data_SubTechnique" Sub_Technique_Total AS Total_SubTechnique
    | eval Opacity_SubTechnique=case(
    colorby="Active", mvmap(Active_SubTechnique,Active_SubTechnique/10),
    colorby="Available", mvmap(Available_SubTechnique,Available_SubTechnique/10),
    colorby="Needs data", mvmap('Needs Data_SubTechnique','Needs Data_SubTechnique'/10),
    colorby="Total", mvmap(Total_SubTechnique,Total_SubTechnique/10)
    )
    | eval Color_SubTechnique=mvmap(Active_SubTechnique,'color')
    | eval Active_SubTechniqueJson=mvmap(Active_SubTechnique,"\"Active\": ".Active_SubTechnique),Available_SubTechniqueJson=mvmap(Available_SubTechnique,"\"Available\": ".Available_SubTechnique),NeedsData_SubTechniqueJson=mvmap('Needs Data_SubTechnique',"\"Needs Data\": ".'Needs Data_SubTechnique'),Total_SubTechniqueJson=mvmap('Total_SubTechnique',"\"Total\": ".'Total_SubTechnique'),Color_SubTechniqueJson=mvmap('Color_SubTechnique',"\"Color\": \"".'Color_SubTechnique'."\""),Opacity_SubTechniqueJson=mvmap('Opacity_SubTechnique',"\"Opacity\": ".'Opacity_SubTechnique') 
    | eval SubTechniqueValuesMerge=mvzip(Active_SubTechniqueJson,mvzip(Available_SubTechniqueJson,mvzip(NeedsData_SubTechniqueJson,mvzip(Color_SubTechniqueJson,mvzip(Opacity_SubTechniqueJson,Total_SubTechniqueJson))))) 
    | eval Sub_Technique=coalesce(",\"Sub_Techniques\": {".mvjoin(mvzip(mvmap('Sub-Technique',"\"".'Sub-Technique'."\""),mvmap(SubTechniqueValuesMerge, "{".SubTechniqueValuesMerge."}"),": "),",")."}","") 
    | fields - *_SubTechniqueJson  Active_SubTechnique Available_SubTechnique "Needs Data_SubTechnique" "Sub-Technique" IsSubTechnique SubTechniqueValuesMerge *_SubTechnique 
    
    | eval "<<FIELD>>_TechniqueId"=mvdedup('<<FIELD>>_TechniqueId') 
    | eval "<<FIELD>>" = if(text!="",mvappend("TechniqueId: ".'<<FIELD>>_TechniqueId',"Technique: ".Technique,"Color: ".color,"Opacity: ".opacity,"Active: ".p0_count,"Available: ".p1_count,"Needs data: ".p2_count,"Total: ".total_count,"Selected: ".p3_count,"Groups: ".'<<FIELD>>_Groups'),null) 
    | eval "<<FIELD>>"="{".mvjoin(mvmap('<<FIELD>>',"\"".mvindex(split('<<FIELD>>',": "),0)."\": \"".mvindex(split('<<FIELD>>',": "),1)."\""),",").Sub_Technique."}"
    | eval count = count + 1 
        ]
        | fields - temp count Active Available "Needs data" tooltip *Tactic color colorby opacity p0* p1* p2* t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 t17 t18 text total_count "Data Source" Data_Source_Count Selected p3_count Matrix *_TechniqueId *_Groups Technique "Sub-Technique" Sub_Technique

 

 

Labels (1)
Tags (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

@unknown_platfor 

mvmap is a Splunk 8 eval function, so will not work on that version 7.2.9

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

@unknown_platfor 

mvmap is a Splunk 8 eval function, so will not work on that version 7.2.9

unknown_platfor
Engager

@bowesmana   I didn't realize that.  Thank you!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...