Splunk Cloud: v7.2.9
SSE: v3.2.0
In SSE, under Analytics Advisor > MITRE ATT&CK Framework > Available Content > MITRE Att&CK Matrix, I am getting the error:
```Dashboard panel search (SSE "MITRE ATT&CK Matrix"). For every column returned by mitremap it rewrites each cell into a JSON object string holding the technique's id, colour/opacity, environment coverage counts and its sub-techniques.```
```All dollar-delimited tokens are presumably bound to dashboard inputs — confirm against the dashboard XML; nothing here validates them.```
| mitremap popular_only="$show_popular_techniques$" content_available=$show_content_available$ groups="$threat_group$" platforms="$mitre_platforms$"
```Loop over every field of each row; the field name appears to be a tactic name, since it is used as the Tactic lookup key below — verify against mitremap's output columns.```
| foreach *
[ | rex field="<<FIELD>>" "(?<technique_temp>.*) \("
```Technique name is the text before " ("; when the cell has no "(" the whole cell value is used.```
| eval Technique_nogroups=coalesce(technique_temp,'<<FIELD>>')
| eval "<<FIELD>> Tactic" = "<<FIELD>>"
```Constant lookup keys: the Enterprise matrix, and "-" selects the technique-level (non-sub-technique) row of mitre_environment_count.csv.```
| eval Matrix="Enterprise ATT&CK"
| eval "Sub-Technique"="-"
| lookup mitre_environment_count.csv Matrix "Sub-Technique" Technique AS Technique_nogroups, "Tactic" AS "<<FIELD>> Tactic" OUTPUT "Active" "Available" "Needs data" "Data Source"
```"Data Source" is a comma-separated list of name::count pairs; split it into a multivalue field.```
| eval "Data Source"=split('Data Source',",")
```NOTE(review): the token is spliced in verbatim as the mvfilter() predicate, so its value must already be a valid eval expression — presumably it is assembled by the dashboard itself rather than typed by a user; confirm where it is set.```
| eval "Data Source"=mvfilter($data_sources_selected_filter$)
| rex field="Data Source" "(?<Data_Source>[^:]*)::(?<Data_Source_Count>.*)"
| rename Data_Source AS "Data Source"
```Same pattern as above: the token is the raw argument list of in(); it has to expand to quoted, comma-separated values.```
| eval Selected=if(in('Data Source',$datasource_selection$) , Data_Source_Count,0)
```Sums only the first seven values of Selected (mvindex 0..6); an eighth selected data source and beyond is silently ignored.```
| eval Selected=tonumber(coalesce(mvindex(Selected,0,0),0))+tonumber(coalesce(mvindex(Selected,1,1),0))+tonumber(coalesce(mvindex(Selected,2,2),0))+tonumber(coalesce(mvindex(Selected,3,3),0))+tonumber(coalesce(mvindex(Selected,4,4),0))+tonumber(coalesce(mvindex(Selected,5,5),0))+tonumber(coalesce(mvindex(Selected,6,6),0))
| fields - Technique_nogroups technique_temp "Sub-Technique"
```count numbers the columns processed so far; {temp} creates a working field t1, t2, ... holding the original cell. colorby comes from a dashboard token and drives the opacity case() below.```
| eval count = coalesce(count, 1), temp = "t" + count, {temp}='<<FIELD>>', color="#00A9F8", colorby="$colorby$"
| eval text='<<FIELD>>'
```Missing lookup matches become 0. total_count deliberately excludes p3_count (Selected).```
| eval p0_count=coalesce(Active,0)
| eval p1_count=coalesce(Available,0)
| eval p2_count=coalesce('Needs data',0)
| eval p3_count=coalesce('Selected',0)
| eval total_count=p0_count+p1_count+p2_count
```Opacity scales the chosen count by 1/20 for techniques (sub-techniques use 1/10 below); no branch matches an unknown colorby, leaving opacity null.```
| eval opacity=tostring(case(
colorby="Active",p0_count/20,
colorby="Available",p1_count/20,
colorby="Needs data",p2_count/20,
colorby="Total",total_count/20
))
```Tooltip is an HTML fragment rendered by the visualization.```
| eval tooltip="Active: ".p0_count."<br />"."Available: ".p1_count."<br />"."Needs data: ".p2_count."<br />"."Total: ".total_count."<br />"."Selected: ".p3_count
```Groups is the parenthesised suffix of the cell ("Technique (Group1, Group2)"); Technique is the part before " (".```
| eval "<<FIELD>>_Groups"=rtrim(mvindex(split('text', " ("),1),")")
| eval "Technique"=mvindex(split('text', " ("),0)
| lookup mitre_matrix_list.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique OUTPUT TechniqueId AS "<<FIELD>>"_TechniqueId
```Second pass against the environment counts returns the multivalue list of sub-techniques and their counts for this technique.```
| eval IsSubTechnique="Yes"
| lookup mitre_environment_count.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique IsSubTechnique OUTPUT "Sub-Technique" Active AS Active_SubTechnique Available AS Available_SubTechnique "Needs data" AS "Needs Data_SubTechnique" Sub_Technique_Total AS Total_SubTechnique
```mvmap() is an eval function introduced in Splunk 8.0; it is not available on 7.2.9, so from here on the search cannot parse on that version.```
| eval Opacity_SubTechnique=case(
colorby="Active", mvmap(Active_SubTechnique,Active_SubTechnique/10),
colorby="Available", mvmap(Available_SubTechnique,Available_SubTechnique/10),
colorby="Needs data", mvmap('Needs Data_SubTechnique','Needs Data_SubTechnique'/10),
colorby="Total", mvmap(Total_SubTechnique,Total_SubTechnique/10)
)
```One colour entry per sub-technique so that the mvzip chain below lines up element by element.```
| eval Color_SubTechnique=mvmap(Active_SubTechnique,'color')
```JSON is assembled by string concatenation with no escaping; a sub-technique name or value containing a double quote or backslash would yield malformed JSON — this appears to rely on the lookup CSVs being clean.```
| eval Active_SubTechniqueJson=mvmap(Active_SubTechnique,"\"Active\": ".Active_SubTechnique),Available_SubTechniqueJson=mvmap(Available_SubTechnique,"\"Available\": ".Available_SubTechnique),NeedsData_SubTechniqueJson=mvmap('Needs Data_SubTechnique',"\"Needs Data\": ".'Needs Data_SubTechnique'),Total_SubTechniqueJson=mvmap('Total_SubTechnique',"\"Total\": ".'Total_SubTechnique'),Color_SubTechniqueJson=mvmap('Color_SubTechnique',"\"Color\": \"".'Color_SubTechnique'."\""),Opacity_SubTechniqueJson=mvmap('Opacity_SubTechnique',"\"Opacity\": ".'Opacity_SubTechnique')
```mvzip joins the per-sub-technique fragments with "," so each element becomes one comma-separated member list.```
| eval SubTechniqueValuesMerge=mvzip(Active_SubTechniqueJson,mvzip(Available_SubTechniqueJson,mvzip(NeedsData_SubTechniqueJson,mvzip(Color_SubTechniqueJson,mvzip(Opacity_SubTechniqueJson,Total_SubTechniqueJson)))))
```Yields ',"Sub_Techniques": {"name": {...}, ...}' or the empty string when the technique has no sub-techniques.```
| eval Sub_Technique=coalesce(",\"Sub_Techniques\": {".mvjoin(mvzip(mvmap('Sub-Technique',"\"".'Sub-Technique'."\""),mvmap(SubTechniqueValuesMerge, "{".SubTechniqueValuesMerge."}"),": "),",")."}","")
| fields - *_SubTechniqueJson Active_SubTechnique Available_SubTechnique "Needs Data_SubTechnique" "Sub-Technique" IsSubTechnique SubTechniqueValuesMerge *_SubTechnique
```The TechniqueId lookup can return duplicates; collapse them before building the cell.```
| eval "<<FIELD>>_TechniqueId"=mvdedup('<<FIELD>>_TechniqueId')
```Rebuild the cell as "key: value" pairs (null when the cell was empty), then convert those pairs into a JSON object string and append the sub-technique object. Values are quoted but not escaped — same caveat as above.```
| eval "<<FIELD>>" = if(text!="",mvappend("TechniqueId: ".'<<FIELD>>_TechniqueId',"Technique: ".Technique,"Color: ".color,"Opacity: ".opacity,"Active: ".p0_count,"Available: ".p1_count,"Needs data: ".p2_count,"Total: ".total_count,"Selected: ".p3_count,"Groups: ".'<<FIELD>>_Groups'),null)
| eval "<<FIELD>>"="{".mvjoin(mvmap('<<FIELD>>',"\"".mvindex(split('<<FIELD>>',": "),0)."\": \"".mvindex(split('<<FIELD>>',": "),1)."\""),",").Sub_Technique."}"
| eval count = count + 1
]
```Drop all working fields. The t1..t18 list is hard-coded, so a 19th or later column would leave its tN field in the output.```
| fields - temp count Active Available "Needs data" tooltip *Tactic color colorby opacity p0* p1* p2* t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 t17 t18 text total_count "Data Source" Data_Source_Count Selected p3_count Matrix *_TechniqueId *_Groups Technique "Sub-Technique" Sub_Technique
mvmap is a Splunk 8 eval function, so it will not work on version 7.2.9.
@bowesmana I didn't realize that. Thank you!