Solved: Splunk Security Essentials: 'mvmap' function is un...

unknown_platfor · ‎11-08-2020

Splunk Cloud: v7.2.9

SSE: v3.2.0

In SSE, under Analytics Advisor > MITRE ATT&CK Framework > Available Content > MITRE Att&CK Matrix I am getting the error:

Error in 'eval' command: The 'mvmap' function is unsupported or undefined.

SPL for search

| mitremap popular_only="$show_popular_techniques$" content_available=$show_content_available$ groups="$threat_group$" platforms="$mitre_platforms$"
| foreach *
    [ | rex field="<<FIELD>>" "(?<technique_temp>.*) \("
    | eval Technique_nogroups=coalesce(technique_temp,'<<FIELD>>')
    | eval "<<FIELD>> Tactic" = "<<FIELD>>"
    | eval Matrix="Enterprise ATT&CK"
    | eval "Sub-Technique"="-"
    | lookup mitre_environment_count.csv Matrix "Sub-Technique" Technique AS Technique_nogroups, "Tactic" AS "<<FIELD>> Tactic" OUTPUT "Active" "Available" "Needs data" "Data Source"
    | eval "Data Source"=split('Data Source',",")
    | eval "Data Source"=mvfilter($data_sources_selected_filter$)
    | rex field="Data Source" "(?<Data_Source>[^:]*)::(?<Data_Source_Count>.*)"
    | rename Data_Source AS "Data Source"
    | eval Selected=if(in('Data Source',$datasource_selection$) , Data_Source_Count,0)
    | eval Selected=tonumber(coalesce(mvindex(Selected,0,0),0))+tonumber(coalesce(mvindex(Selected,1,1),0))+tonumber(coalesce(mvindex(Selected,2,2),0))+tonumber(coalesce(mvindex(Selected,3,3),0))+tonumber(coalesce(mvindex(Selected,4,4),0))+tonumber(coalesce(mvindex(Selected,5,5),0))+tonumber(coalesce(mvindex(Selected,6,6),0))
    | fields - Technique_nogroups technique_temp "Sub-Technique"
    | eval count = coalesce(count, 1), temp = "t" + count, {temp}='<<FIELD>>', color="#00A9F8", colorby="$colorby$"

    | eval text='<<FIELD>>'
    | eval p0_count=coalesce(Active,0)
    | eval p1_count=coalesce(Available,0)
    | eval p2_count=coalesce('Needs data',0)
    | eval p3_count=coalesce('Selected',0)
    | eval total_count=p0_count+p1_count+p2_count
    | eval opacity=tostring(case(
        colorby="Active",p0_count/20,
        colorby="Available",p1_count/20,
        colorby="Needs data",p2_count/20,
        colorby="Total",total_count/20
        ))
    | eval tooltip="Active: ".p0_count."<br />"."Available: ".p1_count."<br />"."Needs data: ".p2_count."<br />"."Total: ".total_count."<br />"."Selected: ".p3_count
    | eval "<<FIELD>>_Groups"=rtrim(mvindex(split('text', " ("),1),")")
    | eval "Technique"=mvindex(split('text', " ("),0)
    | lookup mitre_matrix_list.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique OUTPUT TechniqueId AS "<<FIELD>>"_TechniqueId 
    | eval IsSubTechnique="Yes"
    | lookup mitre_environment_count.csv Matrix Tactic AS "<<FIELD>> Tactic" Technique IsSubTechnique OUTPUT "Sub-Technique" Active AS Active_SubTechnique Available AS Available_SubTechnique "Needs data" AS "Needs Data_SubTechnique" Sub_Technique_Total AS Total_SubTechnique
    | eval Opacity_SubTechnique=case(
    colorby="Active", mvmap(Active_SubTechnique,Active_SubTechnique/10),
    colorby="Available", mvmap(Available_SubTechnique,Available_SubTechnique/10),
    colorby="Needs data", mvmap('Needs Data_SubTechnique','Needs Data_SubTechnique'/10),
    colorby="Total", mvmap(Total_SubTechnique,Total_SubTechnique/10)
    )
    | eval Color_SubTechnique=mvmap(Active_SubTechnique,'color')
    | eval Active_SubTechniqueJson=mvmap(Active_SubTechnique,"\"Active\": ".Active_SubTechnique),Available_SubTechniqueJson=mvmap(Available_SubTechnique,"\"Available\": ".Available_SubTechnique),NeedsData_SubTechniqueJson=mvmap('Needs Data_SubTechnique',"\"Needs Data\": ".'Needs Data_SubTechnique'),Total_SubTechniqueJson=mvmap('Total_SubTechnique',"\"Total\": ".'Total_SubTechnique'),Color_SubTechniqueJson=mvmap('Color_SubTechnique',"\"Color\": \"".'Color_SubTechnique'."\""),Opacity_SubTechniqueJson=mvmap('Opacity_SubTechnique',"\"Opacity\": ".'Opacity_SubTechnique') 
    | eval SubTechniqueValuesMerge=mvzip(Active_SubTechniqueJson,mvzip(Available_SubTechniqueJson,mvzip(NeedsData_SubTechniqueJson,mvzip(Color_SubTechniqueJson,mvzip(Opacity_SubTechniqueJson,Total_SubTechniqueJson))))) 
    | eval Sub_Technique=coalesce(",\"Sub_Techniques\": {".mvjoin(mvzip(mvmap('Sub-Technique',"\"".'Sub-Technique'."\""),mvmap(SubTechniqueValuesMerge, "{".SubTechniqueValuesMerge."}"),": "),",")."}","") 
    | fields - *_SubTechniqueJson  Active_SubTechnique Available_SubTechnique "Needs Data_SubTechnique" "Sub-Technique" IsSubTechnique SubTechniqueValuesMerge *_SubTechnique 
    
    | eval "<<FIELD>>_TechniqueId"=mvdedup('<<FIELD>>_TechniqueId') 
    | eval "<<FIELD>>" = if(text!="",mvappend("TechniqueId: ".'<<FIELD>>_TechniqueId',"Technique: ".Technique,"Color: ".color,"Opacity: ".opacity,"Active: ".p0_count,"Available: ".p1_count,"Needs data: ".p2_count,"Total: ".total_count,"Selected: ".p3_count,"Groups: ".'<<FIELD>>_Groups'),null) 
    | eval "<<FIELD>>"="{".mvjoin(mvmap('<<FIELD>>',"\"".mvindex(split('<<FIELD>>',": "),0)."\": \"".mvindex(split('<<FIELD>>',": "),1)."\""),",").Sub_Technique."}"
    | eval count = count + 1 
        ]
        | fields - temp count Active Available "Needs data" tooltip *Tactic color colorby opacity p0* p1* p2* t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 t17 t18 text total_count "Data Source" Data_Source_Count Selected p3_count Matrix *_TechniqueId *_Groups Technique "Sub-Technique" Sub_Technique

bowesmana · ‎11-08-2020

@unknown_platfor

mvmap is a Splunk 8 eval function, so will not work on that version 7.2.9

View solution in original post

bowesmana · ‎11-08-2020

@unknown_platfor

mvmap is a Splunk 8 eval function, so will not work on that version 7.2.9

unknown_platfor · ‎11-10-2020

@bowesmana I didn't realize that. Thank you!

Splunk Security Essentials: 'mvmap' function is unsupported or undefined

configuration

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk