Hi all,

First of all, I realize this is achievable using Security Essentials, however we have a lot of manually created correlation searches and so need to add them manually - seems more work than creating a new search such as this.

I have two lookup tables; 'MitreFramework.csv' which is a copy-paste of the Mitre Att&ck Matrix from https://attack.mitre.org, and 'mitre_enrichment.csv' which simply contains the technique names and their mitre_ids (fields are named exactly like this.)

I have also annotated all of our correlation searches with their respective Mitre technique ID into up to three columns, export of which in a search shown below.


I'm trying to compare the Mitre Technique ID's as above with the mitre_id field in the mitre_enrichment.csv lookup, to then get the corresponding 'technique' name, and then search for that technique field in the 'Mitre Framework.csv' lookup. If it exists, something happens to a table of the Mitre Framework to indicate that is it being covered (even appending a number of 1 to the cell, or only showing the cells which are matched would be okay).

I know... this is a bit complicated, I'm hoping someone with more experience can see the logic and assist. Search for simply exporting the Mitre framework and annotations from the correlation rules is below. 'CHR' is simply part of the naming convention we use for all our rules;

| inputlookup MitreFramework.csv
| append
[| rest splunk_server=local count=0 /services/saved/searches
| where disabled!=1
| search action.correlationsearch.label="CHR*"
| rex field="action.correlationsearch.annotations" "^.*attack\":\[\"(?<Mitre1>T\d+)\"]?"
| rex field="action.correlationsearch.annotations" "^.*attack\":\[\"T\d+\",\"(?<Mitre2>T\d+)\""
| rex field="action.correlationsearch.annotations" "^.*attack\":\[\"T\d+\",\"T\d+\",\"(?<Mitre3>T\d+?)\""
| table action.correlationsearch.label Mitre1 Mitre2 Mitre3
| rename action.correlationsearch.label as "Rule Name" Mitre1 as "Mitre Technique 1" Mitre2 as "Mitre Technique 2" Mitre3 as "Mitre Technique 3"]