# Version Information

- Splunk Security Essentials version: 3.8.1
- Splunk Security Essentials build: 1889
- Splunk Enterprise Version: 9.3.2
- Current MITRE ATT&CK Ver: 16.1

# Issue Description

After an update to the MITRE ATT&CK framework, the Data Sources ID column breaks. It becomes vertically indented by 4, leaving the first 4 columns without an ID, and the subsequent columns are off by 4. There are no additional IDs at the end of the lookup.

This lookup is correctly formatted upon a clean install as demonstrated below (First and Last 5 rows of the `mitre_data_sources.csv` lookup located at `$SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/lookups/mitre_data_sources.csv`).

## Clean Install

### First 5

| Id | Name | Data_Source | Description | Data_Component | Data_Component_Description |
|---|---|---|---|---|---|
| DS0014 | Pod | Pod: Pod Creation | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Creation | Initial construction of a new pod (ex: kubectl apply\|run) |
| DS0014 | Pod | Pod: Pod Modification | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Modification | Changes made to a pod, including its settings and/or control data (ex: kubectl set\|patch\|edit) |
| DS0014 | Pod | Pod: Pod Metadata | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Metadata | Contextual data about a pod and activity around it such as name, ID, namespace, or status |
| DS0014 | Pod | Pod: Pod Enumeration | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Enumeration | An extracted list of pods within a cluster (ex: kubectl get pods) |
| DS0032 | Container | Container: Container Creation | A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container) | Container Creation | Initial construction of a new container (ex: docker create <container_name>) |

### Last 5

| Id | Name | Data_Source | Description | Data_Component | Data_Component_Description |
|---|---|---|---|---|---|
| DS0018 | Firewall | Firewall: Firewall Metadata | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Metadata | Contextual data about a firewall and activity around it such as name, policy, or status |
| DS0018 | Firewall | Firewall: Firewall Disable | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Disable | Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs) |
| DS0018 | Firewall | Firewall: Firewall Rule Modification | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Rule Modification | Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs) |
| DS0018 | Firewall | Firewall: Firewall Enumeration | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Enumeration | An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) |
| DS0011 | Module | Module: Module Load | Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class) | Module Load | Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7) |

## After triggering a `Force Update` of Security Content

### First 5

| Id | Name | Data_Source | Description | Data_Component | Data_Component_Description |
|---|---|---|---|---|---|
| | Pod | Pod: Pod Enumeration | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Enumeration | An extracted list of pods within a cluster (ex: kubectl get pods) |
| | Pod | Pod: Pod Metadata | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Metadata | Contextual data about a pod and activity around it such as name, ID, namespace, or status |
| | Pod | Pod: Pod Creation | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Creation | Initial construction of a new pod (ex: kubectl apply\|run) |
| | Pod | Pod: Pod Modification | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Modification | Changes made to a pod, including its settings and/or control data (ex: kubectl set\|patch\|edit) |
| DS0014 | Container | Container: Container Metadata | A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container) | Container Metadata | Contextual data about a container and activity around it such as name, ID, image, or status |

### Last 5

| Id | Name | Data_Source | Description | Data_Component | Data_Component_Description |
|---|---|---|---|---|---|
| DS0009 | Firewall | Firewall: Firewall Rule Modification | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Rule Modification | Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs) |
| DS0009 | Firewall | Firewall: Firewall Disable | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Disable | Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs) |
| DS0009 | Firewall | Firewall: Firewall Metadata | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Metadata | Contextual data about a firewall and activity around it such as name, policy, or status |
| DS0009 | Firewall | Firewall: Firewall Enumeration | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Enumeration | An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) |
| DS0018 | Module | Module: Module Load | Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class) | Module Load | Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7) |

---

This has occurred consistently on both existing and fresh Splunk installations. I suspect it's due to an update to MITRE, and the JSON parsers haven't been updated to handle the changes accordingly. This is purely conjecture. I have been playing about reading Python scripts located at `~/etc/apps/Splunk_Security_Essentials/bin`, but have come across nothing conclusive so far.

---

Please let me know if this is an issue that anyone else has been facing, and if this also affects any of the other MITRE lookups that I haven't yet noticed. If this affected more important lookups such as Detections or Threat Groups, this would considerably affect the app functionality.

If anybody has any suggestions, or requires any more information, please let me know.

Thanks - Stanley
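The symptom described in the post (blank Ids at the top, every remaining Id belonging to the row four places above it, the last four Ids gone) can be checked mechanically rather than by eyeballing the first and last five rows. The script below is an added example and is not code from the post or from the Splunk Security Essentials app. It parses a lookup in the same six-column layout, flags rows with a blank `Id`, flags any `Name` that carries more than one `Id` (or any `Id` shared by several names), and then tests the "off by N" hypothesis by moving the `Id` column back up by the number of leading blanks and re-running the consistency check. The sample rows are constructed with shortened descriptions; the Ids and names follow the clean-install excerpt above. The file path used when run from the command line is the one the post names, and the `shift_ids` helper only exists to simulate the observed breakage for the self-test.

```python
import csv
import io
import sys
from collections import defaultdict

# Column order of mitre_data_sources.csv as shown in the post.
COLUMNS = ["Id", "Name", "Data_Source", "Description",
           "Data_Component", "Data_Component_Description"]

# Constructed sample (descriptions shortened; Ids/names as in the clean-install
# excerpt).  Not the real lookup file.
CLEAN_CSV = """Id,Name,Data_Source,Description,Data_Component,Data_Component_Description
DS0014,Pod,Pod: Pod Creation,A single unit of shared resources within a cluster,Pod Creation,Initial construction of a new pod
DS0014,Pod,Pod: Pod Modification,A single unit of shared resources within a cluster,Pod Modification,Changes made to a pod
DS0014,Pod,Pod: Pod Metadata,A single unit of shared resources within a cluster,Pod Metadata,Contextual data about a pod
DS0014,Pod,Pod: Pod Enumeration,A single unit of shared resources within a cluster,Pod Enumeration,An extracted list of pods
DS0032,Container,Container: Container Creation,A standard unit of virtualized software,Container Creation,Initial construction of a new container
DS0032,Container,Container: Container Metadata,A standard unit of virtualized software,Container Metadata,Contextual data about a container
DS0018,Firewall,Firewall: Firewall Metadata,A network security system,Firewall Metadata,Contextual data about a firewall
DS0018,Firewall,Firewall: Firewall Disable,A network security system,Firewall Disable,Deactivation or stoppage of a cloud service
DS0018,Firewall,Firewall: Firewall Rule Modification,A network security system,Firewall Rule Modification,Changes made to a firewall rule
DS0018,Firewall,Firewall: Firewall Enumeration,A network security system,Firewall Enumeration,An extracted list of available firewalls
DS0011,Module,Module: Module Load,Executable files consisting of shared classes,Module Load,Attaching a module into the memory of a process
"""


def load_rows(csv_text):
    """Parse lookup text (header row + data rows) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def shift_ids(rows, offset):
    """Simulate the breakage from the post: every Id moves down `offset` rows,
    the first `offset` rows lose their Id, the last `offset` Ids fall off."""
    ids = [r["Id"] for r in rows]
    moved = [""] * offset + ids[:len(ids) - offset]
    return [dict(r, Id=new_id) for r, new_id in zip(rows, moved)]


def check_lookup(rows):
    """Validate Id/Name alignment and return a report dict."""
    blank = [i for i, r in enumerate(rows) if not r["Id"].strip()]
    name_ids, id_names = defaultdict(set), defaultdict(set)
    for r in rows:
        if r["Id"].strip():
            name_ids[r["Name"]].add(r["Id"])
            id_names[r["Id"]].add(r["Name"])
    leading = 0
    for r in rows:                      # blanks at the very top of the file
        if r["Id"].strip():
            break
        leading += 1
    multi_ids = {n: sorted(s) for n, s in name_ids.items() if len(s) > 1}
    multi_names = {i: sorted(s) for i, s in id_names.items() if len(s) > 1}
    return {
        "blank_id_rows": blank,
        "leading_blank_ids": leading,
        "names_with_multiple_ids": multi_ids,
        "ids_with_multiple_names": multi_names,
        "ok": not blank and not multi_ids and not multi_names,
    }


def shift_hypothesis_holds(rows):
    """Test whether the Id column is simply displaced by the number of leading
    blank Ids: move every Id back up by that amount and re-check consistency.
    Rows whose Ids fell off the end are excluded (zip truncates the tail).
    Returns (offset, holds)."""
    offset = check_lookup(rows)["leading_blank_ids"]
    if offset == 0:
        return 0, check_lookup(rows)["ok"]
    ids = [r["Id"] for r in rows][offset:]
    restored = [dict(r, Id=i) for r, i in zip(rows, ids)]
    return offset, check_lookup(restored)["ok"]


if __name__ == "__main__":
    # Usage: python check_lookup.py [path-to-mitre_data_sources.csv]
    # Without a path, run the self-test on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="", encoding="utf-8") as fh:
            rows = load_rows(fh.read())
    else:
        rows = shift_ids(load_rows(CLEAN_CSV), 4)   # reproduce the report
    report = check_lookup(rows)
    for key, value in report.items():
        print(f"{key}: {value}")
    offset, holds = shift_hypothesis_holds(rows)
    print(f"Id column displaced by {offset} row(s): "
          f"{'consistent with a plain shift' if holds else 'not a plain shift'}")
```

Run against the real lookup after a Force Update, a non-empty `names_with_multiple_ids` (for example a single data source carrying two different `DS` numbers) is a stronger signal than the blank rows alone, because it shows the displaced Ids are attached to the wrong rows rather than merely missing. A `holds` result of `True` backs up the post's reading that this is a positional shift of one column; `False` would point at a different parser problem.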