This app for Splunk accompanies two blog posts about the MITRE ATT&CK Endpoint Detection and Response (EDR) evaluation results for:
- APT3
- APT29
- Carbanak+FIN7
- Wizard Spider + Sandworm
It shows data and dashboards built from the JSON data published with the MITRE ATT&CK evaluations, to make it easier to play with the EDR evaluation results. The JSON files from MITRE weren't that friendly for slicing and dicing in Splunk, so I wrote a Python script to transpose them for APT3, APT29 and Carbanak+FIN7, and included the transposed data in this app for onboarding in Splunk.
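The transposition step is the part that makes the evaluation data usable in Splunk: the nested vendor/technique/step/detection structure has to become one flat event per detection, so that the ordinary stats commands can count and pivot on it. The script below is an added example, not the app's own script, and the input shape (`Vendor`, `Techniques`, `Steps`, `Detections`) and the detection category names and their ranking are assumptions made up for this example; the real MITRE files differ in field names and layout.

```python
import json
from collections import Counter

# Constructed sample in a hypothetical shape (not the real MITRE file layout).
SAMPLE_RESULTS = json.loads("""
{
  "Vendor": "ExampleVendor",
  "Techniques": [
    {"TechniqueId": "T1059", "Steps": [
      {"StepId": "1.A.1", "Detections": ["Telemetry", "General Behavior"]},
      {"StepId": "1.A.2", "Detections": ["None"]}
    ]},
    {"TechniqueId": "T1003", "Steps": [
      {"StepId": "2.B.1", "Detections": ["Telemetry", "Specific Behavior", "Enrichment"]},
      {"StepId": "2.B.2", "Detections": ["Indicator of Compromise"]}
    ]}
  ]
}
""")

# Assumed ordering from weakest to strongest detection; the highest-ranked
# category seen for a step is treated as that step's "main" detection type.
DETECTION_RANK = [
    "None", "Telemetry", "Indicator of Compromise",
    "Enrichment", "General Behavior", "Specific Behavior",
]
RANK = {name: i for i, name in enumerate(DETECTION_RANK)}


def flatten(results):
    """Transpose nested results into one flat record per (step, detection type)."""
    rows = []
    vendor = results["Vendor"]
    for technique in results["Techniques"]:
        for step in technique["Steps"]:
            for detection in step["Detections"]:
                rows.append({
                    "vendor": vendor,
                    "technique_id": technique["TechniqueId"],
                    "step_id": step["StepId"],
                    "detection_type": detection,
                })
    return rows


def main_detection_per_step(rows):
    """Pick the highest-ranked detection type for each (vendor, step)."""
    best = {}
    for row in rows:
        key = (row["vendor"], row["step_id"])
        # Unknown category names get rank -1 so they never beat a known one.
        rank = RANK.get(row["detection_type"], -1)
        if key not in best or rank > RANK.get(best[key], -1):
            best[key] = row["detection_type"]
    return best


def count_by_main_detection(rows):
    """Number of steps per main detection type: the data behind the bar chart."""
    return Counter(main_detection_per_step(rows).values())


def to_ndjson(rows):
    """One JSON object per line, the form that is easiest to onboard in Splunk."""
    return "\n".join(json.dumps(row, sort_keys=True) for row in rows) + "\n"


if __name__ == "__main__":
    flat = flatten(SAMPLE_RESULTS)
    print(to_ndjson(flat), end="")
    print(dict(count_by_main_detection(flat)))
```

Writing the flat records as newline-delimited JSON means each line becomes one event with `vendor`, `technique_id`, `step_id` and `detection_type` as fields, which is what a per-step or per-detection-type count in Splunk needs.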
- Install from Splunkbase (or git clone from GitHub; if you download the .zip file, please remember to rename the directory to "EDRevals")
- Look at the dashboards and draw your own conclusions
- If unsatisfied, create your own queries
- (Optionally drop me a line about your own query adventures.)
The opinionated bar chart below shows how many of the APT3 steps were detected by which main detection type. For more information about the main detection types see the MITRE explanation
More charts are available in the companion EDR evaluation results posts for APT3 and APT29.
The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK Evaluations for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.
"(C) 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation."
DISCLAIMERS
MITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques or variations on existing techniques not documented by ATT&CK.
ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.