jorritfolmer/EDRevals

Splunk app to compare Endpoint Detection and Response solutions based on MITRE ATT&CK evaluations (APT3, APT29, Carbanak + FIN7, Wizard Spider + Sandworm)

EDR evaluation app for Splunk

This app for Splunk accompanies two blog posts about the MITRE ATT&CK Endpoint Detection and Response (EDR) evaluation results for:

  1. APT3
  2. APT29
  3. Carbanak + FIN7
  4. Wizard Spider + Sandworm

It shows data and dashboards built from the JSON data published with the MITRE ATT&CK evaluations.

Why does this Splunk app exist?

To make it easier to play with the EDR evaluation results. The JSON files from MITRE weren't that friendly for slicing and dicing in Splunk, so I wrote a Python script to transpose them for APT3, APT29 and Carbanak + FIN7, and included the resulting data in this app for onboarding into Splunk.

How do I use this app?

  1. Install from Splunkbase, or git clone from GitHub. If you download the .zip file, remember to rename the directory to "EDRevals".
  2. Look at the dashboards and draw your own conclusions
  3. If unsatisfied, create your own queries
  4. (Optionally drop me a line about your own query adventures.)

Example

The opinionated bar chart below shows how many of the APT3 steps were detected by which main detection type. For more information about the main detection types, see the MITRE explanation.

(screenshot: bar chart of APT3 steps per main detection type)

More charts are available in the companion EDR evaluation results post for APT3 or APT29.
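The two steps the README describes, transposing the nested evaluation JSON into flat per-detection events for Splunk and then counting how many steps land in each main detection type, as an added example. This is not the app's own script: the JSON layout (`vendor`, `techniques`, `steps`, `detections` keys), the sample record and the best-to-worst ordering of detection types are all assumptions made for this illustration, not the schema MITRE publishes.

```python
import json
from collections import Counter

# Constructed sample in the shape ASSUMED for this example. The real MITRE
# evaluation JSON is laid out differently; adapt the key names in transpose().
SAMPLE_EVALUATION_JSON = """
{
  "vendor": "ExampleVendor",
  "adversary": "APT3",
  "techniques": [
    {"technique_id": "T1059", "technique_name": "Command-Line Interface",
     "steps": [
       {"step": "1.A.1", "detections": [
          {"detection_type": "Specific Behavior", "modifiers": ["Delayed"]},
          {"detection_type": "Telemetry", "modifiers": []}]},
       {"step": "1.A.2", "detections": []}
     ]},
    {"technique_id": "T1082", "technique_name": "System Information Discovery",
     "steps": [
       {"step": "2.B.1", "detections": [
          {"detection_type": "Enrichment", "modifiers": ["Tainted"]}]}
     ]}
  ]
}
"""

# Assumed ordering of main detection types, best first. Used to credit each
# step with its single best detection so the bar chart counts a step once.
DETECTION_TYPES_BEST_FIRST = [
    "Specific Behavior", "General Behavior", "Enrichment",
    "Indicator of Compromise", "Telemetry", "None",
]


def transpose(raw_json):
    """Flatten the nested evaluation JSON into one dict per detection.

    Each dict becomes one Splunk event. A step with no detection at all
    yields a single event of detection_type "None", so misses stay countable
    instead of silently disappearing from the data set.
    """
    doc = json.loads(raw_json)
    events = []
    for tech in doc["techniques"]:
        for step in tech["steps"]:
            dets = step.get("detections") or [{"detection_type": "None", "modifiers": []}]
            for det in dets:
                events.append({
                    "vendor": doc["vendor"],
                    "adversary": doc["adversary"],
                    "technique_id": tech["technique_id"],
                    "technique_name": tech["technique_name"],
                    "step": step["step"],
                    "detection_type": det["detection_type"],
                    # Modifiers are joined so Splunk can split them with makemv.
                    "modifiers": ",".join(det.get("modifiers", [])),
                })
    return events


def to_ndjson(events):
    """Serialise events as newline-delimited JSON, one event per line."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events) + "\n"


def steps_by_main_detection_type(events, ranking=DETECTION_TYPES_BEST_FIRST):
    """Count steps per main detection type, crediting each (vendor, step) once
    with its best-ranked detection. Unknown types rank below every known one."""
    rank = {name: i for i, name in enumerate(ranking)}
    best = {}
    for e in events:
        key = (e["vendor"], e["step"])
        r = rank.get(e["detection_type"], len(ranking))
        if key not in best or r < best[key][0]:
            best[key] = (r, e["detection_type"])
    return Counter(dtype for _, dtype in best.values())


if __name__ == "__main__":
    flat = transpose(SAMPLE_EVALUATION_JSON)
    print(to_ndjson(flat), end="")
    for dtype, n in steps_by_main_detection_type(flat).most_common():
        print(f"{dtype}: {n}")
```

Writing the NDJSON output to a file under the app's `lookups` or a monitored directory gives Splunk one event per detection, which is what makes `stats count by detection_type` style dashboards straightforward; the "best detection per step" rule in `steps_by_main_detection_type` is the judgement call that makes the chart opinionated.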

LICENSE

The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK Evaluations for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.

"(C) 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation."

DISCLAIMERS

MITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques or variations on existing techniques not documented by ATT&CK.

ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
