forked from apger/RBA-ES6.6-Demo-Dashboards
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathES-6.6-audit__attribution_analytics.xml
233 lines (230 loc) · 12.9 KB
/
ES-6.6-audit__attribution_analytics.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
<form>
<label>Audit: Attribution Analytics (Tuning View)</label>
<description>Helpful for tuning new detections</description>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_picker" searchWhenChanged="true">
<label>Time</label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Risk Rules: Num Risk Objects versus Aggregate Score</title>
<chart>
<search>
<query>|tstats `summariesonly` dc(All_Risk.risk_object) as "Num of Risk Objects",sum(All_Risk.calculated_risk_score) as "Agg Score", max(All_Risk.calculated_risk_score) as max_score from datamodel="Risk.All_Risk" by source</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">bubble</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Risk Rules: Unique Threat Objects Versus Aggregate Score</title>
<chart>
<search>
<query>|tstats `summariesonly` dc(All_Risk.threat_object) as "Num Unique Threat Objects",sum(All_Risk.calculated_risk_score) as "Agg Score", max(All_Risk.calculated_risk_score) as max_score from datamodel="Risk.All_Risk" by source</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="charting.chart">bubble</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>MITRE ATT&CK: Num ATT&CK Tactics Versus Aggregate Score</title>
<chart>
<search>
<query>|tstats `summariesonly` dc(All_Risk.annotations.mitre_attack.mitre_tactic) as "Num Tactics",sum(All_Risk.calculated_risk_score) as "Agg Score", max(All_Risk.calculated_risk_score) as max_score from datamodel="Risk.All_Risk" by All_Risk.annotations.mitre_attack.mitre_tactic</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="charting.chart">bubble</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>MITRE ATT&CK: Num ATT&CK Techniques Versus Aggregate Score</title>
<chart>
<search>
<query>|tstats `summariesonly` dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as count,sum(All_Risk.calculated_risk_score) as "Agg Score", max(All_Risk.calculated_risk_score) as max_score from datamodel="Risk.All_Risk" by All_Risk.annotations.mitre_attack.mitre_technique_id|rename "All_Risk.annotations.mitre_attack.mitre_technique_id" as Technique|rex field=Technique "(?<Technique>.....)"|stats sum(count) as count sum("Agg Score") as "Agg Score" max("max_score") as "max_score" by Technique|lookup mitre_attack_lookup mitre_technique_id as Technique OUTPUT mitre_technique|table mitre_technique, count, "Agg Score", max_score|rename count as "Num Techniques"</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="charting.chart">bubble</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Threat Object Types: Num Threat Object Types Versus Aggregate Score</title>
<chart>
<search>
<query>|tstats `summariesonly` dc(All_Risk.annotations.mitre_attack.mitre_tactic) as "Num Tactics",sum(All_Risk.risk_score) as "Agg Score", max(All_Risk.risk_score) as max_score from datamodel="Risk.All_Risk" by All_Risk.threat_object_type</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="charting.chart">bubble</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Threat Object Types: Num ATT&CK Techniques Versus Aggregate Score</title>
<chart>
<search>
<query>|tstats `summariesonly` dc(All_Risk.annotations.mitre_attack.mitre_technique) as "Num Techniques",sum(All_Risk.risk_score) as "Agg Score", max(All_Risk.risk_score) as max_score from datamodel="Risk.All_Risk" by All_Risk.threat_object_type</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="charting.chart">bubble</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Risk Rules -> Risk Notable Type</title>
<viz type="sankey_diagram_app.sankey_diagram">
<search>
<query>`notable`|search eventtype="risk_notables"|stats sum(risk_score) as "Agg Score" count by orig_source,source|sort - "Agg Score"</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</viz>
</panel>
<panel>
<title>Risk Rules -> Risk Objects</title>
<viz type="sankey_diagram_app.sankey_diagram">
<search>
<query>|tstats `summariesonly` sum(All_Risk.calculated_risk_score) as "Agg Score" count from datamodel="Risk.All_Risk" by source,All_Risk.risk_object|rename "All_Risk.risk_object" as target|search "Agg Score" >40|sort - "Agg Score"</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="drilldown">none</option>
</viz>
</panel>
</row>
<row>
<panel>
<title>Risk Object Scoring versus Score Threshold</title>
<chart>
<title>User Risk Objects</title>
<search>
<query>|tstats `summariesonly` sum(All_Risk.calculated_risk_score) as "Agg Score" from datamodel="Risk.All_Risk" where All_Risk.risk_object_type="user" All_Risk.risk_object!="system" by All_Risk.risk_object|rename "All_Risk.risk_object" as "Risk Object"|eval "Risk Threshold"=100|sort - "Agg Score"|head 10</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.overlayFields">"Risk Threshold"</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>Risk Object Scoring versus Score Threshold</title>
<chart>
<title>System Risk Objects</title>
<search>
<query>|tstats `summariesonly` sum(All_Risk.calculated_risk_score) as "Agg Score" from datamodel="Risk.All_Risk" where All_Risk.risk_object_type="system" All_Risk.risk_object!="system" by All_Risk.risk_object|rename "All_Risk.risk_object" as "Risk Object"|eval "Risk Threshold"=100|sort - "Agg Score"|head 10</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.overlayFields">"Risk Threshold"</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Threat Object Scoring versus Score Threshold</title>
<chart>
<search>
<query>|tstats `summariesonly` sum(All_Risk.calculated_risk_score) as "Agg Score" from datamodel="Risk.All_Risk" by All_Risk.threat_object|rename "All_Risk.threat_object" as "Threat Object"|eval "Risk Threshold"=100|sort - "Agg Score"|head 10</query>
<earliest>$time_picker.earliest$</earliest>
<latest>$time_picker.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.overlayFields">"Risk Threshold"</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<title>Attribution related Search Activity</title>
<search>
<query>index=_internal sourcetype=scheduler NOT savedsearch_name="Threat - RR - TEST - Rule" savedsearch_name="* - RR - *" OR savedsearch_name="Threat - ATT&CK Tactic Threshold Exceeded*"
| extract pairdelim=",", kvdelim="=", auto=f
| stats avg(result_count) as avg_results max(result_count) as max_results sparkline avg(run_time) as avg_runtime max(run_time) as max_runtime count AS execution_count by savedsearch_name, app
| join savedsearch_name type=outer
[| rest splunk_server=local /servicesNS/-/-/saved/searches
| fields title description eai:acl.app eai:acl.sharing eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time, disabled actions
| rename title AS savedsearch_name eai:acl.app AS App eai:acl.owner AS Owner cron_schedule AS "Cron Schedule" dispatch.earliest_time AS "Dispatch Earliest Time" dispatch.latest_time AS "Dispatch Latest Time" actions AS "Adaptive Response Actions", eai:acl.sharing AS Sharing]
|eval comment="This is just to make the demo work below since we do not have execution results in _internal"
| append
[| rest splunk_server=local /servicesNS/-/-/saved/searches
| search title="* - RIR - *" OR title="* - RR - *"
| fields title description eai:acl.app eai:acl.sharing eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time, disabled actions
| rename title AS savedsearch_name eai:acl.app AS App eai:acl.owner AS Owner cron_schedule AS "Cron Schedule" dispatch.earliest_time AS "Dispatch Earliest Time" dispatch.latest_time AS "Dispatch Latest Time" actions AS "Adaptive Response Actions", eai:acl.sharing AS Sharing]
| join savedsearch_name type=outer
[ | search index=risk | stats sum(risk_score) AS "total_risk" by source | rename source as savedsearch_name]
| rename savedsearch_name AS "Saved Search Name" description AS Description
| eval Enabled = if(disabled=1, "False", "True")
| sort - avg_runtime
| makemv delim="," "Adaptive Response Actions"
| eval avg_runtime = round(avg_runtime, 1)
| eval avg_results = round(avg_results, 0)
| table "Saved Search Name", Description, App, Enabled, total_risk, "Adaptive Response Actions", "Cron Schedule", "Dispatch Earliest Time", "Dispatch Latest Time", execution_count, sparkline, avg_results, max_results, avg_runtime, max_runtime</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>