ThreatHunting
Missing the field "mitre_technique_id" in DNS whitelist editor
The "StackingTools > dns_stacking" view shows an error because the dns_whitelist macro is expecting the field mitre_technique_id:
[dns_whitelist]
definition = lookup dns_whitelist mitre_technique_id host_fqdn process_path query_name output reason | where isnull(reason)
iseval = 0
The field does not exist in the lookup samples (https://github.com/olafhartong/ThreatHunting/raw/master/files/ThreatHunting.tar.gz) nor in the "DNS whitelist editor" interface, under the "Lists" menu of the application (./default/data/ui/views/dns_whitelist.xml).
Below is the updated version of ./default/data/ui/views/dns_whitelist.xml
<form>
  <label>DNS whitelist editor</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="text" token="host_fqdn">
      <label>host_fqdn</label>
      <default></default>
    </input>
    <input type="text" token="process_path">
      <label>process_path</label>
      <default></default>
    </input>
    <input type="text" token="query_name">
      <label>query_name</label>
      <default></default>
    </input>
    <input type="text" token="mitre_technique_id">
      <label>mitre_technique_id</label>
      <default></default>
    </input>
    <input type="text" token="input_reason">
      <label>reason</label>
      <default>CHANGEME</default>
    </input>
    <input type="radio" token="input_mode">
      <label>Mode</label>
      <choice value="add">Add</choice>
      <choice value="delete">Remove</choice>
      <default>add</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Today's Entries</title>
        <search>
          <query>| makeresults
| eval input_host_fqdn = COALESCE(if(trim("$host_fqdn$")="", "*", trim("$host_fqdn$")), "*")
| eval input_process_path = COALESCE(if(trim("$process_path$")="", "*", trim("$process_path$")), "*")
| eval input_query_name = COALESCE(if(trim("$query_name$")="", "*", trim("$query_name$")), "*")
| eval input_mitre_technique_id = COALESCE(if(trim("$mitre_technique_id$")="", "*", trim("$mitre_technique_id$")), "*")
| eval host_fqdn = input_host_fqdn
| eval process_path = input_process_path
| eval query_name = input_query_name
| eval mitre_technique_id = input_mitre_technique_id
| eval reason = trim("$input_reason$")
| eval added_date = strftime(now(), "%Y-%m-%d")
| eval contact = ("$env:user$")
| table *
| fields - _raw _time
| where reason!="CHANGEME"
| inputlookup append=t threathunting_dns_whitelist.csv
| sort -added_date
| dedup host_fqdn process_path query_name mitre_technique_id
| eval mode = "$input_mode$"
| eval delete=if(mode="delete" and host_fqdn=input_host_fqdn and process_path=input_process_path and query_name=input_query_name and mitre_technique_id=input_mitre_technique_id, "yes", "no")
| where delete="no"
| fields - delete mode
| outputlookup threathunting_dns_whitelist.csv
| fields added_date contact reason host_fqdn process_path query_name mitre_technique_id</query>
          <earliest>0</earliest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Current Entries</title>
        <search>
          <query>| inputlookup threathunting_dns_whitelist.csv | sort -added_date | fields added_date contact reason host_fqdn process_path query_name mitre_technique_id</query>
          <earliest>0</earliest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">100</option>
      </table>
    </panel>
  </row>
</form>
It may be better to remove the mitre_technique_id field from the macro directly, as I don't see it used in the view. The modified macro would be:
[dns_whitelist]
definition = lookup dns_whitelist host_fqdn process_path query_name output reason | where isnull(reason)
iseval = 0
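As an added example for this issue (not code from the ThreatHunting app or from the reporter): a small Python check that reads a macros.conf stanza, extracts the fields each `lookup` command asks of its lookup table, and compares them with the header of the backing CSV, so a mismatch like the one reported above is caught before a dashboard errors on it. The macros.conf text and the CSV header are constructed from the stanza and the field list quoted in this issue; the stanza name `dns_whitelist_proposed` is hypothetical, and the lookup-name-to-CSV mapping (which Splunk keeps in transforms.conf) is passed in as a plain dict so the check runs offline.

```python
"""Check that every field a Splunk macro asks of a lookup exists in the lookup CSV.

Added example for this issue; not code from the ThreatHunting app.
"""
import configparser
import csv
import io

# Constructed macros.conf content. The first stanza is the shipped macro quoted
# in the issue; the second is the proposed macro. The stanza name
# dns_whitelist_proposed is hypothetical, chosen for this example only.
MACROS_CONF = """\
[dns_whitelist]
definition = lookup dns_whitelist mitre_technique_id host_fqdn process_path query_name output reason | where isnull(reason)
iseval = 0

[dns_whitelist_proposed]
definition = lookup dns_whitelist host_fqdn process_path query_name output reason | where isnull(reason)
iseval = 0
"""

# Constructed lookup CSV with the columns the whitelist editor view writes
# (added_date contact reason host_fqdn process_path query_name) and one sample row.
LOOKUP_CSV = """\
added_date,contact,reason,host_fqdn,process_path,query_name
2019-01-01,admin,internal update server,*,C:\\Windows\\System32\\svchost.exe,wsus.corp.example
"""

# Splunk resolves a lookup name to its CSV through transforms.conf; here the
# mapping is a plain dict so the check needs no Splunk instance.
LOOKUP_FILES = {"dns_whitelist": LOOKUP_CSV}


def lookup_references(spl):
    """Yield (lookup_name, input_fields, output_fields) for each lookup command in SPL.

    Splits on '|' (pipes inside quotes are not handled), drops key=value options
    such as local=true, and keeps the lookup-side name of 'field AS alias' pairs.
    """
    for stage in spl.split("|"):
        tokens = stage.split()
        if not tokens or tokens[0].lower() != "lookup":
            continue
        rest = [t for t in tokens[1:] if "=" not in t]  # drop local=/update= options
        if not rest:
            continue
        name, fields = rest[0], rest[1:]
        inputs, outputs = [], []
        target = inputs
        i = 0
        while i < len(fields):
            low = fields[i].lower()
            if low in ("output", "outputnew"):
                target = outputs
            elif low == "as":
                i += 1  # skip the event-side alias; the lookup column is already recorded
            else:
                target.append(fields[i])
            i += 1
        yield name, inputs, outputs


def csv_columns(csv_text):
    """Return the header row of a CSV lookup as a set of column names."""
    return set(next(csv.reader(io.StringIO(csv_text))))


def find_missing_fields(macros_conf, lookup_files):
    """Map macro -> lookup -> sorted referenced fields that the CSV header lacks.

    A lookup name with no backing CSV maps to None. Macros whose lookups resolve
    cleanly are omitted, so an empty dict means every macro is consistent.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(macros_conf)
    problems = {}
    for macro in parser.sections():
        definition = parser.get(macro, "definition", fallback="")
        for name, inputs, outputs in lookup_references(definition):
            if name not in lookup_files:
                problems.setdefault(macro, {})[name] = None
                continue
            columns = csv_columns(lookup_files[name])
            missing = sorted(f for f in inputs + outputs if f not in columns)
            if missing:
                problems.setdefault(macro, {})[name] = missing
    return problems


if __name__ == "__main__":
    for macro, lookups in find_missing_fields(MACROS_CONF, LOOKUP_FILES).items():
        for name, missing in lookups.items():
            if missing is None:
                print(f"[{macro}] lookup '{name}' has no backing CSV")
            else:
                print(f"[{macro}] lookup '{name}' lacks field(s): {', '.join(missing)}")
```

Run against the constructed input, the shipped stanza is reported as lacking mitre_technique_id while the proposed stanza is silent, which is the mismatch this issue describes. Pointing the dict at the real CSVs from the app's tarball and the real macros.conf turns it into a pre-commit check for the app.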