Missing the field "mitre_technique_id" in DNS whitelist editor #76

sebastiendamaye opened this issue Dec 17, 2020 · 2 comments

@sebastiendamaye

The "StackingTools > dns_stacking" view shows an error because the dns_whitelist macro is expecting the field mitre_technique_id:

[dns_whitelist]
definition = lookup dns_whitelist mitre_technique_id host_fqdn process_path query_name output reason |  where isnull(reason)
iseval = 0

The field does not exist in the lookup samples (https://github.com/olafhartong/ThreatHunting/raw/master/files/ThreatHunting.tar.gz) nor in the "DNS whitelist editor" interface, under the "Lists" menu of the application (./default/data/ui/views/dns_whitelist.xml)

@sebastiendamaye
Author

Below is the updated version of ./default/data/ui/views/dns_whitelist.xml

<form>
  <label>DNS whitelist editor</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="text" token="host_fqdn">
      <label>host_fqdn</label>
      <default></default>
    </input>
    <input type="text" token="process_path">
      <label>process_path</label>
      <default></default>
    </input>
    <input type="text" token="query_name">
      <label>query_name</label>
      <default></default>
    </input>
    <input type="text" token="mitre_technique_id">
      <label>mitre_technique_id</label>
      <default></default>
    </input>
    <input type="text" token="input_reason">
      <label>reason</label>
      <default>CHANGEME</default>
    </input>
    <input type="radio" token="input_mode">
      <label>Mode</label>
      <choice value="add">Add</choice>
      <choice value="delete">Remove</choice>
      <default>add</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Today's Entries</title>
        <!-- This panel both displays and writes the whitelist: the form inputs become one
             candidate row, it is appended to the existing lookup, deduplicated on the key
             fields, optionally removed (mode=delete), and the result is written back with
             outputlookup. The "CHANGEME" default reason prevents an accidental write on load. -->
        <search>
          <query>| makeresults 
| eval input_host_fqdn = COALESCE(if(trim("$host_fqdn$")="", "*", trim("$host_fqdn$")), "*") 
| eval input_process_path = COALESCE(if(trim("$process_path$")="", "*", trim("$process_path$")), "*") 
| eval input_query_name = COALESCE(if(trim("$query_name$")="", "*", trim("$query_name$")), "*") 
| eval input_mitre_technique_id = COALESCE(if(trim("$mitre_technique_id$")="", "*", trim("$mitre_technique_id$")), "*") 

| eval host_fqdn = input_host_fqdn 
| eval process_path = input_process_path 
| eval query_name = input_query_name 
| eval mitre_technique_id = input_mitre_technique_id
| eval reason = trim("$input_reason$") 
| eval added_date = strftime(now(), "%Y-%m-%d") 
| eval contact = ("$env:user$") 
| table * 
| fields - _raw _time 
| where reason!="CHANGEME" 

| inputlookup append=t threathunting_dns_whitelist.csv 
| sort -added_date 
| dedup host_fqdn process_path query_name mitre_technique_id

| eval mode = "$input_mode$" 
| eval delete=if(mode="delete" and host_fqdn=input_host_fqdn and process_path=input_process_path and query_name=input_query_name and mitre_technique_id=input_mitre_technique_id, "yes", "no") 
| where delete="no" 
| fields - delete mode 

| outputlookup threathunting_dns_whitelist.csv 
| fields added_date contact reason host_fqdn process_path query_name mitre_technique_id</query>
          <earliest>0</earliest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Current Entries</title>
        <search>
          <!-- The lookup column is named added_date (see the panel above), not added_datetime -->
          <query>| inputlookup threathunting_dns_whitelist.csv | sort -added_date | fields added_date contact reason host_fqdn process_path query_name mitre_technique_id</query>
          <earliest>0</earliest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">100</option>
      </table>
    </panel>
  </row>
</form>

@sebastiendamaye
Author

Maybe better to remove the mitre_technique_id field from the macro directly, as I don't see it used in the view. Modified macro would be:

[dns_whitelist]
definition = lookup dns_whitelist host_fqdn process_path query_name output reason |  where isnull(reason)
iseval = 0
