olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License
1.12k stars 175 forks

"mitre_technique_id" is not available in the "Whitelist Editor" #17

Closed bmk666 closed 4 years ago

bmk666 commented 5 years ago

The "mitre_technique_id" drop-down on the "Whitelist Editor" pages only shows "All (*)".

olafhartong commented 5 years ago

I do not have this error. Is the app properly named?

Does this query yield results for you?

```
| rest /servicesNS/-/ThreatHunting/saved/searches
| search title="[T*]*"
| makemv delim="," action.summary_index.mitre_technique_id
| mvexpand action.summary_index.mitre_technique_id
| stats dc(action.summary_index.mitre_technique) AS Searches by action.summary_index.mitre_technique_id
| sort action.summary_index.mitre_technique_id
| rename action.summary_index.mitre_technique_id AS "id"
| table id
```
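The diagnostic SPL above depends on the app directory being named `ThreatHunting`: `| rest /servicesNS/-/ThreatHunting/saved/searches` only returns saved searches installed under that app namespace, so an app unpacked as, say, `ThreatHunting-master` yields nothing and the drop-down falls back to `All (*)`. The Python below is an added example, not code from the ThreatHunting app or from the thread's participants. It reproduces the same pipeline offline over a constructed list of REST entries (shaped like splunkd's `output_mode=json` response: `entry` objects with `name`, `acl.app` and `content`), and includes a live fetch helper whose base URL and token are assumed to be supplied by the caller. The mapping of the JSON `name` field to the `title` field that `| rest` exposes is an assumption.

```python
"""Offline reproduction of the issue thread's diagnostic SPL.

Added example, not part of the ThreatHunting app. The SPL lists saved
searches in the ThreatHunting app namespace, keeps those whose title matches
"[T*]*", splits the comma-separated action.summary_index.mitre_technique_id
values and returns the distinct ids. SAMPLE_ENTRIES below are constructed.
"""
import json
import re
import urllib.request
from typing import Dict, Iterable, List

TECHNIQUE_ID_FIELD = "action.summary_index.mitre_technique_id"
# Splunk wildcard title="[T*]*": literal "[T", anything, "]", anything.
TITLE_PATTERN = re.compile(r"^\[T.*\].*$")


def rest_path(app: str = "ThreatHunting") -> str:
    """Endpoint the SPL `| rest` command queries; "-" means any owner.

    If the app directory is not named ThreatHunting (e.g. left as
    ThreatHunting-master after unzipping), this namespace has no saved
    searches and the Whitelist Editor drop-down shows only All (*).
    """
    return f"/servicesNS/-/{app}/saved/searches"


def technique_ids(entries: Iterable[Dict], app: str = "ThreatHunting") -> List[str]:
    """Return the sorted distinct technique ids, mirroring the SPL pipeline."""
    ids = set()
    for entry in entries:
        # The URL namespace restricts `| rest` results to one app; model that
        # with the acl.app field each entry carries.
        if entry.get("acl", {}).get("app") != app:
            continue
        # `| search title="[T*]*"` (assumption: JSON `name` is SPL `title`).
        if not TITLE_PATTERN.match(entry.get("name", "")):
            continue
        # `| makemv delim="," ...` followed by `| mvexpand ...`
        raw = entry.get("content", {}).get(TECHNIQUE_ID_FIELD, "")
        for tid in raw.split(","):
            tid = tid.strip()
            if tid:
                ids.add(tid)
    # `| stats ... by id | sort id | table id`: distinct ids, sorted.
    return sorted(ids)


def fetch_saved_searches(base_url: str, token: str, app: str = "ThreatHunting") -> List[Dict]:
    """Fetch entries from a live splunkd management port (default 8089).

    Not exercised offline. base_url (e.g. https://splunk.example:8089) and
    a bearer token are assumed to be supplied by the caller.
    """
    url = f"{base_url}{rest_path(app)}?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["entry"]


# Constructed sample entries; ids and titles are illustrative only.
SAMPLE_ENTRIES = [
    {"name": "[T1003] Credential Dumping", "acl": {"app": "ThreatHunting"},
     "content": {TECHNIQUE_ID_FIELD: "T1003"}},
    {"name": "[T1055] Process Injection", "acl": {"app": "ThreatHunting"},
     "content": {TECHNIQUE_ID_FIELD: "T1055, T1086"}},
    # No "[T...]" prefix: dropped by the title filter.
    {"name": "Whitelist Editor helper", "acl": {"app": "ThreatHunting"},
     "content": {TECHNIQUE_ID_FIELD: "T9999"}},
    # Lives in another app: outside the ThreatHunting namespace.
    {"name": "[T1059] Scripting", "acl": {"app": "search"},
     "content": {TECHNIQUE_ID_FIELD: "T1059"}},
]

if __name__ == "__main__":
    print("GET", rest_path())
    print("ids from correctly named app:", technique_ids(SAMPLE_ENTRIES))
    print("ids from misnamed app:      ", technique_ids(SAMPLE_ENTRIES, app="ThreatHunting-master"))
```

Running the sample with the correct app name returns the three ids; with the misnamed app it returns an empty list, which is exactly the symptom reported in the issue. Against a live instance, replace `SAMPLE_ENTRIES` with `fetch_saved_searches(base_url, token)` and compare the result with the drop-down.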