fixed some issues with panels that are empty failing generate

splunk · Sep 18, 2020 · 4f8b5cd · patel-bhavin · Sep 21, 2020 · 4f8b5cd
1 parent 660135b
commit 4f8b5cd
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 7 deletions.
diff --git a/bin/generate.py b/bin/generate.py
@@ -300,7 +300,6 @@ def generate_workbench_panels(response_tasks, stories):
     output = template.render(response_tasks=workbench_panel_objects, stories=stories)
     with open(output_path, 'w') as f:
         f.write(output)
-
     j2_env = Environment(loader=FileSystemLoader(TEMPLATE_PATH),
                          trim_blocks=True)
     template = j2_env.get_template('workflow_actions.j2')
@@ -402,7 +401,7 @@ def map_response_tasks_to_stories(response_tasks):
                 for story in response_task['tags']['analytics_story']:
                     if 'type' in response_task.keys():
                         task_name = str(response_task['type'] + ' - ' + response_task['name'])
-                    else: 
+                    else:
                         task_name = str('ESCU - ' + response_task['name'])
                     if not (story in sto_res):
                         sto_res[story] = {task_name}

diff --git a/bin/jinja2_templates/es_investigations.j2 b/bin/jinja2_templates/es_investigations.j2
@@ -4,7 +4,12 @@
 label = {{ story.name }}
 description = {{ story.description }}
 disabled = 0
+
+{% if story.workbench_panels is defined %}
 panels = {{ story.workbench_panels | tojson }}
+{% else %}
+panels =
+{% endif %}
 
 {% endfor %}
 

diff --git a/stories/detect_zerologon_attack.yml b/stories/detect_zerologon_attack.yml
@@ -2,20 +2,20 @@ name: Detect Zerologon Attack
 id: 5d14a962-569e-4578-939f-f386feb63ce4
 version: 1
 date: '2020-09-18'
-description: Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein
+description: 'Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein
   attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack
   is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story
   are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz
-  as payload carrier.
-narrative: This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller,
+  as payload carrier.'
+narrative: 'This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller,
   using Netlogon Remote Protocol (MS-NRPC).
   This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually
   reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and
   assign themselve high privileges that can lead to domain controller and potentially complete network takeover.
   The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these
   searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz
-  tool which has bee updated to carry this attack payload.
-author: Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk
+  tool which has bee updated to carry this attack payload.'
+author: 'Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk'
 type: ESCU
 references:
 - https://attack.mitre.org/wiki/Technique/T1003