[Load_Sample_Log_Data(1)]
args = label
definition = inputlookup [| inputlookup SampleDataList | search label="$label$" | rename lookup as search | table search]

[Sort_MITRE]
definition = fields "Initial Access" "Execution" "Persistence" "Privilege Escalation" "Defense Evasion" "Credential Access" "Discovery" "Lateral Movement" "Collection" "Command and Control" "Exfiltration" "Impact"

[Sort_MITRE_Rows(1)]
definition = eval eventOrderTactic = case($fieldname$="Initial Access", 1, $fieldname$="Execution", 2, $fieldname$="Persistence", 3, $fieldname$="Privilege Escalation", 4, $fieldname$="Defense Evasion", 5, $fieldname$="Credential Access", 6, $fieldname$="Discovery", 7, $fieldname$="Lateral Movement", 8, $fieldname$="Collection", 9, $fieldname$="Command and Control", 10, $fieldname$="Exfiltration", 11, $fieldname$="Impact", 12, 1=1, 13) | sort eventOrderTactic | fields - eventOrderTactic
args = fieldname

[Init_All_MITRE_Rows(2)]
definition = append [| makeresults | eval $fieldname$="Initial Access", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Execution", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Persistence", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Privilege Escalation", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Defense Evasion", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Credential Access", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Discovery", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Lateral Movement", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Collection", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Command and Control", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Exfiltration", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Impact", $countfield$=0 | fields - _time ]
args = fieldname,countfield

[User_to_Index_Provisioning_From_Data_Governance_App]
definition = rest splunk_server=local /services/authentication/users \
| eval roles=mvjoin(roles,", ") \
| fields title, roles \
| rename title as username \
| makemv delim=", " roles \
| mvexpand roles \
| rename roles as role \
| join max=1 overwrite=1 type=inner usetime=0 role \
    [| rest splunk_server=local /services/authorization/roles \
    | rename title as role \
    | fillnull value="" \
    | fields role, srchIndexesAllowed] \
| fields username, srchIndexesAllowed \
| rex field=srchIndexesAllowed mode=sed "s/\s/,/g" \
| makemv delim="," srchIndexesAllowed \
| mvcombine srchIndexesAllowed \
| mvcombine srchIndexesAllowed \
| rex field=srchIndexesAllowed mode=sed "s/\s/,/g" \
| makemv delim="," srchIndexesAllowed \
| eventstats values(srchIndexesAllowed) AS didx by username \
| fields username, didx \
| mvcombine didx \
| rex field=didx mode=sed "s/\s/, /g" \
| rename didx as accessible_indexes \
| join max=1 overwrite=1 type=inner usetime=0 username \
    [| rest splunk_server=local /services/authentication/users \
    | eval roles=mvjoin(roles,", ") \
    | rename title as username \
    | fields username, roles] \
| makemv delim=", " accessible_indexes \
| mvexpand accessible_indexes \
| join max=1 overwrite=1 type=outer usetime=0 accessible_indexes \
    [| rest /services/data/indexes \
    | fields title \
    | dedup title \
    | where match(title,"^_\\w+$") \
    | mvcombine title \
    | eval title=mvjoin(title,", ") \
    | rename title as expanded_indexes \
    | eval accessible_indexes="_*"] \
| join max=1 overwrite=1 type=outer usetime=0 accessible_indexes \
    [| rest /services/data/indexes \
    | fields title \
    | dedup title \
    | where match(title,"^[^_]+$") \
    | mvcombine title \
    | eval title=mvjoin(title,", ") \
    | rename title as expanded_indexes \
    | eval accessible_indexes="*"] \
| eval accessible_indexes=if(match(accessible_indexes,"^(?:_\\*|\\*)$"),expanded_indexes,accessible_indexes) \
| fields - expanded_indexes \
| makemv delim=", " accessible_indexes \
| mvexpand accessible_indexes 
iseval = 0