https://community.splunk.com/t5/Splunk-Enterprise/Add-Mitre-Att-amp-ck-TTP-data-to-splunk-core/m-p/752592#M23030 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254178">@elend</a>&nbsp;</P><P>You can grab the MITRE ATT&amp;CK data and bring it into Splunk as a lookup table or KV Store. That way, you can add MITRE TTP details to your detections or events in your searches and dashboards.<BR />You can also try out the Security Essentials app, which gives you lots of built-in detections already mapped to MITRE ATT&amp;CK techniques and analytics use cases.</P><P>#<A href="https://docs.splunk.com/Documentation/SSE/3.8.2/User/MITREFramework" target="_blank">https://docs.splunk.com/Documentation/SSE/3.8.2/User/MITREFramework</A></P><P>Regards,<BR />Prewin<BR />If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!</P> Tue, 02 Sep 2025 04:10:06 GMT PrewinThomas 2025-09-02T04:10:06Z https://community.splunk.com/t5/Splunk-Enterprise/Add-Mitre-Att-amp-ck-TTP-data-to-splunk-core/m-p/752569#M23023 <P>Hi,&nbsp;<BR />I'm exploring several possibilities in Splunk Core for security purposes without using Splunk Enterprise Security. I'm currently trying to add TTP information from Mitre to Splunk Core. Is that possible or some of you ever did this before? really appreciate for any information given.</P> Mon, 01 Sep 2025 09:30:00 GMT https://community.splunk.com/t5/Splunk-Enterprise/Add-Mitre-Att-amp-ck-TTP-data-to-splunk-core/m-p/752569#M23023 elend 2025-09-01T09:30:00Z https://community.splunk.com/t5/Splunk-Enterprise/Add-Mitre-Att-amp-ck-TTP-data-to-splunk-core/m-p/752578#M23026 <P>What do you mean by that? You could implement your own method of storing TTP info about... something (a search result, most probably) in a KV-store. But that would mean you're effectively reimplementing core ES functionality. You'd have to first have a way of storing those results (akin to notables or findings) and "tagging" those, which is exactly what ES does.</P> Mon, 01 Sep 2025 11:22:14 GMT https://community.splunk.com/t5/Splunk-Enterprise/Add-Mitre-Att-amp-ck-TTP-data-to-splunk-core/m-p/752578#M23026 PickleRick 2025-09-01T11:22:14Z https://community.splunk.com/t5/Splunk-Enterprise/Add-Mitre-Att-amp-ck-TTP-data-to-splunk-core/m-p/752591#M23029 <P>yes, i think it tag and trigger by created alert that have been made before. But still wonder how to store it. I've read some documentation like using&nbsp;<SPAN>Splunk Security Essentials</SPAN></P> Tue, 02 Sep 2025 02:54:23 GMT https://community.splunk.com/t5/Splunk-Enterprise/Add-Mitre-Att-amp-ck-TTP-data-to-splunk-core/m-p/752591#M23029 elend 2025-09-02T02:54:23Z https://community.splunk.com/t5/Splunk-Enterprise/Add-Mitre-Att-amp-ck-TTP-data-to-splunk-core/m-p/752592#M23030 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254178">@elend</a>&nbsp;</P><P>You can grab the MITRE ATT&amp;CK data and bring it into Splunk as a lookup table or KV Store. That way, you can add MITRE TTP details to your detections or events in your searches and dashboards.<BR />You can also try out the Security Essentials app, which gives you lots of built-in detections already mapped to MITRE ATT&amp;CK techniques and analytics use cases.</P><P>#<A href="https://docs.splunk.com/Documentation/SSE/3.8.2/User/MITREFramework" target="_blank">https://docs.splunk.com/Documentation/SSE/3.8.2/User/MITREFramework</A></P><P>Regards,<BR />Prewin<BR />If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!</P> Tue, 02 Sep 2025 04:10:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/Add-Mitre-Att-amp-ck-TTP-data-to-splunk-core/m-p/752592#M23030 PrewinThomas 2025-09-02T04:10:06Z