So, we've built several alerts based on the MITRE ATT&CK Framework and have them set to send an email when a search has a hit.
Now naturally the next step is that management wants us to tag those alerts with the MITRE framework as the source, according to the technique alerted on, in order to create a dashboard and provide metrics such as how many ATT&CK-based alerts we have had per month, etc.
We're kinda stuck as to how to enrich the alerts with this type of categorization/tagging within Splunk.
Any suggestions on a method or add on that may help with this?
Actually, what you might need in the end is a bit more complicated than just a taxonomy based on MITRE. Here's my thinking process:
Based on these factors you should be able to align the detection method with the attack phase and to follow it upstream for management reporting.
So yea...in the end you need a couple of other factors to be able to satisfy the management needs. However, this gives great information about how well detection capabilities are performing and against what threats/types the detection is in place. Further thinking may allow possibilities to adjust detection datapoints too.
Start with the Alert Manager app. You may not decide to use it, but by deconstructing it you will see where/how you can access every possible detail about alerts that have been fired:
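A lookup-based way to do the tagging the question asks for, as an added example that is not part of either answer above and does not depend on the Alert Manager app. It assumes a CSV lookup definition named mitre_attack_map (assumed name) with columns alert_name, technique_id, technique_name and tactic, one row per saved search (a constructed row might be `Suspicious Encoded PowerShell,T1059.001,PowerShell,Execution`), and reads the alert-firing records Splunk itself writes to index=_audit, where ss_name carries the saved search name:

```spl
index=_audit action=alert_fired
| lookup mitre_attack_map alert_name AS ss_name OUTPUT technique_id technique_name tactic
| fillnull value=untagged technique_id technique_name tactic
| bin _time span=1mon
| stats count AS fired_alerts BY _time tactic technique_id technique_name
| sort _time tactic technique_id

index=_audit action=alert_fired
| lookup mitre_attack_map alert_name AS ss_name OUTPUT tactic
| fillnull value=untagged tactic
| timechart span=1mon count BY tactic
```

The first search feeds a per-technique table, the second a stacked monthly chart by tactic; searching _audit needs a role with access to that index, and alerts whose names are missing from the lookup surface as "untagged" so gaps in the mapping are visible on the dashboard rather than silently dropped.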
Hi @digital_alchemy
My name is Anam Siddique and I am the Community Content Specialist for Splunk Answers. Please accept the answer if the solution provided by @woodcock worked for you. And if it didn't, please update with further comments so someone can help you. We have awesome users who contribute and it would be great if the community can benefit from their answer, plus they can get credit/points for their work!
Thanks