
How to Map Custom searches to MITRE framework via Security Essentials app?

neerajs_81
Builder

Hi All, Does the Splunk Security Essentials app also map our custom (user-defined) correlation searches to different MITRE tactics & techniques?

Based on what I see, if we run the setup wizard it will do so for the predefined ones that come with ES or with the Security Essentials app itself. There is nothing mentioned about custom correlation searches that one sets up in ES.


gcusello
SplunkTrust

Hi @neerajs_81,

If you want this, you should try the MITRE ATTACK App for Splunk (https://splunkbase.splunk.com/app/4617/).

Obviously Security Essentials maps only the correlation searches it knows, and not the custom ones you created in ES.

Ciao.

Giuseppe


jbjerke_splunk
Splunk Employee

SSE will do this automatically for you and will have your custom detections displayed on the MITRE Overview dashboard. You need to run the Content Introspection setup step, and all your detections will appear in SSE just like any other content in there.

It's detailed in the documentation for SSE here:

https://docs.splunk.com/Documentation/SSE/3.6.0/User/ContentIntrospection

j

neerajs_81
Builder

Yes, apparently the new release of SSE does this. We found out. Thank you for responding. Awarded karma points.


neerajs_81
Builder

Thanks. I thought so but just wanted to confirm. So there is literally no way to make it import custom correlation searches from ES?


gcusello
SplunkTrust
SplunkTrust

Hi @neerajs_81,

You can do it manually, but be aware that ES correlation searches usually use data models.

To map MITRE ATTACK searches, use the above App.

Ciao.

Giuseppe

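One practical check that follows from this thread: before relying on Content Introspection, verify that your custom ES correlation searches actually carry ATT&CK technique annotations, since a search with none will show up unmapped on the MITRE Overview. This is an added example, not code from the thread, from SSE or from Splunk; it assumes ES's `action.correlationsearch.annotations` JSON key in savedsearches.conf (an ES feature the page itself does not describe) and uses a constructed sample conf.

```python
"""Report which ES correlation searches carry MITRE ATT&CK technique annotations."""
import configparser
import json
import re

# Constructed sample savedsearches.conf: stanza names and searches are made up.
SAMPLE_CONF = """
[Custom - Brute Force from Single Source - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1110", "T1110.001"], "kill_chain_phases": ["Exploitation"]}
search = | tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src

[Custom - New Admin Account - Rule]
action.correlationsearch.enabled = 1
search = | tstats count from datamodel=Change where Change.action=created by Change.user

[Ad-hoc report - not a correlation search]
search = index=_internal | stats count
"""

TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # ATT&CK technique / sub-technique ID


def mitre_coverage(conf_text: str) -> dict:
    """Map each enabled correlation search to its valid ATT&CK technique IDs
    ([] means the search would appear in SSE with no tactic/technique)."""
    # Splunk .conf files are INI-like; keep key case and split on '=' only,
    # because search strings and JSON values contain ':' and '=' themselves.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(conf_text)
    coverage = {}
    for stanza in cp.sections():
        if cp.get(stanza, "action.correlationsearch.enabled", fallback="0") != "1":
            continue  # plain saved search, not an ES correlation search
        raw = cp.get(stanza, "action.correlationsearch.annotations", fallback="{}")
        try:
            ids = json.loads(raw).get("mitre_attack", [])
        except (json.JSONDecodeError, AttributeError):
            ids = []  # malformed annotation JSON: report as unmapped, don't crash
        coverage[stanza] = sorted(t for t in ids if TECHNIQUE_RE.match(str(t)))
    return coverage


def unmapped_searches(conf_text: str) -> list:
    """Correlation searches that need an annotation before they mean anything on the MITRE Overview."""
    return [name for name, ids in mitre_coverage(conf_text).items() if not ids]
```

Run it against an exported savedsearches.conf from your ES search head to get the list of searches to annotate before the next Content Introspection run.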