All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Map Custom searches to MITRE framework via Security Essentials app?

neerajs_81
Builder
‎05-31-2022 12:39 AM

Hi All,   Does Splunk Security Essentials app also map our custom (user defined) correlation searches to different MITRE tactics & techniques ? 

Based on what i see,  if we run the setup wizard it will do so for the pre defined ones that come with ES or with Security Essentials app itself.   There is nothing mentioned about custom correlation searches that one sets up in ES.

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 01:29 AM

Hi @neerajs_81,

if you want this, you should try the MITRE ATTACK App for Splunk (https://splunkbase.splunk.com/app/4617/).

Obviously Security Essentials maps only the correlation searches it knows, and not the custom ones you created in ES.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

jbjerke_splunk
Splunk Employee
Splunk Employee
‎08-10-2022 04:44 AM

SSE will do this automatically for you and have your custom detections displayed on the MITRE Overview dashboard. You need to run the Content Introspection setup step and all your detections will appear in SSE just as any other content in there. 

 

It's detailed in the documentation for SSE here

https://docs.splunk.com/Documentation/SSE/3.6.0/User/ContentIntrospection

 

j

Reply
Solved! Jump to solution

neerajs_81
Builder
‎08-10-2022 04:52 AM

Yes apparently the new release of  SSE does this. We found out. Thank you for responding. Awarded karma points.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 01:29 AM

Hi @neerajs_81,

if you want this, you should try the MITRE ATTACK App for Splunk (https://splunkbase.splunk.com/app/4617/).

Obviously Security Essentials maps only the correlation searches it knows, and not the custom ones you created in ES.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

neerajs_81
Builder
‎05-31-2022 02:00 AM

Thanks. I thought so but just wanted to confirm. So there is no way literally to make it import custom correlation searches from ES?

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 02:03 AM

Hi @neerajs_81,

you can manually do it but put attention that ES correlation searches usually use DataModels.

To map MITRE ATTACK searches, use the above App.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...