All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Map Custom searches to MITRE framework via Security Essentials app?

neerajs_81
Builder
‎05-31-2022 12:39 AM

Hi All,   Does Splunk Security Essentials app also map our custom (user defined) correlation searches to different MITRE tactics & techniques ? 

Based on what i see,  if we run the setup wizard it will do so for the pre defined ones that come with ES or with Security Essentials app itself.   There is nothing mentioned about custom correlation searches that one sets up in ES.

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 01:29 AM

Hi @neerajs_81,

if you want this, you should try the MITRE ATTACK App for Splunk (https://splunkbase.splunk.com/app/4617/).

Obviously Security Essentials maps only the correlation searches it knows, and not the custom ones you created in ES.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

jbjerke_splunk
Splunk Employee
Splunk Employee
‎08-10-2022 04:44 AM

SSE will do this automatically for you and have your custom detections displayed on the MITRE Overview dashboard. You need to run the Content Introspection setup step and all your detections will appear in SSE just as any other content in there. 

 

It's detailed in the documentation for SSE here

https://docs.splunk.com/Documentation/SSE/3.6.0/User/ContentIntrospection

 

j

Reply
Solved! Jump to solution

neerajs_81
Builder
‎08-10-2022 04:52 AM

Yes apparently the new release of  SSE does this. We found out. Thank you for responding. Awarded karma points.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 01:29 AM

Hi @neerajs_81,

if you want this, you should try the MITRE ATTACK App for Splunk (https://splunkbase.splunk.com/app/4617/).

Obviously Security Essentials maps only the correlation searches it knows, and not the custom ones you created in ES.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

neerajs_81
Builder
‎05-31-2022 02:00 AM

Thanks. I thought so but just wanted to confirm. So there is no way literally to make it import custom correlation searches from ES?

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2022 02:03 AM

Hi @neerajs_81,

you can manually do it but put attention that ES correlation searches usually use DataModels.

To map MITRE ATTACK searches, use the above App.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top