Splunk Enterprise Security

How Do I Map Splunk Security Content to MITRE ATT&CK?

David
Splunk Employee

I would like to map the Splunk Security Content from Enterprise Security (ES), Enterprise Security Content Update (ESCU), Splunk Security Essentials (SSE), and anything else to MITRE ATT&CK so that I can understand what content and data sources are available. Is there anything to help with that?

1 Solution

David
Splunk Employee

Very easily, in fact! In Splunk Security Essentials, all of the content from the Splunk ecosystem is listed, including Splunk Security Content from Enterprise Security (ES), Enterprise Security Content Update (ESCU), and Splunk Security Essentials (SSE), though there’s usually a bit of a delay with ESCU, since it’s released more often than Security Essentials. All of the content is mapped to MITRE ATT&CK tactics, and you can use that to visualize the data or filter to particular tactics you’re interested in.

To filter, go to the main Security Content page in the app. If you haven’t already added the ATT&CK Filter, click “Select Filters” in the gray box on the upper right-hand side, and toggle on the “MITRE ATT&CK Tactic.” You’ll now see this as a new filter option, and you’ll also see all of the content with MITRE applicability tagged in the main display!

Splunk Security Essentials also includes some visualizations for data as well! In the next release (2.3.2), we’re adding a new panel to the Overview dashboard (hidden away in the Security Content menu) allowing you to visualize the relationships with a Sankey chart! Of course, you can adjust this analysis in any way you might want since it’s just SPL.

We’re looking for ways to enable a mapping at the Technique level as well in the future, so if you’re excited for that, stay tuned (or reach out here, or on Splunk Usergroups Slack @ davidveuve ). If you have any other suggestions for how to make this more usable for your needs, let us know!

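As an added illustration of the mapping the answer describes (not code from the post or from the SSE app), the snippet below runs the same three views over a constructed content inventory: filter content by ATT&CK tactic, build the data-source-to-tactic edge list a Sankey chart would draw, and list tactics with no coverage given which data sources are actually onboarded. The field layout, content names and data-source labels are assumptions made for this example, not SSE's real content list.

```python
# Added example, not part of the Splunk Community answer or the SSE app.
# The inventory below is constructed sample data with an assumed field layout.
from collections import Counter

CONTENT = [
    {"name": "Brute Force Access Behavior", "app": "ES",
     "tactics": ["Credential Access"], "data_source": "Authentication"},
    {"name": "Suspicious PowerShell Encoded Command", "app": "ESCU",
     "tactics": ["Execution", "Defense Evasion"], "data_source": "Endpoint Process"},
    {"name": "New Local Admin Account", "app": "ESCU",
     "tactics": ["Persistence", "Privilege Escalation"], "data_source": "Windows Security"},
    {"name": "Large DNS Query Volume", "app": "SSE",
     "tactics": ["Exfiltration", "Command and Control"], "data_source": "DNS"},
]

# The 14 ATT&CK Enterprise tactic names, used to spot tactics with no content.
ALL_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]


def filter_by_tactic(content, tactic):
    """Names of content items mapped to `tactic` (what the UI tactic filter shows)."""
    return sorted(c["name"] for c in content if tactic in c["tactics"])


def sankey_edges(content):
    """Weighted edges (data_source, tactic) -> count, the input for a Sankey chart."""
    edges = Counter()
    for c in content:
        for tactic in c["tactics"]:
            edges[(c["data_source"], tactic)] += 1
    return dict(edges)


def coverage_gaps(content, available_sources):
    """Tactics with no content whose required data source is in `available_sources`.

    Content that needs a data source you have not onboarded does not count as
    coverage, which is the gap analysis the original question is after.
    """
    covered = set()
    for c in content:
        if c["data_source"] in available_sources:
            covered.update(c["tactics"])
    return [t for t in ALL_TACTICS if t not in covered]
```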

julianwiegmann
New Member

This is great, and we are really looking forward to having this functionality in the next release, and the ideas you have of mapping against Techniques sound amazing.


