Splunk Enterprise Security

How Do I Map Splunk Security Content to MITRE ATT&CK?

David
Splunk Employee

I would like to map the Splunk Security Content from Enterprise Security (ES), Enterprise Security Content Update (ESCU), Splunk Security Essentials (SSE), and anything else to MITRE ATT&CK so that I can understand what content and data sources are available. Is there anything to help with that?

1 Solution

David
Splunk Employee

Very easily, in fact! In Splunk Security Essentials, all of the content from the Splunk ecosystem is listed including Splunk Security Content from Enterprise Security (ES), Enterprise Security Content Update (ESCU), Splunk Security Essentials (SSE), though there’s usually a bit of a delay with ESCU, since it’s released more often than Security Essentials. All of the content is mapped to MITRE ATT&CK tactics, and you can use that to visualize the data or filter to particular tactics you’re interested in.

To filter, go to the main Security Content page in the app. If you haven’t already added the ATT&CK Filter, click “Select Filters” in the gray box on the upper right-hand side, and toggle on the “MITRE ATT&CK Tactic.” You’ll now see this as a new filter option, and you’ll also see all of the content with MITRE applicability tagged in the main display!
[screenshot: the Security Content page with the MITRE ATT&CK Tactic filter enabled]

Splunk Security Essentials also includes some visualizations for data as well! In the next release (2.3.2), we’re adding a new panel to the Overview dashboard (hidden away in the Security Content menu) allowing you to visualize the relationships with a Sankey chart! Of course, you can adjust this analysis in any way you might want since it’s just SPL.
[screenshot: the Sankey chart panel on the Overview dashboard]

We’re looking for ways to enable a mapping at the Technique level as well in the future, so if you’re excited for that, stay tuned (or reach out here, or on Splunk Usergroups Slack @ davidveuve ). If you have any other suggestions for how to make this more usable for your needs, let us know!

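The tactic filter described above is a UI procedure, but the same mapping can be reproduced offline from the metadata ESCU ships with each detection. The following is an added example, not part of the original post and not Splunk's, ESCU's or SSE's own code. The detection records are constructed for the illustration and only borrow the field names of loaded ESCU detection YAML (name, tags.mitre_attack_id, data_source); the technique-to-tactic table is a hand-typed excerpt of the ATT&CK matrix, and in practice it would be read from the ATT&CK STIX data. From those inputs it produces the per-tactic coverage view, the tactics with no content at all, the detections that cannot run because a required data source has not been onboarded (the assumed onboarded set is also constructed), and the source/target/count rows a Sankey visualization consumes.

```python
"""Map ESCU-style detection metadata onto MITRE ATT&CK tactics and data sources.

Added illustration, not Splunk/ESCU/SSE code. The detection records and the
technique->tactic table are constructed for this example; in practice the
records come from ESCU detection YAML and the table from ATT&CK STIX data.
"""
from collections import defaultdict

# The 14 ATT&CK Enterprise tactics, in matrix order.
ENTERPRISE_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Constructed excerpt of ATT&CK: parent technique ID -> tactics it appears under.
TECHNIQUE_TACTICS = {
    "T1003": ["Credential Access"],
    "T1059": ["Execution"],
    "T1110": ["Credential Access"],
    "T1566": ["Initial Access"],
    "T1053": ["Execution", "Persistence", "Privilege Escalation"],
}

# Constructed records shaped like loaded ESCU detection YAML; not real ESCU content.
DETECTIONS = [
    {"name": "LSASS memory access by unsigned process",
     "tags": {"mitre_attack_id": ["T1003.001"]},
     "data_source": ["Sysmon EventID 10"]},
    {"name": "Encoded PowerShell command line",
     "tags": {"mitre_attack_id": ["T1059.001"]},
     "data_source": ["Sysmon EventID 1", "Windows Event Log Security 4688"]},
    {"name": "Password spraying against Windows accounts",
     "tags": {"mitre_attack_id": ["T1110.003"]},
     "data_source": ["Windows Event Log Security 4625"]},
    {"name": "Scheduled task created from a temp directory",
     "tags": {"mitre_attack_id": ["T1053.005"]},
     "data_source": ["Windows Event Log Security 4698"]},
    {"name": "Phishing attachment spawning Office child process",
     "tags": {"mitre_attack_id": ["T1566.001", "T1059"]},
     "data_source": ["Sysmon EventID 1"]},
]


def parent_technique(attack_id):
    """T1003.001 -> T1003: a sub-technique inherits its parent's tactics."""
    return attack_id.split(".", 1)[0]


def tactics_for(detection):
    """Set of ATT&CK tactics a detection maps to via its technique IDs."""
    tactics = set()
    for tid in detection["tags"].get("mitre_attack_id", []):
        tactics.update(TECHNIQUE_TACTICS.get(parent_technique(tid), []))
    return tactics


def coverage_by_tactic(detections):
    """tactic -> sorted detection names covering it (the SSE tactic filter, offline)."""
    cov = defaultdict(set)
    for det in detections:
        for tactic in tactics_for(det):
            cov[tactic].add(det["name"])
    return {tactic: sorted(names) for tactic, names in cov.items()}


def uncovered_tactics(detections):
    """Tactics with no content at all: the gaps the filtered view makes visible."""
    covered = coverage_by_tactic(detections)
    return [t for t in ENTERPRISE_TACTICS if t not in covered]


def runnable_detections(detections, onboarded):
    """Split content into what can run now and what is blocked on missing data."""
    ready, blocked = [], {}
    for det in detections:
        missing = [src for src in det["data_source"] if src not in onboarded]
        if missing:
            blocked[det["name"]] = missing
        else:
            ready.append(det["name"])
    return ready, blocked


def sankey_edges(detections):
    """(source, target, count) rows: data source -> technique -> tactic."""
    edges = defaultdict(int)
    for det in detections:
        techs = {parent_technique(t) for t in det["tags"].get("mitre_attack_id", [])}
        for src in det["data_source"]:
            for tech in techs:
                edges[(src, tech)] += 1
        for tech in techs:
            for tactic in TECHNIQUE_TACTICS.get(tech, []):
                edges[(tech, tactic)] += 1
    return sorted((s, t, n) for (s, t), n in edges.items())


if __name__ == "__main__":
    # Constructed set of data sources assumed to be onboarded in this environment.
    onboarded = {"Sysmon EventID 1", "Sysmon EventID 10", "Windows Event Log Security 4625"}
    for tactic, names in sorted(coverage_by_tactic(DETECTIONS).items()):
        print(f"{tactic}: {', '.join(names)}")
    print("no content:", ", ".join(uncovered_tactics(DETECTIONS)))
    ready, blocked = runnable_detections(DETECTIONS, onboarded)
    print("ready:", ready)
    print("blocked (missing data sources):", blocked)
    for src, dst, n in sankey_edges(DETECTIONS):
        print(f"{src} -> {dst} ({n})")
```

Two details matter when doing this against real content: sub-technique IDs such as T1003.001 must be collapsed to the parent before the tactic lookup, because the tactic relationship is defined on the parent technique, and a technique such as T1053 legitimately appears under several tactics, so one detection can and should count toward more than one column. The edge list is the same three-column shape (source, target, count) that a Sankey panel is fed in SPL, so the chart the post describes can be checked against this offline view.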

julianwiegmann
New Member

This is great, and we are really looking forward to having this functionality in the next release; the idea you have of mapping against Techniques sounds amazing.


