Splunk Enterprise Security

How to collect correlation searches that are enabled and aligned to mitre att&ck framework?


Hi Splunkers,

I need to show to some stakeholders the correlation searches that we have enabled and are aligned to the mitre att&ck framework.

I've tried using the REST command and I can find all the annotations under "action.correlationsearch.annotations" field  but I would like to narrow it down to only mitre att&ck.

Anyone knows how to get this search? 

Tags (1)
0 Karma


Hello @JLopez, Can you check if this is something you want - 

| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches 
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") 
| where disabled=0 
| eval actions=split(actions, ",") 
| rename title as "Correlation Search", cron_schedule as "Cron Schedule" "dispatch.earliest_time" as "Earliest Time" dispatch.latest_time as "Latest Time" actions as "Actions" action.correlationsearch.annotations as "Annotations"
| eval flag=if(LIKE(Annotations,"%mitre_attack%"),1,0)
| table "Correlation Search" "Cron Schedule" "Earliest Time" "Latest Time" "Actions" Annotations flag
0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...