Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to collect correlation searches that are enabled and aligned to mitre att&ck framework?

JLopez
Explorer
‎07-26-2023 05:00 AM

Hi Splunkers,

I need to show to some stakeholders the correlation searches that we have enabled and are aligned to the mitre att&ck framework.

I've tried using the REST command and I can find all the annotations under "action.correlationsearch.annotations" field  but I would like to narrow it down to only mitre att&ck.

Anyone knows how to get this search? 

Tags (1)
0 Karma
Reply

meetmshah
SplunkTrust
SplunkTrust
‎07-31-2023 01:08 PM

Hello @JLopez, Can you check if this is something you want - 

| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches 
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") 
| where disabled=0 
| eval actions=split(actions, ",") 
| rename title as "Correlation Search", cron_schedule as "Cron Schedule" "dispatch.earliest_time" as "Earliest Time" dispatch.latest_time as "Latest Time" actions as "Actions" action.correlationsearch.annotations as "Annotations"
| eval flag=if(LIKE(Annotations,"%mitre_attack%"),1,0)
| table "Correlation Search" "Cron Schedule" "Earliest Time" "Latest Time" "Actions" Annotations flag
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...