Splunk Enterprise Security

joomla
Engager

Hi Community Members,

Does anyone know whether we can use Splunk Enterprise Security to map our correlation searches against MITRE tactics and techniques without installing more apps, like the MITRE Dashboard or Splunk Security Essentials?

This mapping can help us see what security coverage we have and what requires improvement.


Many Thanks in advance.


aasabatini
Motivator

Hi @joomla 

One suggestion for using the MITRE ATT&CK matrix without Security Essentials and the MITRE Dashboard:

Create a lookup table to map the MITRE matrix, with one column for the codes, another one for the names of the attacks and another one for the description.

Insert in your correlation rule a code field containing the code to which the attack is mapped.

example:

I created a correlation rule for the Log4j vulnerability; in my correlation search I will create this field:

| eval code="CVE-2021-44228"

After this, correlate the search with the lookup using the lookup command:

---- your correlation search ----
| lookup mitre.csv code
---- end of your correlation search ----

Hope this helps.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
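As an added example (not from the original post, and not Splunk's own code), here is an offline Python model of the lookup approach described in the answer above. It uses constructed sample rows for mitre.csv (ATT&CK technique IDs as the code column, plus name and description) and constructed correlation-search results carrying the `code` field, so the coverage question from the original post can be worked out: which lookup rows have at least one correlation search, which have none, and which search codes have no lookup row at all.

```python
import csv
import io

# Constructed lookup table (not from the post); column layout follows the
# answer: code, name, description. Technique IDs are real ATT&CK IDs used as sample rows.
MITRE_CSV = """code,name,description
T1190,Exploit Public-Facing Application,Adversaries exploit a weakness in an Internet-facing host
T1059,Command and Scripting Interpreter,Adversaries abuse command and script interpreters
T1078,Valid Accounts,Adversaries obtain and abuse credentials of existing accounts
T1003,OS Credential Dumping,Adversaries dump credentials to obtain account login information
"""

# Constructed correlation search results; each row carries the `code` field that
# the search sets with `| eval code="..."`. One row has a code missing from the lookup.
CORRELATION_RESULTS = [
    {"search_name": "Log4j exploitation attempt", "code": "T1190"},
    {"search_name": "Encoded PowerShell command", "code": "T1059"},
    {"search_name": "Brute force login success", "code": "T1078"},
    {"search_name": "Unmapped legacy rule", "code": "T9999"},
]


def load_lookup(csv_text):
    """Parse the lookup CSV into {code: {"name": ..., "description": ...}}."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["code"]: {"name": r["name"], "description": r["description"]} for r in rows}


def enrich(results, lookup):
    """Mimic `| lookup mitre.csv code`: add name/description where the code matches.
    As with Splunk's lookup, a non-matching code leaves the output fields absent."""
    enriched = []
    for r in results:
        row = dict(r)
        row.update(lookup.get(r["code"], {}))
        enriched.append(row)
    return enriched


def coverage(results, lookup):
    """Return (covered, uncovered, unknown): lookup codes with >= 1 search,
    lookup codes with no search, and search codes that are not in the lookup."""
    seen = {r["code"] for r in results}
    covered = sorted(c for c in lookup if c in seen)
    uncovered = sorted(c for c in lookup if c not in seen)
    unknown = sorted(seen - set(lookup))
    return covered, uncovered, unknown
```

The `unknown` list is the check worth keeping: a code that matches no lookup row means the correlation search will come back unenriched and will silently drop out of any coverage view built on the lookup.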