Splunk Enterprise Security

Splunk Security Essentials - Mitre Map does not report each correlation search?

davidem
Explorer

Hi Splunkers,

I have a problem with the "Splunk Security Essentials" application. Currently, I have 34 activated correlation searches that I would like to map on the Mitre Framework.

Viewing the "sse_content_exported_lookup" file, the mitre information does not match the information reported in each correlation rule.

Also, there are correlation searches in the "sse_content_exported_lookup" file that had the mitre but didn't appear in the Mitre Map.

However, all 34 correlation searches show up in the bookmarks.


Could you suggest a solution? is there any procedure I can follow to make sure that all active correlation searches appear in the mitre map?

 

Thank you.

Labels (1)
0 Karma

davidem
Explorer

I noticed that in the file "use_case.csv" ("| sseanalytics | lookup use_cases.csv....") the one from which the data for the mitre map is taken, the data does not match the data in the correlation search, and in particular the field "mitre_tactic_display" is "none".

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...