Hi Splunkers,
I have a problem with the "Splunk Security Essentials" application. Currently, I have 34 activated correlation searches that I would like to map on the Mitre Framework.
Viewing the "sse_content_exported_lookup" file, the mitre information does not match the information reported in each correlation rule.
Also, there are correlation searches in the "sse_content_exported_lookup" file that have the mitre information but don't appear in the Mitre Map.
However, all 34 correlation searches show up in the bookmarks.
Could you suggest a solution? Is there any procedure I can follow to make sure that all active correlation searches appear in the mitre map?
Thank you.
I noticed that in the file "use_case.csv" ("| sseanalytics | lookup use_cases.csv...."), the one from which the data for the mitre map is taken, the data does not match the data in the correlation search; in particular, the field "mitre_tactic_display" is "none".
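The check the question is asking for, reconciling the list of enabled correlation searches against the exported lookup and flagging rows whose "mitre_tactic_display" is empty or "none", as an added example that is not part of the original post or of Splunk Security Essentials. The CSV content and the search titles are constructed sample data; the column name "search_title" is an assumption, not the real lookup schema, and only "mitre_tactic_display" is taken from the post.

```python
import csv
import io

# Constructed stand-in for the exported SSE lookup. Only mitre_tactic_display is
# a field named in the post; search_title and mitre_technique_display are
# assumed column names for this example.
SSE_EXPORT_CSV = """search_title,mitre_tactic_display,mitre_technique_display
Brute Force Attempts,Credential Access,T1110
Suspicious Process Spawn,none,T1059
Unusual DNS Volume,,
Lateral Movement via SMB,Lateral Movement|Defense Evasion,T1021
"""

# Constructed list of enabled correlation search titles, as an analyst might
# export them from the content management page.
ACTIVE_SEARCHES = [
    "Brute Force Attempts",
    "Suspicious Process Spawn",
    "Unusual DNS Volume",
    "Lateral Movement via SMB",
    "New Local Admin Account",
]

# Values that should be treated as "no tactic mapped" (case-insensitive).
MISSING_VALUES = {"", "none", "n/a", "unknown"}


def load_export(csv_text):
    """Parse the lookup CSV into a dict keyed by search title."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["search_title"]: row for row in reader}


def tactics_for(row):
    """Split a possibly multi-valued tactic field into a clean list."""
    raw = (row.get("mitre_tactic_display") or "").strip()
    return [t.strip() for t in raw.split("|") if t.strip().lower() not in MISSING_VALUES]


def reconcile(active_titles, export):
    """Classify each enabled search as mapped, unmapped, or absent from the export."""
    result = {"mapped": {}, "no_tactic": [], "not_in_export": []}
    for title in active_titles:
        row = export.get(title)
        if row is None:
            result["not_in_export"].append(title)
            continue
        tactics = tactics_for(row)
        if tactics:
            result["mapped"][title] = tactics
        else:
            result["no_tactic"].append(title)
    return result


if __name__ == "__main__":
    report = reconcile(ACTIVE_SEARCHES, load_export(SSE_EXPORT_CSV))
    for title, tactics in report["mapped"].items():
        print(f"OK      {title}: {', '.join(tactics)}")
    for title in report["no_tactic"]:
        print(f"NO-TACTIC  {title} (will not appear on the MITRE map)")
    for title in report["not_in_export"]:
        print(f"MISSING    {title} (not present in the exported lookup)")
```

Searches in the "no_tactic" and "not_in_export" buckets are the ones to re-check in the app's content mapping before expecting them on the map.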