Splunk Enterprise Security

Using custom content with MITRE ATT&CK Framework

chooglin
Loves-to-Learn

I have custom content that I've created in SSE and mapped to various parts of the MITRE Framework. The problem is SSE only seems to be picking up Splunk ES and ESCU content, not the custom stuff I've done. Is there a solution for this?

Labels (1)
0 Karma

lkutch_splunk
Splunk Employee
Splunk Employee

Which version of ES are you using? And are you mapping them in correlation searches or trying to map in a different way? 
https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Configurecorrelationsearches#Use_security_frame... 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...