I have custom content that I've created in SSE and mapped to various parts of the MITRE Framework. The problem is SSE only seems to be picking up Splunk ES and ESCU content, not the custom stuff I've done. Is there a solution for this?
Which version of ES are you using? And are you mapping them in correlation searches or trying to map in a different way?
https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Configurecorrelationsearches#Use_security_frame...