Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Add Mitre Att&ck TTP data to splunk core

elend
Communicator
‎09-01-2025 02:30 AM

Hi, 
I'm exploring several possibilities in Splunk Core for security purposes without using Splunk Enterprise Security. I'm currently trying to add TTP information from Mitre to Splunk Core. Is that possible or some of you ever did this before? really appreciate for any information given.

Labels (2)
Labels
0 Karma
Reply

PrewinThomas
Motivator
‎09-01-2025 09:10 PM

@elend 

You can grab the MITRE ATT&CK data and bring it into Splunk as a lookup table or KV Store. That way, you can add MITRE TTP details to your detections or events in your searches and dashboards.
You can also try out the Security Essentials app, which gives you lots of built-in detections already mapped to MITRE ATT&CK techniques and analytics use cases.

#https://docs.splunk.com/Documentation/SSE/3.8.2/User/MITREFramework

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-01-2025 04:22 AM

What do you mean by that? You could implement your own method of storing TTP info about... something (a search result, most probably) in a KV-store. But that would mean you're effectively reimplementing core ES functionality. You'd have to first have a way of storing those results (akin to notables or findings) and "tagging" those, which is exactly what ES does.

0 Karma
Reply

elend
Communicator
‎09-01-2025 07:54 PM

yes, i think it tag and trigger by created alert that have been made before. But still wonder how to store it. I've read some documentation like using Splunk Security Essentials

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...