Re: Add Mitre Att&ck TTP data to splunk core

elend

Hi,
I'm exploring several possibilities in Splunk Core for security purposes without using Splunk Enterprise Security. I'm currently trying to add TTP information from Mitre to Splunk Core. Is that possible or some of you ever did this before? really appreciate for any information given.

PrewinThomas

@elend

You can grab the MITRE ATT&CK data and bring it into Splunk as a lookup table or KV Store. That way, you can add MITRE TTP details to your detections or events in your searches and dashboards.
You can also try out the Security Essentials app, which gives you lots of built-in detections already mapped to MITRE ATT&CK techniques and analytics use cases.

#https://docs.splunk.com/Documentation/SSE/3.8.2/User/MITREFramework

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

PickleRick

What do you mean by that? You could implement your own method of storing TTP info about... something (a search result, most probably) in a KV-store. But that would mean you're effectively reimplementing core ES functionality. You'd have to first have a way of storing those results (akin to notables or findings) and "tagging" those, which is exactly what ES does.

elend

yes, i think it tag and trigger by created alert that have been made before. But still wonder how to store it. I've read some documentation like using Splunk Security Essentials

Add Mitre Att&ck TTP data to splunk core

development

splunk-assist

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?