Splunk Enterprise

MITRE usecases

1ueshkil
Loves-to-Learn

Hi Team,

We are new to Splunk SIEM, Need to create real time use cases based on MITRE Framework for Linux and Palo Alto log sources in customer environment. Kindly help on this.

Labels (1)
0 Karma

1ueshkil
Loves-to-Learn

We have already integrated linux, palo alto,SAP log sources. Just looking to create Linux, Palo alto, SAP use cases which is based on MITRE framework or any attack pattern use cases, as we don't have that much knowledge to create SPL use cases.

0 Karma

1ueshkil
Loves-to-Learn

@inventsekar Could you please suggest on this.

We have already integrated linux, palo alto,SAP log sources. Just looking to create Linux, Palo alto, SAP use cases which is based on MITRE framework or any attack pattern use cases, as we don't have that much knowledge to create SPL use cases.

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @1ueshkil .. I did this UseCases bit long back.. so i got some confusions now. i am just giving you my educated guesses.. 

Let us know, if you have Security Essentials App - ( https://splunkbase.splunk.com/app/3435 )


>>> We have already integrated linux, palo alto,SAP log sources.
Nice. most of the problems solved. You no need to worry about data/logs required for the UseCase creation. Now you need to focus only on UseCase Creation

>>>Just looking to create Linux, Palo alto, SAP use cases which is based on MITRE framework or any attack pattern use cases, as we don't have that much knowledge to create SPL use cases.

Pls select a simple usecase to start with. Lets say DDOS attack on Linux systems. then we can try to work on the UseCase creation step by step. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

1ueshkil
Loves-to-Learn

Yes it was installed.

0 Karma

1ueshkil
Loves-to-Learn

@inventsekar Could you please suggest. Yes that app was installed. 

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @1ueshkil ... we may need more details from you.. 

Pls check this: https://www.splunk.com/en_us/blog/security/using-mitre-att-ck-in-splunk-security-essentials.html

Do you know on Linux and Palo Alto, which use-case you are exactly looking for.. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

1ueshkil
Loves-to-Learn

Hi,

Any kind of real time attacks - Unauthorized attacks, Malicious access attempts, Command and controller traffic, Inbound/outbound malicious traffic, port scanning, palo alto threat detected traffic etc....

0 Karma

inventsekar
SplunkTrust
SplunkTrust

may we know if you have a working splunk environment (splunk indexer(s), linux UF's already sending logs to indexer, required apps installed on SH, etc..) 

if yes, pls suggest us what things exactly you have.. 

OR

do you have nothing and you want to start from zero.. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...