Splunk Enterprise Security

Security Essentials not showing/mapping MITRE & cyber kill chain

AcePilot
Engager

 

When using Pplunks  security essentials :  MITRE ATT&CK Framework  we are lacking a significant amount of alerts.  we used to have around 1500 in active and 300 ish on needs data; however, overnight drop to the 200 mark total (between active and needs data) .  The following troubleshooting steps have been taken 

1. updated content with the "force update under system configuration".

AcePilot_3-1719607403751.png

2. verify communication to the urls (yes it can connect)

3. uninstall and reinstall current SSE version, this cleared the data mapping upon installed it showed  enabled 0-active-0- missing data 1715:

AcePilot_4-1719607774116.png

after the weekend it dropped to 0-8-195 

AcePilot_5-1719607848374.png

 

 

4. After i rebuilt the data inventory  it looked as such:
AcePilot_1-1719606928966.png

 

Here are some SS of the security content:

 

1. shows content 

AcePilot_2-1719607265279.png

2. drop down shows 12 mitre attack platforms but the dropdown is all 0;s

AcePilot_0-1719606146985.png

 

3.  Some times the data sources would show a filter of none. with 1300+  items, like the item below 134,  and sometimes it just doesnt appear. 

 

AcePilot_6-1719608171975.png

 

4. MITRE map missing from the  configuration tags 

AcePilot_7-1719608450133.png

 

 



 

 

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...