This application provides compliance and triage dashboards for MITRE ATT&CK Framework with drill-down capabilities. It is recommended to utilize Splunk Enterprise Security and Splunk ES Content Update since it comes with many correlation rules that have mitre_attack annotations already. However, starting with version 2.3.0 non-ES deployments are also supported with Alert Manager integration.

Required Splunk Apps:

Starting with version 2.3.0, we added ssupport for non-ES (Enterprise Security App) deployments as well.

One of the following applications is required:

For one of the views:

For use cases:

For data model searches:

Saved Searches

This application comes with predefined saved searches. Lookup Gen searches are scheduled to run daily after midnight.

  • MITRE ATT&CK All Rules and Techniques Lookup Gen: This lookup generator checks currently enabled correlation rules via analytic stories and combines the searches with user-defined ``mitre_user_rule_technique_lookup.csv** file that matches MITRE ATT&CK technique/sub-technique IDs with rules.
  • MITRE ATT&CK Compliance Lookup Gen: This lookup generator relies on mitre_all_rule_technique_lookup.csv in order to generate a new lookup to properly display MITRE ATT&CK Compliance martix.