This application provides compliance and triage dashboards for MITRE ATT&CK Framework with drill-down capabilities. It is recommended to utilize Splunk Enterprise Security and Splunk ES Content Update since it comes with many correlation rules that have mitre_attack annotations already. However, starting with version 2.3.0 non-ES deployments are also supported with Alert Manager integration.
Required Splunk Apps:
Starting with version 2.3.0, we added ssupport for non-ES (Enterprise Security App) deployments as well.
One of the following applications is required:
For one of the views:
For use cases:
- Splunk ES Content Update 1.0.40 or above
For data model searches:
Recommended Splunk Apps:
This application comes with predefined saved searches. Lookup Gen searches are scheduled to run daily after midnight.
- MITRE ATT&CK All Rules and Techniques Lookup Gen: This lookup generator checks currently enabled correlation rules via analytic stories and combines the searches with user-defined ``mitre_user_rule_technique_lookup.csv** file that matches MITRE ATT&CK technique/sub-technique IDs with rules.
- MITRE ATT&CK Compliance Lookup Gen: This lookup generator relies on
mitre_all_rule_technique_lookup.csvin order to generate a new lookup to properly display MITRE ATT&CK Compliance martix.