Overview

This application provides compliance and triage dashboards for the MITRE ATT&CK Framework with drill-down capabilities. It is recommended to use Splunk Enterprise Security together with Splunk ES Content Update, since they ship many correlation rules that already carry mitre_attack annotations. However, starting with version 2.3.0, non-ES deployments are also supported through Alert Manager integration.

Required Splunk Apps:

Starting with version 2.3.0, we added support for non-ES (Enterprise Security App) deployments as well.

One of the following applications is required:

For one of the views:

For use cases:

For data model searches:

Saved Searches

This application comes with predefined saved searches. Lookup Gen searches are scheduled to run daily after midnight.

  • MITRE ATT&CK All Rules and Techniques Lookup Gen: This lookup generator checks the currently enabled correlation rules via analytic stories and combines those searches with the user-defined `mitre_user_rule_technique_lookup.csv` file, which maps MITRE ATT&CK technique/sub-technique IDs to rules.
  • MITRE ATT&CK Compliance Lookup Gen: This lookup generator relies on `mitre_all_rule_technique_lookup.csv` in order to generate a new lookup that properly displays the MITRE ATT&CK Compliance matrix.
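The two lookup generators above amount to one join: take the rule-to-technique mapping, keep only the rules that are actually enabled, and roll the result up into per-technique coverage counts that the compliance matrix can display. The following Python example is added here to illustrate that logic outside Splunk; it is not the app's own code or its saved searches. The CSV column names (`rule_name`, `technique_id`), the rule names, and the enabled-rule set are constructed sample values, and the sub-technique roll-up (T1059.001 also counting toward T1059) is an assumption about how coverage should be aggregated, not something the page specifies.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for the user-defined
# mitre_user_rule_technique_lookup.csv; the column names are assumed.
USER_RULE_TECHNIQUE_CSV = """rule_name,technique_id
ESCU - Suspicious PowerShell Encoded Command - Rule,T1059.001
ESCU - Suspicious PowerShell Encoded Command - Rule,T1027
Custom - Brute Force Against SSH - Rule,T1110.001
Custom - New Local Admin Account - Rule,T1136.001
Custom - Disabled Rule Example - Rule,T1003.001
"""

# Constructed sample of the rules the platform currently reports as enabled.
ENABLED_RULES = {
    "ESCU - Suspicious PowerShell Encoded Command - Rule",
    "Custom - Brute Force Against SSH - Rule",
    "Custom - New Local Admin Account - Rule",
}


def parse_rule_technique_csv(text):
    """Parse the mapping CSV into (rule, technique_id) pairs.

    Blank or malformed rows (missing rule name, or an ID that does not look
    like an ATT&CK technique) are skipped rather than allowed to poison the
    lookup.
    """
    pairs = []
    for row in csv.DictReader(io.StringIO(text)):
        rule = (row.get("rule_name") or "").strip()
        tech = (row.get("technique_id") or "").strip().upper()
        if rule and tech.startswith("T"):
            pairs.append((rule, tech))
    return pairs


def parent_technique(technique_id):
    """Map a sub-technique ID to its parent: T1059.001 -> T1059, T1059 -> T1059."""
    return technique_id.split(".", 1)[0]


def build_coverage(pairs, enabled_rules):
    """Return {technique_id: sorted enabled rules covering it}.

    Disabled rules are dropped, and each sub-technique hit is also credited
    to its parent technique so the matrix shows coverage at both levels.
    """
    coverage = defaultdict(set)
    for rule, tech in pairs:
        if rule not in enabled_rules:
            continue
        coverage[tech].add(rule)
        coverage[parent_technique(tech)].add(rule)
    return {t: sorted(rules) for t, rules in sorted(coverage.items())}


def compliance_matrix(coverage, techniques_of_interest):
    """Count enabled rules per technique; a count of 0 is a coverage gap."""
    return {t: len(coverage.get(t, [])) for t in techniques_of_interest}


if __name__ == "__main__":
    pairs = parse_rule_technique_csv(USER_RULE_TECHNIQUE_CSV)
    cov = build_coverage(pairs, ENABLED_RULES)
    matrix = compliance_matrix(
        cov, ["T1059", "T1059.001", "T1110", "T1003", "T1136.001"]
    )
    for technique, count in matrix.items():
        print(f"{technique:<10} {count} enabled rule(s)")
```

In this sample the T1003 row shows 0 because its only mapped rule is disabled: that is exactly the kind of gap the compliance matrix is meant to surface, and it is why the generator must consult the enabled state rather than the raw mapping file.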