This version 2.1.0 is not the most recent version of documentation. Click here for the latest version.  MITRE ATT&CK App for Splunk® - Documentation

Installation

1. Download the latest AppInspect Passed version from: https://splunkbase.splunk.com/app/4617/

   Please visit the Github repo for the latest changes and development efforts: https://github.com/seynur/DA-ESS-MitreContent/

2. Install the application on Splunk Enterprise. This application (DA-ESS-MitreContent) should be installed on the Search Head or Search Head Cluster where Enterprise Security Application resides. For details on add-on installation please refer to Splunk Documentation

Initial Setup

Upon initial installation you will be on Compliance Dashboard. If the matrix is not populated, click on the table row to run manually, which will direct you to the Setup dashboard (searches run automatically on that dashboard).

1. Click on the table row.

   

    

2. This setup page will run lookup generating searches for the initial usage. These reports are scheduled to run daily at midnight in order to populate/update the lookup tables for enabled correlation rules pertinent to MITRE ATT&CK Framework.

   

    

3. Wait for the initial search to complete for MITRE ATT&CK All Rules and Techniques Lookup. Depending on your environment you may get an error for MITRE ATT&CK Compliance Lookup. No worries, wait for 15 seconds for it to refresh; this search depends on the first one.

   

    

4. Once the search is completed, you can go back to “MITRE ATT&CK Compliance with Splunk ES” dashboard to view the level of existing rules (enabled and available) in comparison to MITRE ATT&CK techniques. You can click on a specific technique in order to view the associated correlation rules within ES App.

   

    

5. MITRE ATT&CK Rule Finder view enables users to search for existing correlation rules based on technique names. You can click on the desired rule for further configuration.