Overview
This application provides compliance and triage dashboards for the MITRE ATT&CK Framework with drill-down capabilities. Using Splunk Enterprise Security and Splunk ES Content Update is recommended; however, starting with version 2.3.0, non-ES deployments are also supported through Alert Manager integration.
Required Splunk Apps:
Starting with version 2.3.0, we added support for non-ES (Enterprise Security App) deployments as well. One of the following applications is required:
- Splunk Enterprise Security 5.2 or above
OR
- For one of the views:
Recommended Splunk Apps:
- Splunk ES Content Update 1.0.40 or above
- Lookup File Editor
Note: Although the app will work without ES Content Update, it is highly recommended since it comes with many correlation rules that have mitre_attack annotations already.
Setup Instructions
After installing the application you will land on the Setup page. Enter the API Key if you have one, or simply hit Save to continue. The default view is the Compliance Dashboard. If the matrix is not populated, click on the table to run the generation manually; this takes you to the Lookup Generation dashboard, where the searches run automatically.
Note: If using the Alert Manager app, you will need to uncheck the "Use Enterprise Security App" checkbox within the Setup view.
Saved Searches
This application comes with predefined saved searches. Lookup Gen searches are scheduled to run daily after midnight.
- MITRE ATT&CK All Rules and Techniques Lookup Gen: This lookup generator checks the currently enabled correlation rules via analytic stories and combines those searches with the user-defined mitre_user_rule_technique_lookup.csv file, which maps MITRE ATT&CK technique IDs to rules.
- MITRE ATT&CK Compliance Lookup Gen: This lookup generator relies on mitre_all_rule_technique_lookup.csv to generate a new lookup that properly displays the MITRE ATT&CK Compliance matrix.
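To make the two-stage lookup generation concrete, here is an added Python emulation (not code from the app) of what the Lookup Gen searches compute: enabled, annotated correlation rules are merged with the user-defined CSV into one rule-to-technique lookup, and that lookup is rolled up per technique for the compliance matrix. The CSV column names, the rule records and the technique list are constructed assumptions for illustration.

```python
import csv
import io

# Constructed sample of the user-defined mitre_user_rule_technique_lookup.csv;
# the column names rule_name/technique_id are assumed, not taken from the app.
USER_LOOKUP_CSV = """rule_name,technique_id
Custom - Suspicious PowerShell Download,T1059.001
Custom - Suspicious PowerShell Download,T1105
Custom - Rare Scheduled Task,T1053.005
"""

# Constructed sample of correlation rules as found via analytic stories,
# each with its mitre_attack annotation and its enabled/disabled state.
CORRELATION_RULES = [
    {"name": "ESCU - Malicious PowerShell Process", "enabled": True,
     "mitre_attack": ["T1059.001"]},
    {"name": "ESCU - Scheduled Task Creation", "enabled": False,
     "mitre_attack": ["T1053.005"]},
    {"name": "ESCU - Rundll32 Abuse", "enabled": True,
     "mitre_attack": ["T1218.011"]},
]

# Constructed subset of the technique IDs shown in the compliance matrix.
MATRIX_TECHNIQUES = ["T1003.001", "T1053.005", "T1059.001", "T1105", "T1218.011"]


def build_all_rule_technique_lookup(rules, user_csv):
    """Emulate 'All Rules and Techniques Lookup Gen': one row per (rule,
    technique) pair from enabled annotated rules, merged with the user CSV."""
    rows = {}
    for rule in rules:
        if not rule["enabled"]:          # disabled rules provide no coverage
            continue
        for tid in rule["mitre_attack"]:
            rows[(rule["name"], tid)] = {"rule_name": rule["name"],
                                         "technique_id": tid, "source": "annotation"}
    for r in csv.DictReader(io.StringIO(user_csv)):
        key = (r["rule_name"].strip(), r["technique_id"].strip())
        rows.setdefault(key, {"rule_name": key[0], "technique_id": key[1],
                              "source": "user"})   # duplicates collapse to one row
    return sorted(rows.values(), key=lambda r: (r["technique_id"], r["rule_name"]))


def build_compliance_lookup(all_lookup, techniques):
    """Emulate 'Compliance Lookup Gen': per matrix technique, the number of
    rules covering it and whether it counts as covered at all."""
    counts = {}
    for r in all_lookup:
        counts[r["technique_id"]] = counts.get(r["technique_id"], 0) + 1
    return {tid: {"rule_count": counts.get(tid, 0),
                  "covered": counts.get(tid, 0) > 0} for tid in techniques}
```

Note that a technique whose only ESCU rule is disabled still shows as covered when a user-defined rule maps to it, which is exactly why the user CSV is merged before the compliance roll-up.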
Quick Links
Release Notes: This section provides details on system requirements and how to install and run MITRE ATT&CK App for Splunk in production environments.
Using MITRE ATT&CK App: This guide provides information on how to use MITRE ATT&CK App for Splunk.
Release Notes: This section provides details on release notes.