Analytics Advisor MITRE ATT&CK Framework

The Analytics Advisor dashboards are designed to help you understand what content you might want to deploy in Splunk, based on the content you already have and the data that is present in your environment. The MITRE ATT&CK Overview dashboard also includes a customized MITRE ATT&CK Matrix that shows your level of coverage across MITRE ATT&CK, and lets you filter by the data you have in the environment or by the threat groups that target you.

  1. Like the Analytics Advisor Content Overview dashboard, the MITRE ATT&CK Framework dashboard takes into account the data and active content in your environment to help you choose new and better content. See the Content Overview dashboard for a full tour of the three steps this dashboard shares with it.
  2. The MITRE ATT&CK Matrix tab shows the coverage in your environment against all techniques. By default the app will color the matrix based on all content (Total), but you can adjust the filters to show just what content is currently enabled in your environment (Active), what content is available to start using with your data (Available), or what content you could use if you ingested more data into Splunk (Needs Data).
  3. You can also get insight into the threat groups that target you by selecting a group. The app adds a red icon to each technique associated with that threat group. If you don’t track a specific group, you can instead filter for only the techniques that are popular with many groups.
  4. Finally, you can also highlight a specific data source directly in the matrix. This allows you to show the incremental value you’d get by adding an additional data source to your environment.
  5. The Chart View tab shows, at a high level, how your environment stacks up against the available content and against the MITRE ATT&CK Framework specifically. You can switch between the tabs to change the visualisation, and change the Split by field to show different dimensions. Everything in this panel is clickable and lets you drill down further.
  6. The Selected Content panel contains further filters that allow you to drill into individual pieces of content.
  7. The View Content panel lets you go directly to the full details of your selection in the Security Essentials general content page.
  8. These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven’t configured those yet, make sure to visit those pages.
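The Total / Active / Available / Needs Data filters, the threat-group overlay and the "incremental value of a data source" view all derive from the same two inputs: which correlation searches exist (and whether they are enabled), and which data sources are present. The following Python is an added illustration of that logic, not Splunk Security Essentials code; the content items, data source names and threat groups are constructed for the example (the technique IDs are real ATT&CK IDs, but the group-to-technique mappings are made up).

```python
"""Toy ATT&CK coverage classifier that mirrors the dashboard's filters.

Constructed example, not Splunk Security Essentials code. Every content
item, data source and threat group below is made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Content:
    name: str
    techniques: frozenset   # ATT&CK technique IDs the search is mapped to
    data_sources: frozenset  # data sources the search needs to run
    enabled: bool = False    # True when the correlation search is active


# Constructed content inventory (hypothetical searches, not real SSE content)
INVENTORY = [
    Content("Encoded PowerShell command", frozenset({"T1059"}), frozenset({"Sysmon"}), enabled=True),
    Content("LSASS memory access", frozenset({"T1003"}), frozenset({"Sysmon"})),
    Content("Excessive failed logons", frozenset({"T1110"}), frozenset({"Windows Security"})),
    Content("Phishing link click via proxy", frozenset({"T1566"}), frozenset({"Proxy"})),
    Content("Credential dumping tool on command line", frozenset({"T1003"}),
            frozenset({"Windows Security", "Sysmon"})),
]

# Constructed state of the environment: only Sysmon is being ingested
PRESENT = {"Sysmon"}

# Constructed threat groups; the technique lists are NOT real ATT&CK group data
GROUPS = {
    "Example Group A": frozenset({"T1059", "T1003", "T1566"}),
    "Example Group B": frozenset({"T1059", "T1110"}),
    "Example Group C": frozenset({"T1059", "T1566"}),
}


def classify(item: Content, present: set) -> str:
    """Bucket one content item the way the dashboard filters do."""
    if item.enabled:
        return "Active"          # already running against your data
    if item.data_sources <= present:
        return "Available"       # could be enabled today
    return "Needs Data"          # requires a data source you do not ingest


def coverage(inventory, present, mode="Total"):
    """Count content per technique; 'Total' counts every item regardless of bucket."""
    counts = {}
    for item in inventory:
        if mode != "Total" and classify(item, present) != mode:
            continue
        for tech in item.techniques:
            counts[tech] = counts.get(tech, 0) + 1
    return counts


def group_gaps(group_techniques, inventory, present):
    """Techniques a group uses that have no Active content (cells flagged with no coverage)."""
    active = coverage(inventory, present, "Active")
    return sorted(t for t in group_techniques if t not in active)


def popular_techniques(groups, min_groups):
    """Techniques used by at least min_groups groups, for the 'popular with many groups' filter."""
    counts = {}
    for techs in groups.values():
        for t in techs:
            counts[t] = counts.get(t, 0) + 1
    return sorted(t for t, c in counts.items() if c >= min_groups)


def incremental_value(inventory, present, new_source):
    """Techniques that move from Needs Data to Available if new_source were ingested."""
    before = coverage(inventory, present, "Available")
    after = coverage(inventory, present | {new_source}, "Available")
    return sorted(t for t in after if t not in before)


if __name__ == "__main__":
    for mode in ("Total", "Active", "Available", "Needs Data"):
        print(f"{mode:>10}: {coverage(INVENTORY, PRESENT, mode)}")
    print("Gaps for Example Group A:", group_gaps(GROUPS["Example Group A"], INVENTORY, PRESENT))
    print("Popular with 2+ groups:", popular_techniques(GROUPS, 2))
    print("Adding Windows Security unlocks:", incremental_value(INVENTORY, PRESENT, "Windows Security"))
```

With Sysmon as the only ingested source, the example reports one Active technique (T1059), one Available (T1003) and three Needs Data entries, and shows that adding Windows Security would newly unlock T1110 while adding Proxy would unlock T1566; that is the same comparison the data-source highlight in the matrix performs.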