Search Commands

Splunk Security Essentials ships with a variety of custom search commands to streamline lots of functionality. Below, find a list of those commands.

Table of Contents

mitremap

Description

mitremap provides a tabular output of the MITRE ATT&CK and PRE-ATT&CK maps, based on the JSON files that ship with Splunk Security Essentials. By default it runs on ATT&CK, but you can switch with name=preattack. By default it outputs labels, but you can get the IDs if you want by adding pretty=false. If you would like to filter to only detections where content is available, use content_available=true. If you would like to filter to only detections where a certain number of groups use that technique according to ATT&CK, use popular_only=true and optionally min_popularity=X to specify the minimum number of groups (default: 5). If you want to highlight specific threat groups (as identified in ATT&CK), you can add groups=“APT1” or groups=“APT1,APT28,APT29”. If you would like to filter and not see techniques not associated by MITRE with those threat groups, you can also add group_only=true

Example

| mitremap name=(preattack|attack) [pretty=true]

Syntax

mitremap [name=mitre_kill_chain_phase] [pretty=true] [content_available=false] [popular_only=false] [min_popularity=5] [groups=“APT1”] [group_only=false]

mitremaplookup

Description

mitremaplookup takes in a set of events and then generates a MITRE ATT&CK Map showing the techniques used in those events. By default, it will look for the search_name field (seen in index=risk or index=notable) and then look up that value in Splunk Security Essentials to generate the actual techniques, but if you provide a field called mitre_technique (or specify another field name with mitre_technique=myotherfield) it will grab them from that field. If you provide a mitre_technique field (or point us to one), it will accept single values or multi-value natively, or you can provide an explicit delimiter for multiple techniques with the delim=“” flag, e.g., a comma or pipe delimited list. Finally, if you have your techniques listed with the id and the name, e.g., “T1001 - Data Obfuscation”, it will automatically strip off the rest (even in a multi-value field).

Example

| mitremaplookup

Syntax

mitremaplookup [search_name=search_name] [mitre_technique=mitre_technique] [delim=“|”]

sseanalytics

Description

sseanalytics will provide a tabular output for the content shown by Splunk Security Essentials (or any other Essentials app). By default, it will only print key fields, but you can also include the full JSON by adding include_json=true. The command will also automatically enrich with bookmarked status and data availability status. By default it will search Splunk Security Essentials, but you can specify another app with app=. Splunk Security Essentials will cache content by default for performance, but you can override this by adding cache=false.

Example

| sseanalytics [cache=true] [app=Splunk_Security_Essentials] [include_all=false] [include_json=false] | top mitre

Syntax

sseanalytics [cache=true] [app=appName] [include_all=false] [include_json=false]

sseidenrichment

Description

sseidenrichment serves as a lookup for products, mitre ids, data source ids, or data source category ids. Define type as appropriate, and then field= should reference a field in your dataset that contains the ID that will be enriched.

Example

| sseidenrichment type=(mitreid|productid|datasourceid|dscid) field=yourfield

Syntax

sseidenrichment type=(mitreid|productid|datasourceid|dscid) field=yourfield

sselookup

Description

sselookup is intended to accept the input from index=notable or index=risk, or run as a part of your scheduled correlation searches. If you have mapped your live correlation searches in SSE, it will look at the search_name field and the source (or the current running search name if run as a scheduled search) and then automatically add key metadata fields (as if you ran | sselookup metadata). If you want to add all fields, use | sselookup all. You can also output just the MITRE fields with | sselookup mitre, or you can specify particular fields (list in | sseanalytics) by adding them to the list, such as | sselookup name mitre alertvolume. If you would like to hardcode the name of the search to something other than search_name (or source), pass it in via | sselookup search_name=myfield.

Example

| sselookup [all] [mitre] [metadata] [specific_field_name]

Syntax

sselookup [search_name=field_containing_search_name] [all] [mitre] [metadata] [specific_field_name]