Operationalize MITRE ATT&CK
If you are orienting your security environment around MITRE ATT&CK, you're in luck (particularly if you use Splunk Enterprise Security). This app contains a wealth of MITRE ATT&CK integrations, and this guide will walk you through them.
In the app configuration, you can include / exclude different sources of content, allowing you to filter out Splunk solutions you might not own, or avoid seeing the free content from Splunk Security Essentials. Most users will leave this at the default settings.
Find the Configuration menu in the navigation.
Under Enabled Sources you can turn on or off different apps. This will apply globally across the app.
Data Source Categories use standardized searches to find data configured with the tags that are used in Splunk’s Common Information Model. You can also add custom products that either don’t match the Common Information Model, or mark that you have products you expect to add in the future.
The Data Inventory dashboard allows you to configure what products you have in your environment. Products have a variety of metadata (sourcetypes, event volume, CIM compliance) and are connected with data source categories, allowing the app to show you what content can be turned on with your present data.
Here’s an example of several data source categories, under the EDR data source. DSCs are detailed categories that have been proven out through thousands of professional services engagements.
When you first open this page, it will prompt you to use the automated scans. If you install SSE on your production search head, most of the work from this page is automated!
There are four automated introspection steps that pull a variety of data.
For any sources or sourcetypes that are uncommon, you can tell the app what product it is.
If you have a product that wasn’t detected, or you aren’t installing this app on your production search head, you can always manually add products by clicking Add Product. If you don’t have data for a DSC, you can say No Data Present.
Correlation Search Introspection and Mapping
Tracking what content you have active is key to so much Splunk Security Essentials functionality (enriching the MITRE ATT&CK Matrix, guiding you to the right content, integrations with Splunk Enterprise Security, Risk-based Alerting, the Data Availability Dashboard). This can be accomplished through bookmarking (set status Implemented), but it’s often easier to configure via Correlation Search Introspection on the Bookmarked Content dashboard.
Splunk Security Essentials uses bookmarking to track what content is active in your environment, or to just help you remember what content you want to deploy.
To make the process of recording your active content easier if you’ve installed this app on your production search head, it contains a Correlation Search Introspection feature which walks you through marking active content.
This introspection will pull a list of all of your enabled local scheduled searches that have an action associated with them. It will also automatically mark as active any ES, ESCU, or SSE content that is directly enabled.
For most content, the introspection will provide you with the option to indicate that a search is not a security detection, search through all of the out-of-the-box content contained in the app, or create new custom content in the app. Any of these will help you accurately map data source, MITRE, and other metadata for your content.
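If you want to see the same candidate list the introspection starts from (for example, to sanity-check its results, or because you are not installing the app on your production search head), the following SPL reproduces it. This is an added example, not a search shipped with Splunk Security Essentials; it assumes the standard `saved/searches` REST endpoint fields (`disabled`, `is_scheduled`, `actions`, `cron_schedule`, `eai:acl.app`) and treats the ES " - Rule" title suffix as a hint only.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
| search disabled=0 is_scheduled=1
| where isnotnull(actions) AND actions!=""
| eval app='eai:acl.app'
| eval likely_es_rule=if(match(title, " - Rule$"), "yes", "no")
| table app title likely_es_rule cron_schedule actions search
| sort app title
```

Rows with `likely_es_rule=no` and an action such as `risk` or `notable` are the ones most likely to need manual mapping (mark as not a detection, map to out-of-the-box content, or create custom content).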
Splunk Security Essentials includes a search engine to help you search the app and map any detection search to all of the out-of-the-box content.
For content that doesn’t exist in Splunk out-of-the-box, you can create custom content. Custom content shows everywhere throughout the app, just like normal Splunk content.
You can even define all of the same metadata content (such as MITRE ATT&CK, Kill Chain, data source categories, etc.). You can also add all the normal descriptive fields (how to respond, known false positives, etc.).
If you don’t have Splunk Security Essentials on your production environment, you can always individually mark content as installed, or bookmarked.
Check for ES Integration
Assuming that you have ES in your environment, Splunk Security Essentials can push MITRE ATT&CK and Kill Chain attributions to the Incident Review dashboard, along with raw searches of index=risk or index=notable. Just configure the ES Integration in the system config menu.
Find the Configuration menu in the navigation.
Click Update ES and the app will push MITRE and Kill Chain configurations into the ES Incident Review dashboard.
Analytics Advisor MITRE ATT&CK Framework
The Analytics Advisor dashboards are designed to help you understand what content you might want to deploy inside of Splunk based on the content you already have and the data that’s present in your environment. The MITRE ATT&CK Overview dashboard even includes a customized MITRE ATT&CK Matrix that shows your level of coverage on MITRE ATT&CK while letting you filter for the data you have in the environment, or the threat groups that target you.
Like the Analytics Advisor Content Overview dashboard, the MITRE ATT&CK Framework dashboard takes into account the data and active content in your environment to help you choose new and better content. See that dashboard for a full tour of the three steps in this dashboard.
The MITRE ATT&CK Matrix tab shows the coverage in your environment against all techniques. By default the app will color the matrix based on all content (Total), but you can adjust the filters to show just what content is currently enabled in your environment (Active), what content is available to start using with your data (Available), or what content you could use if you ingested more data into Splunk (Needs Data).
You can also get insight into the threat groups that target you by selecting a group. The app will add a red icon for each technique associated with that threat group. If you don't track a specific group, you can also filter for only the techniques popular with many groups.
Finally, you can also highlight a specific data source directly in the matrix. This allows you to show the incremental value you’d get by adding an additional data source to your environment.
The Chart View tab shows at a high level how your environment stacks up against the content available and the MITRE ATT&CK Framework specifically. You can switch between the tabs to change the visualisation and change the Split by field to show different dimensions. Everything in this panel is clickable and will allow you to drill down further.
The Selected Content panel contains further filters that allow you to drill into individual pieces of content.
The View Content panel allows you to go directly to the full details of the selection inside the Security Essentials general content page.
These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven’t configured those yet, make sure to visit those pages.
Analyze ES Risk Attributions
Risk-based Alerting is all oriented towards aggregating risky events. This dashboard looks at the content in the ES Risk Framework with out-of-the-box Risk aggregations. It also includes a customized MITRE ATT&CK Matrix based on your search filters, letting you see what techniques have been seen against a particular user, host, or network.
The Analyze ES Risk Attributions dashboard helps you understand the data provided by the Splunk Enterprise Security’s Risk Analysis Framework. Most users will arrive here via a drilldown from a user or system, populating that user/system in the search box and focusing the analysis accordingly. That said, you can enter any search string to use the dashboard to analyze a network or even your entire organization.
Customers who get the most value out of ES Risk often use MITRE ATT&CK, which is why we provide a series of system-wide ATT&CK metrics on the left, and then the number of hits per tactic for your provided user/system.
Beneath that, you will find a customized MITRE ATT&CK Matrix for this user/system, showing you which techniques have fired for the data you’ve selected in the search.
Aggregating risk attributions is the core strength of this dashboard. You’ll next see a series of charts that aggregate risk by various metrics.
Finally, you’ll see a straightforward sum of risk by object, which will let you see which objects are experiencing the greatest amount of risk.
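To see the kind of aggregation this dashboard performs (risk per tactic for a user or system, plus the overall sum of risk per object) as a plain search against the risk index, here is an added example; it is not the dashboard's own search. It assumes the standard ES Risk Framework fields (`risk_object`, `risk_object_type`, `risk_score`) and the `annotations.mitre_attack.mitre_tactic` annotation ES attaches to risk events; `jdoe` and `WKSTN-042` are constructed placeholder objects standing in for what you would type into the dashboard's search box.

```spl
index=risk earliest=-7d (risk_object="jdoe" OR risk_object="WKSTN-042")
| fillnull value="unknown" annotations.mitre_attack.mitre_tactic
| eval object=risk_object_type . ":" . risk_object
| chart sum(risk_score) AS risk OVER object BY annotations.mitre_attack.mitre_tactic
| fillnull value=0
| addtotals fieldname=total_risk
| sort - total_risk
```

Each row is one risk object, each column a tactic (unannotated events land in `unknown`), and `total_risk` is the straightforward per-object sum described above; drop the `risk_object` filter to rank every object in the index.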
MITRE ATT&CK-based Content Recommendations
With an understanding of what data you have, you can specify the types of security concerns you’re facing and then use MITRE ATT&CK to filter for the Splunk content related to MITRE Techniques that are associated with many different threat groups.
Select a category of issue that you are concerned about. If desired, you can also adjust the default filters for data availability and popularity.
You will be greeted by a list of content that is tied to ATT&CK techniques MITRE reports as being popular with many threat groups.
This dashboard is built on the Data Inventory and Correlation Search Introspection, so if you haven’t configured those yet, make sure to visit those pages.
MITRE ATT&CK Matrix