Splunk Lantern

Improving threat detection coverage with MITRE in Splunk software

If you are a Splunk Enterprise Security customer, you likely have some of the following goals:

  • align detection engineering efforts to the MITRE ATT&CK framework
  • ensure that all techniques used by threat actors targeting your industry are covered
  • determine which detection sources and data sources are used in your environments and which are missing
  • create a backlog of prioritized security use cases to drive detection search development efforts

You are also probably already familiar with the MITRE ATT&CK framework. This open source framework ties data sources, tactics, and mitigations to a knowledge base of known adversary techniques. The website provides a great deal of useful information. For example, when you drill into a tactic, you get a definition for each of its techniques, and each technique includes multiple example procedures. It also lists mitigation options, so you know what data you need in order to set up each mitigation.

What the MITRE ATT&CK website can't do is tell you whether you have the right data in your environment. The site also doesn't link techniques to specific industries, such as healthcare or telecommunications. For these reasons, the MITRE ATT&CK framework is integrated into Splunk Enterprise Security, Splunk Security Essentials, the developer-supported MITRE ATT&CK App for Splunk, and Enterprise Security Content Updates. Each of these offers different information and tools, as shown in the following diagram.

To help make sense of these options, watch as Art Spencer, Global Services Architect at Splunk, walks through these different solutions. He'll show what type of information you can or can't get from the different applications, lookups, and programs, and how they do and don't fit together to make a complete picture of MITRE ATT&CK coverage in your organization.

Next steps

Perform a MITRE detection gap assessment

Now that you understand which Splunk tools are available, it's time to analyze your own environment so you can get the coverage you need. The following is an outline of the high-level steps to take during this process:

  1. Discovery
    1. Review existing security detection searches, identify MITRE techniques and tactics, and annotate correlation searches.
    2. Identify in-scope security data sources.
  2. Design, development, testing
    1. Review capabilities provided by existing Splunk Tools and add-ons.
    2. Identify data sources to provide techniques used by threat actors.
    3. Locate or develop an interactive dashboard that helps detection and cyber threat intelligence (CTI) engineers find content.
  3. Implementation
    1. Compare correlation search contents to groups of techniques.
    2. Identify techniques that are missing coverage.
    3. Review Splunk Security Essentials (SSE) content and your threat model, then prioritize use cases for development.
  4. Validation
    1. Review status and track tactic coverage percentages.
    2. Ensure that all in-scope data source techniques are covered by the detection searches.
    3. Identify missing data sources needed to fulfill coverage.
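
The Implementation and Validation steps above are essentially set arithmetic over two inventories: the techniques your correlation searches are annotated with, and the techniques your threat model puts in scope. The following added example (not from the original article or from Splunk) computes the missing techniques, per-tactic coverage percentages, data sources still to onboard, and a prioritized backlog. All search names, technique-to-tactic mappings, and data-source names are constructed sample values; the `IN_SCOPE` mapping keeps one tactic per technique for brevity.

```python
"""Gap assessment helper: annotated correlation searches vs. in-scope ATT&CK techniques."""
from collections import defaultdict

# Constructed sample of correlation searches and the technique IDs annotated on them
# (the output of the Discovery step). Search names are illustrative only.
CORRELATION_SEARCHES = {
    "Excessive Failed Logins": ["T1110"],
    "Suspicious PowerShell Encoded Command": ["T1059.001", "T1027"],
    "New Scheduled Task Created": ["T1053.005"],
}

# Constructed in-scope techniques: technique ID -> (tactic, data source needed).
# In practice this comes from CTI on the threat actors targeting your industry.
# Some techniques map to several tactics; this sample keeps one for simplicity.
IN_SCOPE = {
    "T1110":     ("Credential Access", "Authentication logs"),
    "T1003.001": ("Credential Access", "Endpoint process telemetry"),
    "T1059.001": ("Execution", "PowerShell script block logging"),
    "T1053.005": ("Execution", "Windows Security event 4698"),
    "T1027":     ("Defense Evasion", "Endpoint process telemetry"),
    "T1566.001": ("Initial Access", "Email gateway logs"),
    "T1021.001": ("Lateral Movement", "Windows Security event 4624"),
}

# Constructed inventory of data sources already onboarded into Splunk.
AVAILABLE_DATA_SOURCES = {"Authentication logs", "PowerShell script block logging",
                          "Endpoint process telemetry"}


def covered_techniques(searches):
    """Technique IDs referenced by at least one correlation search."""
    return {t for techniques in searches.values() for t in techniques}


def missing_techniques(searches, in_scope):
    """Implementation step 2: in-scope techniques with no detection search."""
    return sorted(set(in_scope) - covered_techniques(searches))


def tactic_coverage(searches, in_scope):
    """Validation step 1: integer percentage of in-scope techniques covered, per tactic."""
    covered = covered_techniques(searches)
    totals, hits = defaultdict(int), defaultdict(int)
    for tid, (tactic, _source) in in_scope.items():
        totals[tactic] += 1
        hits[tactic] += tid in covered  # bool adds as 0 or 1
    return {tactic: round(100 * hits[tactic] / totals[tactic]) for tactic in totals}


def missing_data_sources(searches, in_scope, available):
    """Validation step 3: data sources that uncovered techniques need but are not onboarded."""
    return sorted({in_scope[t][1] for t in missing_techniques(searches, in_scope)} - available)


def prioritized_backlog(searches, in_scope, available):
    """Backlog for development: uncovered techniques whose data is already onboarded come first."""
    return sorted(missing_techniques(searches, in_scope),
                  key=lambda t: (in_scope[t][1] not in available, t))
```

Techniques at the top of the backlog need only a new search, while those lower down also need a data-onboarding effort before any detection can be validated.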

Build dashboards

As you saw in the video, no single Splunk tool gives you all the MITRE ATT&CK information you need at once. The solution is to develop custom dashboards. Splunk Docs provides excellent guidance on using Dashboard Studio, or you can engage with an Assigned Expert for hands-on assistance.

Additional resources

The following additional Splunk Lantern articles might help you implement the guidance provided in this article: