Splunk® Security Essentials

Use Splunk Security Essentials

This documentation does not apply to the most recent version of Splunk® Security Essentials. For documentation on the most recent version, go to the latest release.

The MITRE ATT&CK Framework dashboard

The MITRE ATT&CK Framework dashboard takes into account the data and active content in your environment to help you choose relevant MITRE ATT&CK content. Before you use the MITRE ATT&CK dashboard, configure the Data Inventory dashboard and Content Introspection. For more information, see Configure the products you have in your environment with the Data Inventory dashboard or Track active content in Splunk Security Essentials using Content Introspection.

The dashboard is split into three pieces.

Available Content

The MITRE ATT&CK Matrix tab shows the coverage in your environment. By default, the app colors the matrix based on Total content, but you can adjust the filters to show only the Active content, the Available content to use with your data, or the content that Needs data. The Active number is based on what you have bookmarked and set to active, or on what has been pulled from Content Introspection. Available shows the number of use cases mapped to the MITRE ATT&CK framework that you have data for but that haven't been deployed. Needs data shows the number of use cases you can deploy if you add data.

You can also use the filters to get insight into the threat groups that target you. Use the MITRE ATT&CK Threat Group filter to add a red icon to each technique associated with that threat group. If you don't track a specific group, you can also filter for only the techniques popular with many groups. Use the Highlight Data Source filter to highlight a specific data source directly in the matrix. You can also change the visualization using Chart View, Radar View, Sankey View, and so on.

The MITRE ATT&CK Matrix also features sub-techniques. You can click on the side of any box in the table to expand a technique and view the associated sub-techniques.
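The counting logic described above (Total, Active, Available and Needs data per technique, threat-group overlays, data-source highlighting and sub-technique roll-up) can be modelled in a few functions. The following is an added example, not Splunk Security Essentials code: the content catalog, data inventory and threat-group mappings are constructed sample data, and the function names are assumptions chosen for this illustration. In the real app these inputs come from the Data Inventory dashboard, your bookmarks and Content Introspection.

```python
"""Model of how an ATT&CK coverage matrix tallies content per technique.

Added example; not Splunk Security Essentials code. All data below is
constructed for illustration and the group names are fictitious.
"""
from collections import Counter, defaultdict

# Constructed content catalog: each use case maps to one or more ATT&CK
# technique or sub-technique IDs, needs certain data sources, and is either
# active (bookmarked/active or found by introspection) or not deployed.
CONTENT = [
    {"name": "Encoded PowerShell command", "techniques": ["T1059.001"],
     "data_sources": ["Endpoint Processes"], "active": True},
    {"name": "Windows Script Host execution", "techniques": ["T1059.005"],
     "data_sources": ["Endpoint Processes"], "active": False},
    {"name": "Scheduled task created", "techniques": ["T1053.005"],
     "data_sources": ["Windows Security"], "active": False},
    {"name": "Spearphishing attachment opened", "techniques": ["T1566.001"],
     "data_sources": ["Email"], "active": False},
    {"name": "Web proxy beaconing", "techniques": ["T1071.001"],
     "data_sources": ["Web Proxy"], "active": True},
    {"name": "LSASS memory access", "techniques": ["T1003.001"],
     "data_sources": ["Endpoint Processes", "Windows Security"], "active": False},
    {"name": "Valid account logon anomaly", "techniques": ["T1078"],
     "data_sources": ["Windows Security"], "active": False},
    {"name": "Process spawning proxy traffic", "techniques": ["T1059.001", "T1071.001"],
     "data_sources": ["Endpoint Processes", "Web Proxy"], "active": False},
]

# Constructed data inventory: the data sources this environment actually has.
DATA_INVENTORY = {"Endpoint Processes", "Web Proxy"}

# Constructed, fictitious threat-group-to-technique mapping.
THREAT_GROUPS = {
    "Group Alpha": {"T1566.001", "T1059.001", "T1071.001"},
    "Group Beta": {"T1059.001", "T1053.005", "T1003.001"},
    "Group Gamma": {"T1078", "T1059.001", "T1071.001"},
}


def classify(item, inventory):
    """Active beats everything; otherwise a use case is Available only when
    every data source it needs is present, else it Needs data."""
    if item["active"]:
        return "Active"
    if set(item["data_sources"]) <= inventory:
        return "Available"
    return "Needs data"


def tally(content, inventory):
    """Per-technique counters: the numbers a matrix cell shows for each view."""
    counts = defaultdict(Counter)
    for item in content:
        status = classify(item, inventory)
        for tech in item["techniques"]:
            counts[tech][status] += 1
            counts[tech]["Total"] += 1
    return counts


def filter_view(counts, view):
    """Cells that would be colored when the matrix is switched to one view."""
    return {tech: c[view] for tech, c in counts.items() if c[view] > 0}


def rollup_subtechniques(counts):
    """Fold sub-technique counts (T1059.001) into the parent box (T1059),
    as the collapsed matrix box summarises its expanded sub-techniques."""
    rolled = defaultdict(Counter)
    for tech, c in counts.items():
        rolled[tech.split(".")[0]].update(c)
    return rolled


def techniques_for_group(groups, name):
    """Techniques to flag with a red icon for one selected threat group."""
    return set(groups[name])


def popular_techniques(groups, min_groups):
    """Techniques used by at least min_groups groups (the 'popular' filter)."""
    usage = Counter(t for techs in groups.values() for t in techs)
    return {t for t, n in usage.items() if n >= min_groups}


def highlight_data_source(content, source):
    """Techniques whose content depends on a given data source."""
    return {t for item in content if source in item["data_sources"]
            for t in item["techniques"]}


if __name__ == "__main__":
    counts = tally(CONTENT, DATA_INVENTORY)
    for tech in sorted(counts):
        print(tech, dict(counts[tech]))
    print("Needs data view:", filter_view(counts, "Needs data"))
    print("Popular (>=2 groups):", sorted(popular_techniques(THREAT_GROUPS, 2)))
```

Running the block prints one line per technique with its Total, Active, Available and Needs data counts; switching `filter_view` to "Available" or "Active" reproduces what the matrix filters display, and `rollup_subtechniques` gives the numbers for a collapsed technique box.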

Selected Content

The Selected Content panel lets you filter further into individual content pieces. You can view the content list, select content by data source or data source category, or select content by MITRE ATT&CK tactic, technique, or threat group.

View Content

The View Content panel lets you go directly to full details of the selection inside the Splunk Security Essentials general content page.

Last modified on 14 September, 2021

This documentation applies to the following versions of Splunk® Security Essentials: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4

