Splunk® Intelligence Management (Legacy)

User Guide

Extract MITRE ATT&CK techniques and tactics from premium intelligence sources

The MITRE ATT&CK threat model is a real-time knowledge base of adversary behaviors observed in the wild, which can be useful when investigating security incidents. Splunk Intelligence Management users can automatically extract MITRE ATT&CK techniques and tactics from premium intelligence sources.

As part of the Splunk Intelligence Management platform, you can use the MITRE ATT&CK framework to perform tasks such as the following:

  • Accelerate Prioritization & Resolution: Automatically correlate alerts, cases and Indicators that share ATT&CK tactics, techniques, and procedures (TTPs). This helps you quickly uncover linkages in adversarial behavior, actors, malware, and Indicators, and then prioritize response actions.
  • Move Up the Pyramid of Pain: By linking Indicators with ATT&CK TTP's, you can take holistic action rather than just blocking and tackling individual data points. You can also map ATT&CK TTPs with resolved cases and create a library of cases organized by ATT&CK.
  • Assess Operational Controls: By using data available from TTP trends computed from Premium Intelligences sources and submissions to Splunk Intelligence Management, your decisions can be more data-driven in assessing gaps in operational controls and increase coverage of your organization's attack surface.

Using the Mitre ATT&CK Framework

To enrich and categorize your reports and indicators MITRE ATT&CK, you can:

  • Create MITRE ATT&CK tags in Intel Reports or Indicators
  • Filter Intel Reports or Indicators by MITRE ATT&CK

You can only tag Intel Reports in your private enclaves with MITRE ATT&CK tags. You cannot tag reports stored in Intelligence Source enclaves.

Creating MITRE ATT&CK Tags

You can tag Intel Reports or Indicators with MITRE ATT&CK tactics or techniques.

  • Click the plus sign to the right of MITRE ATT&CK in the Tags section on Filter and Refine panel while viewing an individual Intel Report or Indicator. The graphic below shows MITRE ATT&CK for an Intel Report.
  • Select the tactics or techniques to associate to the item. You can select multiple tactics or techniques to associate to each item. If you select a technique, the associated tactic will be added as a separate tag.
  • Click Save Changes to save the tags to the item.

MITRE ATT&CK tags show in the tags section after you save changes. All MITRE tags are preceded by "mitre/" to differentiate them from other report tags.

Filtering MITRE ATT&CK Tags

In the Reports List View or IOC List View, you can filter by MITRE ATT&CK tags to view only Intel Reports or Indicators associated with a specific MITRE ATT&CK tag.

Last modified on 21 April, 2022
Enrich Splunk Enterprise Security notable events with priority indicator scores   Use an auto-safelist to remove URLs and IPs that are not useful

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters