The MITRE ATT&CK framework is a continuously updated knowledge base of adversary behaviors observed in the wild, which can be useful when investigating security incidents. Splunk Intelligence Management users can automatically extract MITRE ATT&CK techniques and tactics from premium intelligence sources.
As part of the Splunk Intelligence Management platform, you can use the MITRE ATT&CK framework to perform tasks such as the following:
- Accelerate Prioritization & Resolution: Automatically correlate alerts, cases and Indicators that share ATT&CK tactics, techniques, and procedures (TTPs). This helps you quickly uncover linkages in adversarial behavior, actors, malware, and Indicators, and then prioritize response actions.
- Move Up the Pyramid of Pain: By linking Indicators with ATT&CK TTPs, you can take holistic action rather than just blocking and tackling individual data points. You can also map ATT&CK TTPs to resolved cases and create a library of cases organized by ATT&CK.
- Assess Operational Controls: Using TTP trends computed from Premium Intelligence sources and from submissions to Splunk Intelligence Management, you can make more data-driven decisions when assessing gaps in operational controls and increasing coverage of your organization's attack surface.
Using the MITRE ATT&CK Framework
To enrich and categorize your reports and indicators with MITRE ATT&CK, you can:
- Create MITRE ATT&CK tags in Intel Reports or Indicators
- Filter Intel Reports or Indicators by MITRE ATT&CK
You can only tag Intel Reports in your private enclaves with MITRE ATT&CK tags. You cannot tag reports stored in Intelligence Source enclaves.
Creating MITRE ATT&CK Tags
You can tag Intel Reports or Indicators with MITRE ATT&CK tactics or techniques.
- Click the plus sign to the right of MITRE ATT&CK in the Tags section of the Filter and Refine panel while viewing an individual Intel Report or Indicator. The graphic below shows MITRE ATT&CK for an Intel Report.
- Select the tactics or techniques to associate with the item. You can select multiple tactics or techniques for each item. If you select a technique, its associated tactic is added as a separate tag.
- Click Save Changes to save the tags to the item.
MITRE ATT&CK tags appear in the Tags section after you save changes. All MITRE tags are prefixed with "mitre/" to differentiate them from other report tags.
Filtering MITRE ATT&CK Tags
In the Reports List View or IOC List View, you can filter by MITRE ATT&CK tags to view only Intel Reports or Indicators associated with a specific MITRE ATT&CK tag.
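The tagging and filtering behavior described above, as an added illustration that is not Splunk Intelligence Management's own code: technique tags expand to their tactic tags, every tag carries the "mitre/" prefix, only private-enclave reports can be tagged, and a list can be filtered by one ATT&CK tag. The exact tag string format ("mitre/" followed by the ATT&CK ID), the enclave labels, and the small technique-to-tactic table are assumptions; the IDs in the table are real ATT&CK identifiers.

```python
from dataclasses import dataclass, field

# Constructed subset of ATT&CK (real IDs, partial table): technique -> tactics it belongs to.
# Sub-techniques (e.g. T1566.001) inherit the tactics of their parent technique.
TECHNIQUE_TACTICS = {
    "T1566": {"TA0001"},                                # Phishing -> Initial Access
    "T1059": {"TA0002"},                                # Command and Scripting Interpreter -> Execution
    "T1003": {"TA0006"},                                # OS Credential Dumping -> Credential Access
    "T1078": {"TA0001", "TA0003", "TA0004", "TA0005"},  # Valid Accounts spans four tactics
}
PREFIX = "mitre/"  # assumed tag format: "mitre/<ATT&CK id>"


def mitre_tags(selected):
    """Expand selected tactic/technique IDs into the set of 'mitre/' tags that get saved.
    Selecting a technique also adds each associated tactic as a separate tag."""
    tags = set()
    for item in selected:
        if item.startswith("TA"):
            tags.add(PREFIX + item)
            continue
        parent = item.split(".")[0]  # T1566.001 -> T1566
        if parent not in TECHNIQUE_TACTICS:
            raise ValueError(f"unknown ATT&CK id: {item}")
        tags.add(PREFIX + item)
        tags.update(PREFIX + tactic for tactic in TECHNIQUE_TACTICS[parent])
    return tags


@dataclass
class Report:
    title: str
    enclave: str                               # assumed values: "private" or "intelligence_source"
    tags: set = field(default_factory=set)


def tag_report(report, selected):
    """Apply MITRE tags to a report; reports in Intelligence Source enclaves cannot be tagged."""
    if report.enclave != "private":
        raise PermissionError("only Intel Reports in private enclaves can be tagged")
    report.tags |= mitre_tags(selected)
    return report.tags


def filter_by_mitre(reports, attack_id):
    """Return only the reports carrying the given ATT&CK tactic or technique tag."""
    wanted = PREFIX + attack_id
    return [r for r in reports if wanted in r.tags]
```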
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current