Custom search commands for Splunk Security Essentials

Splunk Security Essentials includes the following custom search commands to help streamline functionality.

mitremap

The mitremap command provides a tabular output of the MITRE ATT&CK and PRE-ATT&CK maps, based on the JSON files that ship with Splunk Security Essentials. By default, the command runs on ATT&CK and outputs labels.

Syntax

mitremap [name=mitre_kill_chain_phase] [pretty=true] [content_available=false] [popular_only=false] [min_popularity=5] [groups="APT1"] [group_only=false] [platforms="cloud"]

Example

| mitremap name=(preattack|attack) [pretty=true] [platforms="office 365,azure ad,windows"]

To filter detections where content is available, use content_available=true. To filter detections where a certain number of groups use a technique according to ATT&CK, use popular_only=true or min_popularity=X to specify the minimum number of groups. To highlight specific threat groups add groups="APT1" or groups="APT1,APT28,APT29". To filter and hide techniques not associated by MITRE with those threat groups, add group_only=true.

mitremaplookup

The mitremaplookup command ingests a set of events and generates a MITRE ATT&CK map showing the techniques used in those events. By default, it looks for the search_name field seen in index=risk or index=notable and then looks up that value in Splunk Security Essentials to generate the actual techniques. Set the mitre_technique field to get the techniques from a specific field.

Syntax

mitremaplookup [search_name=search_name] [mitre_technique=mitre_technique] [delim="|"]

Example

| mitremaplookup

sseanalytics

The sseanalytics command provides a tabular output for the content shown by Splunk Security Essentials. By default, the sseanalytics command prints only key fields, but you can include the full JSON by adding include_json=true. The sseanalytics command automatically enriches with bookmarked status and data availability status.

Syntax

sseanalytics [cache=true] [app=appName] [include_all=false] [include_json=false]

Example

| sseanalytics [cache=true] [app=Splunk_Security_Essentials] [include_all=false] [include_json=false] | top mitre

sseidenrichment

The sseidenrichment command is used as a lookup for products, MITRE IDs, data source IDs, or data source category IDs. Define the type field as appropriate, and field= as a field in your dataset that contains the ID to be enriched.

Syntax

sseidenrichment type=(mitreid|productid|datasourceid|dscid) field=yourfield

Example

| sseidenrichment type=mitreid field=yourfield

sselookup

Use the sselookup command to accept the input from index=notable or index=risk, or run this search command as a part of your scheduled correlation searches. If you mapped your live correlation searches in Splunk Security Essentials, the sselookup command looks at the search_name field and the source and automatically adds key metadata fields.

Syntax

sselookup [search_name=field_containing_search_name] [all] [mitre] [metadata] [specific_field_name]

Example

| sselookup [all] [mitre] [metadata] [specific_field_name]

To add all fields, use | sselookup all. Use | sselookup mitre, to output just the MITRE fields. To hardcode the name of the search, pass the search name in through | sselookup search_name=myfield.