The MITRE ATT&CK Framework dashboard
The MITRE ATT&CK Framework dashboard takes into account the data and active content in your environment to help you choose relevant MITRE ATT&CK content. Before you use the MITRE ATT&CK dashboard, Configure the Data Inventory dashboard and Content Introspection. For more information, see Configure the products you have in your environment with the Data Inventory dashboard or Track active content in Splunk Security Essentials using Content Introspection.
The dashboard is split into three pieces.
Available Content
The MITRE ATT&CK Matrix tab shows the coverage in your environment. By default, the app colors the matrix based on Total content, but you can adjust this to show only the Active content, the Available content to use with your data, or the content that Needs data. You can also adjust to show the Threat Group Count and Bookmark Count. The Active number is based on what you have bookmarked and set to active, or has been pulled from content introspection. Available shows the number of use cases mapped to the MITRE ATT&CK framework that you have data for but haven't been deployed. Needs data shows the number of use cases you can deploy if you add data. With Threat Group Count and Bookmark Count the matrix is a darker blue where more threat groups are present, or where you have more pieces of content bookmarked for the technique.
You can also use this tool to highlight the threat groups that target you. Select the MITRE ATT&CK Threat Group to highlight specific techniques in the matrix that are associated with a specific industry. Once you select a specific industry, numbers appear by certain techniques to indicate how many threat groups are associated with each technique. Click the numbers to view more information about the specific threats.
Select MITRE ATT&CK Software to highlight techniques associated with a particular software and the MITRE ATT&CK Matrix Platform to highlight techniques associated with a specific platform. Use the Highlight Data Source filter to highlight a specific data source directly in the matrix. Use the Filter dropdown to filter based on techniques that have 3 or more threat groups associated with them, techniques with content, bookmarked content, or only cells associated with the threat group industry you selected. You can also change the visualizations using Chart View, Radar View, Sankey View and Security Journey View. If you choose to use these alternate views, you can use the Split by filter to filter techniques based on app, data source, index, sourcetype, and so on.
The MITRE ATT&CK Matrix also features sub-techniques. You can click on the side of any box in the table to expand a technique and view the associated sub-techniques.
Selected Content
The Selected Content panel lets you filter further into individual content pieces. You can view the content list to view content to use against specific threat groups based on the the popularity of threat groups using a certain technique, select content by data source or data source category, or select content by MITRE ATT&CK tactic, technique, or threat group. You can also bookmark your filters to come back to later. To create a bookmark, follow these steps:
- From the Selected Content panel, navigate to Bookmark Selection.
- Select a Bookmark Status. Available options include Bookmarked, Waiting on Data, Deployment Issues, Needs Tuning, Ready for Deployment, and Successfully Implemented.
- (Optional) Customize the Note field with notes about this bookmark.
- Click Add Bookmarks.
Once you have added a bookmark, you can filter based on what you have bookmarked or the bookmark notes you added.
View Content
The View Content panel lets you go directly to full details of the selection inside the Splunk Security Essentials general content page.
The Content Overview dashboard | The Cyber Kill Chain dashboard |
This documentation applies to the following versions of Splunk® Security Essentials: 3.4.0, 3.5.0, 3.5.1
Feedback submitted, thanks!