Splunk® Security Essentials

Use Splunk Security Essentials

The MITRE ATT&CK Framework dashboard

The MITRE ATT&CK Framework dashboard takes into account the data and active content in your environment to help you choose relevant MITRE ATT&CK content. Before you use the MITRE ATT&CK Framework dashboard, configure the Data Inventory dashboard and Content Mapping, because the coverage it shows is derived from both. For more information, see Configure the products you have in your environment with the Data Inventory dashboard or Track active content in Splunk Security Essentials using Content Mapping.

The dashboard is split into three pieces.

Available Content

The MITRE ATT&CK Matrix tab shows the coverage in your environment. By default, the app colors the matrix based on Total content, but you can change this to show only Active content, Available content that you can use with your data, or content that Needs data. You can also switch to Threat Group Count or Bookmark Count. The Active count is based on content you have bookmarked and set to active, or that has been pulled in from content mapping. Available shows the number of use cases mapped to the MITRE ATT&CK framework that you have data for but have not yet deployed. Needs data shows the number of use cases you could deploy if you add data. With Threat Group Count and Bookmark Count, a cell is a darker blue where more threat groups use the technique, or where you have more pieces of content bookmarked for the technique.

The content counts include sub-techniques.

You can also use this tool to highlight the threat groups that target you. Select a MITRE ATT&CK Threat Group industry to highlight the techniques in the matrix that are associated with threat groups targeting that industry. Once you select an industry, numbers appear on certain techniques to indicate how many of those threat groups are associated with each technique. Click a number to view more information about the specific threat groups.

You can also select Edit and add the filter Originating App to filter the content based on the application it originated from. For more information on adding custom content from third-party applications, see Create custom content from third-party applications.

Select MITRE ATT&CK Software to highlight techniques associated with a particular software and the MITRE ATT&CK Matrix Platform to highlight techniques associated with a specific platform. Use the Highlight Data Source filter to highlight a specific data source directly in the matrix. Use the Filter dropdown to filter based on techniques that have 3 or more threat groups associated with them, techniques with content, bookmarked content, or only cells associated with the threat group industry you selected. You can also change the visualizations using Chart View, Radar View, Sankey View and Security Journey View. If you choose to use these alternate views, you can use the Split by filter to filter techniques based on app, data source, index, sourcetype, and so on.


The MITRE ATT&CK Matrix also features sub-techniques. You can click on the side of any box in the table to expand a technique and view the associated sub-techniques.

Selected Content

The Selected Content panel lets you filter down to individual pieces of content. From the content list you can choose content to use against specific threat groups, ranked by how many threat groups use a given technique, select content by data source or data source category, or select content by MITRE ATT&CK tactic, technique, or threat group. You can also view which tactics, techniques, and threat groups are covered by which app. You can bookmark your filters to come back to later. To create a bookmark, follow these steps:

  1. From the Selected Content panel, navigate to Bookmark Selection.
  2. Select a Bookmark Status. Available options include Bookmarked, Waiting on Data, Deployment Issues, Needs Tuning, Ready for Deployment, and Successfully Implemented.
  3. (Optional) Customize the Note field with notes about this bookmark.
  4. Click Add Bookmarks.

Once you have added a bookmark, you can filter based on what you have bookmarked or the bookmark notes you added.

View Content

The View Content panel lets you go directly to full details of the selection inside the Splunk Security Essentials general content page.

Add custom threat group lists to the MITRE ATT&CK Framework dashboard

You can add custom threat group lists to Splunk Security Essentials to track your coverage of these threat groups in Splunk Security Essentials.

To add your custom threat group list into Splunk Security Essentials, follow these steps:

  1. From Splunk Cloud Platform, select Apps > Splunk App for Lookup File Editing.
  2. From the Type drop-down menu, select KV Store Lookup.
  3. From the App drop-down menu, select Splunk Security Essentials.
  4. Select mitre_custom_threat_groups and enter your custom threat group list.
    1. Enter a custom list name in the mitre_threat_groups field. For example, enter "Custom List: Buttercup Games".
    2. Enter your list of threat groups in the mitre_threat_group_value field as a comma-separated list. For example, enter "APT17, APT19, Ajax Security Team, Andariel, Confucius, Deep Panda, Dragonfly, Elderwood, Fox Kitten, Gallmaker, HAFNIUM".
  5. Navigate to the Splunk Security Essentials app and select Analytics Advisor > MITRE ATT&CK Framework.

The list you created is now available in the dropdown "MITRE ATT&CK Threat Group".

Add custom technique lists to the MITRE ATT&CK Framework dashboard

You can add lists of techniques to Splunk Security Essentials to track your coverage of these techniques in Splunk Security Essentials.

To add your custom technique list into Splunk Security Essentials, follow these steps:

  1. From Splunk Cloud Platform, select Apps > Splunk App for Lookup File Editing.
  2. From the Type drop-down menu, select KV Store Lookup.
  3. From the App drop-down menu, select Splunk Security Essentials.
  4. Select mitre_custom_technique_lists and enter your custom technique list.
    1. Enter a name for your list in the "List" field. For example, enter "List - Top 10 for Buttercup Games".
    2. Enter the techniques in the "Techniques" field. For example, "T1486,T1490,T1027,T1047,T1036".
    3. (Optional) Add a reference for this technique in the "Reference" field. For example, the URL or incoming source name where you found this list.
  5. Navigate to the Splunk Security Essentials app and select Analytics Advisor > MITRE ATT&CK Framework.

The list you created is now available in the dropdown "MITRE ATT&CK Technique".
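Both procedures above (custom threat group lists and custom technique lists) end with typing a comma-separated value into a KV Store lookup by hand, which is where typos and malformed technique IDs slip in and silently fall out of the coverage matrix. The following is an added example, not code from Splunk Security Essentials, that validates and normalises both kinds of list into rows with exactly the field names the page gives (mitre_threat_groups / mitre_threat_group_value and List / Techniques / Reference) and can push them through the splunkd KV Store REST endpoint instead of the Lookup File Editing UI. Assumptions not stated on the page: that the REST collection names match the lookup names shown in the UI, that the app directory is Splunk_Security_Essentials, and that the dashboard accepts sub-technique IDs such as T1055.001 in a custom technique list. The sample input is constructed.

```python
"""Build and (optionally) push rows for the two Splunk Security Essentials
custom-list KV Store lookups.

Added example, not part of the SSE app. Assumptions (not stated on the page):
the KV Store collection names equal the lookup names shown in the Lookup File
Editing app, the SSE app directory is Splunk_Security_Essentials, and the
dashboard honours sub-technique IDs (T1055.001) as well as technique IDs.
"""
import json
import re
import urllib.request

# ATT&CK technique ID: "T" + four digits, optional ".NNN" sub-technique suffix
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def is_valid_technique(item):
    """True if item (after trimming and upper-casing) looks like an ATT&CK ID."""
    return bool(TECHNIQUE_RE.match(item.strip().upper()))


def normalize_techniques(raw_ids):
    """Validate and de-duplicate technique IDs, preserving order, and return
    the comma-separated string the 'Techniques' field expects (no spaces,
    e.g. "T1486,T1490"). A bad ID raises instead of being written to the
    lookup, where it would match nothing and never show as a coverage gap."""
    seen, out = set(), []
    for item in raw_ids:
        tid = item.strip().upper()
        if not TECHNIQUE_RE.match(tid):
            raise ValueError(f"not an ATT&CK technique ID: {item!r}")
        if tid not in seen:
            seen.add(tid)
            out.append(tid)
    return ",".join(out)


def normalize_threat_groups(raw_names):
    """Trim, collapse whitespace, de-duplicate case-insensitively and join
    with ", " as in the page's example. A comma inside a name would be read
    by the lookup as two groups (the way "Ajax Security Team" can be split),
    so it is rejected rather than silently mangled."""
    seen, out = set(), []
    for name in raw_names:
        n = " ".join(name.split())
        if not n:
            continue
        if "," in n:
            raise ValueError(f"group name contains a comma: {name!r}")
        if n.casefold() not in seen:
            seen.add(n.casefold())
            out.append(n)
    return ", ".join(out)


def threat_group_row(list_name, groups):
    """One row for the mitre_custom_threat_groups lookup (field names from the page)."""
    return {"mitre_threat_groups": list_name,
            "mitre_threat_group_value": normalize_threat_groups(groups)}


def technique_row(list_name, techniques, reference=""):
    """One row for the mitre_custom_technique_lists lookup (field names from the page)."""
    return {"List": list_name,
            "Techniques": normalize_techniques(techniques),
            "Reference": reference}


def kvstore_url(splunkd, collection, app="Splunk_Security_Essentials"):
    # splunkd KV Store data endpoint; collection and app names are assumptions
    return f"{splunkd}/servicesNS/nobody/{app}/storage/collections/data/{collection}"


def push_row(splunkd, token, collection, row):
    """POST one row to the KV Store with a Splunk authentication token and
    return the _key of the inserted record. This is a network call and is
    only reached from the guarded block below."""
    req = urllib.request.Request(
        kvstore_url(splunkd, collection),
        data=json.dumps(row).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["_key"]


if __name__ == "__main__":
    # Constructed sample input mirroring the page's two examples
    print(threat_group_row("Custom List: Buttercup Games",
                           ["APT17", "APT19", "Ajax Security Team", "HAFNIUM"]))
    print(technique_row("List - Top 10 for Buttercup Games",
                        ["T1486", "t1490", "T1027", "T1047", "T1036", "T1486"],
                        reference="internal threat report (constructed)"))
    # To write the rows, call e.g.
    # push_row("https://localhost:8089", TOKEN, "mitre_custom_technique_lists", row)
```

After pushing a row, open Analytics Advisor > MITRE ATT&CK Framework in the app to confirm the list appears in the corresponding dropdown; if the collection names differ from the lookup names in your deployment, the lookup definition in the Splunk Security Essentials app shows the real collection to target.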

Last modified on 03 July, 2023

This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1

