Splunk® Security Essentials

Use Splunk Security Essentials

Custom search commands for Splunk Security Essentials

Splunk Security Essentials includes the following custom search commands to help streamline functionality.

mitremap

The mitremap command provides a tabular output of the MITRE ATT&CK and PRE-ATT&CK maps, based on the JSON files that ship with Splunk Security Essentials. By default, the command runs on ATT&CK and outputs labels.

Syntax

mitremap [name=mitre_kill_chain_phase] [pretty=true] [content_available=false] [popular_only=false] [min_popularity=5] [groups="APT1"] [group_only=false] [platforms="cloud"]

Example

| mitremap name=(preattack|attack) [pretty=true] [platforms="office 365,azure ad,windows"]

To filter detections where content is available, use content_available=true. To filter detections where a certain number of groups use a technique according to ATT&CK, use popular_only=true or min_popularity=X to specify the minimum number of groups. To highlight specific threat groups add groups="APT1" or groups="APT1,APT28,APT29". To filter and hide techniques not associated by MITRE with those threat groups, add group_only=true.

mitremaplookup

The mitremaplookup command ingests a set of events and generates a MITRE ATT&CK map showing the techniques used in those events. By default, it looks for the search_name field seen in index=risk or index=notable and then looks up that value in Splunk Security Essentials to generate the actual techniques. Set the mitre_technique field to get the techniques from a specific field.

Syntax

mitremaplookup [search_name=search_name] [mitre_technique=mitre_technique] [delim="|"]

Example

| mitremaplookup

sseanalytics

The sseanalytics command provides a tabular output for the content shown by Splunk Security Essentials. By default, the sseanalytics command prints only key fields, but you can include the full JSON by adding include_json=true. The sseanalytics command automatically enriches with bookmarked status and data availability status.

Syntax

sseanalytics [cache=true] [app=appName] [include_all=false] [include_json=false]

Example

| sseanalytics [cache=true] [app=Splunk_Security_Essentials] [include_all=false] [include_json=false] | top mitre

sseidenrichment

The sseidenrichment command is used as a lookup for products, MITRE IDs, data source IDs, or data source category IDs. Define the type field as appropriate, and field= as a field in your dataset that contains the ID to be enriched.

Syntax

sseidenrichment type=(mitreid|productid|datasourceid|dscid) field=yourfield

Example

| sseidenrichment type=mitreid field=yourfield

sselookup

Use the sselookup command to accept the input from index=notable or index=risk, or run this search command as a part of your scheduled correlation searches. If you mapped your live correlation searches in Splunk Security Essentials, the sselookup command looks at the search_name field and the source and automatically adds key metadata fields.

Syntax

sselookup [search_name=field_containing_search_name] [all] [mitre] [metadata] [specific_field_name]

Example

| sselookup [all] [mitre] [metadata] [specific_field_name]

To add all fields, use | sselookup all. Use | sselookup mitre to output the MITRE fields. To hardcode the name of the search, pass the search name in through | sselookup search_name=myfield.

Last modified on 03 July, 2023
Search in Splunk Security Essentials   Use the Configuration menu to Customize Splunk Security Essentials

This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters