Custom search commands for Splunk Security Essentials
Splunk Security Essentials includes the following custom search commands to help streamline functionality.
mitremap
The mitremap command provides a tabular output of the MITRE ATT&CK and PRE-ATT&CK maps, based on the JSON files that ship with Splunk Security Essentials. By default, the command runs on ATT&CK and outputs labels.
Syntax
mitremap [name=mitre_kill_chain_phase] [pretty=true] [content_available=false] [popular_only=false] [min_popularity=5] [groups="APT1"] [group_only=false] [platforms="cloud"]
Example
| mitremap name=(preattack|attack) [pretty=true] [platforms="office 365,azure ad,windows"]
To filter detections where content is available, use content_available=true. To filter detections where a certain number of groups use a technique according to ATT&CK, use popular_only=true or min_popularity=X to specify the minimum number of groups. To highlight specific threat groups, add groups="APT1" or groups="APT1,APT28,APT29". To filter and hide techniques not associated by MITRE with those threat groups, add group_only=true.
mitremaplookup
The mitremaplookup command ingests a set of events and generates a MITRE ATT&CK map showing the techniques used in those events. By default, it looks for the search_name field seen in index=risk or index=notable and then looks up that value in Splunk Security Essentials to generate the actual techniques. Set the mitre_technique field to get the techniques from a specific field.
Syntax
mitremaplookup [search_name=search_name] [mitre_technique=mitre_technique] [delim="|"]
Example
| mitremaplookup
sseanalytics
The sseanalytics command provides a tabular output for the content shown by Splunk Security Essentials. By default, the sseanalytics command prints only key fields, but you can include the full JSON by adding include_json=true. The sseanalytics command automatically enriches with bookmarked status and data availability status.
Syntax
sseanalytics [cache=true] [app=appName] [include_all=false] [include_json=false]
Example
| sseanalytics [cache=true] [app=Splunk_Security_Essentials] [include_all=false] [include_json=false] | top mitre
sseidenrichment
The sseidenrichment command is used as a lookup for products, MITRE IDs, data source IDs, or data source category IDs. Set type to the kind of ID you are enriching, and set field= to the field in your dataset that contains the ID to be enriched.
Syntax
sseidenrichment type=(mitreid|productid|datasourceid|dscid) field=yourfield
Example
| sseidenrichment type=mitreid field=yourfield
sselookup
Use the sselookup command to accept the input from index=notable or index=risk, or run this search command as part of your scheduled correlation searches. If you mapped your live correlation searches in Splunk Security Essentials, the sselookup command looks at the search_name field and the source and automatically adds key metadata fields.
Syntax
sselookup [search_name=field_containing_search_name] [all] [mitre] [metadata] [specific_field_name]
Example
| sselookup [all] [mitre] [metadata] [specific_field_name]
To add all fields, use | sselookup all. Use | sselookup mitre to output only the MITRE fields. To hardcode which field holds the search name, pass it in through | sselookup search_name=myfield.
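As an added example that is not from the Splunk Security Essentials documentation, the commands above combined into a single search: risk events from the last 30 days whose correlation searches are mapped in Splunk Security Essentials are first enriched with every metadata field that sselookup knows about, and the enriched events are then rendered as an ATT&CK map from the same search_name field. The 30-day window is an assumption; mitremaplookup would resolve search_name on its own, and the sselookup step is there so the metadata fields stay on the events for further filtering.

```spl
index=risk earliest=-30d
| sselookup search_name=search_name all
| mitremaplookup search_name=search_name
```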
This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1