The MITRE ATT&CK Benchmark dashboard
The MITRE ATT&CK Benchmark dashboard contains a list of the top 20 techniques seen in threat reports. Use the dashboard to check how well the detections in your environment provide coverage against these techniques. See the Splunk Blogs post Revisiting the Big Picture: Macro-level ATT&CK Updates for 2023 for more information on this dashboard.
To configure this dashboard, follow these steps:
- From Splunk Security Essentials, select Analytics Advisor, then MITRE ATT&CK Benchmark.
- In the ATT&CK Techniques filter, select the ATT&CK Technique list or lists you want to check your environment against. By default, the Splunk SURGe 2022 list is populated.
- In the ATT&CK Platform filter, select which platform or platforms you want to check your environment against.
- Select whether or not you want to Include Correlated Techniques from CISA Alerts to determine if the techniques were used with others as part of an adversary attack flow. By default, these techniques aren't included.
- Enter a CISA Alert Correlation Factor to expand the number of techniques used in the dashboard beyond those already selected in the ATT&CK Techniques filter. Since CISA alerts describe incidents in which multiple techniques can appear, the dashboard can correlate how often ATT&CK techniques are seen together in the same incident. By adjusting the CISA Alert Correlation Factor, you expand the scope of your selection with additional ATT&CK techniques that adversaries often use together. For example, if you enter a factor of 0.7, additional ATT&CK techniques that appear at least 70% of the time in the same CISA Alert as the ones in the ATT&CK Techniques filter are added to the dashboard.
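The following is an added example, not Splunk Security Essentials code, that models the CISA Alert Correlation Factor expansion described above on a constructed alert-to-technique mapping. The alert identifiers are placeholders, and the co-occurrence ratio used here is one reasonable reading of the description, not the app's own query.

```python
"""Model of the CISA Alert Correlation Factor expansion (added example)."""
from collections import Counter

# Constructed sample data: each CISA alert mapped to the ATT&CK technique IDs
# it describes. The alert names are placeholders, not real CISA alert numbers.
SAMPLE_ALERTS = {
    "alert-01": {"T1566", "T1059", "T1486"},
    "alert-02": {"T1566", "T1059", "T1078"},
    "alert-03": {"T1566", "T1059"},
    "alert-04": {"T1566", "T1486"},
    "alert-05": {"T1133", "T1078"},
}


def correlated_techniques(alerts, selected, factor):
    """Return {technique: ratio} for techniques outside `selected` that appear
    in at least `factor` of the alerts mentioning any selected technique.

    Assumption: "appears X% of the time in the same CISA Alert" is read as
    count(alerts with candidate AND a selected technique) /
    count(alerts with a selected technique).
    """
    if not 0.0 <= factor <= 1.0:
        raise ValueError("correlation factor must be between 0 and 1")
    selected = set(selected)
    # Only alerts that mention at least one selected technique are relevant.
    relevant = [techs for techs in alerts.values() if techs & selected]
    if not relevant:
        return {}
    counts = Counter(t for techs in relevant for t in techs - selected)
    return {
        t: n / len(relevant)
        for t, n in counts.items()
        if n / len(relevant) >= factor
    }


def expanded_selection(alerts, selected, factor):
    """Selected techniques plus the correlated ones the dashboard would add."""
    return set(selected) | set(correlated_techniques(alerts, selected, factor))


if __name__ == "__main__":
    # With a factor of 0.7, T1059 (3 of 4 relevant alerts) is added to T1566,
    # while T1486 (2 of 4) falls below the threshold.
    for factor in (0.7, 0.5):
        print(factor, sorted(expanded_selection(SAMPLE_ALERTS, {"T1566"}, factor)))
```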
Understand your coverage against the top 20 detections
The coverage widgets on this dashboard show how well the detections in your environment provide coverage against the top 20 techniques.
| Widget | Description |
|---|---|
| Techniques in Selection | Shows how many techniques you have selected. |
| Coverage | Shows, as a percentage, how well the currently active detections in your environment cover your selected techniques. |
| Potential Coverage with Available Data | Shows the percentage coverage possible with the detections that are available in your environment but are not currently active. |
| Potential Coverage with all Detections | Shows the potential percentage covered in your environment if you use all available detections. |
| Techniques in Selection | Shows which detections you have active, or can activate, to protect against the listed MITRE ATT&CK techniques. Select an entry in the table to view more details. |
| Top ATT&CK Data Sources | Shows which MITRE ATT&CK data sources are linked to the techniques you have selected. This can help you understand which data sources you might want to use to build detections. |
| Top ATT&CK Data Sources with Descriptions | Shows more information about the data sources shown in the Top ATT&CK Data Sources chart. The number in the Techniques column corresponds with the data source number from the chart. |
This documentation applies to the following versions of Splunk® Security Essentials: 3.8.0, 3.8.1