Hi Community Members,
Does anyone know whether we can use Splunk Enterprise Security to map our correlation searches to MITRE tactics and techniques without installing additional apps like the MITRE Dashboard or Splunk Security Essentials?
This mapping would help us see what security coverage we have and what needs improvement.
Many Thanks in advance.
Hi @joomla
One suggestion for using the MITRE ATT&CK matrix without Security Essentials and the MITRE dashboard is:
Create a lookup table to map the MITRE matrix: one column for the codes, another for the names of the attacks, and another for the descriptions.
Insert in your correlation rule a code field containing the code to which the attack is mapped.
Example:
I created a correlation rule for the Log4j vulnerability; in my correlation search I will create this field:
| eval code="CVE-2021-44228"
After this, correlate the search with the lookup using the lookup command:
---- your correlation search ----
| lookup mitre.csv code OUTPUT name description
---- end of your correlation search ----
Hope this helps.
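To show the lookup approach from the answer above end to end, here is an added example (not code from the original thread or from Splunk) that mirrors what `| lookup mitre.csv code` does and then turns the result into the coverage view the question asks for: which techniques in the lookup have at least one correlation search mapped to them, and which correlation searches carry a code the lookup does not know. The lookup contents and the correlation-search results are constructed sample data; the three columns follow the answer's suggestion, and the technique IDs used as codes are real ATT&CK IDs chosen for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed lookup contents in the three-column layout suggested in the answer
# (code, name, description). The codes are real ATT&CK technique IDs; the
# descriptions are shortened here.
MITRE_LOOKUP_CSV = """code,name,description
T1059,Command and Scripting Interpreter,Abuse of command and script interpreters to execute commands
T1190,Exploit Public-Facing Application,Exploitation of a weakness in an Internet-facing host or system
T1003,OS Credential Dumping,Dumping credentials from the operating system
T1566,Phishing,Sending phishing messages to gain access
"""

# Constructed stand-ins for correlation search results. Each carries the
# 'code' field the answer suggests adding with eval, plus the search name.
# One result uses a code absent from the lookup, to show the left-join behaviour.
CORRELATION_RESULTS = [
    {"search": "Log4j exploitation attempt", "code": "T1190"},
    {"search": "Suspicious PowerShell", "code": "T1059"},
    {"search": "Encoded command line", "code": "T1059"},
    {"search": "Unmapped legacy rule", "code": "T9999"},
]


def load_lookup(csv_text):
    """Parse the lookup CSV into {code: {"name": ..., "description": ...}}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {
        row["code"]: {"name": row["name"], "description": row["description"]}
        for row in reader
    }


def apply_lookup(results, lookup):
    """Mimic `| lookup mitre.csv code OUTPUT name description`.

    This is a left join on 'code': results whose code is missing from the
    lookup are kept, but without the name/description fields, exactly as
    Splunk's lookup command leaves unmatched events untouched.
    """
    enriched = []
    for result in results:
        row = dict(result)
        match = lookup.get(result["code"])
        if match:
            row.update(match)
        enriched.append(row)
    return enriched


def coverage_report(results, lookup):
    """Count correlation searches per lookup code.

    Returns (report, unmapped): 'report' maps each lookup code to its name,
    the number of searches mapped to it and a covered flag; 'unmapped' lists
    codes used by searches that do not exist in the lookup (typos, stale IDs).
    """
    counts = defaultdict(int)
    for result in results:
        counts[result["code"]] += 1
    report = {}
    for code, meta in lookup.items():
        report[code] = {
            "name": meta["name"],
            "searches": counts.get(code, 0),
            "covered": counts.get(code, 0) > 0,
        }
    unmapped = sorted({r["code"] for r in results if r["code"] not in lookup})
    return report, unmapped


if __name__ == "__main__":
    table = load_lookup(MITRE_LOOKUP_CSV)
    for row in apply_lookup(CORRELATION_RESULTS, table):
        print(row)
    report, unmapped = coverage_report(CORRELATION_RESULTS, table)
    for code, entry in report.items():
        status = "covered" if entry["covered"] else "GAP"
        print(f"{code} {entry['name']}: {entry['searches']} search(es) [{status}]")
    print("codes not found in lookup:", unmapped)
```

The `coverage_report` step is the part the lookup alone does not give you: inside Splunk the same idea is a search that starts from `| inputlookup mitre.csv` and counts notable events or correlation searches per `code`, so techniques with a count of zero show up as gaps rather than silently disappearing. Tracking the `unmapped` list is equally useful, because a mistyped code in an `eval` otherwise produces a rule that looks mapped but never matches the lookup.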