Configure Splunk events to include MITRE ATT&CK TTPs

Mandy8
Kilo Contributor

Does anyone have any documentation on how to configure the Splunk "ServiceNow Event Integration" to include MITRE-ATT&CK TTPs to use in the new Threat Intelligence MITRE ATT&CK framework? I found documentation on how to "Auto-extract technique rules for importing MITRE-ATT&CK information", but it doesn't include configuration requirements for the alerts coming from SIEMs.


Mandy8
Kilo Contributor

Apparently, my organization is not going to start the process of installing the Splunk Security Essentials until Q4. We have scheduled Splunk alerts that send events to the Security Incident Response app. Is there a way to hard code the TTPs in the events that get sent over so they show up in the incident ticket MITRE ATT&CK Card?

andy_ojha
ServiceNow Employee

Hey there,

On some of the example URLs posted above, there are some ways to achieve that with particular Splunkbase Apps you can install on your ES Search Head, using 'eval' and 'lookups' on your rules. Would recommend looking at the Splunk Community for some examples of that.

On ServiceNow docs, they describe a feature called 'Detection rules' that gives the framework to achieve something like that custom in ServiceNow, but as you can see from the published material at this time, it would be something you have to build custom from scratch (and own, test, maintain, troubleshoot yourself), and there are no real good examples of achieving this published right now.

To move forward, would recommend starting off by getting the MITRE ATT&CK Enterprise content pulled into ServiceNow (setting up the TAXII collection), and training the Security Analysts on how to manually add the Tactics / Techniques onto the Security Incident record during their investigation / response activities.

This way, your org can begin tracking this until you get your SIEM content enhanced to include the specific TTPs for each of your ES Notable Correlation Rules.

It's also a good step here as your org can actually begin documenting how your ES Notable Correlation Rules map to specific MITRE ATT&CK TTPs. Then you can later bake this into Splunk ES (so that it is extracted automatically in ServiceNow).


Reference:

sn_ti_alert_rules_mitre_attack_technique_mapping



Hareesh Namavar
ServiceNow Employee

Hi Mandy,


The right way of using this feature is to use a Splunkbase app and map the MITRE ATT&CK TTPs to notable events/alerts in Splunk ES SIEM. SIR will be able to auto-extract the TTPs from notable events and they will be mapped automatically to security incidents in SIR.

Andy suggested a good workaround in the previous post.

Have you also tried hardcoding the TTP info in the correlation rule name or description? This way the TTP info will be available in the notable event raw payload, which can be auto-extracted using our existing OOTB feature.


Thank you! Do I have to use correlation rules or can I use normal Splunk searches run on a schedule? If I can use normal scheduled Splunk searches, is there a way to hardcode the TTP into the ServiceNow Event Integration event that gets sent to SIR?

Hi,

You could hardcode MITRE ATT&CK TTPs to any of the below fields in Splunk ES.


  • rule_name
  • rule_description
  • search_name
  • savedsearch_description

Any notable event generated by the rule/search will have the TTP info in the raw payload. The OOTB auto-extraction feature will be able to parse the info and will associate the TTPs to security incidents.

Could you please test the above scenario and let us know the outcome?
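As an added example (written for this thread, not part of the original posts and not ServiceNow's own OOTB extractor), the Python below shows what a parser over those four Splunk ES fields would pull out of a notable event payload, and what would then land on the incident's MITRE ATT&CK card. It also covers the point the earlier replies raise about getting the ATT&CK Enterprise content into ServiceNow first: an ID that is not in the imported catalogue is reported separately instead of being attached. The regexes, the small catalogue subset, the sample payload and every function name here are assumptions constructed for the illustration; a practical use is to run it over what your scheduled search actually emits before relying on auto-extraction.

```python
import re

# Technique IDs (T1234), sub-technique IDs (T1234.001) and tactic IDs (TA0001).
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
TACTIC_RE = re.compile(r"\bTA\d{4}\b")

# Constructed subset of the ATT&CK Enterprise catalogue (assumption), standing
# in for the techniques/tactics imported into ServiceNow via the TAXII collection.
TECHNIQUES = {
    "T1078": "Valid Accounts",
    "T1078.004": "Valid Accounts: Cloud Accounts",
    "T1110": "Brute Force",
    "T1110.003": "Brute Force: Password Spraying",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
}
TACTICS = {
    "TA0001": "Initial Access",
    "TA0006": "Credential Access",
}

# The Splunk ES fields the thread names as carriers for hardcoded TTPs.
TTP_FIELDS = ("rule_name", "rule_description", "search_name", "savedsearch_description")


def parent_technique(technique_id):
    """Return the parent of a sub-technique ('T1110.003' -> 'T1110'),
    or None when the ID is already a top-level technique."""
    if "." in technique_id:
        return technique_id.split(".", 1)[0]
    return None


def extract_ttps(event):
    """Scan the TTP-bearing fields (and the raw payload string, if present) of a
    notable event and return catalogue-validated IDs.

    Unknown IDs are reported separately rather than attached, so a typo such as
    T1101 instead of T1110 does not silently end up on the incident."""
    text_chunks = []
    for field in TTP_FIELDS:
        value = event.get(field)
        if isinstance(value, str):
            text_chunks.append(value)
    raw = event.get("_raw")  # the serialized payload also carries the rule fields
    if isinstance(raw, str):
        text_chunks.append(raw)
    blob = "\n".join(text_chunks)

    techniques = set(TECHNIQUE_RE.findall(blob))
    tactics = set(TACTIC_RE.findall(blob))
    return {
        "techniques": sorted(t for t in techniques if t in TECHNIQUES),
        "unknown_techniques": sorted(t for t in techniques if t not in TECHNIQUES),
        "tactics": sorted(t for t in tactics if t in TACTICS),
        "unknown_tactics": sorted(t for t in tactics if t not in TACTICS),
    }


# Constructed notable event in the shape the thread describes: TTPs hardcoded into
# the rule/search name and description fields (not a real Splunk ES export).
SAMPLE_NOTABLE = {
    "search_name": "Access - Password Spraying From Single Source - Rule [T1110.003]",
    "savedsearch_description": "Many failed logons across accounts from one source. Tactic: TA0006",
    "rule_name": "Password spraying from single source (T1110.003)",
    "rule_description": "Spraying (T1110), possibly followed by valid account use (T1078). "
                        "T9999 is a deliberate bogus ID to show unknown-ID handling.",
    "_raw": '{"src":"10.0.0.5","failure_count":187,'
            '"search_name":"Access - Password Spraying From Single Source - Rule [T1110.003]"}',
    "src": "10.0.0.5",
}


def mitre_card_lines(event):
    """Render what an analyst would expect to see on the incident's MITRE ATT&CK card."""
    result = extract_ttps(event)
    lines = []
    for tid in result["techniques"]:
        parent = parent_technique(tid)
        suffix = f" (sub-technique of {parent})" if parent else ""
        lines.append(f"{tid} {TECHNIQUES[tid]}{suffix}")
    for tac in result["tactics"]:
        lines.append(f"{tac} {TACTICS[tac]}")
    for bad in result["unknown_techniques"] + result["unknown_tactics"]:
        lines.append(f"{bad} NOT IN CATALOGUE - check the rule text")
    return lines


if __name__ == "__main__":
    for line in mitre_card_lines(SAMPLE_NOTABLE):
        print(line)
```

Two things worth checking against your own payloads with this: whether the TTP text survives into the event the integration sends (scan the `_raw` string, not just the named fields), and whether every ID you hardcoded exists in the catalogue you imported, since a sub-technique like T1110.003 is only useful if the TAXII import included sub-techniques.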