Configure Splunk events to include MITRE ATT&CK TTPs
02-11-2021 03:24 PM
Does anyone have any documentation on how to configure the Splunk "ServiceNow Event Integration" to include MITRE-ATT&CK TTPs to use in the new Threat Intelligence MITRE ATT&CK framework? I found documentation on how to "Auto-extract technique rules for importing MITRE-ATT&CK information", but it doesn't include configuration requirements for the alerts coming from SIEMs.
02-18-2021 08:36 AM
I found out yesterday that we aren't running ES (we have a Splunk instance named ES; however, Enterprise Security is not installed), so I was thinking I would add the TTP to the "ServiceNow Event Integration" description field. I would have to configure something in the Threat Intelligence module to pull the TTP out of the description to populate the MITRE ATT&CK Card in the Security Incident Response (SIR) incident tickets.
We expect to either have SSE or ES installed sometime in August - October. Until then I'll have to hard-code the TTP into the Splunk events generated in SIR.
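An extraction helper for the workaround described in the post above, added here as an example that is not part of the thread and not code from Splunk or ServiceNow: it assumes a constructed description format in which the ATT&CK technique IDs are written inline, and pulls them out (sub-techniques kept alongside their parent technique) so a downstream step has clean values for the MITRE ATT&CK card.

```python
import re

# Constructed sample events (not from the thread). The description carries the
# technique IDs inline, which is the convention the post proposes; the third
# event shows what happens when an alert was never tagged.
SAMPLE_EVENTS = [
    {"title": "Suspicious PowerShell",
     "description": "Encoded command observed. ATT&CK: T1059.001, T1027"},
    {"title": "Brute force",
     "description": "Failed logons then success [T1110] [T1110.001] [T1078]"},
    {"title": "No TTP tagged",
     "description": "Disk space low on host"},
]

# Technique ID: 'T' + 4 digits, optional '.' + 3-digit sub-technique suffix.
# The word boundaries stop 'T12345' or 'AT1059' from matching.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def extract_techniques(description):
    """Return unique technique IDs from free text, in order of first appearance."""
    found = []
    for match in TECHNIQUE_RE.finditer(description):
        tid = match.group(0)
        if tid not in found:
            found.append(tid)
    return found


def parent_technique(tid):
    """T1110.001 -> T1110; a parent technique maps to itself."""
    return tid.split(".")[0]


def enrich_event(event):
    """Copy an event and add the fields the ATT&CK card step would consume.

    'mitre_techniques' keeps every ID as written; 'mitre_parent_techniques'
    collapses sub-techniques so the card can be populated at technique level
    even when only a sub-technique was tagged.
    """
    techniques = extract_techniques(event.get("description", ""))
    parents = []
    for tid in techniques:
        parent = parent_technique(tid)
        if parent not in parents:
            parents.append(parent)
    enriched = dict(event)
    enriched["mitre_techniques"] = techniques
    enriched["mitre_parent_techniques"] = parents
    enriched["mitre_tagged"] = bool(techniques)   # flag untagged alerts for review
    return enriched


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(enrich_event(ev))
```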