Mitre Technique Extraction - Splunk, MISP Nothing working

dhruv_gupta
Tera Contributor

Hi all,

We are implementing the MITRE framework. We tried configuring the auto extraction rule, but it doesn't seem to be working. Has anybody implemented that, or can anyone share some insights? That would be really helpful.


@andy_ojha 


Martin Dewit
Kilo Sage

For Splunk, have you looked at this post? 

https://www.servicenow.com/community/secops-forum/configure-splunk-events-to-include-mitre-att-ck-tt...


For MISP, the docs specify settings within the integration. Have you configured those?

https://docs.servicenow.com/csh?topicname=review-the-misp-integration-settings.html&version=latest 


dhruv_gupta
Tera Contributor

Yes, all checked.

andy_ojha
ServiceNow Employee

Hey @dhruv_gupta - looks like @Martin Dewit has got you on the right track.

A few questions that may help:

1) Have we already configured MITRE ATT&CK - and pulled in the data from the "TAXII Profiles"?
  - Assuming we went with "Enterprise ATT&CK" but can you confirm?

[screenshot: andy_ojha_0-1721832963928.png]

2) What flavor of Splunk are we using?
  - Are we using Splunk Enterprise Security (ES) - where the Notable Events actually have MITRE ATT&CK TTPs in the Notable event field data?


3) How are we integrating Splunk with SecOps?
 - Are we using the NOW Store App - and have we set up the Profiles for Automated ingestion (scheduled)?
 - Or, are we first testing with the "Manual" option to push Notables to NOW with the button?

4) Can you confirm on the ServiceNow config side -> the Extraction Rule for Splunk -> has the Ignore option disabled (false)?


[screenshot: andy_ojha_0-1721833336244.png]

dhruv_gupta
Tera Contributor

1)

[screenshot: dhruv_gupta_0-1721833507161.png]

2) & 3)

[screenshot: dhruv_gupta_1-1721833570578.png]

4)

[screenshot: dhruv_gupta_2-1721833662954.png]