Mitre Technique Extraction - Splunk, MISP Nothing working
07-24-2024 07:26 AM
Hi all,
We are implementing the MITRE framework. We tried configuring the auto extraction rule, but it doesn't seem to be working. Has anybody implemented that, or can anyone share some insights? That would be really helpful.
07-24-2024 07:44 AM
For Splunk, have you looked at this post?
For MISP, the docs specify settings within the integration. Have you configured those?
https://docs.servicenow.com/csh?topicname=review-the-misp-integration-settings.html&version=latest
07-24-2024 07:48 AM
Yes, all checked.

07-24-2024 08:01 AM - edited 07-24-2024 08:02 AM
Hey @dhruv_gupta - looks like @Martin Dewit has got you on the right track.
A few questions that may help:
1) Have we already configured MITRE ATT&CK - and pulled in the data from the "TAXII Profiles"?
- Assuming we went with "Enterprise ATT&CK" but can you confirm?
2) What flavor of Splunk are we using?
- Are we using Splunk Enterprise Security (ES) - where the Notable Events actually have MITRE ATT&CK TTPs in the Notable event field data?
3) How are we integrating Splunk with SecOps?
- Are we using the NOW Store App - and have we set up the Profiles for automated ingestion (scheduled)?
- Or, are we first testing with the "Manual" option to push Notables to NOW with the button?
4) Can you confirm on the ServiceNow config side -> the Extraction Rule for Splunk -> has the Ignore option disabled (false)?
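Question 2 above is the one that most often explains "nothing extracted": if the notables or MISP events never carry an ATT&CK technique ID, no extraction rule can find one. The script below is an added example, not code from this thread, ServiceNow or Splunk. It runs the same kind of technique-ID match an extraction rule would over sample records, so you can see per source whether any IDs are present at all. The Splunk field name `annotations.mitre_attack`, the MISP galaxy tag prefix, and the sample records are assumptions or constructed data; check the field name against your own ES version before trusting the result.

```python
"""Audit exported Splunk ES notables and MISP events for ATT&CK technique IDs.

Added example (not from the thread, ServiceNow, or Splunk). All records below
are constructed sample data; the field names are assumptions to verify.
"""
import json
import re
from collections import defaultdict

# ATT&CK technique IDs look like T1059, sub-techniques like T1059.001.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed subset standing in for the Enterprise ATT&CK IDs loaded via TAXII.
KNOWN_TECHNIQUES = {"T1059", "T1059.001", "T1078", "T1110", "T1566", "T1566.001"}

# Constructed Splunk ES notables. "annotations.mitre_attack" is assumed to be
# the ES field that carries technique IDs; it can be a string or a multivalue list.
SPLUNK_NOTABLES = [
    {"rule_name": "ESCU - Suspicious PowerShell", "annotations.mitre_attack": "T1059.001"},
    {"rule_name": "Brute Force by Source", "annotations.mitre_attack": ["T1110", "T1078"]},
    {"rule_name": "Legacy correlation search"},  # no annotation: nothing to extract
]

# Constructed MISP events. ATT&CK techniques arrive as galaxy tags on the event.
MISP_EVENTS = [
    {"id": "101", "Tag": [{"name": 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"'},
                          {"name": "tlp:amber"}]},
    {"id": "102", "Tag": [{"name": "tlp:green"}]},  # no ATT&CK tag at all
]


def techniques_from_text(text):
    """Return the set of ATT&CK-looking IDs found in a string."""
    return set(TECHNIQUE_RE.findall(text))


def extract_splunk(notable, field="annotations.mitre_attack"):
    """Technique IDs in one notable; tolerates string or multivalue field."""
    value = notable.get(field)
    if value is None:
        return set()
    if isinstance(value, list):
        value = " ".join(str(v) for v in value)
    return techniques_from_text(str(value))


def extract_misp(event):
    """Technique IDs in one MISP event's mitre-attack-pattern galaxy tags."""
    found = set()
    for tag in event.get("Tag", []):
        name = tag.get("name", "")
        if name.startswith("misp-galaxy:mitre-attack-pattern"):
            found |= techniques_from_text(name)
    return found


def audit(notables, events, known=KNOWN_TECHNIQUES):
    """Per-record IDs, plus the records that yield nothing and IDs not in the loaded set."""
    report = {"splunk": defaultdict(set), "misp": defaultdict(set),
              "empty": [], "unknown": set()}
    for n in notables:
        ids = extract_splunk(n)
        key = n.get("rule_name", "?")
        if not ids:
            report["empty"].append(("splunk", key))
        report["splunk"][key] = ids
        report["unknown"] |= ids - known  # present in data but not in the TAXII-loaded table
    for e in events:
        ids = extract_misp(e)
        key = e.get("id", "?")
        if not ids:
            report["empty"].append(("misp", key))
        report["misp"][key] = ids
        report["unknown"] |= ids - known
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SPLUNK_NOTABLES, MISP_EVENTS), indent=2, default=sorted))
```

Records listed under `empty` will never produce a technique in SecOps regardless of the extraction rule; IDs under `unknown` are present in the source but absent from the ATT&CK table you loaded, which points at the TAXII profile rather than the rule.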
07-24-2024 08:07 AM - edited 07-30-2024 02:41 AM
1;)
2:) & 3:)
4:)