Mitre Technique Extraction - Splunk, MISP Nothing working

dhruv_gupta · ‎07-24-2024

Hi all,

We are implementing MITRE framework. We tried configuring auto extraction rule but they dont seem to be working. Has anybody implemented that or can share some insights. That will be really helpful

@andy_ojha

Martin Dewit · ‎07-24-2024

For Splunk, have you looked at this post?

https://www.servicenow.com/community/secops-forum/configure-splunk-events-to-include-mitre-att-ck-tt...

For MISP, the docs specify settings within the integration. Have you configured those?

https://docs.servicenow.com/csh?topicname=review-the-misp-integration-settings.html&version=latest

dhruv_gupta · ‎07-24-2024

yaa all checked.

andy_ojha · ‎07-24-2024

Hey @dhruv_gupta - looks like @Martin Dewit has got you on the right track.

A few questions that may help:

1) Have we already configured MITRE ATT&CK - and pulled in the data from the "TAXII Profiles"?
- Assuming we went with "Enterprise ATT&CK" but can you confirm?

2) What flavor of Splunk are we using?
- Are we using Splunk Enterprise Security (ES) - where the Notable Events actually have MITRE ATT&CK TTPs in the Notable event field data?

3) How are we integration Splunk with SecOps?
- Are we using the NOW Store App - and setup the Profiles for Automated ingestion (scheduled)?
- Or, are we first testing with the "Manual" option to push Notables to NOW with the button?

4) Can you confirm on the ServiceNow config side -> the Extraction Rule for Splunk -> has the Ignore option disabled (false)?

dhruv_gupta · ‎07-24-2024

1;)

2:) & 3:)

4:)