ThreatHunting - A Splunk App Mapped to MITRE ATT&CK to Guide Your Threat Hunts


This is a Splunk application containing several dashboards and over 120 reports that surface initial hunting indicators to investigate.
You obviously need to be ingesting Sysmon data into Splunk; a good configuration can be found here.
Note: This application is not a magic bullet. It will require tuning and real investigative work to be truly effective in your environment. Try to become best friends with your system administrators; they will be able to explain a lot of the initially discovered indicators.
Big credit goes out to MITRE for creating the ATT&CK framework!
Pull requests, issue tickets and new additions will be greatly appreciated!

Mitre ATT&CK
I strive to map all searches to the ATT&CK framework. A current ATT&CK Navigator export of all linked configurations is found here and can be viewed here.


App Prerequisites
Install the following apps on your search head:

Required actions afterwards deployment
  • Make sure the threathunting index is present on your indexers.
  • Edit the macros to suit your environment > https://YOURSPLUNK/en-US/manager/ThreatHunting/admin/macros (make sure the sourcetype is correct).
  • The app is shipped without whitelist lookup files; you'll need to create them yourself. This is so you won't accidentally overwrite them when upgrading the app.
  • Install the lookup CSVs or create them yourself; empty CSVs are here.
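As an added example (not configuration shipped with the app), the two local overrides that satisfy the index and macro steps above. The macro name `sysmon`, the file paths and the retention value are assumptions; take the real macro names from the macros page linked above.

```ini
# --- indexes.conf (on the indexers): the index every report searches ---
# Without this stanza the forwarded Sysmon events are dropped or land in
# lastchanceindex, and the app's reports return nothing.
[threathunting]
homePath   = $SPLUNK_DB/threathunting/db
coldPath   = $SPLUNK_DB/threathunting/colddb
thawedPath = $SPLUNK_DB/threathunting/thaweddb
# Assumed 90-day retention; adjust to your own policy.
frozenTimePeriodInSecs = 7776000

# --- $SPLUNK_HOME/etc/apps/ThreatHunting/local/macros.conf (on the search head) ---
# Put the edit in local/, not default/: an app upgrade replaces default/ and
# would silently revert your sourcetype to the one shipped with the app.
# The sourcetype must match what your Sysmon forwarders actually send; a wrong
# value does not error, every report just shows zero results.
# Verify first with: index=threathunting | stats count by sourcetype
[sysmon]
definition = index=threathunting sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0
```

The same local/ rule applies to the whitelist lookups: files you create under the app are yours to maintain, and the app deliberately ships none so an upgrade cannot overwrite them.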
A step-by-step guide kindly written by Kirtar Oza can be found here.

Usage
A more detailed explanation of all functions can be found here or in this blog post.