Installation

Download and Install

1. Download the latest AppInspect Passed version from: https://splunkbase.splunk.com/app/4617/

   For the latest changes and development efforts: https://github.com/seynur/DA-ESS-MitreContent/

2. Install the application on Splunk Enterprise. DA-ESS-MitreContent should be installed on the Search Head or Search Head Cluster where Enterprise Security Application resides.

   For details on add-on installation please refer to Splunk Documentation: https://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons

Initial Setup

Upon installation of the add-on, you may need to initially run a search to populate the lookup table. The report simply checks for available (and enabled) Correlation Searches that are tagged for MITRE ATT&CK techniques within the Analytic Stories.

1. First, please check the table at the top named “MITRE ATT&CK Compliance Lookup Gen Status” for lookup table status.

2. Click on the row if the lookup table appears to be empty. This will open a new windows with the “Mitre Compliance Lookup Gen” report. By default this scheduled report runs daily, at 0:00. Its time range is last 24 hours. Click Open in Search button to run this report for the first time.

3. Once the search is completed, you can go back to “MITRE ATT&CK Compliance with Splunk ES” dashboard to view the level of existing rules (enabled and available) in comparison to MITRE ATT&CK techniques.