ThreatHunting : A Splunk App Mapped To MITRE ATT&CK

ThreatHunting is a Splunk application containing several dashboards and over 120 reports that will facilitate initial hunting indicators to investigate.

You obviously need to be ingesting Sysmon data into Splunk, a good configuration can be found here

Note: This application is not a magic bullet, it will require tuning and real investigative work to be truly effective in your environment. Try to become best friends with your system administrators. They will be able to explain a lot of the initially discovered indicators.

Mitre ATT&CK

I strive to map all searches to the ATT&CK framework. A current ATT&CK navigator export of all linked configurations is found here and can be viewed here.

Also Read – Osmedeus : Security Framework For Reconnaissance & Vulnerability Scanning

App Prerequisites

Install the following apps to your SearchHead:

Required actions after deployment

  • Make sure the threathunting index is present on your indexers
  • Edit the macro’s to suit your environment > https://YOURSPLUNK/en-US/manager/ThreatHunting/admin/macros (make sure the sourcetype is correct)
  • The app is shipped without whitelist lookup files, you’ll need to create them yourself. This is so you won’t accidentally overwrite them on an upgrade of the app.
  • Install the lookup csv’s or create them yourself, empty csv’s are here

A step by step guide kindly written by Kirtar Oza can be found here

Usage

A more detailed explanation of all functions can be found here or in this blog post

R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

7 hours ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

1 day ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

1 day ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

1 day ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

1 day ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

1 day ago