Splunk-based dashboards and visuals for working with the MITRE ATT&CK Framework
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Dashboards Add files via upload Sep 14, 2017
Lookups Update df_tactic_rating_poc.csv Sep 8, 2017
Navigation Create default.xml Sep 14, 2017
PowerShell Delete HOST-SPLUNKSearchConnect.psm1 Sep 20, 2017
Reports Create darkfalcon_rating_report Sep 15, 2017
LICENSE Initial commit Sep 8, 2017
README.md Update README.md Sep 15, 2017

README.md

DarkFalcon

Splunk-based dashboards and visuals for working with the MITRE ATT&CK Framework

This is a lookup file driven system of dashboards helping work with the ATT&CK framework within a company and leveraging it for making business decisions. There is also an xml for adding the custome navigation to your Splunk nav.

Setup

Below are the steps you can follow to get DarkFalcon up and running in your Splunk instance.

1. Add Lookup Files

In Splunk, Click Settings then Lookups. Click Lookup Table Files then New in the upper-left. For each file in the Lookups Folder in the repo, add with the same name as the file.

Ensure permissions on the files are set to app, instead of owner or private, so others on your team can see them.

2. Create Dashboards

In Splunk, Click Dashboards then click Create new Dashboard button in the upper-right. Set the following in the pop-up: Title: ID: Permissions: Shared in App

When the new dashboard comes up, click edit source in the upper-right. Copy the XML from the file in the repo and paste it replacing the xml in the dashboard and click save.

Do this for each file in the Dashboard folder. These are already coded to use the lookup files that you added in the first section.

3. Update Navigation

This one is a little trickier and you have a couple of options for implementing it.

Option 1 - Update Nav XML from SSH

For this, SSH into you Splunk server and browse to the navigation folder of the app you added the dashboards to, usually search or SplunkEnterpriseSecuritySuite.

Copy the collection part of the nav xml from the Navigation folder of this repo and add it to the default.xml of the nav on your Splunk server. Save the file and refresh the site and you should see the links.

Option 2 - Create the Nav from the GUI

This is easiest through Enterprise Security Suite since they give you an easy to use page. In ESS, click Configue, then General then Navigation.

In the page, you will see the darkfalcon dashboards you created in step 2 and you can drag them to the right to stack them in the navigation bar. Use thhe xml from this repo under Navigation as an outline of how we we did our layout.

4. Setup Reports

Part of the reporting is a scheduled report that archives the scores so that they can be used for tracking over time. The other report is used for automated scoring and will be talked about in the blog.

In Splunk, click Settings thenSearches and Reports. Click New and add the settings outlined in each report listed in the Reports folder of this repo.