Splunk : Introducing ATT&CK Detections Collector

Share:

By Marcus LaFerrera January 03, 2022

The Splunk SURGe team loves to automate and simplify mundane tasks. Through rapid response blogs, we provide context and analysis on late breaking security events that affect everyone, not just Splunk customers. We are firm believers that through shared knowledge and experience we can help the masses better understand the threat landscape and how they can improve their security posture.

The SURGe team is lazy. We like to replace the mundane with scripts or some form of automation. In each rapid response blog we include a table that lists relevant MITRE ATT&CK techniques as well as detections from Enterprise Security Content Updates (ESCU). At first, this was a manual task where a SURGe team member identified MITRE ATT&CK techniques, then searched through ESCU to find our detections. Needless to say, this was a time-consuming process, albeit worth the effort to ensure we could provide actionable information to our readers.

Once the dust settles from the rapid response process, we stay true to our roots and spend an hour or two going over what went well, and perhaps more importantly, what could be improved. This has proven to be of tremendous benefit to the process as a whole, allowing us to develop tools and processes that can bring more value to our readers. Early on we realized we were spending an inordinate amount of time collecting ATT&CK techniques and generating a comprehensive listing of ESCU detections. Did I mention we love to automate and simplify mundane tasks?

Segue, Please

Now that we know the why, let's move on to the how. We open-sourced a new project called, ATT&CK Detections Collector, or ADC for short. ADC simplifies the process of collecting ATT&CK techniques and identifying a comprehensive list of ESCU detections without breaking a sweat. As a matter of fact, ADC generates a nicely formatted, blog-ready table. Before ADC, a poor soul would have to manually generate the list. We've even added a bonus feature that automatically generates an ATT&CK Navigator layer. This allows anyone to visualize ESCU detections and coverage directly in ATT&CK Navigator.

How does ADC accomplish this magic, you ask? With a Python script, of course. Just run adc.py with a listing of ATT&CK techniques or provide a URL (such as a vendor blog post) that contains the techniques. The script will automagically extract the needed parameters, grab context from the MITRE ATT&CK dataset, then match it up with ESCU detections. It's that simple... and automated! Please note, this is not an app or addition to any product, just something extra to make your life easier.

We've made it easy to run this code in Jupyter Notebooks, which creates a nice, pretty table in seconds. You can easily link to each detection to better understand how it pertains to your data.

Remember that bonus feature we mentioned earlier? Let's take a look at what that would look like. The color gradient is dependent on the number of ESCU detections for the specific ATT&CK technique. Additionally, you can view direct links to the relevant ESCU detections in the comments section. There is also plenty of room to customize the output via the output template in the repository, and you're all set.

Code, Or It Didn't Happen

Done. We open sourced the ATT&CK Detections Collector project so that it can help others as much as it has helped us. Check out the code here, along with more detailed documentation on how to install and use the project. We will continue to contribute to the project to address any potential bugs or feature requests.

We're also big believers in eating our own dog food. If you'd like to see some examples of where we have used ADC in the past, check out some of our previous blogs posts, such as Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk and SUPERNOVA Redux, with a Generous Portion of Masquerading. You can expect plenty of blog posts from us in the future. We've heard this cyber security thing is here to stay.

If you find ADC useful, or have ideas on how to improve the project, we'd love to hear from you! The SURGe team here at Splunk will have many more fun projects to share in the future, so keep your eyes peeled for more.