Well, it’s been a while since you read a blog dedicated to the latest release – okay, the latest several releases – of Splunk Security Essentials (SSE). We have been busy behind the scenes, however, so let’s catch you up on SSE’s latest features, which include the new version of our content API, as well as the external updates from MITRE: the release of ATT&CK v7.2 (with Sub-Techniques) and ATT&CK v8.
This past July, MITRE ATT&CK released version 7.2. This update was a major overhaul of the ATT&CK framework because it introduced Sub-Techniques, a completely new object.
Sub-techniques are a way to describe a specific implementation of a technique in more detail, and in doing so they link the ATT&CK Framework more closely to the methods and procedures that an attacker will actually perform. Sub-techniques are attached to, and nested under, a Technique. To support this new feature, we updated SSE so that you can use the ATT&CK Matrix visualization to represent your data. This update also meant we updated all mappings of our detections to the new Techniques and Sub-Techniques. You’ll see these visualizations starting in SSE version 3.2.0.
The updates keep on rolling out with MITRE ATT&CK version 8, released just last month in October. In this latest version, the framework introduced a Network matrix with additional Techniques and merged the PRE-ATT&CK Matrix into the Enterprise Matrix as two new Tactics. This update was incorporated into SSE version 3.2.2.
During the summer of this year, Splunk also released a new schema to the Splunk Security Content API. This API allowed us to develop a framework for downloading content automatically into the SSE app from the client side. If you are running one of the later versions of SSE, you might have seen the green “Configuration” button triggering a refresh of the browser. We have had the capability to update the ATT&CK Framework for some time, but from SSE version 3.2.1, we now also update the detection content immediately as it’s made available in the API. This means you will no longer have to worry about manually updating Splunk Security Essentials to get the latest content into your environment.
Along with the updates mentioned above, in the latest release of Splunk Security Essentials 3.2.2, we also added support for an additional ATT&CK object — Software. Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. The Software object has two types, Tools and Malware. Tools, as in penetration test tools, hacker tools, and so on, include software like Cobalt Strike and Mimikatz. Malware includes items like Ryuk, Emotet and SamSam. Having access to the Software object inside SSE lets you answer questions like:
Adding this object was partly inspired by my colleague Ryan Kovar who recently wrote an excellent blog post, Ryuk and Splunk Detections, on the ATT&CK Techniques that are being used by the Ryuk ransomware.
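As an added illustration of the kind of question the Software object enables (this is not SSE’s own code, and the software-to-technique and detection-to-technique mappings below are constructed samples rather than the real ATT&CK dataset or SSE content), the following Python works out which techniques used by a Software entry have a mapped detection. A detection mapped to a Sub-technique is treated as covering its parent Technique, mirroring how the matrix view nests them.

```python
"""Detection coverage for the ATT&CK techniques used by a Software entry."""
from collections import defaultdict

# Constructed sample mapping (hypothetical entry; not the real ATT&CK data).
# Sub-technique IDs carry their parent in the dotted prefix, e.g. T1059.001 -> T1059.
SOFTWARE_TECHNIQUES = {
    "Ryuk-like sample": ["T1486", "T1059.001", "T1047", "T1021.002", "T1003.001"],
}

# Constructed detection content mapped to Techniques/Sub-techniques, SSE-style.
DETECTIONS = {
    "Suspicious PowerShell Encoded Command": ["T1059.001"],
    "Mass File Rename/Encrypt Activity": ["T1486"],
    "WMI Remote Process Launch": ["T1047"],
}


def parent_of(tech_id):
    """Return the parent Technique ID of a Sub-technique (or the ID itself)."""
    return tech_id.split(".")[0]


def coverage_for(software, software_map=SOFTWARE_TECHNIQUES, detections=DETECTIONS):
    """Return (covered, uncovered) for the techniques a Software entry uses.

    covered maps technique ID -> sorted detection names; uncovered is the list
    of technique IDs with no detection. A detection mapped to a Sub-technique
    also counts for the parent Technique (roll-up); a parent-only detection is
    not assumed to cover a specific Sub-technique.
    """
    covered_by = defaultdict(set)
    for name, techs in detections.items():
        for t in techs:
            covered_by[t].add(name)
            covered_by[parent_of(t)].add(name)  # sub-technique rolls up to parent
    covered, uncovered = {}, []
    for t in software_map[software]:
        if covered_by.get(t):
            covered[t] = sorted(covered_by[t])
        else:
            uncovered.append(t)
    return covered, uncovered


if __name__ == "__main__":
    cov, gaps = coverage_for("Ryuk-like sample")
    for tech, names in cov.items():
        print(f"{tech}: covered by {', '.join(names)}")
    print("no detection mapped:", ", ".join(gaps))
```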
Have you ever wondered if you can add your own pre-existing detection searches into SSE and have them appear alongside the content repository? Well, the answer is an enthusiastic yes! This capability has been available for some time, but its usability has been greatly improved in the latest versions.
To access this feature in the app, go to the “Security Content” tab, then the “Custom Content” feature. The good news is that you can add a new piece of content and use an existing saved search as a template. You just need to fill out a few metadata fields and press save, and your custom search will be displayed in all SSE dashboards, including the ATT&CK Matrix.
In addition to everything presented above, we have plenty of general improvements and fixes included in every release. Read more in the release notes of each release.
I hope you enjoy these latest releases. And for those of you who have not yet explored Splunk Security Essentials, check out the Demo Environment today.
Happy Splunking!
Johan Bjerke