Drilldown on detection techniques using Detection Studio in Splunk Enterprise Security
Use the MITRE ATT&CK matrix to identify the individual techniques that are used in a detection and drill down into specific techniques to focus on the most relevant threats, specific threat actors, and data sources such as service creation events.
Drilling down on MITRE ATT&CK techniques helps security teams move beyond generic alerts and understand how attackers operate. This enables faster incident response, better detection rule tuning, proactive identification of defense gaps (such as missing logging or controls for phishing attachments), and continuous improvement by mapping real-world threats to specific defenses, ultimately reducing attacker dwell time and preventing future breaches.
- In Splunk Enterprise Security, access Detection Studio.
- In the MITRE ATT&CK matrix, select Coverage to review the detection coverage for the various techniques and tactics.
- In the MITRE ATT&CK matrix, select Gaps to review the gaps in detection coverage for the various techniques and tactics.
- Hover over a specific technique to see its detection coverage, which lists both deployed and available detections. You can also search for specific techniques.
- If detection coverage for a specific tactic or technique is inadequate, select the number of available detections for that technique to go to the Detection library.
- Identify available detections from the Detection library and deploy them to increase security coverage.
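The coverage and gap views above are an aggregation over each detection's ATT&CK annotations, split by whether the detection is deployed or only available in the library. The following script is an added example, not Splunk's own code or API: it performs that aggregation over a constructed inventory of detections so you can reproduce a coverage and gap list outside the UI (for example from an exported detection list). The record fields (`name`, `status`, `annotations`, `data_source`) and the annotation JSON shape with a `mitre_attack` list are assumptions for this example, not Splunk's schema. It goes slightly beyond the page by rolling sub-techniques (T1543.003) up to their parent technique (T1543) and by reporting detections whose annotations are missing or malformed, which would otherwise silently disappear from a coverage view.

```python
import json
from collections import defaultdict

# Constructed sample detection inventory (not real Splunk ES data).
# Field names and the annotation layout are assumptions for this example.
# "status" is "deployed" (enabled in ES) or "available" (only in the library).
SAMPLE_DETECTIONS = [
    {"name": "Windows Service Created with Suspicious Path", "status": "deployed",
     "annotations": json.dumps({"mitre_attack": ["T1543.003"]}),
     "data_source": "Windows System log, service creation (EventCode 7045)"},
    {"name": "Office Application Spawns Shell", "status": "available",
     "annotations": json.dumps({"mitre_attack": ["T1566.001", "T1204.002"]}),
     "data_source": "Sysmon process creation (EventCode 1)"},
    {"name": "Scheduled Task Created via schtasks", "status": "deployed",
     "annotations": json.dumps({"mitre_attack": ["T1053.005"]}),
     "data_source": "Sysmon process creation (EventCode 1)"},
    {"name": "Email Attachment with Executable Content", "status": "available",
     "annotations": json.dumps({"mitre_attack": ["T1566.001"]}),
     "data_source": "Email gateway logs"},
    {"name": "Kerberos Service Ticket Request Spike", "status": "available",
     "annotations": json.dumps({"mitre_attack": ["T1558.003"]}),
     "data_source": "Windows Security log (EventCode 4769)"},
    {"name": "Legacy Rule Without Mapping", "status": "deployed",
     "annotations": "not-json",          # malformed on purpose: must not crash the report
     "data_source": "Firewall logs"},
]

VALID_STATUSES = ("deployed", "available")


def parent_technique(technique_id: str) -> str:
    """Map a sub-technique ID to its parent: T1543.003 -> T1543. Techniques map to themselves."""
    return technique_id.split(".", 1)[0]


def technique_ids(detection: dict) -> list:
    """Extract the ATT&CK technique IDs from a detection's annotation JSON.

    Returns an empty list for missing or malformed annotations so the caller can
    report the detection as unmapped instead of losing it.
    """
    try:
        parsed = json.loads(detection.get("annotations") or "{}")
    except (json.JSONDecodeError, TypeError):
        return []
    ids = parsed.get("mitre_attack", []) if isinstance(parsed, dict) else []
    return [t for t in ids if isinstance(t, str) and t.startswith("T")]


def coverage_by_technique(detections: list, roll_up: bool = True) -> dict:
    """Return {technique: {"deployed": n, "available": n, "data_sources": set}}.

    With roll_up=True, sub-techniques are counted under their parent technique,
    matching a matrix view that shows one cell per technique.
    """
    table = defaultdict(lambda: {"deployed": 0, "available": 0, "data_sources": set()})
    for det in detections:
        status = det.get("status")
        if status not in VALID_STATUSES:
            continue  # unknown lifecycle state: leave it out rather than miscount it
        for tid in technique_ids(det):
            key = parent_technique(tid) if roll_up else tid
            table[key][status] += 1
            table[key]["data_sources"].add(det["data_source"])
    return dict(table)


def gaps(detections: list, roll_up: bool = True) -> list:
    """Techniques with available detections in the library but none deployed."""
    cov = coverage_by_technique(detections, roll_up)
    return sorted(t for t, c in cov.items() if c["deployed"] == 0 and c["available"] > 0)


def unmapped_detections(detections: list) -> list:
    """Detections carrying no usable ATT&CK mapping; they never appear in the matrix."""
    return [d["name"] for d in detections if not technique_ids(d)]


def drilldown(detections: list, technique: str) -> list:
    """Detections (name, status, data source) for one technique or its sub-techniques."""
    return [
        (d["name"], d["status"], d["data_source"])
        for d in detections
        if any(parent_technique(t) == technique or t == technique for t in technique_ids(d))
    ]


if __name__ == "__main__":
    for tech, c in sorted(coverage_by_technique(SAMPLE_DETECTIONS).items()):
        print(f"{tech}: deployed={c['deployed']} available={c['available']} "
              f"sources={sorted(c['data_sources'])}")
    print("gaps:", gaps(SAMPLE_DETECTIONS))
    print("unmapped:", unmapped_detections(SAMPLE_DETECTIONS))
    print("T1543 drilldown:", drilldown(SAMPLE_DETECTIONS, "T1543"))
```

The `drilldown` function is the scripted equivalent of hovering a technique and selecting its available detections: it lists what is deployed, what is only available, and which data source each detection depends on, so a gap can be attributed either to an undeployed rule or to a log source that is not being collected.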