CB Analytics Alert TTPs include MITRE ATT&CK techniques. Each MITRE TTP carries the MITRE TID (technique ID) together with a concise name of the technique. Whenever a sub-technique's TTP is attached to a CB Analytics Alert, the parent technique's TTP is attached as well, so a sub-technique never appears on an alert without its parent.

Required Product: Carbon Black Cloud Endpoint Standard

Required Data: Alerts (App Input or Data Forwarder)

Examples: MITRE_T1596_SEARCH_OPEN_TECHNICAL_DATABASES (technique T1596) and MITRE_T1596_001_DNS_PASSIVE_DNS (sub-technique T1596.001, which arrives alongside the T1596 parent TTP)

Top Endpoints by Unique MITRE TID Count

The search below expands the multivalue ttps field from each alert's threat indicators, extracts the TID and technique name from every MITRE_ TTP (non-MITRE TTPs do not match the rex and are dropped by the where clause), and counts distinct TIDs per endpoint. Because the parent TTP accompanies every sub-technique TTP, a sub-technique contributes two distinct TIDs to the count.

eventtype="vmware_cbc_cb_analytics"
| rename threat_indicators{}.ttps{} as mitre_ttps
| mvexpand mitre_ttps
| rex field=mitre_ttps "^MITRE_(?<mitre_tid>T\d+(?:_\d{3})?)_(?<mitre_tid_name>.*)$"
| where isnotnull(mitre_tid)
| eval mitre_tid = lower(mitre_tid)
| stats
  dc(mitre_tid) as mitre_tid_count,
  values(mitre_tid) as mitre_tids,
  values(mitre_tid_name) as mitre_tid_names
  by device_id, device_name
| sort -mitre_tid_count
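The same extraction and per-endpoint count, written in Python against alert JSON as the Data Forwarder delivers it, is useful when the records are being processed outside Splunk or when validating what the search above will return. This is an added example, not code from the page or from the Carbon Black Cloud app: the alert records are constructed (only the device_id, device_name and threat_indicators fields used here; the third record deliberately omits a parent TTP to exercise the check), and the helper names are this example's own. It applies the same regular expression as the SPL rex, lowercases the TID as the eval does, and adds a check that every sub-technique TTP on an alert is accompanied by its parent TTP, the invariant the count above relies on.

```python
import re
from collections import defaultdict

# Same shape as the SPL rex: MITRE_<TID>[_<three-digit sub-technique>]_<NAME>
TTP_RE = re.compile(r"^MITRE_(?P<tid>T\d+(?:_\d{3})?)_(?P<name>.+)$")

# Constructed sample records (not real alert data) in the field layout of
# CB Analytics alerts from the Data Forwarder, reduced to the fields used here.
SAMPLE_ALERTS = [
    {"device_id": 101, "device_name": "ws-finance-01",
     "threat_indicators": [
         {"ttps": ["MITRE_T1596_SEARCH_OPEN_TECHNICAL_DATABASES",
                   "MITRE_T1596_001_DNS_PASSIVE_DNS"]},
         {"ttps": ["NETWORK_ACCESS"]},          # non-MITRE TTP, dropped like the SPL where clause
     ]},
    {"device_id": 101, "device_name": "ws-finance-01",
     "threat_indicators": [
         {"ttps": ["MITRE_T1059_COMMAND_AND_SCRIPTING_INTERPRETER",
                   "MITRE_T1059_001_POWERSHELL"]},
     ]},
    # Constructed malformed record: sub-technique present, parent TTP missing.
    {"device_id": 202, "device_name": "srv-build-07",
     "threat_indicators": [{"ttps": ["MITRE_T1596_001_DNS_PASSIVE_DNS"]}]},
]


def parse_ttp(ttp):
    """Return (lowercased tid, name) for a MITRE TTP string, None for any other TTP."""
    m = TTP_RE.match(ttp)
    if not m:
        return None
    return m.group("tid").lower(), m.group("name")


def parent_tid(tid):
    """t1596_001 -> t1596; a parent technique maps to itself."""
    return tid.split("_", 1)[0]


def alert_ttps(alert):
    """Flatten threat_indicators{}.ttps{} into one sequence, as the rename + mvexpand do."""
    for indicator in alert.get("threat_indicators", []):
        for ttp in indicator.get("ttps", []):
            yield ttp


def tids_by_endpoint(alerts):
    """Counterpart of the stats/sort stage: distinct TIDs and names per endpoint."""
    acc = defaultdict(lambda: {"tids": set(), "names": set()})
    for alert in alerts:
        key = (alert["device_id"], alert["device_name"])
        for ttp in alert_ttps(alert):
            parsed = parse_ttp(ttp)
            if parsed is None:
                continue
            tid, name = parsed
            acc[key]["tids"].add(tid)
            acc[key]["names"].add(name)
    rows = [
        {"device_id": dev_id, "device_name": dev_name,
         "mitre_tid_count": len(v["tids"]),
         "mitre_tids": sorted(v["tids"]),
         "mitre_tid_names": sorted(v["names"])}
        for (dev_id, dev_name), v in acc.items()
    ]
    rows.sort(key=lambda r: -r["mitre_tid_count"])
    return rows


def missing_parents(alerts):
    """(device_id, sub-technique tid) for alerts carrying a sub-technique TTP
    without the parent's TTP. The documented behaviour is that the parent is
    always present; anything returned here is data the search above was not
    written for and should be investigated rather than counted."""
    bad = []
    for alert in alerts:
        tids = {p[0] for p in map(parse_ttp, alert_ttps(alert)) if p}
        for tid in sorted(tids):
            if "_" in tid and parent_tid(tid) not in tids:
                bad.append((alert["device_id"], tid))
    return bad


if __name__ == "__main__":
    for row in tids_by_endpoint(SAMPLE_ALERTS):
        print(row)
    print("missing parents:", missing_parents(SAMPLE_ALERTS))
```

On the constructed input, ws-finance-01 reports four distinct TIDs (t1059, t1059_001, t1596, t1596_001) across its two alerts, and the check flags the srv-build-07 record whose sub-technique has no accompanying parent TTP.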

Dashboard panels built on this search: "Top endpoints discovered by Unique MITRE TID count" and "Top TID counts".