Carbon Black Cloud aligns to the MITRE ATT&CK Framework in both CB Analytics Alerts and Watchlist Hits.
This alignment enables easy and effective threat hunting, such as:
- Identifying and investigating endpoints that have observed the most unique MITRE TIDs
- Identifying and investigating endpoints that have observed specific MITRE TIDs, such as those used in an emerging threat
- Identifying which MITRE TIDs have been observed on a specific endpoint that is already under investigation
Carbon Black Cloud strives to keep current with MITRE's routine updates of the ATT&CK framework. Deprecated MITRE TTPs are included with alerts for 12 months. If you are using a specific MITRE TID for detections, we recommend that you stay up to date with the latest changes.
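The three hunts listed above, plus a check for deprecated TIDs in your own detections, as an added example in Python; this is not Carbon Black Cloud's code or API. The alert records, the `device_name` and `ttps` field names, and the deprecated-TID set are constructed assumptions for illustration.

```python
# Constructed sample alert records (not real Carbon Black Cloud output).
# `device_name` and `ttps` are assumed field names, used only for this example.
SAMPLE_ALERTS = [
    {"device_name": "WS-001", "ttps": ["T1059.001", "T1003.001"]},
    {"device_name": "WS-001", "ttps": ["T1059.001", "T1547.001"]},
    {"device_name": "WS-002", "ttps": ["T1003.001"]},
    {"device_name": "SRV-010", "ttps": ["T1021.002", "T1003.001", "T1059.003"]},
    {"device_name": "SRV-010", "ttps": ["T1021.002"]},
]

# Constructed placeholder (not a real ATT&CK ID): TIDs that MITRE has deprecated.
# In practice, populate this from the current ATT&CK release.
DEPRECATED_TIDS = {"T9999.001"}


def tids_per_endpoint(alerts):
    """Map each endpoint to the set of distinct TIDs observed in its alerts."""
    result = {}
    for alert in alerts:
        result.setdefault(alert["device_name"], set()).update(alert["ttps"])
    return result


def endpoints_by_unique_tids(alerts):
    """Hunt 1: endpoints ranked by how many distinct TIDs they have observed."""
    per_endpoint = tids_per_endpoint(alerts)
    return sorted(((name, len(tids)) for name, tids in per_endpoint.items()),
                  key=lambda item: (-item[1], item[0]))


def endpoints_with_tids(alerts, wanted):
    """Hunt 2: endpoints that observed any TID in `wanted` (e.g. an emerging threat)."""
    wanted = set(wanted)
    return sorted(name for name, tids in tids_per_endpoint(alerts).items()
                  if tids & wanted)


def tids_on_endpoint(alerts, device_name):
    """Hunt 3: distinct TIDs observed on one endpoint already under investigation."""
    return sorted(tids_per_endpoint(alerts).get(device_name, set()))


def stale_detection_tids(detection_tids):
    """Flag TIDs your detections rely on that are deprecated, so the rules can be
    reviewed before the 12-month window in which they still appear on alerts ends."""
    return sorted(t for t in detection_tids if t in DEPRECATED_TIDS)
```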