Skip to content

Integration with Security Frameworks and Security Alerts

MITRE ATT&CK for ICS

The MITRE ICS ATT&CK model was released in January 2020 and provides a framework of common technique, tactics, and procedures (TTP) for attacks on Industrial Control Systems (ICS) and OT environments. While some of these TTP's can be identified using Splunk alone, several of them require third-party support of industrial and network protocols. As a result, the OT Security Add-on for Splunk has two main kinds of alerts, those in which a TTP is identified by a third-party OT Security product or those which can be detected with Splunk alone.

Sec - <TTP> (e.g. OT Sec - Data Historian Compromise​​). Items in yellow are covered by the OT ​Sec - MITRE ICS Alert ​correlation search. This correlation search requires a TTP identifier (specifically a field named technique_id) present in the events sent by the third-party product. This field is already supported by several third-party partner integrations.

By default Splunk will attempt to reach out for the latest version of the MITRE ATT&CK ICS framework; however, due to limitations with many OT environments a static lookup is provided an leveraged when tagging alerts. Any alerts from the MITRE ATT&CK for ICS will begin with a prefix of T0.

Event types

Event types provide a mechanism to classify logs and events and tag them with categories that can be searched and aggregated across multiple indexes, sources, and source types. The OT Security Add-on for Splunk includes event typing specific to MITRE ICS alerts and data from third-party OT Security solutions.

The following event types are used within the solution:

mitre_ics_alert:** this event type is used for all MITRE ICS-related alerts and requires the macro​ get_ot_security_alerts to define which data sources should be included. This event type is used in the correlation search OT Threat - MITRE - ICS Alert ​ to generate notable alerts. In addition, the tag mitre_ics can be used to identify these same events.

Third-party OT Security Product Alerts

Third-party OT Security products often generate alerts and events relevant to Splunk Enterprise Security. These alerts are particularly valuable when they leverage the Alerts data model included in Splunk's Common Information (CIM). To include these events as notables within Splunk, enable the correlation search OT Threat - Non-MITRE ICS OT Security Alert and OT Threat - MITRE ICS Alert to show both non-tagged security alerts and also those tagged with a specific MITRE indicator​. We recommend that this correlation search is run and results are validated and searches tuned prior to enabling the rule globally. This will prevent unnecessary alerts showing up in the Enterprise Security Incident Review dashboard.