1996 Splunk Detections built to find evil.
Detections
Enable your SOC with proven detections
This project gives you access to our repository of Analytic Stories: security guides that provide background on TTPs and are mapped to the MITRE framework, the Lockheed Martin Kill Chain, and CIS controls. They include Splunk searches, machine-learning algorithms, and Splunk SOAR playbooks (where available), all designed to work together to detect, investigate, and respond to threats.
Detection Coverage MITRE ATT&CK
A snapshot in time of the techniques for which we currently have some detection coverage. The visualization below shows our current coverage across all MITRE ATT&CK tactics.
MITRE ID Coverage: percentage of all MITRE techniques & subtechniques detected, with separate counts for techniques and subtechniques
Tactical Coverage: percentage of tactics with at least one detection
MITRE IDs Covered: unique techniques & subtechniques vs total (679)
Coverage Depth: average detections per active tactic
Coverage levels: High Coverage (10+ Detections), Medium Coverage (5-9 Detections), Low Coverage (1-4 Detections)
Questions?
Please use the GitHub issue tracker to submit bugs or request features.
If you have questions or need support, you can:
Contribute Content
If you want to help the rest of the security community by sharing your own detections, see our contributor guide for more information on how to get involved!