MITRE ATT&CK-Driven Threat Hunting in a SOC Environment: A Real-World Case Study Using Splunk Correlation Rules
DOI: https://doi.org/10.63125/9gf98485
Keywords: MITRE ATT&CK, Threat hunting, Security Operations Center, Splunk correlation rules, Detection effectiveness
Abstract
This study investigates the effectiveness of MITRE ATT&CK-driven threat hunting in a Security Operations Center (SOC) environment built on Splunk correlation rules. It is motivated by a familiar problem: modern SOCs struggle with excessive alert volume, false positives, incomplete adversary visibility, and delayed response in complex cloud and enterprise environments. The purpose of the study was to determine whether ATT&CK-aligned threat hunting and better-engineered Splunk correlation rules improve detection effectiveness, triage efficiency, response efficiency, and overall threat hunting success. The research adopted a quantitative, cross-sectional, case-based design using a structured five-point Likert-scale questionnaire administered to 120 cybersecurity professionals drawn from the cloud and enterprise SOC cases studied, including SOC analysts, threat hunters, incident responders, detection engineers, and SOC managers. The independent variables were MITRE ATT&CK alignment, Splunk correlation rule quality, technique coverage adequacy, and precision-noise balance; the dependent variables were threat detection effectiveness, triage efficiency, response efficiency, and overall threat hunting success. Data were analysed using descriptive statistics, Cronbach's alpha reliability testing, correlation analysis, and multiple regression. All major constructs recorded mean scores above the scale midpoint of 3.00, including MITRE ATT&CK alignment (M = 4.18, SD = 0.61), Splunk rule quality (M = 4.09, SD = 0.66), threat detection effectiveness (M = 4.16, SD = 0.58), and overall threat hunting success (M = 4.12, SD = 0.60). Reliability was satisfactory, with Cronbach's alpha ranging from 0.78 to 0.86.
Significant positive relationships were found between ATT&CK alignment and threat detection effectiveness (r = .68, p < .001), Splunk rule quality and triage efficiency (r = .63, p < .001), technique coverage adequacy and SOC performance (r = .59, p < .001), and precision-noise balance and response efficiency (r = .61, p < .001). The regression model explained 64.0% of the variance in threat hunting success (R² = .640, F = 42.37, p < .001), with ATT&CK alignment emerging as the strongest predictor (β = .31, p = .002). The findings imply that organizations can strengthen SOC performance by aligning detection logic with adversary behavior, improving rule precision, and closing technique coverage gaps, particularly in lateral movement and exfiltration.
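Two of the constructs the abstract measures by questionnaire, technique coverage adequacy and precision-noise balance, can also be measured directly from a SOC's rule catalogue. The script below is an added example written for this page; it is not the study's instrument or code, and not Splunk's. It parses a constructed savedsearches.conf excerpt, reads each correlation rule's ATT&CK technique annotation, and reports per-tactic coverage twice: once on paper, and once counting only rules whose observed triage precision clears a threshold, so that a noisy rule does not count as real coverage. The annotation key `action.correlationsearch.annotations` carrying a JSON object with a `mitre_attack` list follows the Splunk Enterprise Security convention as the editor understands it (assumption: check it against your ES version). The rule stanzas, technique list, triage counts and the 0.5 precision threshold are all constructed for illustration.

```python
"""Coverage-gap and precision check over a catalogue of Splunk correlation rules.

Added illustration, not code from the study. The rule stanzas, the technique
list and the triage counts are constructed sample data. The annotation key
action.correlationsearch.annotations with a JSON "mitre_attack" list follows
the Splunk Enterprise Security convention as the editor understands it
(assumption: verify against your ES version).
"""
import json
import re

MIN_PRECISION = 0.5  # assumption: below this, a rule's alert stream is treated as noise

# Constructed: a few techniques per tactic. Lateral Movement and Exfiltration
# are the two tactics the abstract names as typical coverage gaps.
TECHNIQUES = {
    "Lateral Movement": ["T1021.001", "T1021.002", "T1021.006", "T1570"],
    "Exfiltration": ["T1041", "T1048", "T1567.002"],
    "Credential Access": ["T1003.001", "T1110.003"],
}

# Constructed savedsearches.conf excerpt. The last rule is an exfiltration
# detection that nobody tagged, so it contributes nothing to ATT&CK coverage.
SAVEDSEARCHES_CONF = """
[Remote Desktop Network Traffic]
search = | tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.src All_Traffic.dest
action.correlationsearch.annotations = {"mitre_attack": ["T1021.001"]}

[Detect Mimikatz LSASS Access]
search = index=sysmon EventCode=10 TargetImage=*\\lsass.exe GrantedAccess=0x1010
action.correlationsearch.annotations = {"mitre_attack": ["T1003.001"]}

[Password Spray Over Many Users]
search = index=wineventlog EventCode=4625 | stats dc(user) as users by src | where users > 30
action.correlationsearch.annotations = {"mitre_attack": ["T1110.003"]}

[Large Outbound Transfer]
search = index=proxy | stats sum(bytes_out) as out by src | where out > 500000000
"""

# Constructed triage outcomes per rule over a review window: (true positives, false positives).
TRIAGE_OUTCOMES = {
    "Remote Desktop Network Traffic": (2, 48),   # fires on every routine admin session
    "Detect Mimikatz LSASS Access": (5, 1),
    "Password Spray Over Many Users": (3, 2),
    "Large Outbound Transfer": (0, 0),
}

STANZA_RE = re.compile(r"^\[(.+?)\]\s*$", re.M)
ANNOT_RE = re.compile(r"^action\.correlationsearch\.annotations\s*=\s*(\{.*\})\s*$", re.M)


def parse_rules(conf_text):
    """Map rule name -> list of ATT&CK technique IDs; untagged rules map to []."""
    parts = STANZA_RE.split(conf_text)      # [preamble, name1, body1, name2, body2, ...]
    rules = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        match = ANNOT_RE.search(body)
        rules[name] = json.loads(match.group(1)).get("mitre_attack", []) if match else []
    return rules


def precision(tp, fp):
    """Share of a rule's alerts that were true positives; 0.0 if it never fired."""
    return tp / (tp + fp) if tp + fp else 0.0


def coverage_by_tactic(rules, techniques, outcomes=None, min_precision=0.0):
    """Per tactic, (covered technique IDs, gap technique IDs).

    When outcomes are given, a rule only counts toward coverage if its observed
    precision reaches min_precision: a rule that buries analysts in false
    positives is coverage on paper only.
    """
    tactic_of = {t: tactic for tactic, techs in techniques.items() for t in techs}
    covered = {tactic: set() for tactic in techniques}
    for name, techs in rules.items():
        if outcomes is not None and precision(*outcomes.get(name, (0, 0))) < min_precision:
            continue
        for t in techs:
            if t in tactic_of:
                covered[tactic_of[t]].add(t)
    return {tactic: (sorted(covered[tactic]), sorted(set(techs) - covered[tactic]))
            for tactic, techs in techniques.items()}


def unmapped_rules(rules):
    """Rules with no ATT&CK annotation: deployed, but invisible to coverage tracking."""
    return sorted(name for name, techs in rules.items() if not techs)


def report(rules, techniques, outcomes, min_precision=MIN_PRECISION):
    """One line per tactic (on-paper vs precision-filtered coverage and gaps), then untagged rules."""
    raw = coverage_by_tactic(rules, techniques)
    effective = coverage_by_tactic(rules, techniques, outcomes, min_precision)
    lines = []
    for tactic, techs in techniques.items():
        lines.append(f"{tactic}: on paper {len(raw[tactic][0])}/{len(techs)}, "
                     f"after precision filter {len(effective[tactic][0])}/{len(techs)}, "
                     f"gaps {effective[tactic][1]}")
    for name in unmapped_rules(rules):
        lines.append(f"untagged rule: {name}")
    return lines


if __name__ == "__main__":
    for line in report(parse_rules(SAVEDSEARCHES_CONF), TECHNIQUES, TRIAGE_OUTCOMES):
        print(line)
```

On the constructed data the report shows the pattern the abstract describes: Lateral Movement looks 1/4 covered until the RDP rule's 4% precision is taken into account, after which it is 0/4; Exfiltration is 0/3 even though an outbound-transfer rule exists, because it was never tagged; Credential Access is 2/2 by either measure. The same two numbers per tactic, on-paper and precision-filtered coverage, are what a detection-engineering review should track over time rather than raw rule counts.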