Usecase Titles

This document provides a list of analytic stories and use cases related to security monitoring. It includes use cases focused on cloud security and monitoring activities in AWS environments, detecting common adversary tactics like privilege escalation and password spraying, investigating vulnerabilities, malware, and abuse. The use cases cover topics such as best practices, anomaly detection, and threat hunting across cloud, network, and endpoints.
| In use | Analytic Story | Use Case | Description | App | Last Updated |
|---|---|---|---|---|---|
| Bookmark | AWS Cross Account Activity | Cloud Security | Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and | Splunk Security Essentials | 4-Jun-18 |
| Bookmark disabled | AWS Cryptomining | Cloud Security | Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that origina | Splunk Security Essentials | 8-Mar-18 |
| Bookmark disabled | AWS IAM Privilege Escalation | Cloud Security | This analytic story contains detections that query your AWS CloudTrail for activities related to privilege escalation | ES Content Updates | 8-Mar-21 |
| Bookmark disabled | AWS Network ACL Activity | Cloud Security | Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches he | Splunk Security Essentials | 21-May-18 |
| Bookmark disabled | AWS Security Hub Alerts | Cloud Security | This story is focused around detecting Security Hub alerts generated from AWS | Splunk Security Essentials | 4-Aug-20 |
| Bookmark disabled | AWS Suspicious Provisioning Activities | Cloud Security | Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These be | Splunk Security Essentials | 16-Mar-18 |
| Bookmark disabled | AWS User Monitoring | Cloud Security | Detect and investigate dormant user accounts for your AWS environment that have become active again. Becaus | Splunk Security Essentials | 12-Mar-18 |
| Bookmark disabled | Access Protection | Best Practices | Monitoring account activity and securing authentication are critical to enterprise security. This use case includes | DA-ESS-AccessProtection | 13-Sep-18 |
| Bookmark disabled | Active Directory Password Spraying | Adversary Tactics | Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environ | ES Content Updates | 7-Apr-21 |
| Bookmark disabled | Apache Struts Vulnerability | Vulnerability | Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web | Splunk Security Essentials | 6-Dec-18 |
| Bookmark disabled | Asset Tracking | Best Practices | Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/ | Splunk Security Essentials | 13-Sep-17 |
| Bookmark disabled | BITS Jobs | Adversary Tactics | Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. | ES Content Updates | 26-Mar-21 |
| Bookmark disabled | Baron Samedit CVE-2021-3156 | Adversary Tactics | Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has | ES Content Updates | 27-Jan-21 |
| Bookmark disabled | Brand Monitoring | Abuse | Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into in | Splunk Security Essentials | 19-Dec-17 |
| Bookmark disabled | Building Correlation Searches in Splunk Workshop Content | Adversary Tactics | This is the companion app for the Building Correlation Searches with Splunk Enterprise Security workshop. | Correlation Search Workshop | 20-Mar-19 |
| Bookmark disabled | Clop Ransomware | Malware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransom | ES Content Updates | 17-Mar-21 |
| Bookmark disabled | Cloud Cryptomining | Cloud Security | Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that o | Splunk Security Essentials | 2-Oct-19 |
| Bookmark disabled | Cloud Federated Credential Abuse | Cloud Security | This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are u | ES Content Updates | 26-Jan-21 |
| Bookmark disabled | Cobalt Strike | Adversary Tactics | Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate t | ES Content Updates | 16-Feb-21 |
| Bookmark disabled | ColdRoot MacOS RAT | Malware | Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote | Splunk Security Essentials | 9-Jan-19 |
| Bookmark disabled | Collection and Staging | Adversary Tactics | Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers s | Splunk Security Essentials | 3-Feb-20 |
| Bookmark disabled | Command and Control | Adversary Tactics | Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate comm | Splunk Security Essentials | 1-Jun-18 |
| Bookmark disabled | Common Phishing Frameworks | Adversary Tactics | Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed t | Splunk Security Essentials | 29-Apr-19 |
| Bookmark disabled | Container Implantation Monitoring and Investigation | Cloud Security | Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of pot | Splunk Security Essentials | 20-Feb-20 |
| Bookmark disabled | Credential Dumping | Adversary Tactics | Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and at | Splunk Security Essentials | 4-Feb-20 |
| Bookmark disabled | DHS Report TA18-074A | Malware | Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activitie | Splunk Security Essentials | 22-Jan-20 |
| Bookmark disabled | DNS Amplification Attacks | Abuse | DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic S | Splunk Security Essentials | 13-Sep-16 |
| Bookmark disabled | DNS Hijacking | Adversary Tactics | Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized ch | Splunk Security Essentials | 4-Feb-20 |
| Bookmark disabled | DarkSide Ransomware | Malware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ra | ES Content Updates | 12-May-21 |
| Bookmark disabled | Data Exfiltration | Adversary Tactics | The stealing of data by an adversary. | Splunk Security Essentials | 21-Oct-20 |
| Bookmark disabled | Data Protection | Abuse | Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches t | Splunk Security Essentials | 14-Sep-17 |
| Bookmark disabled | Deobfuscate-Decode Files or Information | Adversary Tactics | Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. | ES Content Updates | 24-Mar-21 |
| Bookmark disabled | Detect Zerologon Attack | Adversary Tactics | Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a M | Splunk Security Essentials | 18-Sep-20 |
| Bookmark disabled | Disabling Security Tools | Adversary Tactics | Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as | Splunk Security Essentials | 4-Feb-20 |
| Bookmark disabled | Domain Trust Discovery | Adversary Tactics | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral | ES Content Updates | 25-Mar-21 |
| Bookmark disabled | Dynamic DNS | Malware | Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. A | Splunk Security Essentials | 6-Sep-18 |
| Bookmark disabled | Emotet Malware DHS Report TA18-201A | Malware | Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, ins | Splunk Security Essentials | 27-Jan-20 |
| Bookmark disabled | Endpoint Protection | Adversary Tactics | Use the included searches to set up continuous monitoring for some of the most common threats in your networ | DA-ESS-EndpointProtection | 5-Nov-18 |
| Bookmark disabled | F5 TMUI RCE CVE-2020-5902 | Adversary Tactics | Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerab | Splunk Security Essentials | 2-Aug-20 |
| Bookmark disabled | GCP Cross Account Activity | Cloud Security | Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and | Splunk Security Essentials | 1-Sep-20 |
| Bookmark disabled | HAFNIUM Group | Adversary Tactics | HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-268 | ES Content Updates | 3-Mar-21 |
| Bookmark disabled | Hidden Cobra Malware | Malware | Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may | Splunk Security Essentials | 22-Jan-20 |
| Bookmark disabled | Host Redirection | Abuse | Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--poten | Splunk Security Essentials | 14-Sep-17 |
| Bookmark disabled | Icedid | Malware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID bank | ES Content Updates | 29-Jul-21 |
| Bookmark disabled | Ingress Tool Transfer | Adversary Tactics | Adversaries may transfer tools or other files from an external system into a compromised environment. Files ma | ES Content Updates | 24-Mar-21 |
| Bookmark disabled | JBoss Vulnerability | Vulnerability | In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JB | Splunk Security Essentials | 14-Sep-17 |
| Bookmark disabled | Kubernetes Scanning Activity | Cloud Security | This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information o | Splunk Security Essentials | 15-Apr-20 |
| Bookmark disabled | Kubernetes Sensitive Object Access Activity | Cloud Security | This story addresses detection and response of accounts accessing Kubernetes cluster sensitive objects such a | Splunk Security Essentials | 20-May-20 |
| Bookmark disabled | Kubernetes Sensitive Role Activity | Cloud Security | This story addresses detection and response around Sensitive Role usage within Kubernetes clusters against c | Splunk Security Essentials | 20-May-20 |
| Bookmark disabled | Lateral Movement | Adversary Tactics | Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterp | Splunk Security Essentials | 4-Feb-20 |
| Bookmark disabled | Malicious PowerShell | Adversary Tactics | Attackers are finding stealthy ways to "live off the land," leveraging utilities and tools that come standard on the end | Splunk Security Essentials | 23-Aug-17 |
| Bookmark disabled | Masquerading - Rename System Utilities | Adversary Tactics | Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage o | ES Content Updates | 26-Apr-21 |
| Bookmark disabled | Meterpreter | Adversary Tactics | Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run c | ES Content Updates | 8-Jun-21 |
| Bookmark disabled | Monitor Backup Solution | Best Practices | Address common concerns when monitoring your backup processes. These searches can help you reduce risks | Splunk Security Essentials | 12-Sep-17 |
| Bookmark disabled | Monitor for Unauthorized Software | Best Practices | Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behav | Splunk Security Essentials | 15-Sep-17 |
| Bookmark disabled | Monitor for Updates | Best Practices | Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously ex | Splunk Security Essentials | 15-Sep-17 |
| Bookmark disabled | NOBELIUM Group | Adversary Tactics | Sunburst is a trojanized update to SolarWinds Orion IT monitoring and management software. It was discovere | ES Content Updates | 14-Dec-20 |
| Bookmark disabled | Netsh Abuse | Abuse | Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewa | Splunk Security Essentials | 5-Jan-17 |
| Bookmark disabled | Network Protection | Best Practices | Detect anomalous activity that may indicate that an adversary has penetrated your network. This use case monit | DA-ESS-NetworkProtection | 5-Nov-18 |
| Bookmark disabled | Office 365 Detections | Cloud Security | This story is focused around detecting Office 365 Attacks. | Splunk Security Essentials | 16-Dec-20 |
| Bookmark disabled | Orangeworm Attack Group | Malware | Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently t | Splunk Security Essentials | 22-Jan-20 |
| Bookmark disabled | Phishing Payloads | Adversary Tactics | Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing at | Splunk Security Essentials | 29-Apr-19 |
| Bookmark disabled | Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | Adversary Tactics | Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP thr | Splunk Security Essentials | 22-Jan-20 |
| Bookmark disabled | PrintNightmare CVE-2021-34527 | Lateral Movement | The following analytic story identifies behaviors related to PrintNightmare, or CVE-2021-34527 previously known as | ES Content Updates | 1-Jul-21 |
| Bookmark disabled | Prohibited Traffic Allowed or Protocol Mismatch | Best Practices | Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-st | Splunk Security Essentials | 11-Sep-17 |
| Bookmark disabled | Ransomware | Malware | Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--s | Splunk Security Essentials | 4-Feb-20 |
| Bookmark disabled | Ransomware Cloud | Malware | Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. T | Splunk Security Essentials | 27-Oct-20 |
| Bookmark disabled | Revil Ransomware | Malware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransom | ES Content Updates | 4-Jun-21 |
| Bookmark disabled | Router and Infrastructure Security | Best Practices | Validate the security configuration of network infrastructure and verify that only authorized users and systems ar | Splunk Security Essentials | 12-Sep-17 |
| Bookmark disabled | Ryuk Ransomware | Malware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ranso | Splunk Security Essentials | 6-Nov-20 |
| Bookmark disabled | SQL Injection | Adversary Tactics | Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts cha | Splunk Security Essentials | 19-Sep-17 |
| Bookmark disabled | SamSam Ransomware | Malware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ra | Splunk Security Essentials | 13-Dec-18 |
| Bookmark disabled | Silver Sparrow | Adversary Tactics | Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious so | ES Content Updates | 24-Feb-21 |
| Bookmark disabled | Spearphishing Attachments | Adversary Tactics | Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing at | ES Content Updates | 29-Apr-19 |
| Bookmark disabled | Spectre And Meltdown Vulnerabilities | Vulnerability | Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this A | Splunk Security Essentials | 8-Jan-18 |
| Bookmark disabled | Splunk Enterprise Vulnerability | Vulnerability | Keeping your Splunk deployment up to date is critical and may help you reduce the risk of CVE-2016-4859, an op | Splunk Security Essentials | 19-Sep-17 |
| Bookmark disabled | Splunk Enterprise Vulnerability CVE-2018-11409 | Vulnerability | Reduce the risk of CVE-2018-11409, an information disclosure vulnerability within some older versions of Splunk | Splunk Security Essentials | 14-Jun-18 |
| Bookmark disabled | Sunburst Malware | Adversary Tactics | Sunburst is a trojanized update to SolarWinds Orion IT monitoring and management software. It was discovere | Splunk Security Essentials | 14-Dec-20 |
| Bookmark disabled | Suspicious AWS EC2 Activities | Cloud Security | Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity an | Splunk Security Essentials | 9-Feb-18 |
| Bookmark disabled | Suspicious AWS Login Activities | Cloud Security | Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help | Splunk Security Essentials | 1-May-19 |
| Bookmark disabled | Suspicious AWS S3 Activities | Cloud Security | Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and s | Splunk Security Essentials | 24-Jul-18 |
| Bookmark disabled | Suspicious AWS Traffic | Cloud Security | Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious | Splunk Security Essentials | 7-May-18 |
| Bookmark disabled | Suspicious Cloud Authentication Activities | Cloud Security | Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates t | Splunk Security Essentials | 4-Jun-20 |
| Bookmark disabled | Suspicious Cloud Instance Activities | Cloud Security | Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual loca | Splunk Security Essentials | 25-Aug-20 |
| Bookmark disabled | Suspicious Cloud Provisioning Activities | Cloud Security | Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual loca | Splunk Security Essentials | 20-Aug-18 |
| Bookmark disabled | Suspicious Cloud User Activities | Cloud Security | Detect and investigate suspicious activities by users and roles in your cloud environments. | Splunk Security Essentials | 4-Sep-20 |
| Bookmark disabled | Suspicious Command-Line Executions | Adversary Tactics | Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is | Splunk Security Essentials | 3-Feb-20 |
| Bookmark disabled | Suspicious DNS Traffic | Adversary Tactics | Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attem | Splunk Security Essentials | 18-Sep-17 |
| Bookmark disabled | Suspicious Emails | Adversary Tactics | Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. De | Splunk Security Essentials | 27-Jan-20 |
| Bookmark disabled | Suspicious GCP Storage Activities | Cloud Security | Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity a | Splunk Security Essentials | 5-Aug-20 |
| Bookmark disabled | Suspicious MSHTA Activity | Adversary Tactics | Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code | Splunk Security Essentials | 3-Feb-20 |
| Bookmark disabled | Suspicious Okta Activity | Adversary Tactics | Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating ov | Splunk Security Essentials | 2-Apr-20 |
| Bookmark disabled | Suspicious Regsvr32 Activity | Adversary Tactics | Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious co | ES Content Updates | 29-Jan-21 |
| Bookmark disabled | Suspicious Rundll32 Activity | Adversary Tactics | Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code. | ES Content Updates | 3-Feb-21 |
| Bookmark disabled | Suspicious WMI Use | Adversary Tactics | Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated u | Splunk Security Essentials | 23-Oct-18 |
| Bookmark disabled | Suspicious Windows Registry Activities | Adversary Tactics | Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infi | Splunk Security Essentials | 31-May-18 |
| Bookmark disabled | Suspicious Zoom Child Processes | Adversary Tactics | Attackers are using Zoom as a vector to increase privileges on systems. This story detects new child processe | Splunk Security Essentials | 13-Apr-20 |
| Bookmark disabled | Trickbot | Malware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot ban | ES Content Updates | 20-Apr-21 |
| Bookmark disabled | Trusted Developer Utilities Proxy Execution | Adversary Tactics | Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious cod | ES Content Updates | 12-Jan-21 |
| Bookmark disabled | Trusted Developer Utilities Proxy Execution MSBuild | Adversary Tactics | Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious co | ES Content Updates | 21-Jan-21 |
| Bookmark disabled | Unusual AWS EC2 Modifications | Cloud Security | Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your E | Splunk Security Essentials | 9-Apr-18 |
| Bookmark disabled | Unusual Processes | Malware | Quickly identify systems running new or unusual processes in your environment that could be indicators of susp | Splunk Security Essentials | 4-Feb-20 |
| Bookmark disabled | Use of Cleartext Protocols | Best Practices | Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encr | Splunk Security Essentials | 15-Sep-17 |
| Bookmark disabled | Web Fraud Detection | Abuse | Monitor your environment for activity consistent with common attack techniques bad actors use when attemptin | Splunk Security Essentials | 8-Oct-18 |
| Bookmark disabled | Windows DNS SIGRed CVE-2020-1350 | Adversary Tactics | Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerab | Splunk Security Essentials | 28-Jul-20 |
| Bookmark disabled | Windows Defense Evasion Tactics | Adversary Tactics | Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg | Splunk Security Essentials | 31-May-18 |
| Bookmark disabled | Windows File Extension and Association Abuse | Malware | Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious | Splunk Security Essentials | 26-Jan-18 |
| Bookmark disabled | Windows Log Manipulation | Adversary Tactics | Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monito | Splunk Security Essentials | 12-Sep-17 |
| Bookmark disabled | Windows Persistence Techniques | Adversary Tactics | Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that | Splunk Security Essentials | 31-May-18 |
| Bookmark disabled | Windows Privilege Escalation | Adversary Tactics | Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, includin | Splunk Security Essentials | 4-Feb-20 |
| Bookmark disabled | Windows Service Abuse | Malware | Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact | Splunk Security Essentials | 2-Nov-17 |
|  | XMRig | Malware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig mone |  |  |

The XMRig description cell runs past the column width; the In use, App and Last Updated values for that row are not on the page. The part of the description that survives, with its overlapping wrapped fragments merged and with the text between "xmrig mone" and "on, killing" missing, reads:

...on, killing other malware or other coin miner) and hacking tools including Telegram as mean of command and control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.