ES v5.0.0 Correlation Searches
Confidential 07/26/2018

Title: Abnormally High Number of Endpoint Changes By User
Security Domain: Endpoint
Description: Detects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits, filesystem, user, and registry modifications.
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Abnormally High Number of HTTP Method Events By Src
Security Domain: Network
Description: Alerts when a host has an abnormally high number of HTTP requests by HTTP method.
Example Data Source(s): Proxy and web logs (e.g. Blue Coat, Palo Alto, Bro IDS, Splunk Stream (HTTP), OpenDNS, Zscaler, Websense, Cisco ESA, Apache, IIS, Squid)
Example CIM-compliant Apps & TAs: Splunk Add-on for Blue Coat ProxySG; Palo Alto Networks Add-on for Splunk; Splunk Add-on for Bro IDS; Splunk Add-on for Websense Content Gateway; Splunk Add-on for Cisco ESA; Splunk Add-on for Apache Web Server; Splunk Add-on for Microsoft IIS; Splunk Add-on for Squid Proxy

Title: Account Deleted
Security Domain: Access
Description: Detects user and computer account deletion.
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Activity from Expired User Identity
Security Domain: Identity
Description: Alerts when an event is discovered from a user associated with an identity that is now expired (that is, the end date of the identity has passed).
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Anomalous Audit Trail Activity Detected
Security Domain: Audit
Description: Discovers anomalous activity such as the deletion or clearing of log files. Attackers oftentimes clear log files in order to hide their actions, so this may indicate that the system has been compromised.
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Anomalous New Listening Port
Security Domain: Endpoint
Description: Alerts when a series of hosts begin listening on a new port within 24 hours. This may be an indication that the devices have been compromised or have had new (and potentially vulnerable) software installed.
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Anomalous New Process
Security Domain: Endpoint
Description: Alerts when an anomalous number of hosts are detected with a new process.
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Anomalous New Service
Security Domain: Endpoint
Description: Alerts when an anomalous number of hosts are detected with a new service.
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Asset Ownership Unspecified
Security Domain: Identity
Description: Alerts when there are assets that define a specific priority and category but do not have an assigned owner.
Example Data Source(s): Active Directory, Asset Discovery Tools, Cisco ISE, Configuration Management Database (CMDB), Lightweight Directory Access Protocol (LDAP), McAfee ePO, Microsoft SCOM, ServiceNow, Sophos, XML/CSV
Example CIM-compliant Apps & TAs: Splunk Supporting Add-on for Active Directory; Splunk Add-on for Cisco Identity Services; Splunk Add-on for McAfee; Splunk Add-on for Microsoft System Center Operations Manager; Splunk Add-on for ServiceNow; Splunk Add-on for Sophos

Title: Brute Force Access Behavior Detected
Security Domain: Access
Description: Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack).
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Brute Force Access Behavior Detected Over One Day
Security Domain: Access
Description: Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack).
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Cleartext Password At Rest Detected
Security Domain: Access
Description: Detects cleartext passwords being stored at rest (such as in the Unix passwd file).
Example Data Source(s): Any device that produces clear text or other insecure authentication activity, such as Windows Security, telnet, and others
Example CIM-compliant Apps & TAs: (none listed)

Title: Completely Inactive Account
Security Domain: Access
Description: Discovers accounts that are no longer used. Unused accounts should be disabled, as they are oftentimes used by attackers to gain unauthorized access.
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Concurrent Login Attempts Detected
Security Domain: Access
Description: Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse.
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Default Account Activity Detected
Security Domain: Access
Description: Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools.
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Default Account At Rest Detected
Security Domain: Access
Description: Discovers the presence of default accounts even if they are not being used. Default accounts should be disabled in order to prevent an attacker from using them to gain unauthorized access to remote hosts.
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Excessive DNS Failures
Security Domain: Network
Description: Alerts when a host receives many DNS failures in a short span.
Example Data Source(s): DNS, Splunk Stream (DNS), Bro IDS, Infoblox
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows DNS; Splunk Stream; Splunk Add-on for Bro IDS; Splunk Add-on for Infoblox

Title: Excessive DNS Queries
Security Domain: Network
Description: Alerts when a host starts sending excessive DNS queries.
Example Data Source(s): DNS, Splunk Stream (DNS), Bro IDS, Infoblox
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows DNS; Splunk Stream; Splunk Add-on for Bro IDS; Splunk Add-on for Infoblox

Title: Excessive Failed Logins
Security Domain: Access
Description: Detects an excessive number of failed login attempts (this is likely a brute force attack).
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Excessive HTTP Failure Responses
Security Domain: Network
Description: Alerts when a host generates a lot of HTTP failures in a short span of time.
Example Data Source(s): Proxy and web logs (e.g. Blue Coat, Palo Alto, Bro IDS, Splunk Stream (HTTP), OpenDNS, Zscaler, Websense, Cisco ESA, Apache, IIS, Squid)
Example CIM-compliant Apps & TAs: Splunk Add-on for Blue Coat ProxySG; Palo Alto Networks Add-on for Splunk; Splunk Add-on for Bro IDS; Splunk Add-on for Websense Content Gateway; Splunk Add-on for Cisco ESA; Splunk Add-on for Apache Web Server; Splunk Add-on for Microsoft IIS; Splunk Add-on for Squid Proxy

Title: Expected Host Not Reporting
Security Domain: Audit
Description: Discovers hosts that are no longer reporting events but should be submitting log events. This rule is used to monitor hosts that you know should be providing a constant stream of logs, in order to determine why a host has failed to provide log data.
Example Data Source(s): Splunk internal data
Example CIM-compliant Apps & TAs: (none listed)

Title: Geographically Improbable Access Detected
Security Domain: Access
Description: Alerts on access attempts that are improbable based on time and geography.
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: High Number of Hosts Not Updating Malware Signatures
Security Domain: Endpoint
Description: Alerts when a high number of hosts not updating malware signatures has been discovered. These hosts should be evaluated to determine why they are not updating their malware signatures.
Example Data Source(s): Kaspersky Lab, McAfee ePO, Sophos, Symantec, Trend Micro, FireEye
Example CIM-compliant Apps & TAs: Splunk Add-on for McAfee; Splunk Add-on for Sophos; Splunk Add-on for Symantec Endpoint Protection; Trend Micro Deep Security for Splunk; FireEye Add-on for Splunk Enterprise

Title: High Number Of Infected Hosts
Security Domain: Endpoint
Description: Alerts when a high total number of infected hosts is discovered.
Example Data Source(s): Kaspersky Lab, McAfee ePO, Sophos, Symantec, Trend Micro, FireEye
Example CIM-compliant Apps & TAs: Splunk Add-on for McAfee; Splunk Add-on for Sophos; Splunk Add-on for Symantec Endpoint Protection; Trend Micro Deep Security for Splunk; FireEye Add-on for Splunk Enterprise

Title: High Or Critical Priority Host With Malware Detected
Security Domain: Endpoint
Description: Alerts when an infection is noted on a host with high or critical priority.
Example Data Source(s): Kaspersky Lab, McAfee ePO, Sophos, Symantec, Trend Micro, FireEye
Example CIM-compliant Apps & TAs: Splunk Add-on for McAfee; Splunk Add-on for Sophos; Splunk Add-on for Symantec Endpoint Protection; Trend Micro Deep Security for Splunk; FireEye Add-on for Splunk Enterprise

Title: High or Critical Priority Individual Logging into Infected Machine
Security Domain: Access
Description: Detects users with a high or critical priority logging into a malware-infected machine.
Example Data Source(s): (Assets + Identities + Anti-malware)
Example CIM-compliant Apps & TAs: (none listed)

Title: High Process Count
Security Domain: Endpoint
Description: Alerts when a host has a high number of processes. This may be due to an infection or a runaway process.
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: High Volume Email Activity to Non-corporate Domains by User
Security Domain: Identity
Description: Alerts on high volume email activity by a user to non-corporate domains.
Example Data Source(s): Mail server logs (e.g. Splunk Stream (SMTP), Microsoft Exchange, Bro IDS, Cisco ESA)
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Exchange; Splunk Add-on for Bro IDS; Splunk Add-on for Cisco ESA

Title: High Volume of Traffic from High or Critical Host Observed
Security Domain: Network
Description: Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that the host has been compromised.
Example Data Source(s): Firewalls (e.g. Palo Alto, Fortinet, Check Point, Cisco, Juniper)
Example CIM-compliant Apps & TAs: Palo Alto Networks Add-on for Splunk; Fortinet FortiGate Add-On for Splunk; Splunk Add-on for Check Point OPSEC LEA; Splunk Add-on for Cisco ASA; Splunk Add-on for Juniper

Title: Host Sending Excessive Email
Security Domain: Endpoint
Description: Alerts when a host not designated as an e-mail server sends excessive e-mail to one or more target hosts.
Example Data Source(s): Mail server logs (e.g. Splunk Stream (SMTP), Microsoft Exchange, Bro IDS, Cisco ESA)
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Exchange; Splunk Add-on for Bro IDS; Splunk Add-on for Cisco ESA

Title: Host With A Recurring Malware Infection
Security Domain: Endpoint
Description: Alerts when a host has an infection that has been removed and has recurred multiple times over multiple days.
Example Data Source(s): Kaspersky Lab, McAfee ePO, Sophos, Symantec, Trend Micro, FireEye
Example CIM-compliant Apps & TAs: Splunk Add-on for McAfee; Splunk Add-on for Sophos; Splunk Add-on for Symantec Endpoint Protection; Trend Micro Deep Security for Splunk; FireEye Add-on for Splunk Enterprise

Title: Host With High Number Of Listening ports
Security Domain: Endpoint
Description: Alerts when a host has a high number of listening services. This may be an indication that the device is running services that are not necessary (such as a default installation of a server) or is not running a firewall.
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Host With High Number Of Services
Security Domain: Endpoint
Description: Alerts when a host has a high number of services. This may be an indication that the device is running services that are not necessary (such as a default installation of a server).
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Host With Multiple Infections
Security Domain: Endpoint
Description: Alerts when a host with multiple infections is discovered.
Example Data Source(s): Kaspersky Lab, McAfee ePO, Sophos, Symantec, Trend Micro, FireEye
Example CIM-compliant Apps & TAs: Splunk Add-on for McAfee; Splunk Add-on for Sophos; Splunk Add-on for Symantec Endpoint Protection; Trend Micro Deep Security for Splunk; FireEye Add-on for Splunk Enterprise

Title: Host With Old Infection Or Potential Re-Infection
Security Domain: Endpoint
Description: Alerts when a host with an old infection is discovered (likely a re-infection).
Example Data Source(s): Kaspersky Lab, McAfee ePO, Sophos, Symantec, Trend Micro, FireEye
Example CIM-compliant Apps & TAs: Splunk Add-on for McAfee; Splunk Add-on for Sophos; Splunk Add-on for Symantec Endpoint Protection; Trend Micro Deep Security for Splunk; FireEye Add-on for Splunk Enterprise

Title: Inactive Account Activity Detected
Security Domain: Access
Description: Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully gained access to an account that was no longer being used.
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Insecure Or Cleartext Authentication Detected
Security Domain: Access
Description: Detects authentication requests that transmit the password over the network as cleartext (unencrypted).
Example Data Source(s): Any device that produces clear text or other insecure authentication activity, such as Windows Security, telnet, and others
Example CIM-compliant Apps & TAs: (none listed)

Title: Multiple Primary Functions Detected
Security Domain: Endpoint
Description: Multiple Primary Functions Detected
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Network Change Detected
Security Domain: Network
Description: Detects changes to policies of the network protection devices (such as firewall policy changes).
Example Data Source(s): Policy manager (e.g. Tripwire Enterprise CCM)
Example CIM-compliant Apps & TAs: Tripwire Enterprise Add-on for Splunk

Title: Network Device Rebooted
Security Domain: Network
Description: Increases the risk score of network devices that have been rebooted.
Example Data Source(s): Firewalls (e.g. Palo Alto, Fortinet, Check Point, Cisco, Juniper)
Example CIM-compliant Apps & TAs: Palo Alto Networks Add-on for Splunk; Fortinet FortiGate Add-On for Splunk; Splunk Add-on for Check Point OPSEC LEA; Splunk Add-on for Cisco ASA; Splunk Add-on for Juniper

Title: New User Account Created On Multiple Hosts
Security Domain: Endpoint
Description: Alerts when numerous new accounts for a username are created across multiple hosts.
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Outbreak Detected
Security Domain: Endpoint
Description: Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infection.
Example Data Source(s): Kaspersky Lab, McAfee ePO, Sophos, Symantec, Trend Micro, FireEye
Example CIM-compliant Apps & TAs: Splunk Add-on for McAfee; Splunk Add-on for Sophos; Splunk Add-on for Symantec Endpoint Protection; Trend Micro Deep Security for Splunk; FireEye Add-on for Splunk Enterprise

Title: Personally Identifiable Information Detected
Security Domain: Audit
Description: Detects personally identifiable information (PII) in log files. Some software will inadvertently write sensitive information to log files, causing the information to be exposed unnecessarily to those reviewing the log files.
Example Data Source(s): All machine data sources
Example CIM-compliant Apps & TAs: (none listed)

Title: Potential Gap in Data
Security Domain: Audit
Description: Detects gaps caused by the failure of the search head. If saved searches do not execute, then there may be gaps in summary data.
Example Data Source(s): Splunk internal data
Example CIM-compliant Apps & TAs: (none listed)

Title: Prohibited Port Activity Detected
Security Domain: Network
Description: Detects the use of ports that are prohibited. Useful for detecting the installation of new software or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet).
Example Data Source(s): Firewalls (e.g. Palo Alto, Fortinet, Check Point, Cisco, Juniper), Endpoints (e.g. Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften)
Example CIM-compliant Apps & TAs: Palo Alto Networks Add-on for Splunk; Fortinet FortiGate Add-On for Splunk; Splunk Add-on for Check Point OPSEC LEA; Splunk Add-on for Cisco ASA; Splunk Add-on for Juniper; Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Prohibited Process Detected
Security Domain: Endpoint
Description: Alerts when a process in the prohibited process list is detected.
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Prohibited Service Detected
Security Domain: Endpoint
Description: Alerts when a service in the prohibited service list is detected.
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Same Error On Many Servers Detected
Security Domain: Threat
Description: Alerts when multiple systems are exhibiting the same errors.
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Short-lived Account Detected
Security Domain: Access
Description: Detects when an account or credential is created and then removed a short time later. This may be an indication of malicious activities.
Example Data Source(s): Windows Security, Active Directory, Unix SSH, Linux AuditD, CyberArk, VPN, RSA, Okta, Google Authenticator, RADIUS
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Supporting Add-on for Active Directory; Splunk Add-on for Unix and Linux; Linux Auditd; Splunk Add-on for CyberArk; Technology Add-on for RSA SecurID; Splunk Add-on for Okta

Title: Should Timesync Host Not Syncing
Security Domain: Endpoint
Description: Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that event logs are stamped with the proper time. Additionally, this is required by some regulatory compliance standards (such as PCI).
Example Data Source(s): Microsoft EMET, Microsoft System Center, Microsoft Sysmon, Tripwire Enterprise, Carbon Black, SolidCore, McAfee IntruShield, fschange, OSSEC, Tanium, IBM BigFix, ServiceNow, Cylance, Ziften
Example CIM-compliant Apps & TAs: Splunk Add-on for Microsoft Windows; Splunk Add-on for Microsoft System Center Operations Manager; Add-on for Microsoft Sysmon; Tripwire Enterprise Add-on for Splunk; Splunk Add-on for Bit9 Carbon Black; Splunk Add-on for McAfee; Splunk Add-on for OSSEC; Splunk Add-on for ServiceNow; CylancePROTECT Add-on for Splunk Enterprise; Ziften Zenith Add-on

Title: Substantial Increase In Events
Security Domain: Network
Description: Alerts when a statistically significant increase in a particular event is observed.
Example Data Source(s): All machine data sources
Example CIM-compliant Apps & TAs: (none listed)

Title: Substantial Increase In Port Activity
Security Domain: Network
Description: Alerts when a statistically significant increase in events on a given port is observed.
Example Data Source(s): Firewalls (e.g. Palo Alto, Fortinet, Check Point, Cisco, Juniper)
Example CIM-compliant Apps & TAs: Palo Alto Networks Add-on for Splunk; Fortinet FortiGate Add-On for Splunk; Splunk Add-on for Check Point OPSEC LEA; Splunk Add-on for Cisco ASA; Splunk Add-on for Juniper

Title: Threat Activity Detected
Security Domain: Threat
Description: Alerts when any activity matching threat intelligence is detected.
Example Data Source(s): Threat feeds/intelligence
Example CIM-compliant Apps & TAs: (none listed)

Title: UEBA Anomaly Detected (Risk)
Security Domain: (none listed)
Description: (none listed)
Example Data Source(s): Splunk UBA
Example CIM-compliant Apps & TAs: (none listed)

Title: UEBA Threat Detected
Security Domain: Threat
Description: Detects UEBA threat events.
Example Data Source(s): Splunk UBA
Example CIM-compliant Apps & TAs: (none listed)

Title: UEBA Threat Detected (Risk)
Security Domain: (none listed)
Description: (none listed)
Example Data Source(s): Splunk UBA
Example CIM-compliant Apps & TAs: (none listed)

Title: Unroutable Activity Detected
Security Domain: Network
Description: Alerts when activity to or from a host that is unroutable is detected.
Example Data Source(s): Firewalls (e.g. Palo Alto, Fortinet, Check Point, Cisco, Juniper)
Example CIM-compliant Apps & TAs: Palo Alto Networks Add-on for Splunk; Fortinet FortiGate Add-On for Splunk; Splunk Add-on for Check Point OPSEC LEA; Splunk Add-on for Cisco ASA; Splunk Add-on for Juniper

Title: Untriaged Notable Events
Security Domain: (none listed)
Description: Alerts when notable events have not been triaged.
Example Data Source(s): Splunk internal data
Example CIM-compliant Apps & TAs: (none listed)

Title: Unusual Volume of Network Activity
Security Domain: Network
Description: Detects unusual network traffic that may be indicative of a DoS attack, as indicated by a high number of unique sources or a high volume of firewall packets.
Example Data Source(s): Firewalls (e.g. Palo Alto, Fortinet, Check Point, Cisco, Juniper)
Example CIM-compliant Apps & TAs: Palo Alto Networks Add-on for Splunk; Fortinet FortiGate Add-On for Splunk; Splunk Add-on for Check Point OPSEC LEA; Splunk Add-on for Cisco ASA; Splunk Add-on for Juniper

Title: Vulnerability Scanner Detected (by events)
Security Domain: Network
Description: Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number of unique events when scanning a host, since each vulnerability check tends to trigger a unique event.
Example Data Source(s): IDS (e.g. Bro IDS, Check Point, Suricata, Cisco WSA, Trend Micro)
Example CIM-compliant Apps & TAs: Splunk Add-on for Bro IDS; Splunk Add-on for Check Point OPSEC LEA; Splunk TA for Suricata; Splunk Add-on for Cisco WSA; Trend Micro TippingPoint app for Splunk; Trend Micro Deep Security for Splunk

Title: Vulnerability Scanner Detected (by targets)
Security Domain: Network
Description: Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts.
Example Data Source(s): IDS (e.g. Bro IDS, Check Point, Suricata, Cisco WSA, Trend Micro)
Example CIM-compliant Apps & TAs: Splunk Add-on for Bro IDS; Splunk Add-on for Check Point OPSEC LEA; Splunk TA for Suricata; Splunk Add-on for Cisco WSA; Trend Micro TippingPoint app for Splunk; Trend Micro Deep Security for Splunk

Title: Watchlisted Event Observed
Security Domain: Threat
Description: Alerts when an event is discovered that includes text identified as important. This rule triggers whenever an event is discovered with the tag "watchlist".
Example Data Source(s): When any event with a tag=watchlist is reported.
Example CIM-compliant Apps & TAs: (none listed)

Title: Web Uploads to Non-corporate Sites by Users
Security Domain: Identity
Description: Alerts on high volume web uploads by a user to non-corporate domains.
Example Data Source(s): Proxy and web logs (e.g. Blue Coat, Palo Alto, Bro IDS, Splunk Stream (HTTP), OpenDNS, Zscaler, Websense, Cisco ESA, Apache, IIS, Squid)
Example CIM-compliant Apps & TAs: Splunk Add-on for Blue Coat ProxySG; Palo Alto Networks Add-on for Splunk; Splunk Add-on for Bro IDS; Splunk Add-on for Websense Content Gateway; Splunk Add-on for Cisco ESA; Splunk Add-on for Apache Web Server; Splunk Add-on for Microsoft IIS; Splunk Add-on for Squid Proxy


Analytic Story | Category | Description

Account Monitoring and Controls | Best Practices | This Analytic Story helps analysts actively manage the lifecycle of system and application accounts. Specifically, it helps analysts navigate account creation, use, dormancy, and deletion. The goal of this Analytic Story is to allow analysts to minimize the opportunities for attackers to leverage accounts and gain unauthorised access.

Apache Struts Vulnerability | Vulnerability | This analytic story provides searches to detect activity that may indicate behaviors associated with Apache Struts vulnerabilities.

Asset Tracking | Best Practices | This analytic story allows you to actively inventory, track, and monitor all devices on the network, helping you identify authorized assets and investigate unauthorized and unmanaged devices, to ensure that there are no rogue devices.

AWS Cryptomining | Cloud Security | Monitor your AWS EC2 instances for activities related to cryptomining.

AWS Network ACL Activity | Cloud Security | Monitor your AWS Network infrastructure using your CloudTrail logs.

AWS Suspicious Provisioning Activities | Cloud Security | Monitor your AWS provisioning activities for behaviors from suspicious or unknown locations.

AWS User Monitoring | Cloud Security | Monitor your AWS user activities.

Brand Monitoring | Abuse | This analytic story helps you detect activity that may indicate that an adversary is attempting to abuse your brand by using a fully qualified domain name (FQDN) that looks very similar to the real one, in an attempt to fool your employees or customers into interacting with malicious infrastructure. It allows you to specify the FQDNs that you care about and will generate alternate permutations from that domain and monitor your infrastructure for indication of DNS activity to those faux domains.

Collection and Staging | Adversary Tactics | This analytic story is focused on the "Collection" tactic, as represented in the Mitre ATT&CK framework. It can help you detect adversaries that may be harvesting and exfiltrating sensitive data and prevent further post-compromise damage.

Data Protection | Abuse | Data protection encompasses a variety of methods to mitigate the possibility of data exfiltration, while ensuring its confidentiality and integrity. This analytic story provides searches to fortify your data-protection arsenal.

DHS Report TA18-074A | Malware | Monitor for suspicious activities associated with DHS Technical Alert: US-CERT TA18-074A.

Disabling Security Tools | Adversary Tactics | This Analytic Story looks for activities and techniques associated with the disabling of security tools on a Windows system.

DNS Amplification Attacks | Abuse | DNS poses a serious threat as a Denial of Service (DoS) amplifier if it responds to ANY queries. This analytic story can help you detect attackers who may be abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.

Dynamic DNS | Malware | This analytic story features searches focused on detecting hosts in your environment that may be communicating with domains associated with DDNS infrastructure.

Host Redirection | Abuse | This analytic story looks for techniques that can be used to redirect traffic from a host to a destination other than the one intended, potentially one that is part of an adversary's attack infrastructure.

JBoss Vulnerability | Vulnerability | In March of 2016, adversaries were seen using JexBoss, an open-source utility used for testing and exploiting JBoss application servers. This story looks for evidence of these attacks.

Lateral Movement | Adversary Tactics | Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise.

Malicious PowerShell | Adversary Tactics | Attackers are finding stealthy ways to "live off the land," leveraging utilities and tools that come standard on the endpoint, such as PowerShell, to achieve their goals without downloading binary files. The searches within this analytic story can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.

Monitor Backup Solution | Best Practices | Reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints. Learn how to address common concerns when monitoring your backup processes.

Monitor for Unauthorized Software | Best Practices | This analytic story helps identify and investigate prohibited software or processes that may be running within the environment.

Monitor for Updates | Best Practices | Monitor your enterprise to ensure that your endpoints are being patched and updated.

Netsh Abuse | Abuse | Detect activities and various techniques associated with the abuse of netsh.exe.

Prohibited Traffic Allowed or Protocol Mismatch | Best Practices | Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.

Ransomware | Malware | Activities, techniques, and best practices associated with detecting, investigating, and mitigating your risk to ransomware.

Router & Infrastructure Security | Best Practices | Core routing and switching infrastructure are strategic targets for attackers. This Analytic Story helps ensure the security configuration of network infrastructure and that only authorized users and systems are accessing these critical assets.

Spectre And Meltdown Vulnerabilities | Vulnerability | This analytic story helps you assess your risk to the Spectre and Meltdown CPU vulnerabilities.

Splunk Enterprise Vulnerability | Vulnerability | This Analytic Story is associated with the detection of CVE-2016-4859, an open redirection vulnerability within Splunk Enterprise.

SQL Injection | Adversary Tactics | This analytic story includes searches that help to detect Structured Query Language (SQL) injection attempts.

Suspicious AWS EC2 activities | Cloud Security | Monitor your AWS EC2 instance activities using your CloudTrail logs.

Suspicious AWS Login Activities | Cloud Security | Monitor your AWS authentication events using your CloudTrail logs.

Suspicious Command Line Executions | Adversary Tactics | This Analytic Story focuses on the adversary's use of the Command-Line Interface. Leveraging the Windows Command-Line Interface (CLI), or "command shell", is one of the techniques most often used by attackers and is also detailed in the MITRE ATT&CK framework. This Analytic Story consists of a variety of methods for identifying unusual or suspicious use of the CLI on Windows systems.

Suspicious DNS Traffic | Adversary Tactics | Domain Name System (DNS) is a foundational protocol that is found in all enterprises. Attackers often seek to hide within high-volume protocols such as DNS, or abuse the protocol in various ways.

Suspicious Emails | Adversary Tactics | Email remains one of the primary means for attackers to gain an initial foothold within modern enterprises. This Analytic Story contains searches that help you detect and investigate suspicious emails in your environment.

Suspicious WMI Use | Adversary Tactics | Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems which can be leveraged to manage both local and remote systems.

Unusual AWS EC2 Modifications | Cloud Security | Monitor for AWS EC2 instances being modified by unusual users or in unusual ways.

Unusual Processes | Malware | Systems that have unusual processes running on them.

Use of Cleartext Protocols | Best Practices | This Analytic Story includes searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.

Windows Defense Evasion Tactics | Adversary Tactics | This analytic story looks for tactics used by malware to evade defenses on Windows endpoints.

Windows File Extension and Association Abuse | Malware | Detect and investigate suspected abuse of file extensions and Windows file associations.

Windows Log Manipulation | Adversary Tactics | Suspicious activity surrounding manipulation of the various logs on Windows.

Windows Persistence Techniques | Adversary Tactics | This Analytic Story looks for activities and techniques associated with maintaining persistence on a Windows system.

Windows Privilege Escalation | Adversary Tactics | This Analytic Story looks for activities and techniques associated with elevating privileges on a Windows system.

Windows Service Abuse | Malware | This analytic story looks for indications that Windows services are being modified or created in a suspicious manner. Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel.
Kill Chain Phases | CIS Controls | MITRE ATT&CK Tactics/Techniques | NIST Category
16 Valid Accounts PR.IP

Delivery 18 Exploitation of Vulnerability ID.RA


Actions on Objective 4 Defense Evasion RS.MI
12 Execution PR.PT
3 System Information Discovery PR.IP
Discovery DE.AE
PR.MA
DE.CM

Delivery 1 Defense Evasion ID.AM


Actions on Objective PR.DS
Reconnaissance

Actions on Objective 12 Defense Evasion ID.AM


13 Execution DE.AE
1 DE.DP
PR.AC
PR.DS

Actions on Objective 11 Persistence DE.AE


DE.DP
1 ID.AM

– –

Actions on Objective 16 Credential Access ID.AM


Execution PR.DS
DE.DP
PR.AC
DE.AE
DE.CM
Delivery 7 PR.IP
Actions on Objective

Actions on Objective 7 Commonly Used Port PR.PT


8 Data Staged DE.AE
Email Collection DE.CM
Collection

Command and Control 12 Commonly Used Port PR.PT


Actions on Objective 13 Exfiltration PR.DS
Installation 8 Exfiltration Over Command and Control Channel DE.CM
Defense Evasion DE.AE
Command and Control
Command and Control 8 New Service ID.AM
Actions on Objective 7 Modify Registry PR.DS
Installation 12 AppInit DLLs PR.IP
5 Modify Existing Service PR.PT
2 Commonly Used Port PR.AC
3 Authentication Package PR.AT
16 Command-Line Interface DE.CM
Scheduled Task DE.AE
Disabling Security Tools
Lateral Movement
Credential Access
Registry Run Keys / Start Folder
Valid Accounts
Scripting
Privilege Escalation
Defense Evasion
Execution
PowerShell
Persistence

Actions on Objective 5 New Service PR.PT


Installation 3 Modify Registry PR.AT
8 Modify Existing Service DE.CM
Command-Line Interface PR.AC
Disabling Security Tools PR.IP
Privilege Escalation
Defense Evasion
Execution
Persistence

Actions on Objective 11 PR.PT


12 DE.AE
PR.IP

Command and Control 12 Commonly Used Port PR.PT
Actions on Objective 13 Exfiltration PR.DS
8 Exfiltration Over Command and Control Channel DE.CM
Defense Evasion DE.AE

Command and Control 12 Command and Control PR.PT


3 Exfiltration DE.AE
8 DE.CM
PR.AC
PR.IP

Delivery 18 Exploitation of Vulnerability ID.RA


Reconnaissance 12 Defense Evasion PR.IP
4 System Information Discovery PR.PT
Discovery DE.AE
PR.MA
DE.CM
Actions on Objective 5 Commonly Used Port DE.AE
3 Scheduled Task PR.PT
16 Remote Services PR.AT
9 Pass the Hash PR.AC
Lateral Movement PR.IP
Execution
Remote Desktop Protocol
Persistence

Command and Control 7 Execution PR.PT


Actions on Objective 3 PowerShell DE.CM
8 Scripting PR.IP

10 PR.IP

– –

Command and Control 2 Execution ID.AM


Actions on Objective PR.DS
Installation

18 PR.PT
PR.MA
– –
Actions on Objective 8 Execution PR.PT
Command-Line Interface DE.CM
Persistence

Command and Control 12 Command and Control PR.PT


Actions on Objective 13 Exfiltration Over Command and Control Channel DE.AE
Delivery 8 Commonly Used Port DE.CM
9 Exfiltration Over Alternative Protocol PR.AC
Exfiltration PR.DS
Defense Evasion

Command and Control 10 Command and Control DE.DP


Actions on Objective 8 Windows Management Instrumentation PR.IP
Delivery 9 Masquerading PR.PT
6 Commonly Used Port PR.AC
12 Indicator Removal on Host DE.AE
5 Exfiltration Over Alternative Protocol DE.CM
3 Scheduled Task PR.AT
Exfiltration
Registry Run Keys / Start Folder
AppInit DLLs
Lateral Movement
Defense Evasion
Execution
Authentication Package
Persistence
Actions on Objective 11 PR.PT
PR.AC
PR.IP

4 DE.CM
ID.RA
RS.MI
PR.IP

– –

Delivery 18 Exploitation of Vulnerability ID.RA


4 Defense Evasion PR.IP
3 PR.PT
PR.AC
RS.MI
DE.CM

Delivery 18 Exploitation of Vulnerability PR.PT


4 Commonly Used Port PR.DS
13 Defense Evasion DE.CM
Execution ID.RA
PR.IP

Actions on Objective 12 Defense Evasion DE.AE


13 Execution DE.DP
PR.AC
PR.DS

Actions on Objective 16 Credential Access DE.AE


DE.DP
PR.AC
PR.DS
Exploitation 8 Defense Evasion PR.PT
Actions on Objective Execution DE.CM
Command-Line Interface
Masquerading

Command and Control 8 Command and Control ID.AM


Actions on Objective 9 Exfiltration Over Command and Control Channel PR.DS
12 Commonly Used Port PR.IP
13 Exfiltration Over Alternative Protocol PR.PT
3 Exfiltration DE.AE
1 Standard Application Layer Protocol DE.CM
Defense Evasion

Delivery 7 Defense Evasion DE.AE


12 Execution PR.IP
3

Actions on Objective 5 Windows Management Instrumentation PR.PT


3 Execution PR.AT
PR.AC
PR.IP
1 ID.AM
– –
Command and Control 2 Defense Evasion ID.AM
Actions on Objective 8 Execution PR.PT
Installation Rundll32 PR.DS
Masquerading DE.CM

Actions on Objective 14 Lateral Movement PR.PT


Reconnaissance 9 Credential Access DE.AE
Collection PR.AC
PR.DS

Actions on Objective 8 Defense Evasion PR.PT


Modify Registry DE.CM
Persistence

Actions on Objective 3 Execution PR.PT


8 Change Default File Association DE.CM
Persistence PR.IP
Actions on Objective 6 Indicator Removal on Host DE.DP
10 Defense Evasion PR.IP
5 Execution PR.PT
3 PR.AC
8 DE.AE
DE.CM
PR.AT

Actions on Objective 5 New Service PR.IP


Installation 3 Modify Existing Service PR.PT
8 Local Port Monitor PR.AC
Scheduled Task DE.AE
Application Shimming DE.CM
Registry Run Keys / Start Folder PR.AT
AppInit DLLs
Privilege Escalation
Defense Evasion
Execution
Authentication Package
Persistence

Actions on Objective 2 Privilege Escalation ID.AM


8 Execution PR.PT
Accessibility Features PR.DS
Persistence DE.CM

Installation 5 Privilege Escalation PR.PT


3 New Service PR.AT
8 Persistence DE.CM
Modify Existing Service PR.AC
PR.IP
Data Models | Providing Technologies
Authentication Active Directory
Change_Analysis Linux
Identity_Management Microsoft Windows
Risk Splunk Enterprise Security
macOS

Application_State Carbon Black Response


Authentication CrowdStrike Falcon
Risk Linux
Microsoft Windows
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Authentication Bro
Identity_Management Linux
Network_Sessions Microsoft Windows
Risk Splunk Enterprise Security
Splunk Stream
macOS

AWS

AWS
– Splunk Enterprise Security
AWS

AWS
Splunk Enterprise Security


Application_State Bluecoat
Authentication Bro
Email Carbon Black Response
Network_Resolution CrowdStrike Falcon
Risk Linux
Web Microsoft Exchange
Microsoft Windows
Palo Alto Firewall
Splunk Enterprise
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Application_State Bro
Authentication Carbon Black Response
Change_Analysis CrowdStrike Falcon
Network_Traffic Linux
Risk Microsoft Windows
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Application_State Bro
Authentication Carbon Black Response
Change_Analysis CrowdStrike Falcon
Network_Resolution Linux
Risk Microsoft Windows
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS
Application_State Bro
Authentication Carbon Black Response
Change_Analysis CrowdStrike Falcon
Network_Traffic Linux
Risk Microsoft Windows
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Application_State Carbon Black Response


Authentication CrowdStrike Falcon
Risk Linux
Microsoft Windows
Splunk Enterprise Security
Sysmon
Tanium
Ziften
macOS

Network_Resolution Bro
Risk Splunk Enterprise Security
Splunk Stream
Application_State Bro
Authentication Carbon Black Response
Network_Resolution CrowdStrike Falcon
Network_Traffic Linux
Risk Microsoft Windows
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Application_State Bluecoat
Authentication Bro
Change_Analysis Carbon Black Response
Risk CrowdStrike Falcon
Web Linux
Microsoft Windows
Palo Alto Firewall
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Authentication Apache
Risk Bro
Web Linux
Microsoft Windows
Palo Alto Firewall
Splunk Enterprise Security
Splunk Stream
macOS
Application_State Bro
Authentication Carbon Black Response
Network_Traffic CrowdStrike Falcon
Risk Linux
Microsoft Windows
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Application_State Carbon Black Response


Authentication CrowdStrike Falcon
Risk Linux
Microsoft Windows
Splunk Enterprise Security
Sysmon
Tanium
Ziften
macOS

Risk Netbackup
Splunk Enterprise Security

Application_State Bluecoat
Authentication Bro
Risk Carbon Black Response
Web CrowdStrike Falcon
Linux
Microsoft Windows
Palo Alto Firewall
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Authentication Linux
Risk Microsoft Windows
Updates Splunk Enterprise Security
macOS
Application_State Bluecoat
Authentication Bro
Risk Carbon Black Response
Web CrowdStrike Falcon
Linux
Microsoft Windows
Palo Alto Firewall
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Application_State Bluecoat
Authentication Bro
Network_Resolution Linux
Network_Traffic Microsoft Windows
Risk Palo Alto Firewall
Splunk Enterprise Security
Splunk Stream
macOS

Application_State Bluecoat
Authentication Bro
Change_Analysis Carbon Black Response
Network_Traffic CrowdStrike Falcon
Risk Linux
Updates Microsoft Windows
Vulnerabilities Nessus
Web Netbackup
Palo Alto Firewall
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS
Authentication Active Directory
Risk Linux
Microsoft Windows
Palo Alto Firewall
Splunk Enterprise Security
macOS

Authentication Carbon Black Response


Change_Analysis CrowdStrike Falcon
Risk Linux
Vulnerabilities Microsoft Windows
Nessus
Qualys
Splunk Enterprise Security
Sysmon
Tanium
Ziften
macOS

Authentication Linux
Risk Microsoft Windows
Splunk Enterprise
Splunk Enterprise Security
macOS

Authentication Bro
Risk Linux
Web Microsoft Windows
Splunk Enterprise Security
Splunk Stream
macOS

AWS
Splunk Enterprise Security

AWS
Splunk Enterprise Security

Application_State Bluecoat
Authentication Bro
Web Carbon Black Response
CrowdStrike Falcon
Linux
Microsoft Windows
Palo Alto Firewall
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Application_State Bro
Authentication Carbon Black Response
Network_Resolution CrowdStrike Falcon
Network_Traffic Linux
Risk Microsoft Windows
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Authentication Bluecoat
Email Bro
Risk Linux
Web Microsoft Exchange
Microsoft Windows
Palo Alto Firewall
Splunk Enterprise Security
Splunk Stream
macOS

Application_State Carbon Black Response


Authentication CrowdStrike Falcon
Risk Linux
Microsoft Windows
Splunk Enterprise Security
Sysmon
Tanium
Ziften
macOS
AWS
- Splunk Enterprise Security
Application_State Bluecoat
Authentication Bro
Risk Carbon Black Response
Web CrowdStrike Falcon
Linux
Microsoft Windows
Palo Alto Firewall
Splunk Enterprise Security
Splunk Stream
Sysmon
Tanium
Ziften
macOS

Application_State Bluecoat
Network_Traffic Bro
Risk Palo Alto Firewall
Splunk Enterprise Security
Splunk Stream

Application_State Carbon Black Response


Authentication CrowdStrike Falcon
Change_Analysis Linux
Microsoft Windows
Splunk Enterprise Security
Sysmon
Tanium
Ziften
macOS

Application_State Carbon Black Response


Authentication CrowdStrike Falcon
Risk Linux
Microsoft Windows
Splunk Enterprise Security
Sysmon
Tanium
Ziften
macOS
Application_State Carbon Black Response
Authentication CrowdStrike Falcon
Risk Linux
Microsoft Windows
Splunk Enterprise Security
Sysmon
Tanium
Ziften
macOS

Application_State Carbon Black Response


Authentication CrowdStrike Falcon
Change_Analysis Linux
Risk Microsoft Windows
Splunk Enterprise Security
Sysmon
Tanium
Ziften
macOS

Application_State Carbon Black Response


Authentication CrowdStrike Falcon
Change_Analysis Linux
Risk Microsoft Windows
Splunk Enterprise Security
Sysmon
Tanium
Ziften
macOS

Application_State Carbon Black Response


Authentication CrowdStrike Falcon
Risk Linux
Microsoft Windows
Splunk Enterprise Security
Sysmon
Tanium
Ziften
macOS
Detection Searches
Identify New User Accounts
Short Lived Windows Accounts
Detect Excessive User Account Lockouts
Detect Excessive Account Lockouts From Endpoint

Unusually Long Content-Type Length


Web Servers Executing Suspicious Processes

Detect Unauthorized Assets by MAC address

EC2 Instance Started In Previously Unseen Region


Abnormally High AWS Instances Launched by User
EC2 Instance Started With Previously Unseen Instance Type
EC2 Instance Started With Previously Unseen AMI
EC2 Instance Started With Previously Unseen User

AWS Network Access Control List Created with All Open Ports
AWS Network Access Control List Deleted
AWS Cloud Provisioning From Previously Unseen Country
AWS Cloud Provisioning From Previously Unseen Region
AWS Cloud Provisioning From Previously Unseen City
AWS Cloud Provisioning From Previously Unseen IP Address

Detect AWS API Activities From Unapproved Accounts


Detect Spike in AWS API Activity
Monitor DNS For Brand Abuse
Monitor Email For Brand Abuse
Monitor Web Traffic For Brand Abuse

Suspicious writes to windows Recycle Bin


Suspicious writes to System Volume Information
Email files written outside of the Outlook directory
Hosts receiving high volume of network traffic from email server
Email servers sending high volume traffic to hosts

Detection of DNS Tunnels


Detect USB device insertion
Detect hosts connecting to dynamic domain providers
SMB Traffic Spike
Processes launching netsh
Suspicious Reg.exe Process
Sc.exe Manipulating Windows Services
Registry Keys Used For Persistence
Create local admin accounts using net.exe
Single Letter Process On Endpoint
Scheduled Task Name Used by Dragonfly Threat Actors
Malicious PowerShell Process - Execution Policy Bypass
Detect Outbound SMB Traffic
Detect New Local Admin account
Detect PsExec With accepteula Flag

Sc.exe Manipulating Windows Services


Suspicious Reg.exe Process
Processes launching netsh
Attempt To Stop Security Service
Attempt To Add Certificate To Untrusted Store

Large Volume of DNS ANY Queries


Detect hosts connecting to dynamic domain providers

Windows hosts file modification

Detect malicious requests to exploit JBoss servers


Detect attackers scanning for vulnerable JBoss servers
Schtasks scheduling job on remote system
Remote Desktop Process Running On System
Remote Desktop Network Traffic
Detect Activity Related to Pass the Hash Attacks

Malicious PowerShell Process - Connect To Internet With Hidden Window


Malicious PowerShell Process - Encoded Command
Malicious PowerShell Process - Multiple Suspicious Command Line Arguments
Malicious PowerShell Process With Obfuscation Techniques

Unsuccessful Netbackup backups


Extended Period Without Successful Netbackup Backups

Prohibited Software On Endpoint

No Windows Updates in Timeframe


Processes created by netsh
Processes launching netsh

TOR Traffic
Prohibited Network Traffic Allowed
Protocol or Port Mismatch
Detect hosts connecting to dynamic domain providers

Windows Event Log Cleared


Suspicious wevtutil Usage
USN Journal Deletion
Deleting Shadow Copies
Spike in File Writes
Prohibited Network Traffic Allowed
SMB Traffic Spike
Common Ransomware Extensions
Common Ransomware Notes
System Processes Run From Unexpected Locations
Remote Process Instantiation via WMI
TOR Traffic
Registry Keys Used For Persistence
Unusually Long Command Line
Scheduled tasks used in BadRabbit ransomware
Schtasks used for forcing a reboot
Detect New Login Attempts to Routers

Spectre and Meltdown Vulnerable Systems

Open Redirect in Splunk Web

SQL Injection with Long URLs

AWS Instance started in a new region


Abnormally High AWS Instances Terminated by User
Abnormally High AWS Instances Launched by User

Detect new user AWS Console Login


Unusually Long Command Line
Detect Prohibited Applications Spawning cmd.exe
Detect Use of cmd.exe to Launch Script Interpreters
System Processes Run From Unexpected Locations

Excessive DNS Failures


Clients Connecting to Multiple DNS Servers
DNS Query Length With High Standard Deviation
DNS Query Requests Resolved by Unauthorized DNS Servers
Detect Long DNS TXT Record Response
Detection of DNS Tunnels
Detect hosts connecting to dynamic domain providers

Suspicious Email Attachment Extensions


Email Attachments With Lots Of Spaces

Remote WMI Command Attempt


Remote Process Instantiation via WMI
EC2 Instance Modified With Previously Unseen User

Unusually Long Command Line


Detect Rare Executables
System Processes Run From Unexpected Locations
RunDLL Loading DLL By Ordinal

Protocols passing authentication in cleartext

Suspicious Reg.exe Process


Disabling Remote User Account Control
Attrib.exe used to hide files/directories via commandline
Reg.exe used to hide files/directories via registry keys

Execution of File with Multiple Extensions


Execution of File With Spaces Before Extension
Suspicious Changes to File Associations
Deleting Shadow Copies
Windows Event Log Cleared
Suspicious wevtutil Usage
USN Journal Deletion

Registry Keys for Creating SHIM Databases


Shim Database Installation With Suspicious Parameters
Shim Database File Creation
Registry Keys Used For Persistence
Schtasks used for forcing a reboot
Sc.exe Manipulating Windows Services
Attrib.exe used to hide files/directories via commandline
Reg.exe used to hide files/directories via registry keys
Detect Path Interception via creation of program.exe
Monitor Registry Keys for Print Monitors

Overwriting Accessibility Binaries


Registry Keys Used For Privilege Escalation
Uncommon Processes On Endpoint

Sc.exe Manipulating Windows Services


Investigative Searches
Get Logon Rights Modifications For User
Get Logon Rights Modifications For Endpoint

Investigate Suspicious Strings in HTTP Header

AWS Investigate User Activities By ARN

Get All AWS Activity From City


Get All AWS Activity From Country
Get All AWS Activity From Region
Get All AWS Activity From IP Address

Investigate AWS User Activities by user field


Get Email Info
Get Emails From Specific Sender
Investigate Web Activity From Host
Get DNS Server History for a host
Get Process responsible for the DNS traffic

Get Process Info


Get Parent Process Info

Get DNS Server History for a host


Get Process responsible for the DNS traffic
Get Process Info
Get Parent Process Info

["ESCU - Get Process Info", "ESCU - Get Parent Process Info"]
Get DNS Server History for a host
Get DNS traffic ratio
Get Process responsible for the DNS traffic

Investigate Web Activity From Host


Get DNS Server History for a host
Get Process responsible for the DNS traffic


Get Process Info

Get Process Info

All backup logs for host

Get Process Info


Investigate Web Activity From Host


Get Process Info
Get Parent Process Info
Investigate Web Activity From Host

Get Process Information For Port Activity

Get Process Info


Get Process Information For Port Activity
Investigate Web Activity From Host
Get Parent Process Info

Investigate AWS activities via region name


AWS Investigate User Activities By ARN

AWS Investigate User Activities By ARN


Get Process Info
Get Parent Process Info
Investigate Web Activity From Host

Get DNS Server History for a host


Get DNS traffic ratio
Get Process responsible for the DNS traffic

Get Email Info


Get Emails From Specific Sender
Investigate Web Activity From Host

Get Process Info


AWS Investigate User Activities By ARN

Get Process Info


Investigate Web Activity From Host

Get Process Information For Port Activity

Get Process Info


Get Parent Process Info

Get Process Info


Get Parent Process Info
Get Process Info

Get Process Info


Get Parent Process Info

Get Process Info


Get Parent Process Info

Get Process Info


Get Parent Process Info
Support Searches

Count of assets by category

Previously Seen AWS Regions


Previously Seen EC2 Launches By User
Previously Seen EC2 Instance Types
Previously Seen EC2 AMIs


Previously Seen AWS Provisioning Activity Sources

Create a list of approved AWS service accounts


Baseline of API Calls per User ARN
DNSTwist Domain Names




Identify Systems Using Remote Desktop
Identify Systems Creating Remote Desktop Traffic
Identify Systems Receiving Remote Desktop Traffic

Monitor Successful Backups


Monitor Unsuccessful Backups

Add Prohibited Processes to Enterprise Security


Count of Unique IPs Connecting to Ports

Monitor Successful Backups


Monitor Unsuccessful Backups
Windows Updates Install Failures
Windows Updates Install Successes

Systems Ready for Spectre-Meltdown Windows Patch

Previously seen AWS Regions

Previously seen users in CloudTrail



Previously Seen EC2 Modifications By User



Title | Security Domain
Abnormally High AWS Instances Launched by User | Network
Abnormally High AWS Instances Terminated by User | Network
Attempt To Add Certificate To Untrusted Store | Endpoint
Attempt To Stop Security Service | Endpoint
AWS Cloud Provisioning From Previously Unseen City | Endpoint
AWS Cloud Provisioning From Previously Unseen Country | Endpoint
AWS Cloud Provisioning From Previously Unseen IP Address | Endpoint
AWS Cloud Provisioning From Previously Unseen Region | Endpoint
AWS Network Access Control List Created with All Open Ports | Network
AWS Network Access Control List Deleted | Network
Clients Connecting to Multiple DNS Servers | Network
Common Ransomware Extensions | Endpoint
Common Ransomware Notes | Endpoint
Create local admin accounts using net.exe | Endpoint
Deleting Shadow Copies | Endpoint
Detect Activity Related to Pass the Hash Attacks | Access
Detect attackers scanning for vulnerable JBoss servers | Network
Detect AWS API Activities From Unapproved Accounts | Access
Detect Excessive Account Lockouts From Endpoint | Access
Detect Excessive User Account Lockouts | Access
Detect hosts connecting to dynamic domain providers | Network
Detect Long DNS TXT Record Response | Network
Detect malicious requests to exploit JBoss servers | Network
Detect New Local Admin account | Access
Detect New Login Attempts to Routers | Network
Detect new user AWS Console Login | Network
Detect Outbound SMB Traffic | Network
Detect Path Interception By Creation Of program.exe | Endpoint
Detect Prohibited Applications Spawning cmd.exe | Endpoint
Detect PsExec With accepteula Flag | Endpoint
Detect Rare Executables | Endpoint
Detect Spike in AWS API Activity | Network
Detect Unauthorized Assets by MAC address | Network
Detect USB device insertion | Endpoint
Detect Use of cmd.exe to Launch Script Interpreters | Endpoint
Detection of DNS Tunnels | Network
Disabling Remote User Account Control | Endpoint
DNS Query Length With High Standard Deviation | Network
DNS Query Requests Resolved by Unauthorized DNS Servers | Network
EC2 Instance Modified With Previously Unseen User | Endpoint
EC2 Instance Started In Previously Unseen Region | Network
EC2 Instance Started With Previously Unseen AMI | Endpoint
EC2 Instance Started With Previously Unseen Instance Type | Endpoint
EC2 Instance Started With Previously Unseen User | Endpoint
Email Attachments With Lots Of Spaces | Network
Email files written outside of the Outlook directory | Endpoint
Email servers sending high volume traffic to hosts | Network
Excessive DNS Failures | Network
Execution of File with Multiple Extensions | Endpoint
Execution of File With Spaces Before Extension | Endpoint
Extended Period Without Successful Netbackup Backups | Endpoint
Hiding Files And Directories With Attrib.exe | Endpoint
Hosts receiving high volume of network traffic from email server | Network
Identify New User Accounts | Access
Large Volume of DNS ANY Queries | Network
Malicious PowerShell Process - Connect To Internet With Hidden Window | Endpoint
Malicious PowerShell Process - Encoded Command | Endpoint
Malicious PowerShell Process - Execution Policy Bypass | Endpoint
Malicious PowerShell Process - Multiple Suspicious Command-Line Arguments | Endpoint
Malicious PowerShell Process With Obfuscation Techniques | Endpoint
Monitor DNS For Brand Abuse | Network
Monitor Email For Brand Abuse | Network
Monitor Registry Keys for Print Monitors | Endpoint
Monitor Web Traffic For Brand Abuse | Network
No Windows Updates in Timeframe | Endpoint
Open Redirect in Splunk Web | Network
Overwriting Accessibility Binaries | Endpoint
Processes created by netsh | Endpoint
Processes launching netsh | Endpoint
Prohibited Network Traffic Allowed | Network
Prohibited Software On Endpoint | Endpoint
Protocol or Port Mismatch | Network
Protocols passing authentication in cleartext | Network
Reg.exe used to hide files/directories via registry keys | Endpoint
Registry Keys for Creating SHIM Databases | Endpoint
Registry Keys Used For Persistence | Endpoint
Registry Keys Used For Privilege Escalation | Endpoint
Remote Desktop Network Traffic | Network
Remote Desktop Process Running On System | Endpoint
Remote Process Instantiation via WMI | Endpoint
Remote WMI Command Attempt | Endpoint
RunDLL Loading DLL By Ordinal | Endpoint
Sc.exe Manipulating Windows Services | Endpoint
Scheduled Task Name Used by Dragonfly Threat Actors | Endpoint
Scheduled tasks used in BadRabbit ransomware | Endpoint
Schtasks scheduling job on remote system | Endpoint
Schtasks used for forcing a reboot | Endpoint
Shim Database File Creation | Endpoint
Shim Database Installation With Suspicious Parameters | Endpoint
Short Lived Windows Accounts | Access
Single Letter Process On Endpoint | Endpoint
SMB Traffic Spike | Network
Spectre and Meltdown Vulnerable Systems | Endpoint
Spike in File Writes | Endpoint
SQL Injection with Long URLs | Network
Suspicious Changes to File Associations | Endpoint
Suspicious Email Attachment Extensions | Network
Suspicious Reg.exe Process | Endpoint
Suspicious wevtutil Usage | Endpoint
Suspicious writes to System Volume Information | Endpoint
Suspicious writes to windows Recycle Bin | Endpoint
System Processes Run From Unexpected Locations | Endpoint
TOR Traffic | Network
Uncommon Processes On Endpoint | Endpoint
Unsuccessful Netbackup backups | Endpoint
Unusually Long Command Line | Endpoint
Unusually Long Content-Type Length Network

USN Journal Deletion Endpoint

Web Servers Executing Suspicious Processes Endpoint


Windows Event Log Cleared Endpoint
Windows hosts file modification Endpoint
Description

This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances.

This search looks for CloudTrail events where an abnormally high number of instances were successfully terminated
10-minute window

Attempt to add a certificate to the untrusted certificate store

This search looks for attempts to stop security-related services on the endpoint.

This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined br
event that begins with "Run" or "Create."

This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined
any event that begins with "Run" or "Create."

This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defi
as any event that begins with "Run" or "Create."

This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a
United States. Provisioning activities are defined broadly as any event that begins with "Run" or "Create."

The search looks for CloudTrail events to detect if any network ACLs were created with all the ports open to a specifi

Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict acces
instance. After the attacker has gained control of the AWS console by compromising an admin account, they can dele
ACL and gain access to the instance from anywhere. This search will query the CloudTrail logs to detect users deletin
ACLs.

This search allows you to identify the endpoints that have connected to more than five DNS servers over the time fra
search.

The search looks for file modifications with extensions commonly used by ransomware.

The search looks for files created with a name that matches one of those typically used for the 'note' file left behind
the victim how to get their data back.

This search looks for the creation of local administrator accounts using net.exe.

The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Wind
Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.

This search looks for specific authentication events from the Windows Security Event logs to detect potential attemp
the Pass-the-Hash technique.

This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to
vulnerable JBoss servers. JexBoss is described as the exploit tool of choice for this malicious activity.

This search will look for successful CloudTrail activity by user accounts that are not listed in the identity table or
<code>aws_service_accounts.csv</code> and will return the count, the first time, the last time, and the values of th
names grouped by users.

This search identifies endpoints that have caused a relatively high number of account lockouts in a short period.

This search detects accounts that have been locked out a relatively high number of times in a short period.

Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive command an
nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to
firewall blocks, blacklists, as well as frustrate a network defender's analytic and investigative processes. This search w
DNS queries made from within your infrastructure to suspicious dynamic domains.

This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queri
using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls ca
detected by noting unusually large volumes of DNS traffic.

This search is used to detect malicious HTTP requests crafted to exploit jmx-console in JBoss servers. The malicious r
a long URL length, as the payload is embedded in the URL.

This search looks for newly created accounts that have been elevated to local administrators.

The search queries the authentication logs for assets that are categorized as routers in the ES Assets and Identity Fra
identify connections that have not been seen before in the last 30 days.

This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, the
the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fire
has logged into the console for the first time within the last hour

This search looks for outbound SMB connections made by hosts within your network to the internet. Server Message
(SMB) traffic is used for Windows file-sharing activity. One of the techniques often used by attackers involves retrievi
credential hash using an SMB request made to a compromised server controlled by the threat actor.

The search is looking for the creation of file C:\program.exe. The creation of this file in the C:\ drive is driven by a m
perform path interception.

This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and does not typ
cmd.exe.

This search looks for events where <code>PsExec.exe</code> is run with the <code>accepteula</code> flag in the co
PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for c
applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors l
extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will b
to accept the end-user license agreement (EULA), which can be passed as the argument <code>accepteula</code> w
command line.

This search will create a table of statistically rare processes and the number of distinct hosts running them. The mac
filter_process_whitelist can be used to filter out known, benign, process names that do not execute very often.

This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache fil
in the latest data.

By populating the organization's assets within the assets_by_str.csv, we will be able to detect unauthorized devices t
to connect with the organization's network by inspecting DHCP request packets, which are issued by devices when th
to obtain an IP address from the DHCP server. The MAC address associated with the source of the DHCP request is ch
against the list of known devices, and reports on those that are not found.

The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read f
removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we a
the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host i
high in the ES Assets and Identity Framework.

This search looks for the execution of cscript.exe or wscript.exe with a parent of cmd.exe. The search will return the
command-lines for these executions, as well as the target system, sorted by time.

This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. T
also filters out potential false positives by filtering out queries made to internal systems and the queries originating f
DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, command and c
evasion of security controls can often be detected by noting an unusually large volume of DNS traffic.

The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (U

This search allows you to identify DNS requests and compute the standard deviation on the length of the names bein
then filter on two times the standard deviation to show you those queries that are unusually large for your environm

This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identifi
Enterprise Security Assets and Identity Framework.

This search looks for EC2 instances being modified by users who have not previously modified them.

This search looks for CloudTrail events where an instance is started in a particular region in the last one hour and the
it to a lookup file of previously seen regions where an instance was started

This search looks for EC2 instances being created with previously unseen AMIs.

This search looks for EC2 instances being created with previously unseen instance types.

This search looks for EC2 instances being created by users who have not created them before.

Attackers often use spaces as a means to obfuscate an attachment's file extension. This search looks for messages wi
attachments that have many spaces within the filename.

The search looks at the Change Analysis data model and detects email files that are created outside the normal Outl
directory.

This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a
actor collecting data using your email server.

This search identifies DNS query failures by counting the number of DNS responses that do not indicate success, and
more than 50 occurrences.

This search looks for processes launched from files that have 2 extensions in the file name. This is typically done to o
"real" file extension and make it appear as though the file being accessed is a data file as opposed to executable con

This search looks for processes launched from files that have at least five spaces in the name before the extension. T
typically done to obfuscate the file extension by pushing it outside of the default view.

This search returns a list of hosts that have not successfully completed a backup in over a week.

Attackers leverage an existing Windows binary, attrib.exe, to mark specific files as hidden by using specific flags so that th
not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.

This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a
actor collecting data using your email server.

This detection search will help profile user accounts in your environment by identifying newly created accounts that
added to your network in the past week.

The search is used to identify attempts to use your DNS Infrastructure for DDoS purposes via a DNS amplification atta
leveraging ANY queries.

This search looks for PowerShell processes started with parameters to modify the execution policy of the run, run in
window, and connect to the Internet. This combination of command-line options is suspicious because it's overriding
PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet.

This search looks for PowerShell processes that have encoded the script within the command-line. Malware has bee
this parameter, as it obfuscates the code and makes it relatively easy to pass a script on the command-line.

This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scri
parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell executi

This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with paramet
the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This com
command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide it
user, and passes an encoded script to be run on the command-line.

This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation o
command-line.

This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abu

This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for ab

This search looks for registry activity associated with modifications made to the registry key
<code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>. In this scenario, an attacker can load an a
into the Print Monitor registry by giving the full path name to the DLL and the system will execute the DLL with eleva
(SYSTEM) permissions and will also persist on a reboot.

This search looks for Web requests to faux domains similar to the one that you want to have monitored for abuse.

This search looks for Windows endpoints that have not generated an event indicating a successful Windows update i
days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not succe
applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.

This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerabilit

Microsoft Windows contains accessibility features that can be launched with a key combination before a user has log
adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in
system. This search looks for modifications to these binaries.

This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility
is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network config
computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL whe
is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via comman

This search looks for processes launching netsh.exe. Netsh.exe is a command-line scripting utility that allows you to,
or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used
persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for p
spawned by netsh.exe and executing commands via command-line.

This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup ta
"lookup_interesting_ports", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic
This could be indicative of a misconfigured network device.

This search looks for applications on the endpoint that you have marked as prohibited.

This search looks for network traffic on common ports where a higher layer protocol does not match the port that is
For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. This can
attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and proto
typically allowed and not well inspected.

This search looks for cleartext protocols at risk of leaking credentials. Currently, this consists of legacy protocols such
POP3, IMAP, and non-anonymous FTP sessions. While some of these protocols can be used over SSL, they typically ru
different assigned ports in those cases.

The search looks for command-line arguments used to hide a file or directory using the reg add command.

This search looks for registry activity associated with application compatibility shims, which can be leveraged by atta
various nefarious purposes.

The search looks for modifications to registry keys that can be used to launch an application or service at system star

This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under Ima
Execution Options are used to intercept calls to an executable, and can be used to attach malicious binaries to benig
binaries.

This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop t
uncommon on a network, it is usually associated with known hosts. This search allows for whitelisting both source a
destination hosts to remove them from the output of the search so you can focus on the uncommon uses of remote
your network.

This search looks for the remote desktop process, mstsc.exe, running on systems it doesn't typically run on. This is ac
by filtering out all systems that are noted in the common_rdp_source category in the Assets and Identity framework

This search looks for wmic.exe being launched with parameters to spawn a process on a remote system.

This search looks for wmic.exe being launched with parameters to operate on remote systems.

This search looks for DLLs under %AppData% being loaded by rundll32.exe that are calling the exported function at o
Calling exported functions by ordinal is not as common as calling by exported name. There was a bug fixed in IDAPro
08 that would not display functions without names. Calling functions by ordinal would overcome the lack of name a
harder for analysts to reverse engineer.

This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.

This search looks for flags passed to schtasks.exe on the command-line that indicate a task name associated with the
threat actor was created or deleted.

This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the e
Bad Rabbit ransomware were created or deleted.

This search looks for flags passed to schtasks.exe on the command-line that indicate a job is being scheduled on a re

This search looks for flags passed to schtasks.exe on the command-line that indicate that a forced reboot of system i

This search looks for shim database files being written to default directories. The sdbinst.exe application is used to in
database files (.sdb). According to Microsoft, a shim is a small library which transparently intercepts an API, changes
parameters passed, handles the operation itself, or redirects the operation elsewhere.

This search detects the process execution and arguments required to silently create a shim database. The sdbinst.ex
is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes th
parameters passed, handles the operation itself, or redirects the operation elsewhere.

This search detects accounts that were created and deleted in a short time period.

This search looks for process names that consist only of a single letter.

This search looks for a spike in the number of Server Message Block (SMB) traffic connections.

The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities.

The search looks for a sharp increase in the number of files written to a particular host.

This search looks for long URLs that have several SQL commands visible within them.

This search looks for changes to registry values that control Windows file associations, executed by a process that is
for legitimate, routine changes to this area.

This search looks for emails that have attachments with suspicious file extensions.

This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches
the parent process is usually explorer.exe. This search filters out those instances.

The wevtutil.exe application is the Windows event log utility. This search looks for wevtutil.exe with parameters for clear
application, security, setup, or system event logs.

This search detects writes to the 'System Volume Information' folder by something other than the System process.

This search detects writes to the recycle bin by a process other than explorer.exe.

This search looks for system processes that normally run out of C:\Windows\System32\ that are not run from that lo
can indicate a malicious process that is trying to hide as a legitimate process.

This search looks for network traffic identified as The Onion Router (TOR), a benign anonymity network which can be
a variety of nefarious purposes.

This search looks for applications on the endpoint that you have marked as prohibited.

This search gives you the hosts where a backup was attempted and then failed.

Command-lines that are extremely long can be indicative of malicious activity on your hosts.

This search looks for unusually long strings in the Content-Type http header that the client sends the server.

The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT
file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on th
search looks for fsutil.exe deleting the USN journal.

This search looks for suspicious processes on all systems labeled as web servers.

This search looks for Windows events that indicate one of the Windows event logs has been purged.

The search looks for modifications to the hosts file on all Windows endpoints across your environment.
Security Domain Title Category
Network UC0001 Detection of new/prohibited web application Field
Network UC0002 Detection of prohibited protocol (application) Field
Network UC0003 Server generating email outside of approved usage Field
Network UC0004 Excessive number of emails sent from internal user Field
Endpoint UC0005 System modification to insecure state Field
Endpoint UC0006 Windows security event log purged Field
Access UC0007 Account logon successful method outside of policy Field
Access UC0008 Activity on previously inactive account Field
Access UC0009 Authenticated communication from a risky source network Field
Access UC0010 Detect unauthorized use of remote access technologies Field
Access UC0011 Improbable distance between logins Field
Access UC0012 Increase risk score of employees once adverse separation is identified or anticipated Field
Audit UC0013 Monitor change for high value groups Field
Access UC0014 Monitor use attempts of human accounts once primary account is expired, disabled or deleted Field
Access UC0015 Privileged user accessing more than expected number of machines in period Field
Access UC0016 Successfully authenticated computer accounts accessing network resources Field
Access UC0017 Unauthorized access or risky use of NHA Field
Access UC0018 Unauthorized access SSO brute force Field
Access UC0019 User authenticated to routine business systems while on extended absence Field
Network UC0020 Attempted communication through external firewall not explicitly granted Field
Network UC0021 Communication outbound to regions without business relationship Field
Network UC0022 Endpoint communicating with an excessive number of unique hosts Field
Network UC0023 Endpoint communicating with an excessive number of unique ports Field
Network UC0024 Endpoint communicating with external service identified on a threat list Field
Endpoint UC0025 Endpoint Multiple devices in 48 hours in the same site Field
Endpoint UC0026 Endpoint Multiple devices in 48 hours in the same subnet Field
Endpoint UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit Field
Endpoint UC0028 Endpoint Multiple infections over short time Field
Endpoint UC0029 New malware detected by signature Field
Endpoint UC0030 Endpoint uncleaned malware detection Field
Endpoint UC0031 Non human account starting processes not associated with the purpose of the account Field
Access UC0032 Brute force authentication attempted by IP Field
Access UC0033 Brute force authentication attempt distributed Field
Access UC0034 Brute force successful authentication Field
Access UC0035 Compromised account access testing Field
Access UC0036 Compromised account access testing (Critical/Sensitive Resource) Field
Network UC0037 Network Intrusion - New Signatures Field
UC0038 Excessive use of Shared Secrets Field
UC0039 Use of Shared Secret for access to critical or sensitive system Field
UC0040 Use of Shared Secret for or by automated process with risky attributes Field
Network UC0041 SSH v1 detected Field
Endpoint UC0042 SSH Authentication using unknown key Field
UC0043 Direct Authentication to NHA Field
Access UC0044 Network authentication using password auth Field
Access UC0045 Local authentication server Field
Endpoint UC0046 Endpoint failure to sync time Field
Network UC0047 Communication with newly seen domain Field
Network UC0049 Detection of DNS Tunnel Field
Network UC0050 Communication to an enclave network from a non-enclave network Field
Access UC0051 Excessive physical access failures to CIP assets Field
Access UC0052 Non-CIP user attempts to access CIP asset Field
Network UC0053 Network Intrusion Detected Field
Network UC0054 Communication with command and control over HTTP(s) Field
Network UC0055 Allowed Communication from an endpoint with external "risky" category Field
Endpoint UC0056 Asset exceeds risk threshold Field
Audit UC0057 Identify users of Cloud Services that may not be approved Field
Endpoint UC0065 Malware detected compliance asset Field
Access UC0071 Improbably short time between Remote Authentications with IP change Field
Network UC0072 Detection of unauthorized using DNS resolution for WPAD Field
Endpoint UC0073 Endpoint detected malware infection from URL Field
Network UC0074 Network Intrusion Internal Network Field
Network UC0075 Network Malware Detection Field
Network UC0076 Excessive DNS Failures Field
Network UC0077 Detection Risky Referral Domains Field
Access UC0079 Use of accountable privileged identity to access new or rare sensitive resource Field
Access UC0080 Trusted Individual exceeds authorization in observation of other users Field
Network UC0081 Communication with unestablished domain Field
Network UC0082 Communication with enclave by default rule Field
Network UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule Field
Operations UC0084 Monitor Execution of Triage Activity Field
Network UC0085 Alert per host where web application logs indicate a source IP not classified as WAF Field
Endpoint UC0086 Detect Multiple Primary Functions Field
Endpoint UC0087 Malware signature not updated by SLA for compliance asset Field
Access UC0088 User account sharing detection by source device ownership Field
Network UC0089 Detection of Communication with Algorithmically Generated Domain Field
Access UC0090 User account cross enclave access Field
Operations UC0091 Validate Execution of Platform Vulnerability Scan Field
Network UC0092 Exception to Approved Flow for Web Applications Field
Access UC0093 Previously active account has not accessed enclave/lifecycle Field
Access UC0094 Insecure authentication method detected Field
Network UC0095 Detect Excessive Increase in HTTP Error Codes by Src Field
Network UC0096 Network Intrusion Event Detected on Malware Infected Host Field
Access UC0097 Newly Seen Authentication Behavior from VIP or Executive User Field
Network UC0098 Excessive Proxy Denies by Single Host Field
Network UC0099 HTTP Brute Force Activity Detected Field
Network UC0100 Newly Seen File Successfully Executed by Web Application Field
Endpoint UC0101 Newly Seen Scheduled Task Detected by Host Field
Access UC0102 Slow/Controlled Password Guessing Detected Field
Network UC0103 High Number of Newly Seen Connections to Internal Hosts Field
Endpoint UC0104 Chained Exploit Followed by Suspicious Events Detected Field
Endpoint UC0105 Detect Newly Seen Public Web Application (Internal) Field
Access UC0106 Reset of password other than by self for privileged user Field
Identity UC0107 Activity from Expired User Identity - on Category Field
Access UC0108 Brute Force Access Behavior Detected - against Category Field
Access UC0109 Brute Force Access Behavior Detected Over One Day - against Category Field
Audit UC0110 Expected Host Not Reporting - in Category Field
Access UC0111 Land Speed Violation - against Category Field
Endpoint UC0112 Anomalous Update Service Detected - in Category Field
Endpoint UC0113 High/Critical Update Missing - on Category Field
Network UC0114 New Connection to In-Scope Device Field
Endpoint UC0115 In-Scope Device with Outdated Anti-Malware Found Field
Endpoint UCTAC-Microsoft Windows-0001-Newly seen interaction with a share from endpoint to endpoint Tactical
Access UCTAC-Microsoft Windows-0002-Password Spraying Attack Tactical



Description

Prohibited web applications such as file sharing platforms (i.e. Box, Dropbox, etc.),
and games can be detected, and filtered by modern web proxy solutions/next
generation firewalls. Existing exceptions, or new application instances should be
reviewed to ensure appropriate usage.
Prohibited protocols such as IRC, FTP, or Gopher could indicate malicious activity on
insecure systems located on the network. Consider Intra-network communication,
and organization accepted communications from the Internet.

Server Operating Systems, and Application services often generate email to support
general purpose, or application specific functions. Configuration management is
often used to identify servers generating e-mails, as well as maintaining recipient
lists.

Excessive email generation by authorized users could indicate the presence of malware designed to send spam or abuse company resources. An application owner or admin could also be attempting to solve a business problem outside of company policy. This use case focuses on email that is generated from endpoint networks. Server operating systems should also be considered, since servers can use user credentials to send messages; where this is allowed, false positives could be generated.
Authorized or unauthorized users may attempt to modify existing hardened configuration policies or disable monitoring tools.
Manually clearing the security event log on a Windows system is a violation of policy and could indicate an attempt to cover malicious actions.
Logon event properties could indicate account misuse or compromise. Compare the identified purpose of the account with the context of the logon to determine whether the logon was authorized.
Excluding computer accounts in Active Directory, an account with new activity that has not been active in the previous thirty days is suspicious.
An Internet-facing authentication system has allowed authenticated access from a risky source network.
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure.
Using the source IP address, geolocation data and, where available for company-owned mobile devices, GPS data, calculate the distance between the successful authenticated connections with the Haversine formula.

Increase the risk score of users who show indications of adverse separation.
Detect changes to groups used to control access to sensitive, regulated, or critical infrastructure systems.
A human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no further activity from any other account owned by that user.
A privileged user authenticates successfully to more than X new targets, or is denied access to more than Y targets, in the prior Z hours.

Batch jobs, Windows services, app pools, and specially constructed Windows shells can access network resources. A small number of technical solutions will require this type of behavior; however, after excluding a whitelist of hosts or shares (such as sysvol or netlogon), such access attempts (success or fail) could indicate the presence of malware or attempts to elevate access.

Detect the use of a Windows account designated by the organization as a non-human account (NHA) outside of the normal usage of such an account.
A single IP address attempts authentication as more than two valid users within ten minutes against an approved SSO system, where one or more unique accounts succeed and one or more accounts fail.

A user on leave, vacation, sabbatical, or other types of leave should not access
business systems. This could indicate malicious activity by the employee or a
compromised account.

Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (leaving systems behind the firewall vulnerable) or malicious action (bypassing the firewall).
Outbound communication with servers hosted in regions where the organization does not expect to have employees, customers, or suppliers.
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code.

Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with the client, such as FTP in passive mode and RPC on Windows Server.
The endpoint has attempted (success or fail) to communicate with an external server identified on a threat list using any protocol. An attempted communication could indicate activity generated by malicious code.
Multiple infected devices in the same site could indicate a successful watering hole
attack.
Multiple infected devices in the same subnet could indicate lateral movement of an
adversary or a possible worm.
Multiple infected devices in the same organizational unit could indicate a successful
spear phishing attack.

Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an undetected loader malware component (APT).

When a new malware variant is detected by endpoint antivirus technology, it is possible that the configuration or capability of other controls is deficient. Review the sequence of events leading to the infection to determine whether additional preventive measures can be put in place.
Detect an endpoint with a malware detection where the anti-malware product attempted to clean, remove, or quarantine the malware and was unable to.

Accounts designated for use by services and batch processes should start a limited set of child processes. Creation of child processes other than the process name defined in the service or batch definition may indicate compromise.

Detect when more than 10 failed authentication attempts for known accounts occur from a single endpoint (within 3 seconds) on the organization's network.

Detect when more than 10 failed authentication attempts for known accounts occur for a single account from more than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a specific high-value account and is attempting to gain access.
Detect when a source IP identified by a brute force use case authenticates successfully, OR an account identified by a brute force use case successfully authenticates after failing once from the same source address.
Following a successful authentication, an attacker will attempt to determine what
resources may be accessed without causing host intrusion or DLP technologies to
detect activity. Commonly the attacker will enumerate and browse to shares, access
email, access web applications, or connect to databases yet perform minimal or no
activity.

Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases yet perform minimal or no activity. Typically Critical and Sensitive systems (during routine use) would not log access denied events.
IDS devices reporting an attack using a signature not previously encountered are more likely to be successful, as new signatures are prompted by newly known attacks in the wild.

The use of "checkout" accounts as a technique for avoiding accountability. Monitor the checkout activity log from the credential management tool where the number of accounts utilized by a human is greater than X unique shared/secret credentials, or more than 1 standard deviation from peers in the same bunit (business unit).
Use of a secret/shared secret account for access to such a system rather than accountable credentials could indicate an attempt to avoid detection.

Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window.

Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions indicate system probing or scanning.

The public key utilized for authentication is recorded in the SSHD authentication log.
Detection of a new key should be investigated to determine the owner of the key and
validate authorization to access the resource.

Direct authentication via SSH or console session to a non-human account indicates a violation of security policy, either by recording the password of a non-human account for later use or by associating an SSH key with a non-human account.

Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of network authentication using passwords.
Following provisioning, Windows and *nix servers seldom require local administration. Investigate any use of local authentication, as it may indicate an attempt to compromise the host via KVM or virtual console.
Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially prevent valid authentication.

Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially identify weaknesses or risky behavior that would not otherwise be identified.

Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by a large total size of DNS traffic OR a large number of unique queries.
Communication to an enclave network should only occur from another enclave network or from sanitizing servers such as proxy or jump systems.

A user with continuous physical access failures could be someone searching for a
physical vulnerability within the organization. When this occurs in an area that is
protecting CIP assets, it is something that should be followed up on immediately.

CIP assets require special protections; therefore, users that have not been vetted for
CIP access, or should have had their access removed, should not have access. System
owners should be notified immediately should a non-CIP user attempt to access a CIP
asset.

Detect attempted network intrusions by src_ip when the same source is observed with two or more unique destinations, or with one destination and two or more signatures.

Detect communication with a command and control system from a compromised endpoint by identifying traffic allowed by the forward proxy to unknown or uncategorized sites, where the endpoint communicates in at least 15 of the last 60 minutes (bins) and the destination is not on a noise suppression whitelist, the Alexa top 1M, or an advertising domains list.

Detect when an endpoint is permitted external access by the web proxy where the category is known to indicate high risk. This list should not include undesirable but frequent categories such as social media, porn, time wasting, or advertising.
Asset exceeds a risk threshold (based on vulnerabilities, scanning attempts, etc.), where the risk factors are determined by the system owner.

Utilize email logs to identify users being welcomed to a cloud service on an identified risky list for the first time; notify the user that the service is not approved, and notify the user's manager if known by identity.
Malware detection on an asset designated as in compliance scope, such as PCI, CIP or HIPAA, requires review even when automatic cleaning has occurred.
For organizations that allow remote external connectivity, the detection of two or more distinct external source IP addresses for successful authentications to a remote access solution in a short period of time indicates a likely compromise of credentials.

Detection of an endpoint utilizing DNS as a method of proxy auto-discovery (WPAD) by querying for wpad.registrationdomain. Search for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad.* where the domain portion is not a company-owned domain.

Endpoint antimalware detection event occurred where the malicious content was
retrieved from an external URL. Possible indication of gaps in protection by web
proxy, intrusion prevention, or advanced threat prevention. Use the information
available for the event and determine how existing prevention controls can be
modified to prevent future infections.
IDS/IPS detecting or blocking an attack based on a known signature.

Internal malware detection system such as FireEye devices reporting an attack.

An endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or a high number of unique DNS queries.

Maintain a tracking list of public domain suffixes and data sources "seen", keyed by first epoch.

Use of an identity identified as privileged to access a system for the first time within
a rolling time period will trigger a notable event for review of access reason.
Evaluate queries executed by authorized trusted individuals to determine whether the user is observing the behavior of other users for reasons not authorized as part of the user's job function.

Egress communication with a newly seen, newly registered, or registration-date-unknown domain may indicate the presence of malicious code. Assets communicating with external services (excluding the Alexa Top 1M) whose reputation score exceeds acceptable norms will be flagged.

Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization or an actual/attempted compromise.
Communication filtered by the default rule implies that no explicit permission for the communication has been granted, and should be reviewed. Consider ingress communication allowed by the default rule, and egress communication either allowed or blocked.

Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization or an actual/attempted compromise.
Define and maintain event types for unsuppressed notable events, separately identifying the review workflow and the triage SLA required.
Communication to any web application server without filtering by a network web application firewall indicates a security misconfiguration.
Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP, and DNS by destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC).

Malware signature last updated on an asset designated as in compliance scope, such as PCI, CIP or HIPAA, beyond SLA limits. SLA in this use case refers to policy levels rather than the traditional service level agreement.

Detection of logon device by asset name (may require resolution from IP) when
logon user does not match the owner and the number of unique owned devices is
greater than two in the prior 24 hours.

Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a computer, excluding known cloud hosting domains, Alexa Top 1M domains, and domains with long-established communication with the organization.

Detection of logon with the same account to a production and a non-production environment. If an account (not a user) has logged into more than one environment, access management controls have failed and must be remediated.

Using host based logs such as firewall or host intrusion detection for each asset with
a governance category verify communication (accept or reject) has occurred with
origination from one or more authorized platform vulnerability scanners (e.g. Rapid7,
Nessus, OpenVAS).

Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices, ensure the first "X-Forwarded-For" entry is the address of the WAF.
Identify accounts no longer in use with access to high/critical or enclave systems and
remove access when no longer required.

For each authentication technology in the network, identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators.
High numbers of HTTP error codes likely indicate a problem with the web application or server, or can be an indicator of malicious action.

Hosts with multiple indicators are likely infected with malware or successfully
compromised.
Executive or VIP user credentials should be limited to assets that can be attributed to
them. Any unusual or newly seen authentication activity should be considered
suspect, where their credentials may be compromised.
Excessive proxy blocks can be a good indicator of a potential automated beacon or
malware phone home.
Detect excessive number of http status messages indicating error (400/500 errors),
followed by an http status of 200 by src and uri. Can be a high indicator of
unauthorized access or attempt to execute malicious commands.
Using host and network IDS event categories, detect events with a category of 'backdoor' or 'trojan' followed by a signature categorized as 'post exploit' on a given host or network within a given time period.
Detect attempts to gain persistence through newly seen/unauthorized scheduled
tasks per host.

Traditional brute force attacks generate hundreds or thousands of failed access attempts against a single host. This is a variation of brute force, where the objective is to detect password guessing attempts that do not cause account lockouts or will not trigger other "failed access" notable events.

Detect lateral movement by searching for hosts with an unusually high number of connections to hosts they have never connected to before, within a given time period.

Using host and network IDS event categories, detect events with a category of 'backdoor' or 'trojan' followed by a signature categorized as 'post exploit' on a given host or network within a given time period.

Internal web applications often contain sensitive information and should be controlled. Multiple technologies can be used to detect rogue web applications, including Imperva WAF and/or Splunk App for Stream. Use one of these technologies to detect web applications in the environment that have not been seen internally before.
Detect the evasion/escalation technique where the password of a privileged user is reset by another authorized account. This should be rare and supported by appropriate trouble ticketing and authentication of the requesting user.
Alerts when an event is discovered from a user associated with identity that is now
expired (that is, the end date of the identity has been passed) and is associated with
a src or dest in CATEGORY.
Detects excessive number of failed login attempts along with a successful attempt
(this could indicate a successful brute force attack) with at least one attempt against
dest_category=CATEGORY.
Detects an excessive number of failed login attempts, along with a successful
attempt, over a one day period (this could indicate a successful brute force attack)
including at least one against dest_category=CATEGORY.
Discovers assets in asset category CATEGORY that are no longer reporting events but
should be submitting log events.
Alerts on access attempts that are improbable based on time and geography.
Detects assets in asset category CATEGORY that should be updating but have not
reported their required update service status or the status is disabled.
Detects systems in asset category CATEGORY that do not have a high or critical
update installed.

Track all connections to and from certain devices and report on any never before
seen connection. (Success, or attempt, is up to the specific customer need.) Any new
connections made to or from these devices could show evidence of misconfiguration
or potentially malicious behavior.

Alerts when an in-scope host (a host in a particular category) does not have malware definitions or engines within the most recent 3 versions. This is a sign of a misconfiguration. These hosts should be evaluated to determine why they are not updating their malware signatures.
Using a tracker, detect when a source endpoint whose src_category indicates an endpoint operating system interacts with a share on another endpoint operating system; such endpoint-to-endpoint share access suggests lateral movement.
Detection of more than 10 attempts from the same src to authenticate to multiple accounts using a short list of passwords.
Event Data Sources

DS005WebProxyRequest-ET01RequestedWebAppAware

DS010NetworkCommunication-ET01TrafficAppAware

DS001Mail-ET03Send

DS001Mail-ET03Send

Any Host Logs

DS007AuditTrail-ET01Clear

DS003Authentication-ET01Success

DS003Authentication-ET01Success

DS003Authentication-ET01Success

DS010NetworkCommunication-ET01TrafficAppAware

DS003Authentication-ET01Success

DS008HRMasterData-ET02SeperationNotice

DS006UserActivity-ET04Update
DS003Authentication-ET01Success
DS003Authentication-ET02Failure

DS003Authentication-ET01Success

DS003Authentication-ET01Success

DS003Authentication-ET01Success

DS004EndPointAntiMalware

DS017PhysicalSecurity
DS003Authentication-ET01Success

DS003Authentication-ET02Failure

DS003Authentication-ET01Success

DS008HRMasterData

DS010NetworkCommunication-ET01Traffic

DS012NetworkIntrusionDetection-ET01SigDetection

DS010NetworkCommunication-ET01Traffic

DS010NetworkCommunication-ET01Traffic
DS001Mail-ET02Receive

DS002DNS-ET01Query

DS002DNS-ET01QueryResponse

DS002DNS-ET01QueryRequest

DS005WebProxyRequest

DS010NetworkCommunication-ET01Traffic

DS004EndPointAntiMalware-ET01SigDetected

DS004EndPointAntiMalware-ET01SigDetected

DS004EndPointAntiMalware-ET01SigDetected

DS004EndPointAntiMalware-ET01SigDetected

DS004EndPointAntiMalware-ET01SigDetected

DS004EndPointAntiMalware-ET01SigDetected

DS009EndPointIntel-ET01ProcessLaunch

DS003Authentication-ET02Failure

DS003Authentication-ET02Failure
DS003Authentication-ET01Success

DS003Authentication-ET02Failure
DS003Authentication-ET01Success

DS003Authentication-ET02Failure

DS012NetworkIntrusionDetection

DS006UserActivity-ET07ExecuteAs

DS006UserActivity-ET07ExecuteAs

DS006UserActivity-ET07ExecuteAs

DS003Authentication-ET01Success
DS010NetworkCommunication-ET01TrafficAppAware

DS003Authentication-ET01Success

DS003Authentication-ET01Success

DS003Authentication-ET01Success
DS003Authentication-ET01Success

DS007AuditTrail-ET03TimeSync

DS005WebProxyRequest-ET01Requested

DS002DNS-ET01Query

DS010NetworkCommunication-ET01Traffic

DS017PhysicalSecurity

DS003Authentication-ET01Success

DS003Authentication-ET02Failure

DS012NetworkIntrusionDetection-ET01SigDetection

DS005WebProxyRequest

DS005WebProxyRequest

Other

DS001Mail-ET02Receive

DS004EndPointAntiMalware-ET01SigDetected
DS003Authentication-ET01Success

DS002DNS-ET01QueryRequest

DS004EndPointAntiMalware-ET01SigDetected
DS012NetworkIntrusionDetection-ET01SigDetection

DS011MalwareDetonation-ET01Detection

DS002DNS-ET01Query

DS001Mail-ET02Receive

DS014WebServer-ET01Access

DS003Authentication-ET01Success

DS006UserActivity-ET06Search

DS002DNS-ET01QueryRequest

DS005WebProxyRequest-ET01Requested

DS010NetworkCommunication-ET01Traffic

DS010NetworkCommunication-ET01Traffic
DS013TicketManagement-ET01

DS014WebServer-ET01Access

DS010NetworkCommunication-ET01TrafficAppAware

DS004EndPointAntiMalware-ET02UpdatedSig

DS003Authentication-ET01Success

DS002DNS-ET01Query

DS003Authentication-ET01Success

DS010NetworkCommunication-ET01Traffic

DS020HostIntrustionDetection-ET01SigDetected

DS010NetworkCommunication-ET01Traffic
DS020HostIntrustionDetection-ET01SigDetected

DS003Authentication-ET01Success

DS003Authentication-ET01Success

DS014WebServer-ET01Access

DS004EndPointAntiMalware-ET01SigDetected

DS012NetworkIntrusionDetection-ET01SigDetection

DS020HostIntrustionDetection-ET01SigDetected
DS003Authentication-ET01Success

DS005WebProxyRequest-ET01Requested

DS014WebServer-ET01Access

DS014WebServer-ET01Access

Windows Security

DS003Authentication

DS010NetworkCommunication-ET01Traffic

DS012NetworkIntrusionDetection

DS020HostIntrustionDetection

DS014WebServer-ET01Access
DS026WebApplicationFW

DS006UserActivity-ET04Update

DS003Authentication-ET01Success

DS003Authentication-ET01Success

DS003Authentication-ET02FailureBadFactor
DS003Authentication-ET01Success

DS003Authentication-ET02FailureBadFactor
DS007AuditTrail
DS003Authentication-ET01Success

DS010NetworkCommunication

DS004EndPointAntiMalware-ET01SigDetected

Windows Security

Windows Security
Data Source (Category) Indicator Component of Threats Threat Types
·      Malicious AD Activity ·      Lateral Movement ·      Data Exfiltration by Compromised Account
·      Multiple Login Errors ·      Insider Threat ·      Data Exfiltration by Suspicious User or Device
·      Multiple Logins ·      Remote Account Takeover ·      Generic Data Exfiltration
·      Period with Unusual AD Activity Sequences ·      Remote Account Takeover
·      Suspicious Account Lockout
Windows Authentication Data ·      Suspicious Network Exploration
·      Suspicious Privilege Escalation
·      Unusual Activity Time
·      Unusual Windows Security Event
·      Unusual Machine Access
·      Unusual Network Activity
·      Blacklisted IP Address ·      Lateral Movement ·      Data Exfiltration by Compromised Account
·      Excessive Data Transmission ·      Remote Account Takeover ·      Generic Data Exfiltration
·      Land Speed Violation
·      Multiple Login Errors
·      Multiple Logins
·      Multiple Outgoing Connections
VPN Data
·      Unusual Activity Time
·      Unusual Windows Security Event
·      Unusual Geolocation of Communication Destination
·      Unusual Network Activity
·      Unusual VPN Login Geolocation
·      Unusually Long VPN Session
·      Blacklisted Application ·      Botnet Command & Control ·      Data Exfiltration by Malware
·      Blacklisted Domain ·      Malware Activity ·      Generic Data Exfiltration
·      Blacklisted IP Address ·      Unusual Data/Share Access ·      Insider Threat
·      Domain Name Anomaly ·      User Rules Based on User
·      Excessive Data Transmission
·      Exploit Chain
·      External Alarms
·      Flight Risk User
Outbound Web Logs (Proxy Data) ·      Machine Generated Beacon
·      Multiple Outgoing Connections
·      Possible Phishing Attempt
·      Suspicious Data Movement
·      Suspicious Domain Communication
·      Suspicious Domain Name
·      Suspicious HTTP redirects
·      Suspicious IP Address Communication
·      Unusual Web Browser
·      External Alarms ·      External Website Attack ·      Website Compromised
Inbound Web Logs (Proxy Data) ·      External Website Attack ·      Unusual Website User Activity ·      Compromised Web Server
·      Potential Webshell Activity ·      Web Application Compromise
·      Blacklisted Application ·      Botnet Command & Control ·      Data Exfiltration by Malware
·      Blacklisted Domain ·      Lateral Movement ·      Generic Data Exfiltration
·      Blacklisted IP Address ·      Malware Activity ·      Insider Threat
·      Download from Internal Server ·      Unusual Domain Access for File Sharing
·      Excessive Data Transmission
·      External Alarms
·      Flight Risk User
·      Machine Generated Beacon
·      Malicious IP
Firewall Data
·      Multiple Login Errors
·      Multiple Outgoing Connections
·      Multiple Sessions Denial
·      Network Protocol Violation
·      Scanning Activity
·      Suspicious Data Movement
·      Suspicious Domain Communication
·      Suspicious IP Address Communication
·      Unusual Network Activity
·      Multiple DLP Alarms ·      Unusual Data/Share Access ·      Insider Threat
DLP Data ·      Unusual Email Patterns
·      Unusual Data Transfer
·      External Alarms ·      Unusual Alarms ·      Insider Threat
Endpoint Data ·      Unusual Processes
·      Unusual USB Activity
·      Multiple Logins ·      Remote Account Takeover
·      Multiple Login Errors
·      Unusual Activity Sequence
·      Unusual Activity Time
Cloud Services Data
·      Land Speed Violation

·      Unusual Geolocation of Communication Destination

·      Blacklisted IP Address
IPS/IDS Data ·      External Alarm ·      Adds Supporting Evidence to All Threat Types ·      All Threat

·      Blacklisted Domain ·      Malware Activity ·      Data Exfiltration by Malware


DNS Data ·      Suspicious Domain Name ·      Unusual Data Transfer ·      Generic Data Exfiltration
·      Suspicious Domain Communication
·      Failed Access by Disabled Badge ·      Suspicious Badge Activity
·      Failed Badge Accesses on Multiple Doors
Badge Data ·      Multiple Failed Badge Access Attempts
·      Unusual Badge Reader Access
·      Unusual Time of Badge Access
Security Domain Name

Endpoint Abnormally High Number of Endpoint Changes By User

Network Abnormally High Number of HTTP Method Events By Src

Network Access to In-Scope Resources

Network Access to In-Scope Unencrypted Resources


Access Account Deleted

Access Account logon successful method outside of policy

Identity Activity from Expired User Identity

Access Activity from Expired User Identity - on Category

Access Activity on previously inactive account

Network Allowed Communication from an endpoint with external "risky" category

Audit Anomalous Audit Trail Activity Detected

Endpoint Anomalous New Listening Port

Endpoint Anomalous New Process

Endpoint Anomalous New Service

Identity Asset Ownership Unspecified

Endpoint Attrib.exe used to hide files/directories via commandline


Data Auditing Overview of Data Processing Systems (Glass Table)

Access Authenticated communication from a risky source network

Access Authentication Against a New Domain Controller

Access AWS APIs Called More Often Than Usual Per User

Access AWS Cloud Provisioning Activity from Unusual Country

Access AWS Cloud Provisioning Activity from Unusual IP

Access AWS Instance Created by Unusual User

Access AWS Instance Modified by Unusual User

Access AWS New API Call Per Peer Group

Access AWS New API Call Per User

Access AWS Unusual Amount of Modifications to ACLs

Access Basic Brute Force Detection

Endpoint Basic Malware Outbreak


Network Basic Scanning

Network Basic TOR Traffic Detection

Other Blacklisted Application

Other Blacklisted Domain

Other Blacklisted IP Address

Access Brute Force Access Behavior Detected

Access Brute Force Access Behavior Detected - Against Category

Access Brute Force Access Behavior Detected Over One Day

Access Brute Force Access Behavior Detected Over One Day - Against Category

Endpoint Chained Exploit Followed by Suspicious Events Detected

Access Cleartext Password At Rest Detected

Network Clients Connecting to Multiple DNS Servers

Endpoint Common Filename Launched from New Path


Endpoint Common Ransomware Extensions

Endpoint Common Ransomware Notes

Network Communication outbound to regions without business relationship

Network Communication to an enclave network from a non-enclave network

Network Communication with command and control over HTTP(s)

Network Communication with enclave by default rule

Access Completely Inactive Account

Access Compromised account access testing

Access Compromised account access testing (Critical/Sensitive Resource)

Access Computer Accounts Accessing Network Resources


Endpoint Concentration of Attacker Tools by Filename

Endpoint Concentration of Attacker Tools by SHA1 Hash

Endpoint Concentration of Discovery Tools by Filename

Endpoint Concentration of Discovery Tools by SHA1 Hash

Access Concurrent Login Attempts Detected

Threat Connection to New Domain

Access Default Account Activity Detected

Access Default Account At Rest Detected

Endpoint Deleting Shadow Copies

Access Detect Activity Related to Pass the Hash Attacks

Network Detect attackers scanning for vulnerable JBOSS servers

Access Detect Excessive Account Lockouts From Endpoint


Network Detect Excessive Increase in HTTP Error Codes by Src

Access Detect Excessive User Account Lockouts

Network Detect hosts connecting to dynamic domain providers

Endpoint Detect Journal Clearing

Endpoint Detect Lateral Movement With WMI

Endpoint Detect Log Clearing With wevtutil

Network Detect Long DNS TXT Record Response

Network Detect malicious requests to exploit JBOSS servers

Network Detect New Login Attempts to Routers

Endpoint Detect Newly Seen Public Web Application (Internal)

Endpoint Detect Path Interception via creation of program.exe

Endpoint Detect Prohibited Applications Spawning cmd.exe


Endpoint Detect Rare Executables

Network Detect Unauthorized Assets by MAC address

Access Detect unauthorized use of remote access technologies

Endpoint Detect USB device insertion

Endpoint Detect Use of cmd.exe to Launch Script Interpreters

Network Detection of DNS Tunnel

Network Detection of DNS Tunnels

Network Detection of new/prohibited web application

Network Detection of prohibited protocol (application)


Network Detection of unauthorized using DNS resolution for WPAD

Network Detection Risky Referral Domains

Endpoint Disabled Update Service

Endpoint Disabling Remote User Account Control

Network DNS Query Length With High Standard Deviation

Network DNS Query Requests Resolved by Unauthorized DNS Servers

Other Domain Name Anomaly

Other Download from Internal Server

Network Email Attachments With Lots Of Spaces

Network Emails from Outside the Organization with Company Domains

Network Emails with Lookalike Domains

Network Endpoint communicating with an excessive number of unique hosts

Network Endpoint communicating with an excessive number of unique ports


Network Endpoint communicating with external service identified on a threat list.

Endpoint Endpoint detected malware infection from URL

Endpoint Endpoint failure to sync time

Endpoint Endpoint Multiple infections over short time

Access Endpoint Uncleaned Malware Detection

Network Exception to Approved Flow for Web Applications

Other Excessive Data Transmission

Network Excessive DNS Failures

Network Excessive DNS Failures

Network Excessive DNS Queries

Access Excessive Failed Logins

Network Excessive HTTP Failure Responses

Network Excessive number of emails sent from internal user


Access Excessive physical access failures to CIP assets

Network Excessive Proxy Denies by Single Host

Audit Expected Host Not Reporting

Access Expected Host Not Reporting - in Category

Other Exploit Chain

Endpoint Extended Period Without Succesful Netbackup Backups

Other External Alarms

Other External Website Attack

Endpoint Fake Windows Processes

Endpoint Familiar Filename Launched with New Path on Host

Access Fast IP Change Between Remote Authentications

Endpoint Find Processes with Renamed Executables

Endpoint Find Unusually Long CLI Commands


Data First Time Accessing an Internal Git Repository

Data First Time Accessing an Internal Git Repository Not Viewed by Peers

Access First Time Logon to New Server

Data First Time USB Usage

Other Flight Risk User

Access Geographically Improbable Access Detected

Access Geographically Improbable Access Detected against Category

Data Healthcare Worker Opening More Patient Records Than Usual

Endpoint High Number of Hosts Not Updating Malware Signatures

Endpoint High Number Of Infected Hosts

Network High Number of Newly Seen Connections to Internal Hosts

Endpoint High Or Critical Priority Host With Malware Detected

Access High or Critical Priority Individual Logging into Infected Machine

Endpoint High Process Count

Identity High Volume Email Activity to Non-corporate Domains by User


Network High Volume of Traffic from High or Critical Host Observed

Endpoint Host Sending Excessive Email

Endpoint Host With A Recurring Malware Infection

Endpoint Host With High Number Of Listening ports

Endpoint Host With High Number Of Services

Endpoint Host With Multiple Infections

Endpoint Host With Old Infection Or Potential Re-Infection

Network Hosts Sending To More Destinations Than Normal

Endpoint Hosts Where Security Sources Go Quiet

Endpoint Hosts with Varied and Future Timestamps

Network HTTP Brute Force Activity Detected

Access Identify New User Accounts

Audit Identify users of Cloud Services that may not be approved

Access In-Scope Device with Outdated Anti-Malware Found


Access In-Scope System with Windows Update Disabled

Access Inactive Account Activity Detected

Access Increase in # of Hosts Logged into

Data Increase in Pages Printed

Data Increase in Source Code (Git) Downloads

Access Increase in Windows Privilege Escalations

Access Increase Risk Score of Employees before Adverse Separation

Access Insecure Or Cleartext Authentication Detected

Data Investigate GDPR Breaches Using ES

Other Land Speed Violation

Network Large Volume of DNS ANY Queries

Network Large Web Upload

Other Machine Generated Beacon

Other Malicious AD Activity


Endpoint Malicious Command Line Executions

Other Malicious Domain

Endpoint Malicious PowerShell Process - Connect To Internet With Hidden Window

Endpoint Malicious PowerShell Process - Encoded Command

Endpoint Malicious PowerShell Process - Multiple Suspicious Command Line Arguments

Endpoint Malicious PowerShell Process With Obfuscation Techniques

Endpoint Malware detected compliance asset

Endpoint Malware signature not updated by SLA for compliance asset

Endpoint Monitor AutoRun Registry Keys

Audit Monitor change for high value groups

Network Monitor DNS For Brand Abuse

Network Monitor Email For Brand Abuse


Operations Monitor Execution of Triage Activtity

Endpoint Monitor Registry Keys for Print Monitors

Access Monitor Secondary Accounts after Primary Disabled

Operations Monitor Successful Backups

Operations Monitor Successful Windows Updates

Operations Monitor Unsuccessful Backups

Operations Monitor Unsuccessful Windows Updates

Network Monitor Web Traffic For Brand Abuse

Other Multiple DLP Alarms

Endpoint Multiple Infections on Host

Other Multiple Login Errors

Other Multiple Logins


Other Multiple Outgoing Connections

Endpoint Multiple Primary Functions Detected

Other Multiple Sessions Denial

Access Network authentication using password auth

Endpoint Network Change Detected

Network Network Device Rebooted

Network Network Intrusion - New Signatures

Network Network Intrusion Detected

Network Network Intrusion Event Detected on Malware Infected Host

Network Network Intrusion Internal Network

Network Network Malware Detection

Access New AD Domain Detected

Data New Application Accessing Salesforce.com API

Access New Connection to In-Scope Device


Data New High Risk Event Types for Salesforce.com User

Access New Interactive Logon from a Service Account

Endpoint New Local Admin Account

Access New Logon Type for User

Endpoint New malware detected by signature

Endpoint New Parent Process for cmd.exe or regedit.exe

Network New Rule allowing Traffic to or from Protected Network

Access New RunAs Host / Privileged Account Combination

Endpoint New Service Paths for Host

Endpoint New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch

Endpoint New Suspicious Executable Launch for User

Data New Tables Queried by Salesforce.com Peer Group


Data New Tables Queried by Salesforce.com User

Endpoint New User Account Created On Multiple Hosts

Access Newly Seen Authentication Behavior from VIP or Executive User

Network Newly Seen File Successfully Executed by Web Application

Endpoint Newly Seen Scheduled Task Detected by Host

Endpoint No Windows Updates in Timeframe

Access Non-CIP user attempts to access CIP asset

Access Old Passwords in Use

Network Open Redirect in Splunk Web

Endpoint Outbreak Detected

Endpoint Outdated Malware Definitions

Endpoint Overwriting Accessibility Binaries

Other Period with Unusual AD Activity Sequences


Audit Personally Identifiable Information Detected

Other Possible Phishing Attempt

Audit Potential Gap in Data

Other Potential Webshell Activity

Access Privileged Identity accessing New or Rare Sensitive Resource

Access Privileged User Accessing More Systems than Usual

Endpoint Processes with High Entropy Names

Endpoint Processes with Lookalike (typo) Filenames

Network Prohibited Network Traffic Allowed

Network Prohibited Port Activity Detected

Endpoint Prohibited Process Detected

Endpoint Prohibited Service Detected


Endpoint Prohibited Software On Endpoint

Network Protocol or Port Mismatch

Network Protocols passing authentication in cleartext

Access Public S3 Bucket in AWS

Endpoint Ransomware Extensions

Endpoint Ransomware Note Files

Endpoint Ransomware Vulnerabilities

Endpoint Recurring Infection on Host

Endpoint Reg.exe used to hide files/directories via registry keys

Endpoint Registry Keys for Creating SHIM Databases

Endpoint Registry Keys Used For Persistence

Endpoint Registry Keys Used For Privilege Escalation


Network Remote Desktop Network Traffic

Endpoint Remote Desktop Process Running On System

Endpoint Remote PowerShell Launches

Endpoint Remote Process Instantiation via WMI

Endpoint Remote WMI Command Attempt

Access Reset of password other than by self for privileged user

Endpoint RunDLL Loading DLL By Ordinal

Threat Same Error On Many Servers Detected

Endpoint Sc.exe Manipulating Windows Services

Endpoint Scheduled tasks used in BadRabbit ransomware

Endpoint Schtasks scheduling job on remote system

Endpoint Schtasks used for forcing a reboot


Network Server generating email outside of approved usage

Endpoint Service Account Starting Unexpected Processes

Endpoint Shim Database File Creation

Endpoint Shim Database Installation With Suspicious Parameters

Endpoint Short Lived Admin Accounts

Access Short-lived Account Detected

Access Significant Increase in Interactive Logons

Access Significant Increase in Interactively Logged On Users

Access Slow/Controlled Password Guessing Detected

Network SMB Traffic Allowed

Network SMB Traffic Spike

Network Sources Sending a High Volume of DNS Traffic


Network Sources Sending Many DNS Requests

Data Spike in Downloaded Documents Per User from Salesforce.com

Data Spike in Exported Records from Salesforce.com

Endpoint Spike in File Writes

Network Spike in Password Reset Emails

Network Spike in SMB Traffic

Network SQL Injection with Long URLs

Endpoint SSH Authentication using unknown key

Network SSH v1 detected

Network Substantial Increase In Events

Network Substantial Increase In Port Activity

Access Successful Login of Account for Former Employee

Other Suspicious Account Activity


Other Suspicious Data Movement

Other Suspicious Domain Communication

Other Suspicious Domain Name

Network Suspicious Email Attachment Extensions

Other Suspicious HTTP redirects

Other Suspicious IP Address Communication

Other Suspicious Network Exploration

Endpoint Suspicious Reg.exe Process

Endpoint Suspicious wevtutil Usage

Endpoint System modification to insecure state

Endpoint System Processes Run From Unexpected Locations


Threat Threat Activity Detected

Network TOR Traffic

Access Unauthorized access SSO brute force

Access Unauthorized Connection Through Firewall

Endpoint Uncommon Processes On Endpoint

Network Unroutable Activity Detected

Endpoint Unsuccessful Netbackup backups

Audit Untriaged Notable Events

Other Unusual Activity Sequence

Other Unusual Activity Time

Other Unusual AD Event


Access Unusual AWS Regions

Other Unusual Geolocation of Communication Destination

Other Unusual Machine Access

Other Unusual Network Activity

Other Unusual Processes

Other Unusual USB Activity

Network Unusual Volume of Network Activity

Other Unusual VPN Login Geolocation

Other Unusual Web Browser

Endpoint Unusually Long Command Line

Network Unusually Long Content-Type Length

Other Unusually Long VPN Session


Access User account cross enclave access

Access User account sharing detection by source device ownership

Access User authenticated to routine business systems while on extended absense

Access User Has Access to In-Scope Splunk Indexes They Should Not

Access User Logged into In-Scope System They Should Not Have

Network User with Increase in Outgoing Email

Endpoint USN Journal Deletion

Operations Validate Execution of Platform Vulnerability Scan

Network Vulnerability Scanner Detected (by events)

Network Vulnerability Scanner Detected (by targets)

Network WAF Logs Show Unexpected Source IP


Threat Watchlisted Event Observed

Endpoint Web Servers Executing Suspicious Processes

Identity Web Uploads to Non-corporate Sites by Users

Endpoint Windows Event Log Cleared

Endpoint Windows Event Log Clearing Events

Endpoint Windows hosts file modification

Endpoint Windows security event log purged


Description
Detects an abnormally high number of endpoint changes by user account, as they
relate to restarts, audits, filesystem, user, and registry modifications.
Alerts when a host has an abnormally high number of HTTP requests by http
method.
Visibility into who is accessing in-scope resources is key to your GDPR efforts.
Splunk allows easy analysis of that information.
Unencrypted communications leave you vulnerable to a data breach: when users
access PII data, ensure that all connections are encrypted.
Detects user and computer account deletion
Logon event properties can indicate account misuse or compromise. Compare the
identified purpose of the account with the context of the logon to determine
whether the logon was authorized.
Alerts when an event is discovered from a user associated with identity that is now
expired (that is, the end date of the identity has been passed).
The GDPR requires that only authorized individuals access personal data. Alert
when the account of a past employee is used to log into GDPR-tagged systems.
Excluding computer accounts in active directory, an account with new activity that
has not been active in the previous thirty days is suspicious.

Detect when an endpoint is permitted external access by the web proxy to a site
whose category is known to indicate high risk. The category list should not
include undesirable but frequent categories such as social media, pornography,
time wasting, or advertising.
Discovers anomalous activity such as the deletion of or clearing of log files.
Attackers oftentimes clear the log files in order to hide their actions, therefore, this
may indicate that the system has been compromised.

Alerts when a number of hosts begin listening on a new port within 24 hours. This
may be an indication that the devices have been compromised or have had new (and
potentially vulnerable) software installed.

Alerts when an anomalous number of hosts are detected with a new process.

Alerts when an anomalous number of hosts are detected with a new service.
Alerts when there are assets that define a specific priority and category but do not
have an assigned owner.

Attackers leverage a built-in Windows binary, attrib.exe, to mark specific files as
hidden by using specific flags (+h) so that the victim does not see the file. The
search looks for specific command line arguments to detect the use of attrib.exe to
hide files.
Understand and monitor the compliance of API and user connections to systems
with sensitive data for GDPR Compliance.
An Internet facing authentication system has allowed authenticated access from a
risky source network.
A common indicator for lateral movement is when a user starts logging into new
domain controllers. Alert Volume: Medium

Builds a per-user baseline for how many API calls are normal, and then alerts on
deviations.

Looks for AWS Provisioning activities that occur from new IPs, using GeoIP to
resolve the Country.

Looks for AWS Provisioning activities that occur from new IPs (for organizations with
strict IP controls).

Detects the first time a user creates a new instance.

Detects the first time a user modifies an existing instance.

Looks for users that are using AWS APIs that neither they, nor their team has ever
used before.

Looks for users that are using AWS APIs that they've never used before.

Looks for a large number of Security Group ACL changes in a short period of time
for a user.

Uses a simple threshold for Windows Security Logs to alert if there are a large
number of failed logins, and at least one successful login from the same source.
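The "failed logins followed by at least one success from the same source" rule above is easy to state but worth seeing run over events. The following is an added example written for this page, not the ES correlation search itself: it groups constructed Windows Security events (EventCode 4625 = failed logon, 4624 = successful logon) by source address and raises a finding when a success is preceded, inside a time window, by at least a threshold number of failures. Thresholds, the window and the sample events are all assumptions.

```python
"""Brute-force-then-success check over Windows Security events.

Added illustration of the logic described above; not the ES correlation
search itself. The events below are constructed, not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, EventCode, source IP, target user).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2018-07-26T10:00:01", 4625, "10.1.1.50", "alice"),
    ("2018-07-26T10:00:03", 4625, "10.1.1.50", "alice"),
    ("2018-07-26T10:00:05", 4625, "10.1.1.50", "alice"),
    ("2018-07-26T10:00:07", 4625, "10.1.1.50", "alice"),
    ("2018-07-26T10:00:09", 4625, "10.1.1.50", "alice"),
    ("2018-07-26T10:00:11", 4625, "10.1.1.50", "alice"),
    ("2018-07-26T10:00:14", 4624, "10.1.1.50", "alice"),   # success after 6 failures
    ("2018-07-26T10:05:00", 4625, "10.1.1.60", "bob"),
    ("2018-07-26T10:05:20", 4625, "10.1.1.60", "bob"),
    ("2018-07-26T10:05:40", 4624, "10.1.1.60", "bob"),     # two typos then success: below threshold
    ("2018-07-26T10:10:00", 4625, "10.1.1.70", "carol"),
    ("2018-07-26T10:10:02", 4625, "10.1.1.70", "carol"),
    ("2018-07-26T10:10:04", 4625, "10.1.1.70", "carol"),
    ("2018-07-26T10:10:06", 4625, "10.1.1.70", "carol"),
    ("2018-07-26T10:10:08", 4625, "10.1.1.70", "carol"),
    ("2018-07-26T10:10:10", 4625, "10.1.1.70", "carol"),   # failures only: no success, no finding here
]


def detect_brute_force(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return one finding per successful logon that was preceded, within
    `window`, by at least `fail_threshold` failed logons from the same source.
    Threshold and window are assumed values, tune them per environment."""
    by_src = defaultdict(list)
    for ts, code, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), code, user))

    findings = []
    for src, evs in by_src.items():
        evs.sort()                      # chronological order within each source
        failures = []                   # timestamps of failed logons seen so far
        for ts, code, user in evs:
            if code == 4625:
                failures.append(ts)
            elif code == 4624:
                recent = [t for t in failures if ts - t <= window]
                if len(recent) >= fail_threshold:
                    findings.append({
                        "src": src,
                        "user": user,
                        "failures": len(recent),
                        "first_failure": recent[0].isoformat(),
                        "success_at": ts.isoformat(),
                    })
                failures = []           # a success closes the current attempt
    return findings


if __name__ == "__main__":
    for finding in detect_brute_force(SAMPLE_EVENTS):
        print(finding)
```

Only 10.1.1.50 produces a finding. 10.1.1.70 never succeeds, so it is a case for the separate "Excessive Failed Logins" rule rather than this one, and grouping by source means a password spray spread over many sources (one or two failures each) slips under this threshold; a companion count of distinct users per source covers that gap.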
Looks for the same malware occurring on multiple systems in a short period of
time.
Looks for hosts that reach out to more than 500 hosts, or more than 500 ports in a
short period of time, indicating scanning.
The anonymity of TOR makes it the perfect place to hide C&C, exfiltration, or
ransomware payment via bitcoin. This example looks for ransomware activity based
on FW logs. Alert Volume: Low

Blacklisted Application

Blacklisted Domain

Blacklisted IP Address
Detects excessive number of failed login attempts along with a successful attempt
(this could indicate a successful brute force attack)
Monitor your security controls and prove your GDPR compliance by detecting brute
force (or password guessing) attacks on GDPR-tagged systems.

Detects an excessive number of failed login attempts, along with a successful
attempt, over a one day period (this could indicate a successful brute force attack)

Monitor your security controls and prove your GDPR compliance by detecting slow
and low brute force (or password guessing) attacks on GDPR-tagged systems that
occur gradually over the day.

Using host and network IDS event categories, detect events with a category of
'backdoor' or 'trojan' followed by a signature categorized as 'post exploit' on a
given host or network within a given time period.

Detects cleartext passwords being stored at rest (such as in the Unix passwd file).
This search allows you to identify the endpoints that have connected to more than
five DNS servers over the timeframe of the search.

Simpler malware will hide in plain sight with a filename like explorer.exe, running in
the user profile. This detection will look for new paths, for common / expected
executables. (MITRE CAR Reference: https://car.mitre.org/wiki/CAR-2013-05-002)
Alert Volume: Very Low (for most companies)
The search looks for file modifications with extensions commonly used by
Ransomware

The search looks for files created with a name that matches one of those typically
used for the 'note' file left behind instructing the victim how to get their data back.
Outbound communication with servers hosted in regions where the organization
does not expect to have employees, customers, or suppliers.

Communication to an enclave network should only occur from another enclave
network or sanitizing servers such as proxy or jump systems.

Detect communication with a command and control system from a compromised
endpoint by identifying traffic allowed by the forward proxy to unknown or
uncategorized sites where the endpoint communicates in at least 15 of the last 60
minutes (bins) and the destination is not on a noise suppression white list, the Alexa
top 1M, or an advertising domains list.

Communication from an enclave network may indicate a misconfiguration that
could weaken the security posture of the organization, or an actual or attempted
compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider
ingress communication allowed by the default rule, and egress communication
allowed or blocked.
Discovers accounts that are no longer used. Unused accounts should be disabled
and are oftentimes used by attackers to gain unauthorized access.

Following a successful authentication, an attacker will attempt to determine what
resources may be accessed without causing host intrusion or DLP technologies to
detect activity. Commonly the attacker will enumerate and browse to shares, access
email, access web applications, or connect to databases yet perform minimal or no
activity.

Following a successful authentication, an attacker will attempt to determine what
resources may be accessed without causing host intrusion or DLP technologies to
detect activity. Commonly the attacker will enumerate and browse to shares, access
email, access web applications, or connect to databases yet perform minimal or no
activity. Critical and sensitive systems would typically not log access denied events
during routine use, so such events on them deserve attention.

Batch, Windows Services, App Pools, and specially constructed Windows shells can
access network resources. A small number of technical solutions will require this
type of behavior, however, after excluding a white list of hosts or shares (such as
sysvol or netlogon), such access attempts (success or fail) could indicate the
presence of malware or attempts to elevate access.
It's uncommon to see attacker tools used in rapid succession on an endpoint. This
search will identify tools by filename, and look for multiple executions. (MITRE CAR
Reference: https://car.mitre.org/wiki/CAR-2013-04-002) Alert Volume: Low

It's uncommon to see attacker tools used in rapid succession on an endpoint. This
search will identify tools by file hash, and look for multiple executions. (MITRE CAR
Reference: https://car.mitre.org/wiki/CAR-2013-04-002) Alert Volume: Low

It's uncommon to see many host discovery tools launched on an endpoint, except in
very specific situations. This search will identify tools by filename, and look for
many launches. (MITRE CAR Reference: https://car.mitre.org/wiki/CAR-2016-03-001)
Alert Volume: Low (unless your company specifically does this)

It's uncommon to see many discovery tools launched on an endpoint, except in
specific situations. This search will identify tools by file hash, and look for several in
quick succession. (MITRE CAR Reference: https://car.mitre.org/wiki/CAR-2016-03-001)
Alert Volume: Low (unless your company specifically does this)

Alerts on concurrent access attempts to an app from different hosts. These are good
indicators of shared passwords and potential misuse.

Detects when users browse to domains never before seen in your organization.

Discovers use of default accounts (such as admin, administrator, etc.). Default
accounts have default passwords and are therefore commonly targeted by attackers
using brute force attack tools.

Discovers the presence of default accounts even if they are not being used. Default
accounts should be disabled in order to prevent an attacker from using them to gain
unauthorized access to remote hosts.

The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service,
and wmic.exe is a command-line interface to Windows Management Instrumentation.
This search looks for either of these tools being used to delete shadow copies.

This search looks for specific authentication events from the Windows Security
Event logs to detect potential attempts at using the Pass-the-Hash technique.
This search looks for specific GET/HEAD requests to web servers that are indicative
of reconnaissance attempts to identify vulnerable JBOSS servers. JexBoss is
described as the exploit tool of choice for this malicious activity.
This search identifies endpoints that have caused a relatively high number of
account lockouts in a short period of time.
High numbers of http error codes likely indicate a problem with the web application
or server, or can be an indicator of malicious action.
This search detects accounts that have been locked out a relatively high number of
times in a short period of time.

Malicious actors often abuse legitimate Dynamic DNS services to host malicious
payloads or interactive command and control nodes. Attackers will automate
domain resolution changes by routing dynamic domains to countless IP addresses
to circumvent firewall blocks and blacklists, as well as to frustrate a network
defender's analytic and investigative processes. This search will look for DNS
queries made from within your infrastructure to suspicious dynamic domains.

This use case looks for the fsutil process clearing the update sequence number
(USN) change journal. Alert Volume: Low

This use case looks for WMI being used for lateral movement. Alert Volume: Low

This use case looks for the wevtutil process clearing the Windows audit logs.
Alert Volume: Low

This search is used to detect attempts to use DNS tunneling, by calculating the
length of responses to DNS TXT queries. Endpoints using DNS as a method of
transmission for data exfiltration, command and control, or evasion of security
controls can often be detected by noting unusually large volumes of DNS traffic.

This search is used to detect malicious HTTP requests crafted to exploit jmx-console
in JBOSS servers. The malicious requests have a long URL length, as the payload is
embedded in the URL.

The search queries the authentication logs for assets that are categorized as routers
in the ES Assets and Identity Framework, to identify connections that have not been
seen before in the last 30 days.

Internal web applications often contain sensitive information and should be
controlled. Multiple technologies can be used to detect rogue web applications,
including Imperva WAF and/or Splunk App for Stream. Use one of these
technologies to detect web applications in the environment that have not been
seen internally before.
The search looks for the creation of the file C:\program.exe. Creating this file in the
root of C:\ is a path interception technique: when a service or scheduled task has an
unquoted image path such as C:\Program Files\Vendor App\svc.exe, Windows tries
C:\Program.exe first, so an attacker who can write to C:\ gets their binary run in that
service's context.
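To make the "Detect Path Interception via creation of program.exe" rationale concrete, the following added example (written for this page, not part of ES) enumerates the executables Windows will try, in order, for an unquoted image path containing spaces, following the documented CreateProcess behaviour of splitting at each space and appending .exe where no extension is present. It then checks a newly created file path against those drop points for a set of configured service image paths. The service paths are made up; `ntpath` is used so the Windows path rules apply on any host.

```python
"""Path interception candidates for unquoted Windows image paths.

Added example illustrating why a file created at C:\\program.exe matters.
Not the ES correlation search. Service paths below are constructed."""
import ntpath


def interception_candidates(image_path):
    """Executables Windows may try, in order, for an unquoted image path.

    A quoted path yields only itself. For an unquoted path the prefix up to
    each space is tried first, with .exe appended when that prefix carries no
    extension, which is the CreateProcess rule that path interception abuses."""
    if image_path.startswith('"'):
        return [image_path.strip('"')]
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:      # no extension: Windows appends .exe
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def attacker_drop_points(image_path):
    """Every candidate except the real binary: the files an attacker could plant."""
    return interception_candidates(image_path)[:-1]


def is_interception_drop(created_path, service_image_paths):
    """True when a newly created file is a drop point for any known service path.

    Comparison is case-insensitive with slashes normalised, as NTFS paths are."""
    created = ntpath.normcase(created_path)
    return any(created == ntpath.normcase(candidate)
               for path in service_image_paths
               for candidate in attacker_drop_points(path))


# Constructed service image paths as an ImagePath audit might list them.
SAMPLE_SERVICE_PATHS = [
    r"C:\Program Files\Vendor App\svc.exe",            # unquoted: interceptable
    r'"C:\Program Files\Other Vendor\agent.exe" -run', # quoted: safe
]

if __name__ == "__main__":
    for path in SAMPLE_SERVICE_PATHS:
        print(path, "->", attacker_drop_points(path))
    print(is_interception_drop(r"c:\program.exe", SAMPLE_SERVICE_PATHS))
```

Quoting the image path (`"C:\Program Files\Vendor App\svc.exe"`) removes every drop point, which is the fix on the configuration side; the detection in the text watches for the first and most generic drop point, C:\program.exe, since it hijacks every unquoted path under C:\Program Files at once.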
This search looks for executions of cmd.exe spawned by a process that is often
abused by attackers and does not typically launch cmd.exe.
This search will create a table of statistically rare processes and the number of
distinct hosts running them. The macro filter_process_whitelist can be used to filter
out known, benign, process names that do not execute very often.

By populating the organization's assets within assets_by_str.csv, we will be able
to detect unauthorized devices that are trying to connect with the organization's
network by inspecting DHCP request packets, which are issued by devices when
they attempt to obtain an IP address from the DHCP server. The MAC address
associated with the source of the DHCP request is checked against the list of known
devices, and reports on those that are not found.

Identify users gaining access via an unapproved or unknown access control. This
could indicate malicious activity or an internal control failure.

The search is used to detect hosts that generate Windows Event ID 4663 for
successful attempts to write to or read from removable storage, and Event ID 4656
for failures, which occur when a USB drive is plugged in. In this scenario we are
querying the Change_Analysis data model to look for Windows Event ID 4656 or
4663 where the priority of the affected host is marked as high in the ES Assets and
Identity Framework.

This search looks for the execution of cscript.exe or wscript.exe with a parent of
cmd.exe. The search will return the full command lines for these executions, as well
as the target system, sorted by time.

Endpoint utilizing DNS as a method of transmission for data exfiltration, command
and control, or evasion of security controls. Detected by large total size of DNS
traffic OR large number of unique queries.

This search is used to detect DNS tunneling, by calculating the sum of the length of
DNS queries and DNS answers. The search also filters out potential false positives by
filtering out queries made to internal systems and the queries originating from
internal DNS, Web, and Email servers. Endpoints using DNS as a method of
transmission for data exfiltration, command and control, or evasion of security
controls can often be detected by noting an unusually large volume of DNS traffic.

Prohibited web applications such as file sharing platforms (e.g. Box, Dropbox) and
games can be detected, and filtered, by modern web proxy solutions and next
generation firewalls. Existing exceptions, or new application instances, should be
reviewed to ensure appropriate usage.

Prohibited protocols such as IRC, FTP, or Gopher could indicate malicious activity on
insecure systems located on the network. Consider Intra-network communication,
and organization accepted communications from the Internet.
Detection of an endpoint using DNS for proxy auto-discovery (WPAD) by querying for
wpad.registrationdomain. Search for NXDOMAIN replies to A/AAAA queries for
wpad (bare host) and wpad.* where the domain portion is not a company-owned
domain.
Maintain a tracking list of public domain suffixes and the data source in which each
was "seen", keyed by the epoch time of the first sighting.
Splunk can detect the status of services, allowing us to find hosts where the
Windows Update service is disabled.
The search looks for modifications to registry keys that control the enforcement of
Windows User Account Control (UAC).

This search allows you to identify DNS requests and compute the standard deviation
on the length of the names being resolved, then filter on two times the standard
deviation to show you those queries that are unusually large for your environment.
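The two DNS tunnelling heuristics described above ("Detection of DNS Tunnels", which sums the length of queries and answers per source after dropping internal DNS, web and mail servers, and "DNS Query Length With High Standard Deviation", which flags names longer than the mean plus two standard deviations) are shown together in the following added example. It is written for this page, not taken from ES; the DNS events, the internal resolver address 10.1.1.10 and the exclusion list are constructed assumptions.

```python
"""Two DNS-tunnel heuristics over constructed DNS events.

Added illustration of the descriptions above; not the ES searches themselves.
(1) query-name length versus mean + k * population stdev,
(2) total query + answer bytes per source, excluding the internal resolver."""
import statistics
from collections import defaultdict

# Assumption: the organization's own resolvers, whose volume is legitimately high.
INTERNAL_DNS_SERVERS = {"10.1.1.10"}

# Constructed sample events (not real traffic): source, query name, answer text.
SAMPLE_DNS = [
    {"src": "10.1.1.20", "query": "www.example.com",    "answer": "93.184.216.34"},
    {"src": "10.1.1.20", "query": "mail.example.com",   "answer": "93.184.216.34"},
    {"src": "10.1.1.20", "query": "login.example.com",  "answer": "93.184.216.34"},
    {"src": "10.1.1.20", "query": "cdn.example.net",    "answer": "93.184.216.34"},
    {"src": "10.1.1.20", "query": "api.example.org",    "answer": "93.184.216.34"},
    {"src": "10.1.1.21", "query": "ocsp.digicert.com",  "answer": "93.184.216.34"},
    {"src": "10.1.1.21", "query": "time.windows.com",   "answer": "93.184.216.34"},
    {"src": "10.1.1.21", "query": "www.google.com",     "answer": "93.184.216.34"},
    {"src": "10.1.1.21", "query": "update.vendor.com",  "answer": "93.184.216.34"},
    {"src": "10.1.1.21", "query": "static.example.com", "answer": "93.184.216.34"},
    # the internal resolver forwards everyone's queries, so it is excluded below
    {"src": "10.1.1.10", "query": "www.example.com",    "answer": "93.184.216.34"},
    {"src": "10.1.1.10", "query": "www.google.com",     "answer": "93.184.216.34"},
    # hex-encoded data chunks in the leftmost label, the shape of a tunnel
    {"src": "10.1.1.77", "query": "a3f9c2e1b7d4" * 5 + ".t.badexample.net",
     "answer": "0f1e2d3c4b5a" * 5},
    {"src": "10.1.1.77", "query": "0f1e2d3c4b5a" * 5 + ".t.badexample.net",
     "answer": "a3f9c2e1b7d4" * 5},
]


def _client_events(events, exclude=INTERNAL_DNS_SERVERS):
    """Drop events from sources that legitimately generate bulk DNS traffic."""
    return [e for e in events if e["src"] not in exclude]


def long_name_queries(events, k=2.0):
    """Queries whose name length exceeds mean + k * stdev of all client queries."""
    evs = _client_events(events)
    lengths = [len(e["query"]) for e in evs]
    threshold = statistics.mean(lengths) + k * statistics.pstdev(lengths)
    return [e for e in evs if len(e["query"]) > threshold]


def bytes_per_source(events):
    """Sum of query and answer lengths per client source."""
    totals = defaultdict(int)
    for e in _client_events(events):
        totals[e["src"]] += len(e["query"]) + len(e["answer"])
    return dict(totals)


def top_talkers(events, n=1):
    """The n sources carrying the most DNS bytes, highest first."""
    ranked = sorted(bytes_per_source(events).items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    for e in long_name_queries(SAMPLE_DNS):
        print("long query:", e["src"], len(e["query"]), e["query"])
    print("top talker:", top_talkers(SAMPLE_DNS))
```

A caveat that the description does not spell out: the standard deviation is computed from the same data it filters, so a source emitting thousands of tunnel queries inflates the deviation and can hide itself. Computing the baseline from a longer, known-clean period, or per source, avoids that.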
This search will detect DNS requests resolved by unauthorized DNS servers.
Legitimate DNS servers should be identified in the Enterprise Security Assets and
Identity Framework.

Domain Name Anomaly

Download from Internal Server

Attackers often use spaces as a means to obfuscate an attachment's file extension.
This search looks for messages with email attachments that have a large number of
spaces within the filename.

Phishers will often try to send emails where the from address uses your
organization's domain name, e.g., emailing finance from
yourceo@yourcompany.com. Detect that now! Alert Volume: Very Low

Emailing from a domain name that is similar to your own is a common phishing
technique, such as splunk.com receiving an email from spiunk.com. This search will
detect those similar domains. Alert Volume: Very Low
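The two mail checks described above ("Email Attachments With Lots Of Spaces" and "Emails with Lookalike Domains") come down to a space count on the attachment name and a similarity test between the sender's domain and the organization's own. The following added example, written for this page and not taken from ES, runs both over constructed messages. The company domain, the small homoglyph table, the edit-distance limit and the space threshold are assumptions; a production lookalike check would use a full confusables table.

```python
"""Attachment-name padding and lookalike sender-domain checks.

Added example for the two descriptions above; not the ES searches. The
company domain, homoglyph map, thresholds and messages are constructed."""

COMPANY_DOMAINS = {"splunk.com"}          # assumption: the organization's own domains

# Assumption: a tiny homoglyph table for illustration; real tables are far larger.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Lower-case and fold common look-alike character sequences."""
    d = domain.lower().strip(".")
    for lookalike, plain in _HOMOGLYPHS:
        d = d.replace(lookalike, plain)
    return d


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) by the standard DP recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, company_domains=COMPANY_DOMAINS, max_distance=1):
    """Return the company domain the sender domain imitates, or None.

    An exact match is the organization's own domain, not a lookalike."""
    s = sender_domain.lower()
    if s in company_domains:
        return None
    for company in company_domains:
        if normalize(s) == normalize(company) or levenshtein(s, company) <= max_distance:
            return company
    return None


def many_spaces(filename, min_spaces=10):
    """True when the attachment name carries at least min_spaces spaces, the
    trick that shows 'invoice.pdf' in a narrow client while the real extension
    is .exe far to the right."""
    return filename.count(" ") >= min_spaces


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from": "ceo@spiunk.com",   "attachment": "wire-instructions.pdf"},
    {"from": "hr@splunk.com",    "attachment": "handbook.pdf"},
    {"from": "it@sp1unk.com",    "attachment": "invoice.pdf" + " " * 40 + ".exe"},
    {"from": "news@example.org", "attachment": "quarterly report final.docx"},
]


def scan_messages(messages, company_domains=COMPANY_DOMAINS):
    """Return (sender, reasons) for every message that trips either check."""
    findings = []
    for m in messages:
        reasons = []
        domain = m["from"].rpartition("@")[2]
        target = lookalike_of(domain, company_domains)
        if target:
            reasons.append(f"sender domain {domain} looks like {target}")
        if many_spaces(m["attachment"]):
            reasons.append("attachment name padded with spaces")
        if reasons:
            findings.append((m["from"], reasons))
    return findings


if __name__ == "__main__":
    for sender, reasons in scan_messages(SAMPLE_MESSAGES):
        print(sender, reasons)
```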

Endpoints attempting to communicate with an excessive number of unique hosts
over a given time period may indicate malicious code.

Endpoints communicating with an excessive number of unique destination ports
could indicate malicious code probing for vulnerabilities. Certain server applications
will arrange for communication on a high-numbered port with the client, such as FTP
in passive mode and RPC on Windows servers.
The endpoint has attempted (success or fail) to communicate with an external
server identified on a threat list using any protocol. An attempted communication
could indicate activity generated by malicious code.

Endpoint antimalware detection event occurred where the malicious content was
retrieved from an external URL. Possible indication of gaps in protection by web
proxy, intrusion prevention, or advanced threat prevention. Use the information
available for the event and determine how existing prevention controls can be
modified to prevent future infections.
Failure to synchronize time will impact the usefulness of security log data from the
endpoint, and potentially prevent valid authentication.

Multiple infections detected on the same endpoint in a short period of time could
indicate the presence of an undetected loader malware component (APT).
Detect a system with a malware detection that was not properly cleaned, as they
carry a high risk of damage or disclosure of data.

Using web application access logs for assets rated high/critical or carrying the
governance attribute, ensure the source IP address is one of the approved NLB or
WAF devices. If WAF devices are placed in front of NLB devices, ensure the first
"X-Forwarded-For" entry is the address of the WAF.

Excessive Data Transmission

This search identifies DNS query failures by counting the number of DNS responses
that do not indicate success, and trigger on more than 50 occurrences.

Alerts when a host receives many DNS failures in a short span

Alerts when a host starts sending excessive DNS queries

Detects excessive number of failed login attempts (this is likely a brute force attack)

Alerts when a host generates a lot of HTTP failures in a short span of time

Excessive email generation by authorized users could indicate the presence of
malware designed to send spam, or abuse of company resources. An application
owner or admin could also be attempting to solve a business problem outside of
company policy. This use case focuses on email that is generated from endpoint
networks. Operating systems should also be considered, since servers can use user
credentials to send messages; when this is allowed, false positives could be
generated.
A user with continuous physical access failures could be someone searching for a
physical vulnerability within the organization. When this occurs in an area that is
protecting CIP assets, it is something that should be followed up on immediately.

Excessive proxy blocks can be a good indicator of a potential automated beacon or
malware phone home.

Discovers hosts that are no longer reporting events but should be submitting log
events. This rule is used to monitor hosts that you know should be providing a
constant stream of logs, in order to determine why the host has failed to provide log
data.

GDPR requires an audit trail for all activities, which means we should be receiving
events constantly. Find GDPR-tagged systems that are no longer reporting events
but should be.

Exploit Chain
This search returns a list of hosts that have not successfully completed a backup in
over a week.

External Alarms

External Website Attack

This example finds processes normally run from Windows\System32 or
Windows\SysWOW64, running from some other location. This can indicate a
malicious process trying to hide as a legitimate process.
Alert Volume: Low

Processes are typically launched from the same path. When those paths change, it
can be a malicious process masquerading as a valid one, to hide in task manager.
(MITRE CAR Reference: https://car.mitre.org/wiki/CAR-2013-05-004)
Alert Volume: Medium

For employers that allow remote external connectivity, the detection of two or more
distinct values of external source IP address for successful authentications to a
remote access solution in a short period of time indicates a likely compromise of
credentials.

Oftentimes, attackers will execute a temporary file, and rename it to something
innocuous (e.g. svchost.exe) to maintain persistence. This search will look for
renamed executables. (MITRE CAR Reference: https://car.mitre.org/wiki/CAR-2013-05-009)
Alert Volume: Low

Oftentimes we're able to detect malware by looking for unusually long command
line strings.
Alert Volume: Low
Find users who accessed a git repository for the first time.
Alert Volume: High
Find users who accessed a git repository for the first time, where their peer group
also hasn't accessed it before.
Alert Volume: Medium

Find users who logged into a new server for the first time.
Alert Volume: Very High

Find systems the first time they generate Windows Event ID 20001, which for some
customers occurs when a USB drive is plugged in.
Alert Volume: Medium

Flight Risk User

Alerts on access attempts that are improbable based on time and geography.

To ensure you have a GDPR-mandated audit trail with individual accounts for each
person, detect when the same account is logged into twice in a short period of time
but from locations very far away, to a GDPR-tagged system.

If a healthcare worker views more patient records than normal or more than their
peers, it could be a sign that their system is infected, or that they are exfiltrating
patient data.
Alert Volume: Low
Alerts when a high number of hosts not updating malware signatures have been
discovered. These hosts should be evaluated to determine why they are not
updating their malware signatures.

Alerts when a high total number of infected hosts is discovered.

Detect lateral movement by searching for hosts with an unusually high number of
connections to hosts it has never connected to before, within a given time period.

Alerts when an infection is noted on a host with high or critical priority.

Detects users with a high or critical priority logging into a malware infected machine.
Alerts when a host has a high number of processes. This may be due to an infection
or a runaway process.

Alerts on high volume email activity by a user to non-corporate domains.


Alerts when a host of high or critical severity generates a high volume of outbound
traffic. This may indicate that the host has been compromised.

Alerts when a host not designated as an e-mail server sends excessive e-mail to
one or more target hosts.
Alerts when a host has an infection that has been removed and then re-infected
multiple times over multiple days.

Alerts when a host has a high number of listening services. This may be an indication
that the device is running services that are not necessary (such as a default
installation of a server) or is not running a firewall.

Alerts when a host has a high number of services. This may be an indication that the
device is running services that are not necessary (such as a default installation of a
server).

Alerts when a host with multiple infections is discovered.

Alerts when a host with an old infection is discovered (likely a re-infection).

This will typically detect scanning activity, along with lateral movement activity.
Alert Volume: Low
A frequent concern of SOCs is that their data feeds will disappear. This search will
look on a host-by-host basis for when your security sources stop reporting home.
Alert Volume: Medium
One technique for foiling correlation searches is to alter the system time. This
search will detect this scenario.
Alert Volume: Low (and should be fixed)

Detects an excessive number of HTTP status codes indicating error (400/500 series),
followed by an HTTP status of 200, by src and uri. This can be a strong indicator of
unauthorized access or an attempt to execute malicious commands.

This detection search will help profile user accounts in your environment by
identifying newly created accounts that have been added to your network in the
past week.

Utilize email logs to identify users being welcomed to a cloud service on an
identified risky list for the first time; notify the user to be aware the service is not
approved, and notify the user's manager if known by identity.

Alerts when a GDPR-tagged system has out of date malware definitions, which
would conflict with GDPR's requirement to maintain a secure environment.
Any GDPR-tagged systems not receiving updates could jeopardize your GDPR status
due to Article 32. Detect systems where the Windows Update service is disabled.
Discovers previously inactive accounts that are now being used. This may be due to
an attacker that successfully gained access to an account that was no longer being
used.

Find users who log into more hosts than they typically do.
Alert Volume: Low

Find users who printed more pages than normal.
Alert Volume: Medium

Find users who have downloaded more files from git than normal.
Alert Volume: High

Privilege escalation (either via RunAs or Scheduled Tasks) creates Windows Security
EventID 4648 events. This search will baseline per (original, unprivileged) user and
then track deviations.
Alert Volume: Low

Increase the risk score of users who have indication of adverse separation.
Detects authentication requests that transmit the password over the network as
cleartext (unencrypted).

Meeting your compliance requirements necessitates being able to investigate
breaches. Splunk ES provides you a single place to fully understand attacker
activities.

Land Speed Violation


The search is used to identify attempts to use your DNS Infrastructure for DDoS
purposes via a DNS amplification attack leveraging ANY queries.
Uses a basic threshold to detect a large web upload, which could be exfiltration
from malware or a malicious insider.

Machine Generated Beacon

Malicious AD Activity
Ransomware and other malware variants often execute long commands using
command line arguments. This search performs statistical analysis of these CLI
arguments to detect potentially malicious executions.
Alert Volume: Medium

Malicious Domain

This search looks for powershell processes started with parameters to modify the
execution policy of the run, run in a hidden window, and connect to the Internet.
This combination of command line options is suspicious because it's overriding the
default powershell execution policy, attempts to hide its activity from the user, and
connects to the Internet.

This search looks for powershell processes that have encoded the script within the
command line. Malware has been seen using this parameter, as it obfuscates the
code and makes it relatively easy to pass a script on the command line.

This search looks for powershell processes started with a base64 encoded
command line passed to it, with parameters to modify the execution policy for the
process, and those that prevent the display of an interactive prompt to the user.
This combination of command line options is suspicious because it overrides the
default powershell execution policy, attempts to hide itself from the user, and
passes an encoded script to be run on the command line.
This search looks for powershell processes launched with arguments that have
characters indicative of obfuscation on the command line.

Malware detection on an asset designated as in compliance scope, such as PCI, CIP or HIPAA,
requires review even when automatic cleaning has occurred.
Malware signature last updated on an asset designated as in compliance scope, such as PCI,
CIP or HIPAA, beyond SLA limits. SLA in this use case refers to policy levels more
than the traditional service level agreement.

Attackers often add malware to the Windows Autorun registry keys
(https://msdn.microsoft.com/en-us/library/windows/desktop/aa376977(v=vs.85).aspx)
to maintain persistence. This search looks through registry data for
suspicious activities.
Alert Volume: High
Detection of change for groups used to control access for sensitive, regulated, or
critical infrastructure systems.
This search looks for DNS requests for faux domains similar to the domains that you
want to have monitored for abuse.
This search looks for emails claiming to be sent from a domain similar to one that
you want to have monitored for abuse.
Define and maintain event types for unsuppressed notable events, separately
identifying the review workflow and the triage SLA required.

This search looks for registry activity associated with modifications made to the
registry key "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors". In this
scenario, an attacker can load an arbitrary DLL into the Print Monitor registry by
giving the full path name to the DLL; the system will execute the DLL with
elevated (SYSTEM) permissions and it will also persist across a reboot.
A human user may own multiple accounts. When the primary account of the
human is expired, disabled, or deleted, we should expect no further activity from
any other account owned by the user.

With good backups, a ransomware attack goes from unrecoverable losses to a
manageable nuisance. This shows how you can track successful backups.
Alert Volume: Very High

Malware often uses operating system vulnerabilities to infect an endpoint or to
spread. This example verifies the Windows updates for specific vulnerabilities
exploited by the WannaCry ransomware.
Alert Volume: Very High

With good backups, a ransomware attack goes from unrecoverable losses to a
manageable nuisance. This shows how you can analyze failed backups.
Alert Volume: Low

Keeping current with Microsoft updates for Windows is one of the best ways to
prevent malware. This example identifies hosts that have failed to implement
appropriate updates.
Alert Volume: Low
This search looks for Web requests to faux domains similar to the one that you want
to have monitored for abuse.

Multiple DLP Alarms

Finds hosts that have logged multiple different infections in a short period of time.

Multiple Login Errors

Multiple Logins
Multiple Outgoing Connections

Multiple Primary Functions Detected

Multiple Sessions Denial

Even using SSH encryption, allowing password authentication to Linux/Unix systems
over the network increases the attack surface and the possible impact of a
compromised account. Investigate and resolve all instances of network
authentication using passwords.
Detects changes to policies of the network protection devices (such as firewall
policy changes).

Increases the risk score of network devices that have been rebooted.
IDS devices reporting an attack using a signature not previously encountered are
more likely to be successful, as new signatures are prompted by newly known attacks in
the wild.
Detect attempted network intrusions by src_ip when the same source is observed
with two or more unique destinations, or one destination and two or more
signatures.

Hosts with multiple indicators are likely infected with malware or successfully
compromised.

IDS/IPS detecting or blocking an attack based on a known signature.

Internal malware detection system such as FireEye devices reporting an attack.

New AD domain names in your normal domain controller logs are a symptom of
many Pass the Hash tools. While some of the latest don't produce these artifacts,
this remains a very valuable detection mechanism.
Alert Volume: Low
Salesforce.com contains the most critical information for many companies. This
search looks for users who connect to SFDC's reporting API with new clients.
Alert Volume: Low
Alert Data Protection Officers to new systems that become involved in processing
GDPR-scoped data via network communication logs, so DPOs can ensure the
systems are authorized and documented.
Salesforce.com supports a variety of different event types in their event logs. This
search detects users who suddenly query event types associated with data
exfiltration.
Alert Volume: Medium

In most environments, service accounts should not log on interactively. This search
finds new user/host combinations for accounts starting with "svc_."
Alert Volume: Low

Local admin accounts are used by legitimate technicians, but they're also used by
attackers. This search looks for newly created accounts that are elevated to local
admins.
Alert Volume: Medium

Windows defines several logon types (Interactive, RemoteInteractive, Network,
etc.). Established users rarely generate new logon types. This search will look for
that scenario. (MITRE CAR Reference: https://car.mitre.org/wiki/CAR-2013-02-012)
Alert Volume: Low

When a new malware variant is detected by endpoint antivirus technology, it is
possible the configuration or capability of other controls is deficient. Review the
sequence of events leading to the infection to determine if additional preventive
measures can be put in place.

cmd.exe and regedit.exe tend to be used in the same ways. New parent processes
can be suspicious. (MITRE CAR Reference: https://car.mitre.org/wiki/CAR-2013-02-003)
Alert Volume: Medium

Communication from an enclave network may indicate a misconfiguration that could
weaken the security posture of the organization, or an actual/attempted compromise.
Privilege escalation (either via RunAs or Scheduled Tasks) creates Windows Security
EventID 4648 events. This search will find new username / host combinations,
which will track privilege escalation.
Alert Volume: Medium
New service creations are uncommon for most hosts. This search will look for both
new executables and executables running from new paths launched by
services.exe.
Alert Volume: High

Very rarely would cmd.exe, regedit.exe, or powershell.exe be launched by
services.exe. This search will detect that malware persistence strategy.
(MITRE CAR Reference: https://car.mitre.org/wiki/CAR-2014-05-002)
Alert Volume: Very Low (for most companies)

Some files rarely get used by legitimate activities, such as at.exe. This search will
detect those executables being launched, regardless of the circumstance.
(MITRE CAR Reference: https://car.mitre.org/wiki/CAR-2013-05-004)
Alert Volume: Low

Salesforce.com supports a simplified query language called SOQL. This search
detects users who begin querying sensitive tables that have never been contacted
by their peer group.
Alert Volume: Low
Salesforce.com supports a simplified query language called SOQL. This search
detects users who begin querying new sensitive tables.
Alert Volume: Low
Alerts when numerous new accounts are created for a username across multiple
hosts.
Executive or VIP user credentials should be limited to assets that can be attributed
to them. Any unusual or newly seen authentication activity should be considered
suspect, where their credentials may be compromised.
Using host and network IDS event categories, detect events with a category of 'backdoor'
or 'trojan' followed by a signature categorized as 'post exploit' on a given host or
network within a given time period.
Detect attempts to gain persistence through newly seen/unauthorized scheduled
tasks per host.

This search looks for Windows endpoints that have not generated an event
indicating a successful Windows update in the last 60 days. Windows updates are
typically released monthly and applied shortly thereafter. An endpoint that has not
successfully applied an update in this timeframe indicates the endpoint is not
regularly being patched for some reason.

CIP assets require special protections; therefore, users that have not been vetted
for CIP access, or should have had their access removed, should not have access.
System owners should be notified immediately should a non-CIP user attempt to
access a CIP asset.
Detect active accounts with passwords that haven't been updated in more than 120
days.
This search allows you to look for evidence of exploitation for CVE-2016-4859, the
Splunk Open Redirect Vulnerability.
Alerts when a potential outbreak is observed, based on newly infected systems all
exhibiting the same infection.

Looks for Symantec AV systems where we see Symantec AV events, but don't see a
malware definition update in the last few days.

Microsoft Windows contains accessibility features that can be launched with a key
combination before a user has logged in. An adversary can modify or replace these
programs so they can get a command prompt or backdoor without logging in to the
system. This search looks for modifications to these binaries.

Period with Unusual AD Activity Sequences


Detects personally identifiable information (PII) in log files. Some software can
inadvertently provide sensitive information in log files, resulting in potential
exposure to those reviewing the log files.

Possible Phishing Attempt


Detects gaps caused by the failure of the search head. If saved searches do not
execute then there may be gaps in summary data.

Potential Webshell Activity

Use of an identity identified as privileged to access a system for the first time within
a rolling time period will trigger a notable event for review of access reason.

Privileged user authenticates to more than X number of new targets successfully or
is denied access to more than Y targets in the prior Z hours.

Some malware will launch processes with randomized filenames.
Alert Volume: Medium

To evade analysts, attackers will create a service with a name similar to that of a
standard Windows service. This search looks for small differences. Idea from David
Bianco, formerly of Sqrrl
(http://detect-respond.blogspot.com/2016/11/hunting-for-malware-critical-process.html).
Alert Volume: Very Low

This search looks for network traffic defined by port and transport layer protocol in
the Enterprise Security lookup table "lookup_interesting_ports" that is marked as
prohibited and has an associated 'allow' action in the Network_Traffic data model.
This could be indicative of a misconfigured network device.

Detects the use of ports that are prohibited. Useful for detecting the installation of
new software or a successful compromise of a host (such as the presence of a
backdoor or a system communicating with a botnet).

Alerts when a service in the prohibited process list is detected.

Alerts when a service in the prohibited service list is detected.


This search looks for applications on the endpoint that you have marked as
prohibited.

This search looks for network traffic on common ports where a higher layer protocol
does not match the port that is being used. For example, this search should identify
cases where protocols other than HTTP are running on TCP port 80. This can be
used by attackers to circumvent firewall restrictions, or as an attempt to hide
malicious communications over ports and protocols that are typically allowed and
not well inspected.

This search looks for cleartext protocols at risk of leaking credentials. Currently, this
consists of legacy protocols such as telnet, POP3, IMAP, and non-anonymous FTP
sessions. While some of these protocols can be used over SSL, they typically run on
different assigned ports in those cases.

Detects when new or existing S3 buckets are set to public.

This example queries your endpoint data to find encrypted files that ransomware
will create. You can often even use these extensions to identify the ransomware
affecting a given endpoint.
Alert Volume: Low

Most ransomware leaves a note on the endpoint containing directions for the victim
to pay a ransom. This use case looks for these note files.
Alert Volume: Low

This use case queries your Vulnerability Management logs from solutions like
Nessus in order to identify the hosts in your environment that might be vulnerable
to ransomware.
Alert Volume: Low

Looks for the same malware occurring multiple times on the same host.
The search looks for command line arguments used to hide a file or directory using
the reg add command.

This search looks for registry activity associated with application compatibility
shims, which can be leveraged by attackers for various nefarious purposes.
The search looks for modifications to registry keys that can be used to launch an
application or service at system start.

This search looks for modifications to registry keys that can be used to elevate
privileges. The registry keys under Image File Execution Options are used to
intercept calls to an executable, and can be used to attach malicious binaries to
benign system binaries.
This search looks for network traffic on TCP/3389, the default port used by remote
desktop. While remote desktop traffic is not uncommon on a network, it is usually
associated with known hosts. This search allows for whitelisting both source and
destination hosts to remove them from the output of the search so you can focus
on the uncommon uses of remote desktop on your network.

This search looks for the remote desktop process, mstsc.exe, running on systems it
doesn't typically run on. This is accomplished by filtering out all systems that are
noted in the common_rdp_source category in the Assets and Identity framework.
It's unusual for new users to remotely launch PowerShell on another system. This
will track the first time per user + host combination that PowerShell is remotely
started.
Alert Volume: Low (for most companies)
This search looks for wmic.exe being launched with parameters to spawn a process
on a remote system.
This search looks for wmic.exe being launched with parameters to operate on
remote systems.

Detect the evasion/escalation technique where the password of a privileged user is reset
by another authorized account; this should be rare and supported by appropriate
trouble ticketing and authentication of the requesting user.

This search looks for DLLs under %AppData% being loaded by rundll32.exe that are
calling the exported function at ordinal 2. Calling exported functions by ordinal is
not as common as calling by exported name. There was a bug fixed in IDA Pro on
2016-08-08 that would not display functions without names. Calling functions by
ordinal would overcome the lack of a name and make it harder for an analyst to reverse
engineer.

Alerts when multiple systems are exhibiting the same errors.


This search looks for arguments to sc.exe indicating the creation or modification of a
Windows service.

This search looks for flags passed to schtasks.exe on the command line that indicate
that task names related to the execution of Bad Rabbit ransomware were created or
deleted.

This search looks for flags passed to schtasks.exe on the command line that indicate
a job is being scheduled on a remote system.
This search looks for flags passed to schtasks.exe on the command line that indicate
that a forced reboot of the system is scheduled.
Server Operating Systems, and Application services often generate email to support
general purpose, or application specific functions. Configuration management is
often used to identify servers generating e-mails, as well as maintaining recipient
lists.

Accounts designated for use by services and batch processes should start a limited set
of child processes. Creation of new child processes other than the process name
defined in the service or batch definition may indicate compromise.

This search looks for shim database files being written to default directories. The
sdbinst.exe application is used to install shim database files (.sdb). According to
Microsoft, a shim is a small library which transparently intercepts an API, changes
the parameters passed, handles the operation itself, or redirects the operation
elsewhere.

This search detects the process execution and arguments required to silently create
a shim database. The sdbinst.exe application is used to install shim database files
(.sdb). A shim is a small library which transparently intercepts an API, changes the
parameters passed, handles the operation itself, or redirects the operation
elsewhere.

A technique used by attackers is to create an account, take some actions, and then
delete it right away. This search will find those accounts on the local system.
Alert Volume: Low
Detects when an account or credential is created and then removed a short time
later. This may be an indication of malicious activities.

Typically non-admin users will only interactively log into one system per day. A user
who starts logging into many can indicate account compromise and lateral
movement. (MITRE CAR Reference: https://car.mitre.org/wiki/CAR-2013-02-012)
Alert Volume: Low
Most systems will have a relatively predictable number of interactively logged on
users. This search will look for systems that have dramatically more than they
typically do, with a per-user baseline.
Alert Volume: Medium

Traditional brute force attacks generate hundreds or thousands of failed access
attempts against a single host. This is a variation of brute force, where the objective
is to detect password guessing attempts that do not cause account lockouts or will
not trigger other "failed access" notable events.
This use case looks for any SMB traffic allowed through your firewall.
Alert Volume: Low
This search looks for a spike in the number of Server Message Block (SMB) traffic
connections.

A common method of data exfiltration is to send out a huge volume (in bytes) of
DNS or ping requests, embedding data into the payload. This is often not logged.
Alert Volume: Low
A common method for Data Exfiltration is to send out many DNS or Ping requests,
embedding data into the payload. This is often not logged.
Alert Volume: Low
Salesforce.com contains the most critical information for many companies. This
example tracks the number of documents downloaded per day per user, to detect
exfiltration.
Alert Volume: Medium

For many organizations, Salesforce.com contains the most critical information in
their company. This use case tracks the number of records exported per day (and is
based on a real set of data collection).
Alert Volume: Medium

The search looks for a sharp increase in the number of files written to a particular
host.
Sending password reset emails is a common phishing technique. Protect your users
by identifying spikes in the number of suspicious emails entering your
environment.
Alert Volume: Very Low

This search looks for hosts with an unusually high increase in SMB network
connections.
Alert Volume: Very Low
This search looks for long URLs that have several SQL commands visible within
them.

The public key utilized for authentication is recorded in the SSHD authentication log.
Detection of a new key should be investigated to determine the owner of the key
and validate authorization to access the resource.

Authentication using the insecure SSH v1 protocol was detected. The legacy SSH protocol is
inherently insecure; an indication of accepted SSHv1 sessions indicates a misconfigured
system. Attempted and denied sessions indicate system probing or scanning.

Alerts when a statistically significant increase in a particular event is observed.

Alerts when a statistically significant increase in events on a given port is observed.


You shouldn't see any successful authentication activity on the accounts of former
employees. Track this easily in Splunk.

Suspicious Account Activity


Suspicious Data Movement

Suspicious Domain Communication

Suspicious Domain Name

This search looks for emails that have attachments with suspicious file extensions.

Suspicious HTTP redirects

Suspicious IP Address Communication

Suspicious Network Exploration

This search looks for reg.exe being launched from a command prompt not started
by the user. When a user launches cmd.exe, the parent process is usually
explorer.exe. This search filters out those instances.
The wevtutil.exe application is the windows event log utility. This searches for
wevtutil.exe with parameters for clearing the application, security, setup, or system
event logs.

Authorized or unauthorized users may attempt to modify existing hardened
configuration policies, or disable monitoring tools.
This search looks for system processes that normally run out of
C:\Windows\System32\ that are not run from that location. This can indicate a
malicious process that is trying to hide as a legitimate process.
Alerts when any activity matching threat intelligence is detected.

This search looks for network traffic identified as The Onion Router (TOR), a benign
anonymity network which can be abused for a variety of nefarious purposes.
Single IP address attempting authentication of more than two valid users within ten
minutes where one or more unique accounts is successful, and one or more
accounts is not successful against an approved SSO System.
Any communication through the firewall not explicitly granted by policy could
indicate either a misconfiguration or even malicious actions, putting your security
and compliance at risk.

This search looks for applications on the endpoint that you have marked as
prohibited.

Alerts when activity to or from a host that is unrouteable is detected.

This search gives you the hosts where a backup was attempted and then failed.

Alerts when notable events have not been triaged

Unusual Activity Sequence

Unusual Activity Time

Unusual AD Event
Looks for activity in AWS Regions that have not been used before across the
organization.

Unusual Geolocation of Communication Destination

Unusual Machine Access

Unusual Network Activity

Unusual Processes

Unusual USB Activity

Detects unusual network traffic that may be indicative of a DoS attack, as indicated
by a high number of unique sources or a high volume of firewall packets.

Unusual VPN Login Geolocation

Unusual Web Browser


Command lines that are extremely long can be indicative of malicious activity on
your hosts.
This search looks for unusually long strings in the Content-Type http header that the
client sends the server.

Unusually Long VPN Session


Detection of logon with the same account to a production and a non-production
environment. If an account (not user) has logged into more than one environment,
access management controls have failed and must be remediated.
Detection of logon device by asset name (may require resolution from IP) when
logon user does not match the owner and the number of unique owned devices is
greater than two in the prior 24 hours.
A user on leave, vacation, sabbatical, or other types of leave should not access
business systems. This could indicate malicious activity by the employee or a
compromised account.

Alerts the first time a user gains rights to search an index that they're not supposed
to according to the output of a GDPR data source and GDPR user mapping exercise.

Follow your GDPR requirement and action your data mapping exercise by tracking
employee/vendor/supplier access to systems, to ensure that they are authorized to
view the data present on any systems they log into.

To detect both data exfiltration and compromised accounts, we can analyze users
that are sending out dramatically more data than normal. This search looks per
source email address for big increases in volume. Alert Volume: Low

The fsutil.exe application is a legitimate Windows utility used to perform tasks
related to the file allocation table (FAT) and NTFS file systems. The update sequence
number (USN) change journal provides a log of all changes made to the files on the
disk. This search looks for fsutil.exe deleting the USN journal.

Using host-based logs such as firewall or host intrusion detection logs, verify for
each asset with a governance category that communication (accept or reject) has
occurred originating from one or more authorized platform vulnerability scanners
(e.g. Rapid7, Nessus, OpenVAS).

Detects a potential vulnerability scanner by detecting devices that have triggered a
large number of unique events. Vulnerability scanners generally trigger a high
number of unique events when scanning a host, since each vulnerability check tends to
trigger a unique event.

Detects a potential vulnerability scanner by detecting devices that have triggered
events against a large number of unique targets. Vulnerability scanners generally
trigger events against a high number of unique hosts when they are scanning a
network for vulnerable hosts.
Communication to any web application server without filtering by a network web
application firewall indicates a security misconfiguration.

Alerts when an event is discovered that includes text identified as important.
This rule triggers whenever an event is discovered with the tag "watchlist".

This search looks for suspicious processes on all systems labeled as web servers.

Alerts on high volume web uploads by a user to non-corporate domains.


This search looks for Windows events that indicate one of the Windows event logs
has been purged.

This use case looks for Windows event codes that indicate the Windows Audit Logs
were tampered with. Alert Volume: Low

The search looks for modifications to the hosts file on all Windows endpoints across
your environment.

Manually clearing the security event log on a Windows system is a violation of policy
and could indicate an attempt to cover malicious actions.
Use Case Data Source(s)

Advanced Threat Detection Endpoint Detection and Response


Application Security
Advanced Threat Detection Web Proxy

Compliance Web Proxy

Compliance Web Proxy


Security Monitoring Audit Trail

Compliance Authentication
Insider Threat
Security Monitoring Authentication
Authentication
Compliance Windows Security
Advanced Threat Detection
Security Monitoring Authentication

Security Monitoring
Compliance Web Proxy

Security Monitoring
Insider Threat Audit Trail

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Compliance Configuration Management

Advanced Threat Detection Endpoint Detection and Response


CRM Logs
Compliance Audit Trail
Security Monitoring
Compliance Authentication

Advanced Threat Detection Windows Security

Advanced Threat Detection Audit Trail

Advanced Threat Detection Audit Trail

Advanced Threat Detection Audit Trail

Advanced Threat Detection Audit Trail

Advanced Threat Detection Audit Trail

Advanced Threat Detection


Insider Threat Audit Trail

Advanced Threat Detection


Insider Threat Audit Trail

Advanced Threat Detection Audit Trail

Security Monitoring Windows Security

Security Monitoring Anti-Virus


Security Monitoring Network Communication

Advanced Threat Detection Network Communication

Advanced Threat Detection


Advanced Threat Detection
Security Monitoring
Security Monitoring Network Communication

Advanced Threat Detection


Advanced Threat Detection DNS

Advanced Threat Detection


Advanced Threat Detection Audit Trail
Security Monitoring
Compliance Authentication
Authentication
Compliance Windows Security

Security Monitoring
Compliance Authentication

Authentication
Compliance Windows Security

IDS or IPS
Advanced Threat Detection Host-based IDS

Compliance Endpoint Detection and Response

Advanced Threat Detection DNS

Endpoint Detection and Response


Advanced Threat Detection Windows Security
Security Monitoring Endpoint Detection and Response

Security Monitoring Endpoint Detection and Response

Advanced Threat Detection IDS or IPS

Security Monitoring
Compliance Network Communication

Advanced Threat Detection Web Proxy

Advanced Threat Detection


Security Monitoring Network Communication
Compliance
Security Monitoring Authentication

Security Monitoring Authentication

Security Monitoring Authentication

Advanced Threat Detection Authentication


Advanced Threat Detection Endpoint Detection and Response
Security Monitoring Windows Security

Advanced Threat Detection


Security Monitoring Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response


Security Monitoring Windows Security

Advanced Threat Detection


Security Monitoring Endpoint Detection and Response

Security Monitoring
Compliance Authentication

Advanced Threat Detection Web Proxy

Security Monitoring
Compliance Authentication

Security Monitoring
Compliance Endpoint Detection and Response

Security Monitoring Endpoint Detection and Response

Advanced Threat Detection Authentication

Security Monitoring Web Server

Security Monitoring Authentication


Application Security Web Server

Security Monitoring Authentication

Advanced Threat Detection DNS

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Advanced Threat Detection DNS

Application Security Web Server

Security Monitoring Authentication

Web Server
Advanced Threat Detection Web Application Firewall

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response


Security Monitoring Endpoint Detection and Response

Compliance DHCP

Security Monitoring
Compliance Network Communication

Endpoint Detection and Response


Insider Threat DLP

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection


Insider Threat DNS

Advanced Threat Detection DNS

Security Monitoring
Compliance
Insider Threat Web Proxy

Security Monitoring
Compliance
Insider Threat Network Communication
Security Monitoring DNS
Email
Security Monitoring Web Server

Security Monitoring Other

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection DNS

Compliance DNS

Advanced Threat Detection


Advanced Threat Detection
Insider Threat DNS
Insider Threat
Security Monitoring Network Communication

Advanced Threat Detection Email

Advanced Threat Detection Email

Advanced Threat Detection Email

Advanced Threat Detection


Security Monitoring
Insider Threat Network Communication

Advanced Threat Detection


Security Monitoring
Insider Threat Network Communication
Email
DNS
Web Proxy
Advanced Threat Detection Network Communication

Advanced Threat Detection Anti-Virus

Security Monitoring Audit Trail

Advanced Threat Detection Anti-Virus


Security Monitoring
Compliance Anti-Virus

Network Communication
Application Security Host-based IDS
Insider Threat
Insider Threat Network Communication

Advanced Threat Detection DNS

Advanced Threat Detection DNS

Advanced Threat Detection DNS


Security Monitoring
Compliance Authentication

Application Security Web Server

Advanced Threat Detection


Insider Threat Email
Insider Threat Physical Security

Advanced Threat Detection


Insider Threat Web Proxy

Security Monitoring
Compliance Audit Trail

Compliance Any Host Logs

Advanced Threat Detection Web Proxy

Compliance Backup

Other IDS or IPS

Application Security Web Server

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Security Monitoring Authentication

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Advanced Threat Detection Endpoint Detection and Response


Security Monitoring Windows Security
Insider Threat
Advanced Threat Detection Source Code Repository

Insider Threat Source Code Repository

Advanced Threat Detection


Compliance Authentication
Security Monitoring Windows Security

Endpoint Detection and Response


Insider Threat DLP

Insider Threat Network Communication

Advanced Threat Detection


Compliance Authentication

Authentication
Compliance Audit Trail

Insider Threat
Advanced Threat Detection
Compliance Electronic Medical Record System

Security Monitoring
Compliance Anti-Virus

Security Monitoring Anti-Virus

Advanced Threat Detection


Security Monitoring Network Communication

Security Monitoring Anti-Virus


Authentication
Security Monitoring Anti-Virus

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection


Insider Threat Email
Security Monitoring
Insider Threat Web Proxy

Advanced Threat Detection


Insider Threat Email

Security Monitoring Anti-Virus

Advanced Threat Detection


Security Monitoring Network Communication

Advanced Threat Detection


Security Monitoring Endpoint Detection and Response

Security Monitoring Anti-Virus


Security Monitoring
Compliance Anti-Virus

Advanced Threat Detection


Security Monitoring Network Communication

Advanced Threat Detection Any Host Logs

Advanced Threat Detection Any Host Logs

Security Monitoring
Application Security Web Server

Security Monitoring
Compliance Audit Trail

Security Monitoring
Compliance Email

Security Monitoring
Compliance Anti-Virus
Security Monitoring
Compliance Other

Insider Threat
Security Monitoring Authentication
Authentication
Advanced Threat Detection Windows Security

Insider Threat Print Server Logs

Insider Threat
Advanced Threat Detection Source Code Repository

Security Monitoring Windows Security

Insider Threat HR System

Compliance Authentication

Any Host Logs


Network Communication
Web Proxy
Compliance Windows Security

Advanced Threat Detection


Security Monitoring
Security Monitoring Audit Trail

Application Security DNS


Security Monitoring
Insider Threat Web Proxy

Advanced Threat Detection


Advanced Threat Detection Network Communication

Advanced Threat Detection


Insider Threat
Security Monitoring Authentication
Compliance Windows Security
Endpoint Detection and Response
Advanced Threat Detection Windows Security

Advanced Threat Detection


Advanced Threat Detection Web Proxy

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection


Compliance Anti-Virus

Security Monitoring
Compliance Anti-Virus

Advanced Threat Detection Endpoint Detection and Response


Security Monitoring
Insider Threat Audit Trail

Security Monitoring DNS

Security Monitoring Email


Security Monitoring Ticketing System

Advanced Threat Detection Endpoint Detection and Response

Insider Threat Authentication

Security Monitoring
Compliance Backup

Security Monitoring
Compliance Other

Security Monitoring Backup

Security Monitoring Other


Web Server
Security Monitoring Web Proxy

Other DLP

Security Monitoring Anti-Virus

Advanced Threat Detection


Insider Threat
Security Monitoring
Compliance Audit Trail

Advanced Threat Detection


Insider Threat
Security Monitoring
Compliance Audit Trail
Advanced Threat Detection
Security Monitoring
Insider Threat Network Communication

Security Monitoring Network Communication

Advanced Threat Detection


Insider Threat
Application Security
Security Monitoring Network Communication

Security Monitoring
Compliance Authentication

Security Monitoring Audit Trail

Security Monitoring Configuration Management

Security Monitoring IDS or IPS

Advanced Threat Detection IDS or IPS


Anti-Virus
Advanced Threat Detection IDS or IPS
Security Monitoring Host-based IDS

Security Monitoring IDS or IPS

Security Monitoring Malware Detonation

Advanced Threat Detection Authentication


Compliance Windows Security

Compliance CRM Logs


Insider Threat Audit Trail

Security Monitoring
Compliance Network Communication
Compliance CRM Logs
Insider Threat Audit Trail

Advanced Threat Detection Windows Security

Advanced Threat Detection


Security Monitoring Audit Trail
Compliance Windows Security

Advanced Threat Detection


Security Monitoring
Compliance Windows Security

Advanced Threat Detection Anti-Virus

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Security Monitoring Network Communication

Security Monitoring Windows Security

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Compliance CRM Logs


Insider Threat Audit Trail
Compliance CRM Logs
Insider Threat Audit Trail

Security Monitoring Audit Trail

Security Monitoring Authentication

Application Security Web Server

Advanced Threat Detection Windows Security

Compliance Patch Management

Insider Threat Authentication

Compliance Windows Security

Application Security Web Server

Security Monitoring Anti-Virus

Security Monitoring Anti-Virus

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Advanced Threat Detection


Insider Threat
Security Monitoring Authentication
Compliance Windows Security
Compliance
Insider Threat Any Host Logs

Advanced Threat Detection Web Proxy


Security Monitoring
Compliance Audit Trail

Application Security Web Server

Advanced Threat Detection


Security Monitoring
Insider Threat Authentication

Advanced Threat Detection


Security Monitoring
Insider Threat Authentication

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Security Monitoring
Compliance Network Communication

Advanced Threat Detection


Compliance Network Communication

Advanced Threat Detection


Security Monitoring Endpoint Detection and Response

Advanced Threat Detection


Security Monitoring Endpoint Detection and Response
Security Monitoring Endpoint Detection and Response

Security Monitoring Network Communication

Compliance Endpoint Detection and Response

Security Monitoring
Advanced Threat Detection Audit Trail

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Security Monitoring
Compliance Vulnerability Detection

Security Monitoring Anti-Virus

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response


Advanced Threat Detection Network Communication

Advanced Threat Detection Endpoint Detection and Response

Endpoint Detection and Response


Advanced Threat Detection Windows Security

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Security Monitoring Audit Trail

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection


Security Monitoring Any Host Logs

Advanced Threat Detection Endpoint Detection and Response

Security Monitoring Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Security Monitoring Endpoint Detection and Response


Advanced Threat Detection
Insider Threat Email

Security Monitoring Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Audit Trail
Advanced Threat Detection Windows Security

Security Monitoring Endpoint Detection and Response

Authentication
Advanced Threat Detection Windows Security

Authentication
Advanced Threat Detection Windows Security

Security Monitoring Authentication

Security Monitoring Network Communication

Security Monitoring Network Communication

Insider Threat Network Communication


Advanced Threat Detection
Insider Threat Network Communication

CRM Logs
Insider Threat Audit Trail

Compliance CRM Logs


Insider Threat Audit Trail

Security Monitoring
Advanced Threat Detection Endpoint Detection and Response

Security Monitoring Email

Advanced Threat Detection


Security Monitoring Network Communication

Application Security Web Server

Advanced Threat Detection


Compliance Authentication

Security Monitoring Authentication


Compliance Network Communication

Advanced Threat Detection


Security Monitoring Network Communication

Insider Threat
Advanced Threat Detection Network Communication
Security Monitoring Authentication
Insider Threat Windows Security

Advanced Threat Detection


Insider Threat
Security Monitoring Authentication
Compliance Windows Security
Advanced Threat Detection
Advanced Threat Detection
Insider Threat Network Communication

Advanced Threat Detection


Advanced Threat Detection
Insider Threat DNS

Advanced Threat Detection


Advanced Threat Detection
Insider Threat Web Proxy

Security Monitoring Email

Advanced Threat Detection Web Proxy

Advanced Threat Detection


Advanced Threat Detection
Insider Threat Network Communication

Advanced Threat Detection


Insider Threat Authentication
Security Monitoring Windows Security

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection


Security Monitoring
Compliance Any Host Logs

Advanced Threat Detection Endpoint Detection and Response


Email
DNS
Web Proxy
Endpoint Detection and Response
Security Monitoring Network Communication
Compliance Malware Detonation

Insider Threat
Security Monitoring Network Communication

Security Monitoring Authentication

Security Monitoring
Compliance Anti-Virus

Endpoint Detection and Response


Security Monitoring Windows Security

Security Monitoring Network Communication

Compliance Backup
Security Monitoring
Compliance Ticketing System

Insider Threat
Advanced Threat Detection
Compliance
Advanced Threat Detection
Advanced Threat Detection Audit Trail
Insider Threat
Security Monitoring
Compliance Audit Trail

Advanced Threat Detection


Insider Threat
Security Monitoring
Compliance VPN
Advanced Threat Detection Audit Trail

Advanced Threat Detection


Security Monitoring
Insider Threat Audit Trail

Advanced Threat Detection


Insider Threat
Security Monitoring Authentication
Compliance Windows Security

Advanced Threat Detection


Insider Threat
Security Monitoring
Insider Threat Network Communication

Advanced Threat Detection


Security Monitoring Endpoint Detection and Response

Insider Threat
Security Monitoring DLP

Insider Threat
Application Security
Advanced Threat Detection Network Communication

Advanced Threat Detection


Security Monitoring
Security Monitoring VPN

Advanced Threat Detection


Security Monitoring Web Proxy

Advanced Threat Detection Endpoint Detection and Response

Application Security Web Server

Advanced Threat Detection


Security Monitoring
Insider Threat VPN
Advanced Threat Detection
Security Monitoring
Compliance Authentication

Security Monitoring Authentication

Security Monitoring Authentication


Insider Threat HR System

Insider Threat
Compliance Other

Insider Threat Authentication


Compliance Windows Security

Advanced Threat Detection


Insider Threat Email

Security Monitoring Endpoint Detection and Response

Network Communication
Security Monitoring Host-based IDS

Security Monitoring
Compliance IDS or IPS

Security Monitoring
Compliance IDS or IPS

Application Security Web Server


Other Any Host Logs

Application Security Endpoint Detection and Response

Compliance
Insider Threat
Advanced Threat Detection Web Proxy

Advanced Threat Detection Audit Trail

Advanced Threat Detection Windows Security

Advanced Threat Detection Endpoint Detection and Response

Advanced Threat Detection Audit Trail


Source/App Journey Category MITRE ATT&CK Tactics/Techniques
Endpoint Compromise
Splunk App for Enterprise Security Stage_3 Ransomware

Splunk App for Enterprise Security Stage_2 Web Attack

Splunk Security Essentials Stage_1 GDPR

Splunk Security Essentials Stage_1 GDPR


Splunk App for Enterprise Security Stage_2 Lateral Movement

Splunk Professional Services Stage_4 Compliance None

Splunk App for Enterprise Security Stage_2 Insider Threat

Splunk Security Essentials Stage_4 GDPR


Account Compromise
Splunk Professional Services Stage_4 Lateral Movement None

Unauthorized Software
Splunk Professional Services Stage_3 Compliance None

Endpoint Compromise
Splunk App for Enterprise Security Stage_2 Insider Threat

Endpoint Compromise
Unauthorized Software
Splunk App for Enterprise Security Stage_4 Lateral Movement
Endpoint Compromise
Splunk App for Enterprise Security Stage_3 Unauthorized Software

Endpoint Compromise
Unauthorized Software
Splunk App for Enterprise Security Stage_3 Privilege Escalation
IAM Analytics
Splunk App for Enterprise Security Stage_4 GDPR

Defense Evasion
Enterprise Security Content Update Stage_3 Endpoint Compromise Persistence
Splunk Professional Services Stage_5 GDPR
Account Compromise
Splunk Professional Services Stage_4 IAM Analytics None

Splunk Security Essentials Stage_1 Lateral Movement Lateral Movement

Account Compromise
IAM Analytics
Splunk Security Essentials Stage_3 SaaS

Account Compromise
IAM Analytics
Account Sharing
Splunk Security Essentials Stage_3 SaaS

Account Compromise
IAM Analytics
Account Sharing
Splunk Security Essentials Stage_3 SaaS
Account Compromise
IAM Analytics
Splunk Security Essentials Stage_3 SaaS
Account Compromise
IAM Analytics
Splunk Security Essentials Stage_3 SaaS

Account Compromise
IAM Analytics
Insider Threat
Splunk Security Essentials Stage_4 SaaS

Account Compromise
IAM Analytics
Insider Threat
Splunk Security Essentials Stage_3 SaaS

Account Compromise
IAM Analytics
Data Exfiltration
Network Attack
Splunk Security Essentials Stage_3 SaaS

Account Compromise
Splunk Security Essentials Stage_1 Scanning Credential Access

Splunk Security Essentials Stage_1 Endpoint Compromise


Splunk Security Essentials Stage_1 Scanning

Command and Control Exfiltration


Splunk Security Essentials Stage_1 Endpoint Compromise Command and Control

Endpoint Compromise
Threat Intelligence
Unauthorized Software
Splunk User Behavior Analytics Stage_4 Operations None

Endpoint Compromise
Splunk User Behavior Analytics Stage_4 Threat Intelligence None

Endpoint Compromise
Splunk User Behavior Analytics Stage_4 Threat Intelligence None
Lateral Movement
Splunk App for Enterprise Security Stage_2 IAM Analytics

Splunk Security Essentials Stage_4 GDPR

Lateral Movement
Splunk App for Enterprise Security Stage_2 IAM Analytics

Splunk Security Essentials Stage_4 GDPR

Splunk Professional Services Stage_3 Endpoint Compromise None

Splunk App for Enterprise Security Stage_4 IAM Analytics


Command and Control
Enterprise Security Content Update Stage_3 Command and Control Exfiltration

Splunk Security Essentials Stage_3 Endpoint Compromise Defense Evasion


Enterprise Security Content Update Stage_3 Ransomware

Enterprise Security Content Update Stage_3 Ransomware


Command and Control
Splunk Professional Services Stage_3 Endpoint Compromise None

Compliance
Operations
Splunk Professional Services Stage_3 Scanning None

Splunk Professional Services Stage_2 Command and Control None

Lateral Movement
Scanning
Splunk Professional Services Stage_4 Network Attack None

Splunk App for Enterprise Security Stage_4 IAM Analytics

Splunk Professional Services Stage_3 Account Compromise None

Splunk Professional Services Stage_2 Account Compromise None

Lateral Movement
Splunk Professional Services Stage_4 Endpoint Compromise None
Discovery
Lateral Movement
Splunk Security Essentials Stage_3 Endpoint Compromise Execution

Discovery
Lateral Movement
Splunk Security Essentials Stage_3 Endpoint Compromise Execution

Scanning
Splunk Security Essentials Stage_3 Endpoint Compromise Discovery

Scanning
Splunk Security Essentials Stage_3 Endpoint Compromise Discovery

IAM Analytics
Account Sharing
Splunk App for Enterprise Security Stage_2 Account Compromise
Command and Control
Splunk Security Essentials Stage_2 Data Exfiltration

IAM Analytics
Endpoint Compromise
Splunk App for Enterprise Security Stage_2 GDPR

Splunk App for Enterprise Security Stage_4 IAM Analytics

Enterprise Security Content Update Stage_3 Ransomware Execution

Enterprise Security Content Update Stage_1 Lateral Movement Lateral Movement

Enterprise Security Content Update Stage_2 Scanning Discovery

Enterprise Security Content Update Stage_1 Account Compromise


Splunk Professional Services Stage_2 Web Attack None

Enterprise Security Content Update Stage_1 Account Compromise

Exfiltration
Enterprise Security Content Update Stage_3 Command and Control Defense Evasion

Splunk Security Essentials Stage_3 Endpoint Compromise Defense Evasion

Lateral Movement
Splunk Security Essentials Stage_3 Lateral Movement Execution

Splunk Security Essentials Stage_3 Endpoint Compromise Defense Evasion

Command and Control


Enterprise Security Content Update Stage_3 Command and Control Exfiltration

Enterprise Security Content Update Stage_2 Web Attack Defense Evasion

Enterprise Security Content Update Stage_2 Operations

Splunk Professional Services Stage_4 Endpoint Compromise None


Privilege Escalation
Enterprise Security Content Update Stage_3 Endpoint Compromise Persistence

Enterprise Security Content Update Stage_3 Endpoint Compromise Execution


Enterprise Security Content Update Stage_3 Unauthorized Software Execution

Enterprise Security Content Update Stage_3 Compliance Defense Evasion

Account Compromise
Compliance
Splunk Professional Services Stage_4 Unauthorized Software None

Enterprise Security Content Update Stage_4 Data Exfiltration Exfiltration

Enterprise Security Content Update Stage_3 Endpoint Compromise Execution

Data Exfiltration
Command and Control
Splunk Professional Services Stage_4 Endpoint Compromise None

Command and Control


Enterprise Security Content Update Stage_3 Command and Control Exfiltration

Unauthorized Software
Data Exfiltration
Splunk Professional Services Stage_3 Compliance None

Unauthorized Software
Data Exfiltration
Splunk Professional Services Stage_2 Compliance None
Operations
Splunk Professional Services Stage_3 Network Attack None

Splunk Professional Services Stage_4 Unauthorized Software None

Splunk Security Essentials Stage_1 Endpoint Compromise

Enterprise Security Content Update Stage_3 Endpoint Compromise Defense Evasion

Command and Control


Enterprise Security Content Update Stage_3 Command and Control Exfiltration
Exfiltration
Command and Control
Enterprise Security Content Update Stage_4 Compliance Defense Evasion

Command and Control


Endpoint Compromise
Splunk User Behavior Analytics Stage_4 Data Exfiltration None
Insider Threat
Splunk User Behavior Analytics Stage_3 Account Compromise None

Enterprise Security Content Update Stage_3 Endpoint Compromise

Endpoint Compromise
Splunk Security Essentials Stage_3 SaaS

Endpoint Compromise
Splunk Security Essentials Stage_4 SaaS

Scanning
Lateral Movement
Splunk Professional Services Stage_3 Data Exfiltration None

Scanning
Lateral Movement
Splunk Professional Services Stage_3 Data Exfiltration None
Splunk Professional Services Stage_3 Endpoint Compromise None

Splunk Professional Services Stage_2 Endpoint Compromise None

Splunk Professional Services Stage_2 Operations None

Splunk Professional Services Stage_3 Endpoint Compromise None


GDPR
Splunk Security Essentials Stage_1 Endpoint Compromise

Splunk Professional Services Stage_4 Web Attack None


Data Exfiltration
Splunk User Behavior Analytics Stage_6 Insider Threat None

Exfiltration
Enterprise Security Content Update Stage_4 Command and Control Command and Control
Command and Control
Splunk App for Enterprise Security Stage_3 Endpoint Compromise
Command and Control
Splunk App for Enterprise Security Stage_3 Endpoint Compromise
Lateral Movement
Splunk App for Enterprise Security Stage_2 IAM Analytics

Splunk App for Enterprise Security Stage_2 Web Attack

Data Exfiltration
Lateral Movement
Splunk Professional Services Stage_4 Endpoint Compromise None
Splunk Professional Services Stage_4 Insider Threat None
Endpoint Compromise
Insider Threat
Splunk Professional Services Stage_3 Data Exfiltration None

Operations
Splunk App for Enterprise Security Stage_4 GDPR

Splunk Security Essentials Stage_4 GDPR

Splunk User Behavior Analytics Stage_4 Endpoint Compromise None

Enterprise Security Content Update Stage_1 Compliance

Splunk User Behavior Analytics Stage_4 Other None

Splunk User Behavior Analytics Stage_4 Web Attack None

Splunk Security Essentials Stage_3 Endpoint Compromise Defense Evasion

Splunk Security Essentials Stage_3 Endpoint Compromise Defense Evasion

Splunk Professional Services Stage_4 Account Compromise None

Splunk Security Essentials Stage_3 Endpoint Compromise Defense Evasion

Splunk Security Essentials Stage_3 Endpoint Compromise Execution


Splunk Security Essentials Stage_3 Data Exfiltration Collection

Splunk Security Essentials Stage_4 Data Exfiltration Collection

Lateral Movement
Splunk Security Essentials Stage_1 GDPR Lateral Movement

Lateral Movement
Collection
Splunk Security Essentials Stage_1 Data Exfiltration Exfiltration

[Table residue: the trailing columns of the use case table (apparently source app, stage, category and tactic) were extracted here without the use case names that key each row, so the per-row values cannot be re-associated. The values present in this column block are: source apps Splunk App for Enterprise Security, Splunk Security Essentials, Enterprise Security Content Update, Splunk Professional Services and Splunk User Behavior Analytics; stages Stage_1 through Stage_6; categories including Account Compromise, Account Sharing, Compliance, Data Exfiltration, Denial of Service, Endpoint Compromise, GDPR, IAM Analytics, Insider Threat, Lateral Movement, Network Attack, Operations, Other, Phishing, Ransomware, SaaS, Scanning, Threat Intelligence, Unauthorized Software, Vulnerability and Web Attack; tactics Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Lateral Movement, Persistence, Privilege Escalation, or None.]

Kill Chain Phases

[Table residue: the Kill Chain Phases column (values None, Reconnaissance, Delivery, Exploitation, Installation, Command and Control and Actions on Objective) was extracted without the use case names that key each row, so the per-row phases cannot be re-associated.]
Use Case / Description / Security Impact / Example Data Source(s)

Detect Journal Clearing
Description: Looks for the fsutil process clearing the update sequence number (USN) change journal.
Security Impact: Some ransomware will delete the update sequence number (USN) change journal log, which provides a persistent log of all changes made to files on the volume.
Example Data Source(s): Microsoft Sysmon, Carbon Black, Windows Security logs (Process Tracking)

Detect Lateral Movement With WMI
Description: Looks for WMI being used for lateral movement.
Security Impact: WMI can be used by attackers to move laterally across networks.
Example Data Source(s): Microsoft Sysmon, Carbon Black, Windows Security logs, Splunk Stream

Detect Log Clearing With wevtutil
Description: Looks for the wevtutil process clearing the Windows Audit Logs.
Security Impact: Some ransomware will clear out the audit logs in an attempt to make its activities harder to analyze.
Example Data Source(s): Microsoft Sysmon, Carbon Black, Windows Security logs (Process Tracking)

Fake Windows Processes
Description: Looks for Windows system processes running from a non-Windows location.
Security Impact: Attackers often attempt to hide malware in plain sight by using the same name as legitimate Windows system processes.
Example Data Source(s): Microsoft Sysmon, Carbon Black, Windows Security logs (Process Tracking)

Malicious Command Line Executions
Description: Looks for statistically anomalous command-line arguments.
Security Impact: In most cases, ransomware enters an environment when a user with a vulnerable browser visits a malicious website, or clicks a link in a phishing email. Ransomware often uses a script to download an initial payload, or in some circumstances, the ransomware could be contained within the script itself. This tactic is common for many kinds of scripts, including VB scripts and PowerShell scripts. Also, attackers often issue multiple commands concatenated together as one long command line.
Example Data Source(s): Microsoft Sysmon, Carbon Black, Windows Security logs (Process Tracking)

Monitor AutoRun Registry Keys
Description: Monitors Windows Autorun registry keys.
Security Impact: The Windows AutoRun key is a registry key that specifies the programs that should run at startup. Anything executable listed under AutoRun will start when Windows starts up. This is a popular registry key for adversaries to abuse so that their code will run after a system reboot.
Example Data Source(s): Microsoft Sysmon, Windows Registry, Carbon Black

Monitor Successful Backups
Description: Verify that successful backups completed.
Security Impact: Ransomware works by encrypting data that is of value to the user, and forcing the user to pay a fee in order to decrypt the files into their original state. Good backup and recovery processes are an essential part of a mature enterprise, and having good backups can mean the difference between trying to regenerate the original data, restoring from backup or, worst case, paying a ransom to criminal actors with no guarantee you will recover your data. Understanding the status of your backup processes is an important first step to mitigating the threat caused by ransomware.
Example Data Source(s): Backup logs (from endpoints or central server), Microsoft Sysmon, Windows System events, Splunk Stream

Monitor Successful Windows Updates
Description: Verify Windows updates for specific vulnerabilities.
Security Impact: Ransomware commonly targets poorly patched systems. WannaCry and other ransomware exploited specific Windows vulnerabilities for which patches had not been installed, or had not been installed correctly, on Windows endpoints.
Example Data Source(s): Windows System events, Windows Update logs, Microsoft Sysmon

Monitor Unsuccessful Backups
Description: Monitor for indications of failed backups.
Security Impact: Ransomware works by encrypting data that is of value to the user, and forcing the user to pay a fee in order to decrypt the files into their original state. Good backup and recovery processes are an essential part of a mature enterprise, and having good backups can mean the difference between trying to regenerate the original data, restoring from backup or, worst case, paying a ransom to criminal actors with no guarantee you will recover your data. Understanding the status of your backup processes is an important first step to mitigating the threat caused by ransomware.
Example Data Source(s): Backup logs (from endpoints or central server), Microsoft Sysmon, Windows System events, Splunk Stream

Monitor Unsuccessful Windows Updates
Description: Monitor for indications of failed Microsoft updates.
Security Impact: Ransomware commonly targets poorly patched systems. WannaCry and other ransomware exploited specific Windows vulnerabilities for which patches had not been installed, or had not been installed correctly, on Windows endpoints.
Example Data Source(s): Windows System events, Windows Update logs, Microsoft Sysmon

Ransomware Extensions
Description: Search for encrypted files that ransomware creates.
Security Impact: Ransomware works by identifying files it deems as data important to you (typically Microsoft Office documents and images, as well as many others), and encrypts those files so that you can no longer use the original content. It then removes the original. The encrypted copy is usually given a unique extension, so that the user knows it has been encrypted.
Example Data Source(s): Microsoft Sysmon, osquery, Splunk Stream (SMB), Tripwire Enterprise, Carbon Black, Tanium, Ziften

Ransomware Note Files
Description: Search for ransom note files.
Security Impact: Most ransomware leaves a note on the endpoint containing directions for the victim to pay a ransom.
Example Data Source(s): Microsoft Sysmon, osquery, Splunk Stream (SMB), Tripwire Enterprise, Carbon Black, Tanium, Ziften

Ransomware Vulnerabilities
Description: Ransomware Vulnerabilities
Security Impact: Aside from social engineering tactics enticing users to execute code, another mechanism to introduce ransomware involves exploiting unpatched vulnerabilities in Microsoft Windows. Because of poor vulnerability management, a small number of vulnerabilities are responsible for most malware/ransomware attacks.
Example Data Source(s): QualysGuard, Tripwire IP360, Tenable Nessus, Rapid7 Nexpose, Vulnerability Feeds (Mitre, NVD)

SMB Traffic Allowed
Description: Shows SMB traffic allowed through your firewall.
Security Impact: SMB traffic is used for Windows file sharing activity. The WannaCry ransomware leveraged a vulnerability in the SMB protocol to propagate to other systems. Best practices dictate that SMB traffic should not be allowed into your environment from the Internet. It gives attackers an opportunity to test credentials, potentially connect directly to endpoints, and leverage any vulnerabilities those endpoints might have.
Example Data Source(s): Firewalls (e.g. Palo Alto, Fortinet, Check Point, Cisco, Juniper), Bro IDS, Splunk Stream (SMB)

Spike in SMB Traffic
Description: Shows an unusually high increase in SMB network connections.
Security Impact: SMB traffic is used for Windows file sharing activity. The WannaCry ransomware leveraged a vulnerability in the SMB protocol to propagate to other systems. A spike in SMB traffic could indicate an infected host attempting to spread ransomware to other hosts in your environment.
Example Data Source(s): Firewalls (e.g. Palo Alto, Fortinet, Check Point, Cisco, Juniper), Bro IDS, Splunk Stream (SMB)

TOR Traffic
Description: Identify hosts generating TOR traffic within your environment.
Security Impact: Ransomware often communicates to command and control servers using TOR, a tool for anonymous network communication. Attackers use TOR so they can remain anonymous and still communicate with the infected hosts.
Example Data Source(s): Palo Alto, Check Point, Cisco ASA, Splunk Stream, Bro IDS, Microsoft Sysmon, Windows System events

Windows Event Log Clearing Events
Description: Search for Windows event codes that indicate the Windows Audit Logs were tampered with.
Security Impact: Attackers often attempt to hide what they did by clearing out Windows Audit Logs.
Example Data Source(s): Windows System events, Windows Security logs
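Rule-style detection logic for three of the use cases above (Detect Journal Clearing, Detect Log Clearing With wevtutil, Fake Windows Processes), run over constructed Sysmon-style process-creation events. This is an added example, not Splunk's own search content; the impersonated process names, trusted directories, hosts, users and sample events are assumptions.

```python
"""Added example (not Splunk content): process-event rules for three ransomware use cases."""
import ntpath
from dataclasses import dataclass
from typing import List

# Windows system binaries that malware commonly impersonates by name (assumed list).
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
    "winlogon.exe", "smss.exe", "explorer.exe",
}
# Directories where those binaries legitimately reside on a default install (assumption).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ProcessEvent:
    """The fields of a Sysmon process-creation record that these rules use."""
    host: str
    user: str
    image: str          # full path of the executable that started
    command_line: str


@dataclass(frozen=True)
class Finding:
    use_case: str
    host: str
    user: str
    image: str
    command_line: str


def _image_name(ev: ProcessEvent) -> str:
    return ntpath.basename(ev.image).lower()


def _tokens(ev: ProcessEvent) -> List[str]:
    # Whitespace split is enough for the verbs checked here; quoted arguments are not parsed.
    return ev.command_line.lower().split()


def detect_journal_clearing(ev: ProcessEvent) -> bool:
    """fsutil deleting the USN change journal ("fsutil usn deletejournal ...")."""
    toks = _tokens(ev)
    return _image_name(ev) == "fsutil.exe" and "usn" in toks and "deletejournal" in toks


def detect_log_clearing(ev: ProcessEvent) -> bool:
    """wevtutil clearing an event log: verb 'cl' or its long form 'clear-log'."""
    return _image_name(ev) == "wevtutil.exe" and any(
        t in ("cl", "clear-log") for t in _tokens(ev)[1:]
    )


def detect_fake_windows_process(ev: ProcessEvent) -> bool:
    """A Windows system process name executing from outside the Windows directories."""
    directory = ntpath.dirname(ev.image).lower().rstrip("\\")
    return _image_name(ev) in SYSTEM_PROCESS_NAMES and directory not in TRUSTED_DIRS


RULES = [
    ("Detect Journal Clearing", detect_journal_clearing),
    ("Detect Log Clearing With wevtutil", detect_log_clearing),
    ("Fake Windows Processes", detect_fake_windows_process),
]


def run_detections(events) -> List[Finding]:
    """Apply every rule to every event; one Finding per matching (event, rule), in input order."""
    findings = []
    for ev in events:
        for use_case, rule in RULES:
            if rule(ev):
                findings.append(Finding(use_case, ev.host, ev.user, ev.image, ev.command_line))
    return findings


# Constructed sample events (hosts, users and paths are made up).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"CORP\alice", r"C:\Windows\System32\fsutil.exe",
                 "fsutil usn deletejournal /D C:"),
    ProcessEvent("ws01", r"CORP\alice", r"C:\Windows\System32\wevtutil.exe",
                 "wevtutil.exe cl Security"),
    ProcessEvent("ws02", r"CORP\bob", r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
                 "svchost.exe -k netsvcs"),
    # Benign look-alikes that the rules must not flag:
    ProcessEvent("ws02", r"CORP\bob", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ProcessEvent("ws03", r"CORP\carol", r"C:\Windows\System32\fsutil.exe",
                 "fsutil usn queryjournal C:"),
    ProcessEvent("ws03", r"CORP\carol", r"C:\Windows\System32\wevtutil.exe",
                 "wevtutil qe Security /c:5"),
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"{f.use_case}: host={f.host} user={f.user} image={f.image}")
```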


Category / Use Case / Description / Details / Example Data Source(s)

Healthcare Fraud: Find anomalous healthcare providers
Description: Find nationwide and statewide anomalies in prescription drug claims
Details: This use case assembles healthcare providers into peer groups based on their medical specialty. Unsupervised machine learning is then utilized to identify providers with highly abnormal prescription drug distributions and volumes in comparison to their peers. The results may be filtered down based on geography, specialty, drug type, total claims billed and anomalous drug %.
Example Data Source(s): Healthcare Insurance Billing logs

Healthcare Fraud: Investigate specific healthcare provider
Description: Find all prescription claims, compare specific provider profile to typical nationwide or statewide profile
Details: Details of each healthcare provider may be viewed by clicking on their name in the Anomalous Providers page. Each provider's prescription drug distribution and volumes are shown in comparison to other providers of their specialty.
Example Data Source(s): Healthcare Insurance Billing logs

Payment Cards Fraud: Risk scoring of payment cards
Description: Show most risky payment cards with summary details of activity for each card
Details: This use case uses fraud rules on card transactions to identify cards with suspect activity. Each suspect card lists the detection rules that fired, including the number of times and the score additions added. This use case includes multiple velocity-based rules, such as geographic and merchant changes, which may indicate a cloned card. Clicking a suspect card number opens a view of the suspect card's transactions.
Example Data Source(s): Credit Card transaction logs

Payment Cards Fraud: Detailed card transactions
Description: Show detailed transaction activity of every payment card. Mark compromised payment cards.
Details: A detailed list of transactions for a card may be viewed on this screen. The view may be filtered in a number of different ways, including time and merchant.
Example Data Source(s): Credit Card transaction logs

Payment Cards Fraud: Detect anomalous payment cards
Description: Leverage unsupervised learning to discover anomalously behaving payment cards
Details: This use case identifies payment cards with highly anomalous transactions utilizing the Machine Learning Toolkit. The clustering algorithm considers multiple fields in the transactions to identify the outliers. By default, k-means clustering with k=18 is used, as it gave the best results for the use case; however, you may switch to other algorithms to see how the results differ. The 3D visualization is a great way to see how odd the suspect cards are when compared to all.
Example Data Source(s): Credit Card transaction logs

Payment Cards Fraud: Risk analysis of merchants and payment terminals
Description: Analyze risk factors and predisposition to fraudulent activity of specific merchant and payment terminal
Details: This use case utilizes Splunk searches to identify merchants and card terminals that have interactions with an exceptionally high volume of risky cards. The view may be filtered by time, merchant name and risk rating. Clicking on a merchant name will open the "Card Transactions" view filtered for the specific merchant, so you may investigate the individual transactions.
Example Data Source(s): Credit Card transaction logs

Wire Transfer Fraud: Introduction: Wire Transfer Fraud Detection
Description: Detect wire transfer fraud and customer behavior anomalies with Splunk

Wire Transfer Fraud: Wire Transfer Fraud Posture
Description: Fraud status overview, Wire transfer amounts deviation, customer status
Details: This dashboard displays aggregate metrics on wire transfer transactions, as well as specific potentially fraudulent transactions ready for analyst review. Each originating bank account is identified by an IP address in this example data set. The application profiles each originating account in terms of the transfer destination accounts and amounts. A transfer is suspect if the destination and amount are highly anomalous based on the learned profile of the originating account. For example, if account A has never transferred to account B and the dollar value is 3x the average amount transferred by account A, then it is suspect. The most suspect transfers may be fraudulent, so they are exposed for an analyst to review.
Example Data Source(s): Wire Transfer transaction logs

Wire Transfer Fraud: Account Profiling details
Description: Customer profiling, Wire requests, Fraud events, Wire Matching
Details: This dashboard provides a more detailed view of the processing taking place on the wire transfer transactions. The filters control the data displayed in the Fraud Events and Detailed Fraudulent Transactions panes.
Example Data Source(s): Wire Transfer transaction logs

Wire Transfer Fraud: Account Behavior Profile
Description: Learned customer profiles, Fraudulent activities, Detailed notables
Details: This view shows details for an originating account (IP address) and the transfers the associated IP address participates in. It is most useful to identify a suspect account on the Wire Transfer Fraud Posture page and then come here to see details for the suspect account.
Example Data Source(s): Wire Transfer transaction logs

Wire Transfer Fraud: Wire Transfer Demo Data
Description: View of profiled target accounts with search and filtering
Details: This view lists the originating account (IP address) profiles used in the demo use cases. You can directly search for an account from here.
Example Data Source(s): Wire Transfer transaction logs
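The originating-account profiling rule described for the Wire Transfer Fraud Posture dashboard (a destination the account has never used, at an amount 3x the account's average), carried through in Python as an added example. It is not the Splunk fraud app's own search logic; the account addresses, amounts and the handling of an account with no learned profile are assumptions.

```python
"""Added example (not Splunk content): the wire-transfer profiling rule from the table above."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Transfer:
    origin: str        # originating account; the demo data set identifies it by IP address
    destination: str
    amount: float


@dataclass
class AccountProfile:
    """What is learned per originating account: where it sends money and how much on average."""
    destinations: Set[str] = field(default_factory=set)
    total: float = 0.0
    count: int = 0

    @property
    def average(self) -> float:
        return self.total / self.count if self.count else 0.0


def learn_profiles(history: Iterable[Transfer]) -> Dict[str, AccountProfile]:
    """Build the learned profile of every originating account from past transfers."""
    profiles: Dict[str, AccountProfile] = defaultdict(AccountProfile)
    for t in history:
        p = profiles[t.origin]
        p.destinations.add(t.destination)
        p.total += t.amount
        p.count += 1
    return dict(profiles)


def is_suspect(t: Transfer, profiles: Dict[str, AccountProfile], ratio: float = 3.0) -> bool:
    """The table's example rule: never-seen destination AND amount >= ratio x the origin's average.
    Assumption: an origin with no learned profile at all is exposed for review too."""
    p = profiles.get(t.origin)
    if p is None:
        return True
    return t.destination not in p.destinations and t.amount >= ratio * p.average


def review_queue(candidates: Iterable[Transfer], profiles: Dict[str, AccountProfile]) -> List[Transfer]:
    """Transfers an analyst should look at, in arrival order."""
    return [t for t in candidates if is_suspect(t, profiles)]


# Constructed demo data: 10.0.0.5 has sent 1000, 1200 and 800 to ACCT-100 and 1000 to ACCT-200,
# so its learned average is 1000.
HISTORY = [
    Transfer("10.0.0.5", "ACCT-100", 1000.0),
    Transfer("10.0.0.5", "ACCT-100", 1200.0),
    Transfer("10.0.0.5", "ACCT-100", 800.0),
    Transfer("10.0.0.5", "ACCT-200", 1000.0),
]
CANDIDATES = [
    Transfer("10.0.0.5", "ACCT-999", 3500.0),  # new destination at 3.5x average: suspect
    Transfer("10.0.0.5", "ACCT-100", 3500.0),  # large, but to a known destination: not flagged by this rule
    Transfer("10.0.0.5", "ACCT-999", 500.0),   # new destination, but a normal amount: not flagged
    Transfer("10.0.0.9", "ACCT-001", 50.0),    # no profile at all: exposed for review (assumption)
]

if __name__ == "__main__":
    for t in review_queue(CANDIDATES, learn_profiles(HISTORY)):
        print(f"suspect: {t.origin} -> {t.destination} amount={t.amount:.2f}")
```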


PCI DSS v3.2
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel

Columns: Dashboard/Report Name; Requirement(s); Guidance; Dashboard/Report Description; Relevant Data Sources

Firewall Rule Activity
Requirement(s): R1: Network Traffic
Guidance: All systems must be protected from unauthorized access from untrusted networks. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
Description: This report provides a six-month view of firewall rule usage to help identify unneeded, outdated, or incorrect rules. This report ensures that all rules allow only authorized services and ports that match business justifications. Compliance managers might run this report more frequently to avoid unnecessary risks and avoid opening potential security holes.
Relevant Data Sources: Firewalls that produce rule ID information

Network Traffic Activity
Requirement(s): R1: Network Traffic
Guidance: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner. Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
Description: This report provides a six-month view of network traffic activity between PCI domains. This report looks at traffic data produced by firewalls, routers, switches, and any other device that produces network traffic data. You can modify and customize the report by using different filters.
Relevant Data Sources: Any device that creates network traffic activity, such as firewalls

Default Account Access
Requirement(s): R2: Default Configurations; R6: Patch Update Protection; R8: Activity Accountability
Guidance: Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.
Description: This report provides a six-month rolling view of attempts to access cardholder systems using default user accounts. This report looks at all activity by accounts categorized in the identity table with tag=default. A default list of accounts is provided in the identity table, which can be edited using the List and Lookups configuration page.
Relevant Data Sources: Windows Security, Unix SSH, and any other application, system, or device that produces authentication data

Insecure Authentication Attempts
Requirement(s): R2: Default Configurations
Guidance: If remote administration is not done with secure authentication and encrypted communications, sensitive administrative or operational level information like administrator passwords could be revealed to an eavesdropper. PCI DSS requires that you use only secure technologies to log into cardholder systems.
Description: This report looks at attempts to access cardholder systems using insecure protocols and services. Use this report to identify the source of the insecure authentication attempts so they can be evaluated and eliminated if they pose a risk to the cardholder system.
Relevant Data Sources: Any device that produces clear text or other insecure authentication activity, such as Windows Security, telnet, and others

PCI System Inventory
Requirement(s): R2: Default Configurations
Guidance: Maintaining a current list of all software components running in the PCI compliant environment enables an organization to define risk exposure and devise adequate controls. Without an automated inventory, some system components could be inadvertently excluded from the organization's configuration standards.
Description: This report provides visibility into software that is running on PCI assets. Monitor this report on a daily basis to ensure that no unexpected services or applications are being run. Unexpected software components should be investigated further.
Relevant Data Sources: Service, process, and port data such as the Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833/) or the Splunk Add-on for Microsoft Windows (https://splunkbase.splunk.com/app/742/)

Primary Functions
Requirement(s): R2: Default Configurations
Guidance: Systems within the PCI cardholder environment should be implemented with only a single primary function to prevent functions that require different security levels from coexisting on the same server. The PCI requirement ensures that your system configuration standards and related processes minimize the potential for introducing security weaknesses to the system.
Description: This report looks at cardholder systems that have multiple primary functions active. The data in the Primary Functions report is generated from a lookup file (assets.csv) populated by the user. This report looks at process data, service data, and port/protocol data to determine what functions are running on a system and displays them in the result. Use this report to identify systems where multiple primary functions might be running or where unexpected services could be in use.
Relevant Data Sources: Service, process, and port data such as the Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833/) or the Splunk Add-on for Microsoft Windows (https://splunkbase.splunk.com/app/742/)

Prohibited Services
Requirement(s): R1: Network Traffic; R2: Default Configurations
Guidance: These services and ports can have known vulnerabilities. A security hardening policy should be defined that clearly defines what services and protocols are allowed to run on each system. Organizations should test those systems periodically to ensure that they are patched appropriately and unauthorized services are disabled.
Description: This report looks at prohibited services data produced by the services_tracker lookup. It reports on systems with prohibited services installed and running. Compromises often happen because of unused or insecure services and ports on systems within the cardholder environment or systems that have a communication path to cardholder systems.
Relevant Data Sources: Service, process, and port data such as the Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833/) or the Splunk Add-on for Microsoft Windows (https://splunkbase.splunk.com/app/742/)

System Misconfigurations
Requirement(s): R2: Default Configurations
Guidance: Malicious individuals often use vendor default configuration settings to compromise systems and applications. These settings are well known in hacker communities and leave systems highly vulnerable to attack. This report ensures your organization's system configuration standards and related processes specifically address security settings and parameters that have known security implications.
Description: This report provides a view of all identified system misconfigurations on PCI-relevant assets in your cardholder environment. Use this report to compare the identified misconfigurations with the defined hardening policy to determine the level of risk to the asset.
Relevant Data Sources: Data from configuration assessment tools that identify a misconfigured setting on an endpoint

Weak Encrypted Communication
Requirement(s): R2: Default Configurations; R4: Protect Data in Motion
Guidance: Track SSL and TLS sessions in the PCI network and identify those encrypted by insecure SSL and TLS versions. Network traffic that uses those encryption protocols could be insecure and in violation of the PCI standard.
Description: This report looks at network data to identify network sessions encrypted with SSL or with weak or insecure versions of the TLS protocol.
Relevant Data Sources: Any log source that tracks SSL and TLS sessions, such as firewall data, IDS and IPS devices, streaming data from Splunk Stream, or other network capture apps

Wireless Network Misconfigurations
Requirement(s): R2: Default Configurations
Guidance: Implementation and/or exploitation of wireless technology within a network is one of the most common paths for malicious users to gain access to the network and cardholder data. Corporate controlled or rogue access devices that are not configured with appropriate security configurations can allow an attacker to invisibly enter the network and put cardholder data at risk.
Description: The report tracks misconfigurations found on wireless network devices. This report provides visibility into data collected from IDS/IPS, NAC, network scanners, and other sources of data. This report displays a list of misconfigurations found on wireless access devices. Use this report to view the misconfiguration information and continuously monitor the data to identify devices that are not configured properly. Note: This report does not display unencrypted traffic directly, only misconfigurations that indicate the possible transmission or side-channel leakage of unencrypted traffic. For a full traffic report, see Network Traffic Activity.
Relevant Data Sources: Misconfiguration data found by wireless network monitoring products or IDS systems, data collected from IDS/IPS, NAC, network scanners, and other similar sources of data

Credit Card Data Found
Requirement(s): R3: Protect Data at Rest; R4: Protect Data in Motion
Guidance: The cardholder data environment should be monitored for unauthorized egress transmission of credit card data using IDS, IPS, and DLP-based technologies. PCI requires that cardholder data be protected from unauthorized access or distribution.
Description: This report looks at credit card data, found in motion or at rest, from IDS, IPS, and DLP systems to provide visibility into potentially unauthorized transmissions of credit card data over the network or to unauthorized removable storage devices. Use this report to identify the source of the transmission so it can be further investigated and fixed.
Relevant Data Sources: Alerts from IDS, IPS, or DLP solutions and alerts from the Luhn-based algorithm detection method implemented in the Splunk Enterprise Security framework and used by the Splunk App for PCI Compliance

Endpoint Product Deployment
Requirement(s): R5: Anti-malware Protection
Guidance: PCI DSS requires that assets within the cardholder data environment have anti-malware technology installed and working to protect against viruses, worms, trojans, and other malware-based threats. The best anti-malware software has limited effectiveness if it does not have the current antivirus product versions.
Description: This report provides a summary and detail view of all PCI assets and the most current product versions installed. Use this report to identify any assets that are not using the current anti-malware product versions and take appropriate measures to ensure these systems are updated. Review this report at least once per day. Review this report more frequently if you are collecting data from anti-malware solutions more frequently.
Relevant Data Sources: Antivirus activity, endpoint version data, or endpoint product signature data produced by firewalls, routers, switches, and any other device that produces endpoint data

Endpoint Product Versions
Requirement(s): R5: Anti-malware Protection
Guidance: PCI DSS requires that assets within the cardholder data environment have anti-malware technology installed and working to protect against viruses, worms, trojans, and other malware-based threats. The best anti-malware software has limited effectiveness if it does not have the current antivirus product versions.
Description: This report provides a summary and detail view of all PCI assets and the most current product versions installed. Use this report to identify any assets that are not using the current anti-malware product versions and take appropriate measures to ensure these systems are updated. Review this report at least once per day, or more frequently if you are collecting data from anti-malware solutions more frequently.
Relevant Data Sources: Endpoint engine version information, such as antivirus, endpoint protection, and others

Malware Activity
Requirement(s): R5: Anti-malware Protection
Guidance: The cardholder data environment should be monitored for unauthorized transmission of credit card data using IDS, IPS, and DLP-based technologies. PCI requires that cardholder data be protected from unauthorized access or distribution.
Description: This report looks at malware activity data on cardholder systems produced by anti-malware solutions or any other device that produces malware activity data. It looks at data from IDS, IPS, and DLP systems to provide visibility into potentially unauthorized transmissions of credit card data over the network or to unauthorized removable storage devices. Use this report to identify the source of the transmission so it can be further investigated and fixed.
Relevant Data Sources: Alerts from IDS, IPS, or DLP solutions and alerts from the Luhn-based algorithm detection method implemented in the Splunk Enterprise Security (https://splunkbase.splunk.com/app/263/) framework and used by the Splunk App for PCI Compliance (https://splunkbase.splunk.com/app/1143/)

Malware Signature Updates
Requirement(s): R5: Anti-malware Protection
Guidance: The best anti-malware software has limited effectiveness if it does not have current signatures or if it is not active in the network or on an individual's computer. The PCI standard requires that the anti-malware tools are current, which includes the signatures used to detect localized threats.
Description: This report uses the information from the anti-malware solution to display a list of the systems within the PCI environment that are updating their signatures appropriately. Use this report to identify systems that have not updated their malware signatures as required.
Relevant Data Sources: Endpoint signature version information such as antivirus, endpoint protection, and others produced by firewalls, routers, switches, and any other device configured to produce malware data

Update Service Status
Requirement(s): R6: Patch Update Protection
Guidance: The best anti-malware software has limited effectiveness if it does not have current signatures or if it is not active in the network or on an individual's computer. The PCI DSS standard requires that the anti-malware tools are current, which includes the signatures used to detect localized threats.
Description: This report collects data on the patch service on cardholder systems and uses the information from the anti-malware solution to display a list of the systems within the PCI environment that are updating their signatures appropriately. Use this report to identify systems that have not updated their malware signatures as required.
Relevant Data Sources: Patch service data such as the Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833/) or the Splunk Add-on for Microsoft Windows (https://splunkbase.splunk.com/app/742/)

System Update Status
Requirement(s): R6: Patch Update Protection
Guidance: Many attacks use widely published exploits that can be avoided if systems are patched appropriately. PCI DSS requires that systems and applications are protected by installing the latest vendor-supplied patches.
Description: This report collects information on the patch status of cardholder systems and provides visibility into the current patch state for systems within the PCI cardholder data environment. Use this report to identify systems that are not patched according to policy.
Relevant Data Sources: Patch activity data from the native operating system or a patch management tool such as Windows Update

Anomalous System Uptime
Requirement(s): R6: Patch Update Protection
Guidance: Systems often need to be rebooted after patches are applied. Systems that have not been rebooted might still be vulnerable to compromise. PCI DSS requires that high and/or critical patches be applied within 30 days.
Description: This report provides a list of servers that have not been rebooted in 30 days or more. Use this report to identify systems that might be vulnerable to attack.
Relevant Data Sources: Uptime data extracted through scripts from Windows, Unix, or other hosts

PCI Command History
Requirement(s): R7: Access Monitoring
Guidance: When configuring privileged IDs on systems, make sure you assign individuals only the least privileges needed for the task at hand. Assigning least privileges helps prevent users without sufficient training from incorrectly or accidentally changing operational configuration or altering security settings. Least privilege can also help to minimize the amount of damage from unauthorized access to a privileged ID.
Description: This report provides visibility into the commands that are run on PCI assets. Monitor this report on a daily basis to ensure that no excessively privileged commands are being run. You should investigate unexpected commands further.
Relevant Data Sources: Bash history collected by the Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833/)

PCI Resource Access
Requirement(s): R7: Access Monitoring; R8: Activity Accountability; R10: Cardholder Data Access
Guidance: You should limit access to resources in the PCI cardholder data environment to only those whose jobs require such access. This limits the risk that an account with access to cardholder data is compromised. PCI DSS requires that all authentication attempts to systems, applications, and devices in the cardholder data environment be monitored for appropriate and legitimate access.
Description: This report collects data on access attempts to PCI resources in the cardholder data environment and provides the compliance manager with visibility into all authentication attempts. Use this report to identify access attempts by users to ensure that access to cardholder data is legitimate.
Relevant Data Sources: Authentication data from any system, application, or device in the cardholder data environment

Endpoint Changes
Requirement(s): R10: Cardholder Data Access; R11: Vulnerability Testing
Guidance: PCI DSS requires that you monitor systems for changes to system level objects, critical system files, configuration files, or content files on systems within the cardholder data environment. Compare these files and objects periodically to ensure that the integrity of these files is preserved.
Description: This report collects information on system changes discovered on cardholder systems. It shows a list of all changes identified using Splunk FSChange, Splunk platform file integrity tools, and other change data captured within Splunk platform. Use this report to identify anomalous or unexpected changes to system objects, critical system files, configuration files, or content files that are being monitored.
Relevant Data Sources: Change data, including file integrity changes from tools such as fschange, OSSEC, Tripwire, and others

System Time Synchronization
Requirement(s): R10: Cardholder Data Access
Guidance: Time synchronization technology such as Network Time Protocol (NTP) is used to keep system clocks synchronized across a network. This allows for log correlation between systems and establishes a clear sequence of events when necessary. PCI DSS requires that systems in the cardholder data environment be synchronized.
Description: This report looks at system time synchronization data and provides a list of all assets that are not synchronizing as expected to a centralized time server. Use this report to identify these systems so you can further investigate and fix them.
Relevant Data Sources: NTP failure and success data

Privileged User Activity
Requirement(s): R10: Cardholder Data Access
Guidance: Accounts with increased privileges, such as the administrator and root accounts, can have an impact on the security or operational functionality of a system. PCI DSS requires that all actions taken by individuals using administrative credentials be monitored for misuse and abuse.
Description: This report shows raw events associated with privileged user activity and provides you with a report of all administrative activity. Use this report to evaluate privileged user accounts and review the activity to identify potential security threats that can lead to potential cardholder data compromise.
Relevant Data Sources: Any data that includes a privileged user account reference

PCI Asset Logging
Requirement(s): R10: Cardholder Data Access
Guidance: PCI DSS requires that audit logs from systems, applications, and devices in the cardholder data environment be promptly backed up to a central log server.
Description: This report provides a list of all PCI assets that have stopped logging their data to Splunk platform or that have never logged data to Splunk platform. Use this report to ensure that all PCI assets are logging their data to Splunk platform. Use this report to repair any systems that are non-compliant in their logging configurations.
Relevant Data Sources: Splunk platform and audit logs

Vulnerability Scan Details
Requirement(s): R11: Vulnerability Testing
Guidance: Vulnerability scans of the cardholder data environment expose potential vulnerabilities in networks that could be found and exploited by malicious individuals. When these weaknesses are identified, the organization should correct them and repeat the vulnerability scan to verify that they have corrected the vulnerabilities.
Description: Report on vulnerabilities discovered on PCI assets. This report looks at vulnerability scan details data produced by firewalls, routers, switches, and any other device that produces vulnerability data. This report shows all vulnerabilities identified for selected assets. Use this report to identify specific high and/or critical vulnerabilities on cardholder systems that need to be fixed.
Relevant Data Sources: Any vulnerability data

Rogue Wireless Access Point Protection
Requirement(s): R11: Vulnerability Testing
Guidance: Implementation and/or exploitation of wireless technology within a network is one of the most common paths for malicious users to gain access to the network and cardholder data. If a wireless device or network is installed without a company's knowledge, it can allow an attacker to easily and invisibly enter the network. PCI compliance requires that organizations test for the presence of wireless access devices on the network at least once every three months. More frequent testing is recommended.
Description: This report gathers data on unauthorized wireless access points found on the network. It uses the data generated by IDS/IPS systems, network scan results, or Network Access Control (NAC) logs to report on any rogue access device detections. Use this report to see any discovered rogue access devices and more deeply explore the network, user activity, or system activity to further investigate the access points.
Relevant Data Sources: IDS/IPS systems, network scan results, or Network Access Control (NAC) logs

IDS/IPS Alert Activity
Requirement(s): R11: Vulnerability Testing
Guidance: Intrusion detection and/or prevention systems (IDS/IPS) compare inbound and outbound network traffic against known signatures and/or behaviors of thousands of compromise types (hacker tools, Trojans and other malware). Intrusion detection and/or prevention systems can be configured to either alert or stop the intrusion attempt. Without a proactive approach to unauthorized activity detection using these tools, attacks on (or misuse of) PCI resources could go unnoticed in real time. PCI requires that the alerts generated by these tools be monitored so that attempted intrusions can be stopped before they happen.
Description: This report collects data on unauthorized wireless access points found on the network and provides a summarized view of the intrusion activity involving an asset in the PCI domain. Use this report to identify attack trends and behavior that could indicate a more significant threat.
Relevant Data Sources: IDS/IPS systems, network scan results, or Network Access Control (NAC) logs
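The Credit Card Data Found and Malware Activity rows above cite a Luhn-based detection method as one of their data sources. The following Python block is an added example, not code from the Splunk App for PCI Compliance, showing what that kind of detector does: it scans constructed log lines for 13 to 19 digit candidates, keeps only those that pass the Luhn checksum, and records a masked PAN plus the source host so the hit can be pivoted on. The host field position, the log format and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (session ids, timestamps).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS 3.3 lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int      # 1-based line in the input
    host: str         # source host from the log line (assumed to be the 3rd field)
    masked_pan: str   # the full PAN is never stored in the finding


def find_card_numbers(lines):
    """Scan log lines; return a Finding for every Luhn-valid card number."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        host = fields[2] if len(fields) > 2 else "unknown"
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(n, host, mask_pan(digits)))
    return findings


def sources(findings):
    """Count hits per source host, the pivot the report is built around."""
    return dict(Counter(f.host for f in findings))


# Constructed sample log lines; hosts and fields are made up and the card
# numbers are the usual Luhn-valid test values, not real cards.
SAMPLE_LOGS = [
    "2018-07-26 09:12:01 pos-web01 checkout ok card=4111-1111-1111-1111 amount=42.10",
    "2018-07-26 09:12:05 pos-web01 checkout ok card=4111111111111112 amount=13.00",
    "2018-07-26 09:13:44 dlp-gw usb_copy file=export.csv sample=5500 0000 0000 0004",
    "2018-07-26 09:14:00 app01 session_id=123456789012345678901 user=jdoe",
]

if __name__ == "__main__":
    hits = find_card_numbers(SAMPLE_LOGS)
    for f in hits:
        print(f"line {f.line_no} host={f.host} pan={f.masked_pan}")
    print(sources(hits))
```

Line 2 fails the checksum and line 4 is a 21-digit session id, so only lines 1 and 3 are reported; a real deployment would add BIN-range and context checks to cut false positives further.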
Family / Control

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
System: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6

Critical Security Control #2: Inventory of Authorized and Unauthorized Software
System: 2.1, 2.2, 2.3, 2.4

Critical Security Control #3: Secure Configurations for Hardware and Software
System: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7

Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
System: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8

Critical Security Control #5: Controlled Use of Administrative Privileges
System: 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
System: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6

Critical Security Control #7: Email and Web Browser Protections
System: 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8

Critical Security Control #8: Malware Defenses
System: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6

Critical Security Control #9: Limitation and Control of Network Ports
System: 9.1, 9.2, 9.3, 9.4, 9.5, 9.6

Critical Security Control #10: Data Recovery Capability
System: 10.1, 10.2, 10.3, 10.4

Critical Security Control #11: Secure Configurations for Network Devices
Network: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

Critical Security Control #12: Boundary Defense
Network: 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 12.8, 12.9, 12.10

Critical Security Control #13: Data Protection
Network: 13.1, 13.2, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9

Critical Security Control #14: Controlled Access Based on the Need to Know
Application: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7

Critical Security Control #15: Wireless Access Control
Network: 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.8, 15.9

Critical Security Control #16: Account Monitoring and Control
Application: 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13, 16.14

Critical Security Control #17: Security Skills Assessment and Appropriate Training to Fill G
Application: 17.1, 17.2, 17.3, 17.4, 17.5

Critical Security Control #18: Application Software Security
Application: 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9

Critical Security Control #19: Incident Response and Management
Application: 19.1, 19.2, 19.3, 19.4, 19.5, 19.6, 19.7

Critical Security Control #20: Penetration Tests and Red Team Exercises
Application: 20.1, 20.2, 20.3, 20.4, 20.5, 20.6, 20.7, 20.8

Critical Security Controls Version 6.0
Control Description
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems
connected to an organization’s public and private network(s). Both active tools that scan through IPv4 or
IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be
employed.

If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration
protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect
unknown systems.

Ensure that all equipment acquisitions automatically update the inventory system as new, approved
devices are connected to the network.

Maintain an asset inventory of all systems connected to the network and the network devices themselves,
recording at least the network addresses, machine name(s), purpose of each system, an asset owner
responsible for each device, and the department associated with each device. The inventory should
include every system that has an Internet protocol (IP) address on the network, including but not limited to
desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area
networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory
created must also include data on whether the device is a portable and/or personal device. Devices such
as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must
be identified, regardless of whether they are attached to the organization’s network.
Deploy network level authentication via 802.1x to limit and control which devices can be connected to the
network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized
systems.

Use client certificates to validate and authenticate systems prior to connecting to the private network.

ritical Security Control #2: Inventory of Authorized and Unauthorized Software


Devise a list of authorized software and version that is required in the enterprise for each type of system,
including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file
integrity checking tools to validate that the authorized software has not been modified.

Deploy application whitelisting technology that allows systems to run software only if it is included on the
whitelist and prevents execution of all other software on the system. The whitelist may be very extensive
(as is available from commercial whitelist vendors), so that users are not inconvenienced when using
common software. Or, for some special-purpose systems (which require only a small number of programs
to achieve their needed business functionality), the whitelist may be quite narrow.
Deploy software inventory tools throughout the organization covering each of the operating system types
in use, including servers, workstations, and laptops. The software inventory system should track the version
of the underlying operating system as well as the applications installed on it. The software inventory
systems must be tied into the hardware asset inventory so all devices and associated software are tracked
from a single location.

Virtual machines and/or air-gapped systems should be used to isolate and run applications that are
required for business operations but based on higher risk should not be installed within a networked
environment.

Critical Security Control #3: Secure Configurations for Hardware and Software

Establish standard secure configurations of your operating systems and software applications. Standardized
images should represent hardened versions of the underlying operating system and the applications
installed on the system. These images should be validated and refreshed on a regular basis to update their
security configuration in light of recent vulnerabilities and attack vectors.

Follow strict configuration management, building a secure image that is used to build all new systems that
are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with
the secure build. Regular updates or exceptions to this image should be integrated into the organization’s
change management processes. Images should be created for workstations, servers, and other system
types used by the organization.

Store the master images on securely configured servers, validated with integrity checking tools capable of
continuous inspection, and change management to ensure that only authorized changes to the images are
possible. Alternatively, these master images can be stored in offline machines, air-gapped from the
production network, with images copied via secure media to move them between the image storage
servers and the production network.

Perform all remote administration of servers, workstation, network devices, and similar equipment over
secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong
encryption should only be used if they are performed over a secondary encryption channel, such as SSL,
TLS or IPSEC.
Use file integrity checking tools to ensure that critical system files (including sensitive system and
application executables, libraries, and configurations) have not been altered. The reporting system should:
have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected
alterations; show the history of configuration changes over time and identify who made the change
(including the original logged-in account in the event of a user ID switch, such as with the su or sudo
command). These integrity checks should identify suspicious system alterations such as: owner and
permissions changes to files or directories; the use of alternate data streams which could be used to hide
malicious activities; and the introduction of extra files into key system areas (which could indicate
malicious payloads left by attackers or additional files inappropriately added during batch distribution
processes).
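The checks this control describes, as an added Python example that is not code from the original document: a small file integrity checker that baselines the hash, owner and mode of every file under given directories, then reports unexpected content, ownership and permission changes and files added to or removed from the monitored areas, with an allowlist for routine, approved changes. The directory tree it runs on is constructed in a temporary directory.

```python
"""File integrity checking as the control describes: take a baseline of
critical files (hash, owner, mode), compare a later snapshot against it and
report content, ownership and permission changes plus files added to or
removed from monitored areas. Expected changes are accounted for through an
allowlist. Added example, not code from the original document."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(roots) -> dict:
    """Map each regular file under the given roots to its integrity attributes."""
    records = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                try:
                    st = path.lstat()
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks and special files are out of scope here
                records[str(path)] = {
                    "sha256": _sha256(path),
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "mode": stat.S_IMODE(st.st_mode),
                }
    return records


def compare(baseline: dict, current: dict, expected_changes=()) -> list:
    """Diff two snapshots into (path, change_type, detail) tuples.

    Paths in expected_changes (routine, approved updates) are skipped so the
    report highlights only unexpected alterations."""
    findings = []
    skip = set(expected_changes)
    for path in sorted(set(baseline) | set(current)):
        if path in skip:
            continue
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added", "new file in a monitored area"))
        elif new is None:
            findings.append((path, "removed", "file missing from a monitored area"))
        else:
            if old["sha256"] != new["sha256"]:
                findings.append((path, "content",
                                 f"{old['sha256'][:12]} -> {new['sha256'][:12]}"))
            if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
                findings.append((path, "owner",
                                 f"{old['uid']}:{old['gid']} -> {new['uid']}:{new['gid']}"))
            if old["mode"] != new["mode"]:
                findings.append((path, "permissions",
                                 f"{old['mode']:04o} -> {new['mode']:04o}"))
    return findings


def demo() -> list:
    """Run the check on a constructed temporary tree; return (name, change_type) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary")
        (root / "bin" / "cat").write_bytes(b"cat binary")
        (root / "bin" / "cat").chmod(0o644)
        (root / "motd").write_text("welcome\n")
        baseline = snapshot([root])

        (root / "bin" / "ls").write_bytes(b"replaced binary")          # content change
        (root / "bin" / "cat").chmod(0o755)                            # permission change
        (root / "bin" / ".hidden").write_bytes(b"unexpected file")      # extra file in key area
        (root / "motd").write_text("welcome, maintenance tonight\n")   # approved routine change
        current = snapshot([root])

        findings = compare(baseline, current, expected_changes=[str(root / "motd")])
        return [(Path(path).name, kind) for path, kind, _detail in findings]


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{kind:12s} {name}")
```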

Implement and test an automated configuration monitoring system that verifies all remotely testable
secure configuration elements, and alerts when unauthorized changes occur. This includes detecting new
listening ports, new administrative users, changes to group and local policy objects (where applicable), and
new services running on a system. Whenever possible use tools compliant with the Security Content
Automation Protocol (SCAP) in order to streamline reporting and integration.

Deploy system configuration management tools, such as Active Directory Group Policy Objects for
Microsoft Windows systems or Puppet for UNIX systems that will automatically enforce and redeploy
configuration settings to systems at regularly scheduled intervals. They should be capable of triggering
redeployment of configuration settings on a scheduled, manual, or event-driven basis.

Critical Security Control #4: Continuous Vulnerability Assessment and Remediation

Run automated vulnerability scanning tools against all systems on the network on a weekly or more
frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system
administrator along with risk scores that compare the effectiveness of system administrators and
departments in reducing risk. Use a SCAP-validated vulnerability scanner that looks for both code-based
vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and
configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project).

Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should
verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should
be able to correlate attack detection events with prior vulnerability scanning results to determine whether
the given exploit was used against a target known to be vulnerable.

Perform vulnerability scanning in authenticated mode either with agents running locally on each end
system to analyze the security configuration or with remote scanners that are given administrative rights
on the system being tested. Use a dedicated account for authenticated vulnerability scans, which should
not be used for any other administrative activities and should be tied to specific machines at specific IP
addresses. Ensure that only authorized employees have access to the vulnerability management user
interface and that roles are applied to each user.

Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the
information gained from this subscription to update the organization’s vulnerability scanning activities on
at least a monthly basis. Alternatively, ensure that the vulnerability scanning tools you use are regularly
updated with all relevant important security vulnerabilities.

Deploy automated patch management tools and software update tools for operating system and
software/applications on all systems for which such tools are available and safe. Patches should be applied
to all systems, even systems that are properly air-gapped.

Monitor logs associated with any scanning activity and associated administrator accounts to ensure that
this activity is limited to the timeframes of legitimate scans.

Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed
either by patching, implementing a compensating control, or documenting and accepting a reasonable
business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed
to determine if newer compensating controls or subsequent patches can address vulnerabilities that were
previously accepted, or if conditions have changed, increasing the risk.

Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the
vulnerability, and segmented by appropriate groups of assets (for example, DMZ servers, internal network
servers, desktops, laptops). Apply patches for the riskiest vulnerabilities first. A phased rollout can be
used to minimize the impact to the organization. Establish expected patching timelines based on the risk
rating level.

Critical Security Control #5: Controlled Use of Administrative Privileges

Minimize administrative privileges and only use administrative accounts when they are required.
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous
behavior.

Use automated tools to inventory all administrative accounts and validate that each person with
administrative privileges on desktops, laptops, and servers is authorized by a senior executive.

Before deploying any new devices in a networked environment, change all default passwords for
applications, operating systems, routers, firewalls, wireless access points, and other systems to have values
consistent with administration-level accounts.

Configure systems to issue a log entry and alert when an account is added to or removed from a domain
administrators’ group, or when a new local administrator account is added on a system.

Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.

Use multifactor authentication for all administrative access, including domain administrative access.
Multi-factor authentication can include a variety of techniques, to include the use of smart cards,
certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods.

Where multi-factor authentication is not supported, user accounts shall be required to use long passwords
on the system (longer than 14 characters).
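The two alerting controls earlier in this section (an account added to a domain or local administrators group; any failed logon against an administrative account), as an added Python example that is not part of the original document or of Splunk ES. The event records are constructed to mimic Windows Security log fields, the privileged-group and admin-account lists are assumed inventories, and the event IDs are the standard Microsoft ones.

```python
"""Alerting on administrative-account events as the control asks: an account
added to a domain or local administrators group, and any failed logon against
an administrative account. Added example, not code from the original document
or from Splunk ES. The records below are constructed to mimic Windows Security
log fields; the event IDs are the standard Microsoft ones (4728 member added
to a global group, 4732 member added to a local group, 4625 failed logon)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Groups whose membership changes must alert, and the organisation's inventory
# of administrative accounts (constructed values for this example).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
ADMIN_ACCOUNTS = {"administrator", "da-backup", "svc-sccm-admin"}

MEMBER_ADDED = {4728: "domain group", 4732: "local group"}
FAILED_LOGON = 4625


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    account: str
    detail: str


def _member_label(member: str) -> str:
    """Reduce a distinguished name (CN=jdoe,OU=...) or DOMAIN\\user to a short name."""
    match = re.match(r"CN=([^,]+)", member, re.IGNORECASE)
    if match:
        return match.group(1)
    return member.rsplit("\\", 1)[-1]


def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert if the event matches either rule, otherwise None."""
    code = event.get("EventCode")
    host = event.get("Computer", "?")
    if code in MEMBER_ADDED:
        group = event.get("TargetUserName", "")  # for 4728/4732 this is the group
        if group.lower() in PRIVILEGED_GROUPS:
            member = _member_label(event.get("MemberName", ""))
            return Alert(
                rule="privileged-group-membership-added",
                host=host,
                account=member,
                detail=f"{member} added to {MEMBER_ADDED[code]} '{group}' "
                       f"by {event.get('SubjectUserName', '?')}",
            )
    elif code == FAILED_LOGON:
        target = event.get("TargetUserName", "")  # for 4625 this is the account that failed
        if target.lower() in ADMIN_ACCOUNTS:
            return Alert(
                rule="admin-account-failed-logon",
                host=host,
                account=target,
                detail=f"failed logon from {event.get('IpAddress', '?')} "
                       f"(status {event.get('Status', '?')})",
            )
    return None


def scan(events) -> List[Alert]:
    """Run every event through check_event and keep the alerts."""
    return [alert for alert in map(check_event, events) if alert is not None]


# Constructed sample events; field names follow the Windows Security log.
SAMPLE_EVENTS = [
    {"EventCode": 4728, "Computer": "DC01", "SubjectUserName": "jsmith",
     "MemberName": "CN=tmiller,OU=IT,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventCode": 4732, "Computer": "WS-042", "SubjectUserName": "localadmin",
     "MemberName": "CORP\\helpdesk", "TargetUserName": "Administrators"},
    {"EventCode": 4732, "Computer": "WS-042", "SubjectUserName": "localadmin",
     "MemberName": "CORP\\jdoe", "TargetUserName": "Remote Desktop Users"},
    {"EventCode": 4625, "Computer": "SRV-FS01", "TargetUserName": "Administrator",
     "IpAddress": "10.0.5.23", "Status": "0xC000006D"},
    {"EventCode": 4625, "Computer": "SRV-FS01", "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.23", "Status": "0xC000006D"},
    {"EventCode": 4624, "Computer": "SRV-FS01", "TargetUserName": "Administrator",
     "IpAddress": "10.0.5.23"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```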

Administrators should be required to access a system using a fully logged and non-administrative account.
Then, once logged on to the machine without administrative privileges, the administrator should transition
to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar
facilities for other types of systems.

Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access.
This machine shall be isolated from the organization's primary network and not be allowed Internet
access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.

Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

Include at least two synchronized time sources from which all servers and network equipment retrieve
time information on a regular basis so that timestamps in logs are consistent.

Validate audit log settings for each hardware device and the software installed on it, ensuring that logs
include a date, timestamp, source addresses, destination addresses, and various other useful elements of
each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries
or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a
standardized format, log normalization tools can be deployed to convert logs into such a format.

Ensure that all systems that store logs have adequate storage space for the logs generated on a regular
basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally
signed on a periodic basis.

Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs.
They should then actively review the anomalies, documenting their findings.

Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound
proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.

Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and
consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system
administrators and security personnel should devise profiles of common events from given systems so that
they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies,
and prevent overwhelming analysts with insignificant alerts.

Critical Security Control #7: Email and Web Browser Protections


Ensure that only fully supported web browsers and email clients are allowed to execute in the
organization, ideally only using the latest version of the browsers provided by the vendor in order to take
advantage of the latest security functions and fixes.

Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on
applications. Each plugin shall utilize application / URL whitelisting and only allow the use of the
application for pre-approved domains.

Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes the
use of languages such as ActiveX and JavaScript on systems where it is unnecessary to support such
capabilities.

Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order
to identify potentially malicious activity and assist incident handlers with identifying potentially
compromised systems.

Deploy two separate browser configurations to each system. One configuration should disable the use of
all plugins, unnecessary scripting languages, and generally be configured with limited functionality and be
used for general web browsing. The other configuration shall allow for more browser functionality but
should only be used to access specific websites that require the use of such functionality.

The organization shall maintain and enforce network based URL filters that limit a system's ability to
connect to websites not approved by the organization. The organization shall subscribe to URL
categorization services to ensure that they are up-to-date with the most recent website category
definitions available. Uncategorized sites shall be blocked by default. This filtering shall be enforced for
each of the organization's systems, whether they are physically at an organization's facilities or not.

To lower the chance of spoofed e-mail messages, implement the Sender Policy Framework (SPF) by
deploying SPF records in DNS and enabling receiver-side verification in mail servers.

Scan and block all e-mail attachments entering the organization's e-mail gateway if they contain malicious
code or file types that are unnecessary for the organization's business. This scanning should be done
before the e-mail is placed in the user's inbox. This includes e-mail content filtering and web content
filtering.

Critical Security Control #8: Malware Defenses

Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus,
anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be
sent to enterprise anti-malware administration tools and event log servers.

Employ anti-malware software that offers a centralized infrastructure that compiles information on file
reputations or have administrators manually push updates to all machines. After applying an update,
automated systems should verify that each system has received its signature update.

Limit use of external devices to those with an approved, documented business need. Monitor for use and
attempted use of external devices. Configure laptops, workstations, and servers so that they will not auto-
run content from removable media, like USB tokens (i.e., “thumb drives”), USB hard drives, CDs/DVDs,
FireWire devices, external serial advanced technology attachment devices, and mounted network shares.
Configure systems so that they automatically conduct an anti-malware scan of removable media when
inserted.

Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout
Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities
such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections
to a broader set of applications and executables.

Use network-based anti-malware tools to identify executables in all network traffic and use techniques
other than signature-based detection to identify and filter out malicious content before it arrives at the
endpoint.

Enable domain name system (DNS) query logging to detect hostname lookup for known malicious C2
domains.

Critical Security Control #9: Limitation and Control of Network Ports

Ensure that only ports, protocols, and services with validated business needs are running on each system.

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all
traffic except those services and ports that are explicitly allowed.

Perform automated port scans on a regular basis against all key servers and compare the results to a
known effective baseline. If a change that is not listed on the organization’s approved baseline is
discovered, an alert should be generated and reviewed.

Verify any server that is visible from the Internet or an untrusted network, and if it is not required for
business purposes, move it to an internal VLAN and give it a private address.

Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and
database servers.

Place application firewalls in front of any critical servers to verify and validate the traffic going to the
server. Any unauthorized services or traffic should be blocked and an alert generated.

Critical Security Control #10: Data Recovery Capability

Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems
storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the
operating system, application software, and data on a machine should each be included in the overall
backup procedure. These three components of a system do not have to be included in the same backup
file or use the same backup software. There should be multiple backups over time, so that in the event of
malware infection, restoration can be from a version that is believed to predate the original infection. All
backup policies should be compliant with any regulatory or official requirements.

Test data on backup media on a regular basis by performing a data restoration process to ensure that the
backup is properly working.

Ensure that backups are properly protected via physical security or encryption when they are stored, as
well as when they are moved across the network. This includes remote backups and cloud services.

Ensure that key systems have at least one backup destination that is not continuously addressable through
operating system calls. This will mitigate the risk of attacks like CryptoLocker which seek to encrypt or
damage data on all addressable data shares, including backup destinations.

Critical Security Control #11: Secure Configurations for Network Devices

Compare firewall, router, and switch configuration against standard secure configurations defined for each
type of network device in use in the organization. The security configuration of such devices should be
documented, reviewed, and approved by an organization change control board. Any deviations from the
standard configuration or updates to the standard configuration should be documented and approved in a
change control system.

All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through
network security devices, such as firewalls and network-based IPS, should be documented and recorded in
a configuration management system, with a specific business reason for each change, a specific individual’s
name responsible for that business need, and an expected duration of the need.

Use automated tools to verify standard device configurations and detect changes. All alterations to such
files should be logged and automatically reported to security personnel.

Manage network devices using two-factor authentication and encrypted sessions.

Install the latest stable version of any security-related updates on all network devices.

Network engineers shall use a dedicated machine for all administrative tasks or tasks requiring elevated
access. This machine shall be isolated from the organization's primary network and not be allowed
Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the
Internet.

Manage the network infrastructure across network connections that are separated from the business use
of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for
management sessions for network devices.

Critical Security Control #12: Boundary Defense

Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access
only to trusted sites (whitelists). Tests can be periodically carried out by sending packets from bogon source
IP addresses (non-routable or otherwise unused IP addresses) into the network to verify that they are not
transmitted through network perimeters. Lists of bogon addresses are publicly available on the Internet
from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic
traversing the Internet.

On DMZ networks, configure monitoring systems (which may be built in to the IDS sensors or deployed as
a separate technology) to record at least packet header information, and preferably full packet header and
payloads of the traffic destined for or passing through the network border. This traffic should be sent to a
properly configured Security Information Event Management (SIEM) or log analytics system so that events
can be correlated from all devices on the network.

Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for
unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors
may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to
analyze traffic.

Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or
the behavior of potential attacks. As attacks become automated, methods such as IDS typically delay the
amount of time it takes for someone to react to an attack. A properly configured network-based IPS can
provide automation to block bad traffic. When evaluating network-based IPS products, include those using
techniques other than signature-based detection (such as virtual machine or sandbox-based approaches)
for consideration.

Design and implement network perimeters so that all outgoing network traffic to the Internet must pass
through at least one application layer filtering proxy server. The proxy should support decrypting network
traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to
implement a black list, and applying whitelists of allowed sites that can be accessed through the proxy
while blocking all other sites. Organizations should force outbound traffic to the Internet through an
authenticated proxy server on the enterprise perimeter.

Require all remote login access (including VPN, dial-up, and other forms of access that allow login to
internal systems) to use two-factor authentication.

All enterprise devices remotely logging into the internal network should be managed by the enterprise,
with remote control of their configuration, installed software, and patch levels. For third-party devices
(e.g., subcontractors/vendors), publish minimum security standards for access to the enterprise network
and perform a security scan before allowing access.

Periodically scan for back-channel connections to the Internet that bypass the DMZ, including
unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other
networks via wireless, dial-up modems, or other mechanisms.

Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity.

To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session
tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually
long time for the given organization and firewall device, alerting personnel about the source and
destination addresses associated with these long sessions.
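The long-session check described above, as an added Python example that is not code from the original document: it parses constructed firewall session-end records, derives the "unusually long for this organization" threshold from the organisation's own past session durations, and reports the TCP sessions that exceed it. The key=value log format, the baseline durations and the percentile/floor choices are assumptions.

```python
"""Flag TCP sessions that last unusually long for this organisation, using the
session-end records a firewall already produces. Added example, not code from
the original document. The log lines, the log format and the baseline of past
session durations are all constructed for the example."""
import re
from typing import List, Tuple

# Assumed key=value syslog-style format for firewall session-end records.
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<fw>\S+) session_end src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) "
    r"duration=(?P<duration>\d+)"
)


def parse(lines) -> List[dict]:
    """Parse session-end lines; anything that does not match is skipped, not guessed at."""
    sessions = []
    for line in lines:
        match = LINE_RE.search(line)
        if match:
            rec = match.groupdict()
            rec["duration"] = int(rec["duration"])
            sessions.append(rec)
    return sessions


def threshold_seconds(baseline_durations, percentile=0.99, floor=3600) -> int:
    """Derive the 'unusually long' cut-off from the organisation's own history:
    the given percentile of past session durations, never below a floor."""
    ordered = sorted(baseline_durations)
    if not ordered:
        return floor
    idx = int(round(percentile * (len(ordered) - 1)))
    idx = max(0, min(len(ordered) - 1, idx))
    return max(floor, ordered[idx])


def long_sessions(sessions, limit) -> List[Tuple[str, str, int]]:
    """Return (src, dst, duration) for TCP sessions longer than limit, longest first."""
    hits = [(s["src"], s["dst"], s["duration"]) for s in sessions
            if s["proto"] == "tcp" and s["duration"] > limit]
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed: typical session durations (seconds) observed over the previous week.
BASELINE_DURATIONS = [3, 5, 8, 12, 15, 20, 30, 45, 60, 90, 120, 180, 240, 300,
                      420, 600, 900, 1200, 1800, 2700, 5400]

# Constructed sample log; two sessions to the same external host run far longer
# than anything in the baseline, and the UDP record is out of scope.
SAMPLE_LOG = """\
2018-07-26T08:00:12Z fw01 session_end src=10.0.1.15:50112 dst=203.0.113.10:443 proto=tcp duration=12 bytes=8421
2018-07-26T08:05:40Z fw01 session_end src=10.0.1.22:50990 dst=198.51.100.7:443 proto=tcp duration=340 bytes=219004
2018-07-26T09:10:01Z fw01 session_end src=10.0.1.15:51002 dst=203.0.113.10:443 proto=tcp duration=1900 bytes=50213
2018-07-26T12:00:00Z fw01 session_end src=10.0.2.8:40210 dst=198.51.100.44:22 proto=tcp duration=4000 bytes=1002
2018-07-26T14:30:00Z fw01 session_end src=10.0.3.77:61234 dst=192.0.2.99:8443 proto=tcp duration=7200 bytes=77312
2018-07-26T23:59:59Z fw01 session_end src=10.0.3.77:61235 dst=192.0.2.99:443 proto=tcp duration=86400 bytes=4190223
2018-07-26T23:59:59Z fw01 session_end src=10.0.1.9:5353 dst=10.0.0.53:53 proto=udp duration=90000 bytes=9
this line is not a session record and is ignored
"""


def report() -> List[Tuple[str, str, int]]:
    """Apply the check to the constructed sample using the constructed baseline."""
    limit = threshold_seconds(BASELINE_DURATIONS)
    return long_sessions(parse(SAMPLE_LOG.splitlines()), limit)


if __name__ == "__main__":
    print(f"threshold: {threshold_seconds(BASELINE_DURATIONS)} s")
    for src, dst, duration in report():
        print(f"long TCP session {src} -> {dst}: {duration} s")
```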

Critical Security Control #13: Data Protection


Perform an assessment of data to identify sensitive information that requires the application of encryption
and integrity controls.

Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.

Deploy an automated tool on network perimeters that monitors for sensitive information (e.g., personally
identifiable information), keywords, and other document characteristics to discover unauthorized attempts
to exfiltrate data across network boundaries and block such transfers while alerting information security
personnel.

Conduct periodic scans of server machines using automated tools to determine whether sensitive data
(e.g., personally identifiable information, health, credit card, or classified information) is present on the
system in clear text. These tools, which search for patterns that indicate the presence of sensitive
information, can help identify if a business or technical process is leaving behind or otherwise leaking
sensitive information.

If there is no business need for supporting such devices, configure systems so that they will not write data
to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can
configure systems to allow only specific USB devices (based on serial number or other unique property) to
be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all
authorized devices must be maintained.

Use network-based DLP solutions to monitor and control the flow of data within the network. Any
anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address
them.

Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often
use an encrypted channel to bypass network security devices. Therefore it is essential that organizations
be able to detect rogue connections, terminate the connection, and remediate the infected system.

Block access to known file transfer and e-mail exfiltration websites.

Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off a server. In most
organizations, access to the data is controlled by ACLs that are implemented on the server. Once the data
have been copied to a desktop system, the ACLs are no longer enforced and the users can send the data to
whomever they want.

Critical Security Control #14: Controlled Access Based on the Need to Know

Segment the network based on the label or classification level of the information stored on the servers.
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized
individuals are able to communicate with systems necessary to fulfill their specific responsibilities.

All communication of sensitive information over less-trusted networks should be encrypted. Whenever
information flows over a network with a lower trust level, the information should be encrypted.

All network switches will enable Private Virtual Local Area Networks (VLANs) for segmented workstation
networks to limit the ability of devices on a network to directly communicate with other devices on the
subnet and limit an attacker's ability to laterally move to compromise neighboring systems.

All information stored on systems shall be protected with file system, network share, claims, application, or
database specific access control lists. These controls will enforce the principle that only authorized
individuals should have access to the information based on their need to access the information as a part
of their responsibilities.

Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication
mechanism, not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.

Archived data sets or systems not regularly accessed by the organization shall be removed from the
organization's network. These systems shall only be used as stand alone systems (disconnected from the
network) by the business unit needing to occasionally use the system or completely virtualized and
powered off until needed.

Critical Security Control #15: Wireless Access Control


Ensure that each wireless device connected to the network matches an authorized configuration and
security profile, with a documented owner of the connection and a defined business need. Organizations
should deny access to those wireless devices that do not have such a configuration and profile.

Configure network vulnerability scanning tools to detect wireless access points connected to the wired
network. Identified devices should be reconciled against a list of authorized wireless access points.
Unauthorized (i.e., rogue) access points should be deactivated.

Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack
attempts and successful compromises. In addition to WIDS, all wireless traffic should be monitored by
WIDS as traffic passes into the wired network.

Where a specific business need for wireless access has been identified, configure wireless access on client
machines to allow access only to authorized wireless networks. For devices that do not have an essential
wireless business purpose, disable wireless access in the hardware configuration (basic input/output
system or extensible firmware interface).

Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with
at least Wi-Fi Protected Access 2 (WPA2) protection.

Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-
Transport Layer Security (EAP/TLS), which provide credential protection and mutual authentication.

Disable peer-to-peer wireless network capabilities on wireless clients.

Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a
documented business need.

Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices. Internet
access from this VLAN should go through at least the same border as corporate traffic. Enterprise access
from this VLAN should be treated as untrusted and filtered and audited accordingly.

Critical Security Control #16: Account Monitoring and Control


Review all system accounts and disable any account that cannot be associated with a business process and
owner.

Ensure that all accounts have an expiration date that is monitored and enforced.

Establish and follow a process for revoking system access by disabling accounts immediately upon
termination of an employee or contractor. Disabling instead of deleting accounts allows preservation of
audit trails.

Regularly monitor the use of all accounts, automatically logging off users after a standard period of
inactivity.

Configure screen locks on systems to limit access to unattended workstations.

Monitor account usage to determine dormant accounts, notifying the user or user’s manager. Disable such
accounts if not needed, or document and monitor exceptions (e.g., vendor maintenance accounts needed
for system recovery or continuity operations). Require that managers match active employees and
contractors with each account belonging to their managed staff. Security or system administrators should
then disable accounts that are not assigned to valid workforce members.

Use and configure account lockouts such that after a set number of failed login attempts the account is
locked for a standard period of time.

Monitor attempts to access deactivated accounts through audit logging.

Configure access for all accounts through a centralized point of authentication, for example Active
Directory or LDAP. Configure network and security devices for centralized authentication as well.

Profile each user’s typical account usage by determining normal time-of-day access and access duration.
Reports should be generated that indicate users who have logged in during unusual hours or have
exceeded their normal login duration. This includes flagging the use of the user’s credentials from a
computer other than computers on which the user generally works.

Require multi-factor authentication for all user accounts that have access to sensitive data or systems.
Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP)
tokens, or biometrics.

Where multi-factor authentication is not supported, user accounts shall be required to use long passwords
on the system (longer than 14 characters).

Ensure that all account usernames and authentication credentials are transmitted across networks using
encrypted channels.

Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without
root or administrator privileges. Audit all access to password files in the system.
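The per-user usage profiling this control describes (normal time-of-day access, normal duration, and the computers a user generally works from), as an added Python example that is not code from the original document: it builds a profile from constructed history records and flags new logins that fall outside it. The profiling rules are deliberately simple assumed choices: a host counts as usual after two logins, and any session longer than the user's previous maximum is flagged.

```python
"""Profile each user's normal login hours, usual hosts and session duration
from past records, then flag new logins that fall outside that profile
(unusual hour, unusual host, or a session longer than anything seen before).
Added example, not code from the original document; the login records are
constructed and the profiling rules are deliberately simple."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple


def build_profiles(history: List[dict], min_host_logins: int = 2) -> Dict[str, dict]:
    """Per user: the hours of day seen, hosts used at least min_host_logins
    times, and the longest session observed."""
    hours = defaultdict(set)
    hosts = defaultdict(Counter)
    longest = defaultdict(int)
    for rec in history:
        user = rec["user"]
        hours[user].add(datetime.fromisoformat(rec["start"]).hour)
        hosts[user][rec["host"]] += 1
        longest[user] = max(longest[user], rec["duration_min"])
    return {
        user: {
            "hours": hours[user],
            "hosts": {h for h, n in hosts[user].items() if n >= min_host_logins},
            "max_duration": longest[user],
        }
        for user in hours
    }


def flag_logins(profiles: Dict[str, dict], logins: List[dict]) -> List[Tuple[str, str, List[str]]]:
    """Return (user, host, reasons) for each login that deviates from the user's
    profile; a user with no profile at all is reported as such."""
    flagged = []
    for rec in logins:
        user, host = rec["user"], rec["host"]
        reasons = []
        prof = profiles.get(user)
        if prof is None:
            reasons.append("no usage profile for user")
        else:
            hour = datetime.fromisoformat(rec["start"]).hour
            if hour not in prof["hours"]:
                reasons.append(f"login at {hour:02d}:00 outside usual hours")
            if host not in prof["hosts"]:
                reasons.append(f"login from unusual host {host}")
            if rec["duration_min"] > prof["max_duration"]:
                reasons.append(f"session {rec['duration_min']} min exceeds usual maximum")
        if reasons:
            flagged.append((user, host, reasons))
    return flagged


def alice_history() -> List[dict]:
    """Constructed history: twelve working days of 08:00-16:00 logins from
    alice's own workstation, plus a single login from a jump host."""
    recs = []
    for day in range(2, 14):
        for hour in range(8, 17):
            recs.append({"user": "alice", "host": "WS-ALICE",
                         "start": f"2018-07-{day:02d}T{hour:02d}:00:00",
                         "duration_min": 240 + day * 5})
    recs.append({"user": "alice", "host": "JUMP01",
                 "start": "2018-07-10T10:00:00", "duration_min": 30})
    return recs


# Constructed logins to evaluate against the profile.
NEW_LOGINS = [
    {"user": "alice", "host": "WS-ALICE", "start": "2018-07-26T02:15:00", "duration_min": 20},
    {"user": "alice", "host": "FS-01", "start": "2018-07-26T09:00:00", "duration_min": 15},
    {"user": "alice", "host": "JUMP01", "start": "2018-07-26T10:00:00", "duration_min": 30},
    {"user": "alice", "host": "WS-ALICE", "start": "2018-07-26T09:30:00", "duration_min": 900},
    {"user": "alice", "host": "WS-ALICE", "start": "2018-07-26T10:00:00", "duration_min": 240},
    {"user": "bob", "host": "WS-BOB", "start": "2018-07-26T10:00:00", "duration_min": 60},
]


def demo() -> List[Tuple[str, str, List[str]]]:
    return flag_logins(build_profiles(alice_history()), NEW_LOGINS)


if __name__ == "__main__":
    for user, host, reasons in demo():
        print(f"{user}@{host}: {'; '.join(reasons)}")
```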
Critical Security Control #17: Security Skills Assessment and Appropriate Training to Fill Gaps

Perform gap analysis to see which skills employees need and which behaviors employees are not adhering
to, using this information to build a baseline training and awareness roadmap for all employees.

Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second
option is to have outside teachers provide training onsite so the examples used will be directly relevant. If
you have small numbers of people to train, use training conferences or online training to fill the gaps.

Implement a security awareness program that (1) focuses only on the methods commonly used in
intrusions that can be blocked through individual action, (2) is delivered in short online modules
convenient for employees, (3) is updated frequently (at least annually) to represent the latest attack
techniques, (4) is mandated for completion by all employees at least annually, and (5) is reliably monitored
for employee completion.

Validate and improve awareness levels through periodic tests to see whether employees will click on a link
from suspicious e-mail or provide sensitive information on the telephone without following appropriate
procedures for authenticating a caller; targeted training should be provided to those who fall victim to the
exercise.

Use security skills assessments for each of the mission-critical roles to identify skills gaps. Use hands-on,
real-world examples to measure mastery. If you do not have such assessments, use one of the available
online competitions that simulate real-world scenarios for each of the identified jobs in order to measure
skills mastery.

Critical Security Control #18: Application Software Security


For all acquired application software, check that the version you are using is still supported by the vendor.
If not, update to the most current version and install all relevant patches and vendor security
recommendations.

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to
the web application for common web application attacks, including but not limited to cross-site scripting,
SQL injection, command injection, and directory traversal attacks. For applications that are not web-based,
specific application firewalls should be deployed if such tools are available for the given application type. If
the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the
traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be
deployed.

For in-house developed software, ensure that explicit error checking is performed and documented for all
input, including for size, data type, and acceptable ranges or formats.
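The following Python example is added here to show what "explicit error checking for all input, including size, data type, and acceptable ranges or formats" looks like in code, together with the later point in this control about not displaying system error messages to end users. It is not code from the page or from Splunk; the ticket schema, the field names and the request payloads are hypothetical.

```python
import logging
import re

log = logging.getLogger("app.validation")

# Hypothetical schema for a "create ticket" request. Each field carries an explicit
# type, size and range/format rule, as the control asks for in-house developed code.
TICKET_SCHEMA = {
    "title":    {"type": str, "max_len": 120, "pattern": r"^[\w .,:!?()'-]+$"},
    "priority": {"type": int, "min": 1, "max": 5},
    "email":    {"type": str, "max_len": 254, "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
}


def validate(payload, schema):
    """Return {field: reason} for every rule violation; an empty dict means the input is acceptable."""
    errors = {}
    for name, rule in schema.items():
        if name not in payload:
            errors[name] = "missing"
            continue
        value = payload[name]
        # Exact type check, no coercion: "3" is not an int, and neither is True.
        if type(value) is not rule["type"]:
            errors[name] = "type"
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors[name] = "too long"
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors[name] = "format"
            continue
        if "min" in rule and not (rule["min"] <= value <= rule["max"]):
            errors[name] = "range"
    # Fields the schema does not know are rejected rather than silently passed through.
    for name in set(payload) - set(schema):
        errors[name] = "unexpected field"
    return errors


def handle_request(payload):
    """Simulated request handler: the full detail goes to the server-side log, the client
    only learns which fields failed, never an exception message or stack trace."""
    errors = validate(payload, TICKET_SCHEMA)
    if errors:
        log.warning("rejected ticket request: %s", errors)
        return 400, {"error": "invalid input", "fields": sorted(errors)}
    return 200, {"ok": True}
```

The type check is deliberately strict (no implicit conversion), unknown fields are refused, and the response body carries a fixed message plus field names only, which is the output sanitization the control describes.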

Test in-house-developed and third-party-procured web applications for common security weaknesses
using automated remote web application scanners prior to deployment, whenever updates are made to
the application, and on a regular recurring basis. In particular, input validation and output encoding
routines of application software should be reviewed and tested.

Do not display system error messages to end-users (output sanitization).

Maintain separate environments for production and nonproduction systems. Developers should not
typically have unmonitored access to production environments.

For applications that rely on a database, use standard hardening configuration templates. All systems that
are part of critical business processes should also be tested.

Ensure that all software development personnel receive training in writing secure code for their specific
development environment.

For in-house developed applications, ensure that development artifacts (sample data and scripts; unused
libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the
production environment.

Critical Security Control #19: Incident Response and Management

Ensure that there are written incident response procedures that include a definition of personnel roles for
handling incidents. The procedures should define the phases of incident handling.

Assign job titles and duties for handling computer and network incidents to specific individuals.

Define management personnel who will support the incident handling process by acting in key decision-
making roles.

Devise organization-wide standards for the time required for system administrators and other personnel to
report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind
of information that should be included in the incident notification. This reporting should also include
notifying the appropriate Community Emergency Response Team in accordance with all legal or regulatory
requirements for involving that organization in computer incidents.

Assemble and maintain information on third-party contact information to be used to report a security
incident (e.g., maintain an e-mail address of security@organization.com or have a web page
http://organization.com/security).

Publish information for all personnel, including employees and contractors, regarding reporting computer
anomalies and incidents to the incident handling team. Such information should be included in routine
employee awareness activities.

Conduct periodic incident scenario sessions for personnel associated with the incident handling team to
ensure that they understand current threats and risks, as well as their responsibilities in supporting the
incident handling team.

Critical Security Control #20: Penetration Tests and Red Team Exercises

Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that
can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the
network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within
its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.

Any user or system accounts used to perform penetration testing should be controlled and monitored to
make sure they are only being used for legitimate purposes, and are removed or restored to normal
function after testing is over.

Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to
respond quickly and effectively.

Include tests for the presence of unprotected system information and artifacts that would be useful to
attackers, including network diagrams, configuration files, older penetration test reports, e-mails or
documents containing passwords or other information critical to system operation.

Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or
target asset. Many APT-style attacks deploy multiple vectors—often social engineering combined with web
or network exploitation. Red Team manual or automated testing that captures pivoted and multi-vector
attacks offers a more realistic assessment of security posture and risk to critical assets.

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning
assessments should be used as a starting point to guide and focus penetration testing efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable
standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that
results can be compared over time.

Create a test bed that mimics a production environment for specific penetration tests and Red Team
attacks against elements that are not typically tested in production, such as attacks against supervisory
control and data acquisition and other control systems.

Example Data Sources

Nmap, Nessus, RedSeal, Qualys, IP360, and Nexpose.

DHCP logs

Asset Inventory DB, CMDB

Asset Inventory DB, CMDB, MDM (ex. AirWatch, MobileIron, Apple Profile Manager)

Asset Inventory DB, CMDB, Network Devices, Active Directory, Windows Event Logs

Registry Entries
Running processes
Splunk Scripted Inputs, Windows/Linux/Unix System
Logs, Software Change Management, Whitelisting
and Vulnerability Management Tools (Tanium, IBM
BigFix, Microsoft System Center, ServiceNow, and
Bit9 Security Platform)
Tanium
Cylance
Ziften
Registry Entries
Running processes
Splunk Scripted Inputs, Windows/Linux/Unix System
Logs, Software Change Management, Whitelisting
and Vulnerability Management Tools (Tanium, IBM
BigFix, Microsoft System Center, ServiceNow, and
Bit9 Security Platform)
Tanium
Cylance
Ziften

IBM BigFix
Tripwire CCM & Enterprise
Symantec CSP
McAfee ePolicy Orchestrator
VMware vCenter Configuration Manager
Tanium
Cylance
Ziften

Security Policy

Splunk Stream
Bro
Windows & Linux system logs
IBM BigFix
Tripwire CCM & Enterprise
Symantec CSP
McAfee ePolicy Orchestrator
VMware vCenter Configuration Manager

NIST SCAP Validated Tools:
Microsoft SCCM (with SCAP extension)
Qualys SCAP Auditor
Tripwire Enterprise

Active Directory Logs


Puppet

QualysGuard
Tripwire IP360
Tenable Nessus, PVS
Nmap
Rapid7 Nexpose
ServiceNow
Threat Intelligence Feeds
Vulnerability Feeds (Mitre, NVD)
QualysGuard
Tripwire IP360
Tenable Nessus, PVS
Nmap
Rapid7 Nexpose
ServiceNow
Threat Intelligence Feeds
Vulnerability Feeds (Mitre, NVD)

Microsoft System Center


Active Directory
Sudo
Cyber Ark
Okta
Google Authenticator
Radius

Microsoft System Center


Active Directory
Sudo
Cyber Ark

Windows/Linux/Unix System Logs


Active Directory
Microsoft System Center

Security Policy

All machine data sources


All machine data sources

Proxy/Network:
Forward Proxy Logs
Blue Coat
Bro IDS
Splunk Stream

Endpoint:
IBM BigFix
Tripwire CCM & Enterprise
Symantec CSP
McAfee ePolicy Orchestrator
VMware vCenter Configuration Manager
Active Directory (Group Policy)

Forward Proxy Logs


Blue Coat
Palo Alto
Bro IDS
Stream
Threat intelligence feeds
Security Policy

Blue Coat
OpenDNS
Zscaler
Websense
Cisco ESA

Dig
Mail Server Logs (Exchange)

Mail Server Logs (Exchange)


Threat intelligence feeds (file hashes)

Intel Security Endpoint Protection


Symantec Endpoint Protection

Intel Security Endpoint Protection


Symantec Endpoint Protection

Active Directory
Tanium
Cylance
Ziften
Active Directory

Stream
Bro IDS

DNS
Threat Intelligence

Port/Vuln Scanning:
Nmap
Tripwire IP360
Nessus
Qualys
Rapid7 Nexpose

Proxy/Network Security:
Forward Proxy Logs
Blue Coat
Bro IDS
Splunk Stream

Firewalls (Palo Alto, Fortinet, Check Point, Cisco)

Nmap
Tripwire IP360
Nessus
Qualys
Nmap
Tripwire IP360
Nessus
Qualys
Shodan

Security Policy

Firewalls (Palo Alto, Fortinet, Check Point, Cisco)

Windows/Linux System Logs


Code42 CrashPlan
AWS
EMC, IBM, Commvault, Symantec and HP backup
solutions

Security Policy

Security Policy

Security Policy
Tripwire CCM

Trac
Git
Puppet
Google
AWS

Tripwire CCM

Bro
Stream
ServiceNow

Security Policy

Security Policy

Firewalls (Palo Alto, Fortinet, Check Point, Cisco)


IPS
Threat Intelligence Feeds

Stream
Bro IDS
Snort
Suricata
NetFlow
Forward Proxy Logs
Blue Coat
Palo Alto
Bro IDS
Stream
Threat intelligence feeds

Microsoft System Center


Active Directory
Cyber Ark

VPN logs
DHCP logs
Wireless Routers

NetFlow

Firewalls (Palo Alto, Fortinet, Check Point, Cisco)


IPS
Threat Intelligence Feeds

CMDB
Active Directory
Tripwire Enterprise

BitLocker
Check Point
MDM (AirWatch etc.)
Active Directory (EFS enforcement)

Bro IDS
Stream
Forward Web Proxies
Blue Coat

Tripwire Enterprise
PowerShell
Active Directory/System Center

Check Point DLP Software Blade


Fortinet FortiGate
McAfee Total Protection for DLP
Intel Security/McAfee
RSA DLP
Symantec DLP
Trend Micro DLP and SecureCloud
BlueCoat DLP

Firewalls (Palo Alto, Fortinet, Check Point, Cisco)

Check Point DLP Software Blade


Fortinet FortiGate
McAfee Total Protection for DLP
Intel Security/McAfee
RSA DLP
Symantec DLP
Trend Micro DLP and SecureCloud
BlueCoat DLP

Security Policy

Security Policy

Security Policy
Active Directory
Enterprise Access Management (HyTrust, Vormetric,
CyberArk, IBM, Oracle and Microsoft)

Splunk core competency

Security Policy

WIPS (Cisco, Aruba, AirTight, AirDefense)


Nmap

Security Policy

Security Policy

Security Policy
Security Policy

Security Policy

Security Policy

Active Directory
LDAP
Active Directory

Ticketing/Helpdesk (ServiceNow)
HR systems

Active Directory
LDAP
Active Directory
LDAP

Active Directory
LDAP
Security Policy

Active Directory
LDAP
Windows/Linux System Logs
Active Directory

Active Directory/LDAP
User Behavior Analytics
Active Directory/LDAP
User Behavior Analytics

Security Policy
Forward Proxy
Blue Coat
Active Directory
McAfee ePolicy Orchestrator
Tripwire Enterprise
QualysGuard WAS
Whitehat Sentinel
Tripwire Webapp360

Imperva SecureSphere
Barracuda WAF Vx
Cisco ACE

Splunk core competency


Splunk Mint

Security Policy
Security Policy

Tripwire Enterprise
McAfee ePolicy Orchestrator

Security Policy

Security Policy

Security Policy
Security Policy
Security Policy

Helpdesk/Ticketing (ServiceNow, etc.)


Security Policy

Security Policy

Security Policy

Security Policy

Security Policy

Security Policy

Security Policy

Security Policy

Security Policy

Security Policy

Security Policy

Splunk Use Cases

Splunk can be used to collect DHCP server logs and update the asset inventory with the IP addresses,
host names, and MAC addresses found in those logs.

When new devices are connected to the network, authorized devices included in the asset inventory
should provide information regarding the asset owner. Newly connected unauthorized devices should
generate an alert (email, ticket) within 24 hours.
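The two paragraphs above describe one pipeline: parse DHCP lease logs, fold the IP/MAC/hostname bindings into the asset inventory, and alert on any device that the authorized inventory does not know. The Python below is an added example of that logic (in a Splunk deployment it would be a scheduled search with a lookup against the asset list); it is not code from the page or from Splunk. The dhcpd-style log lines, MAC addresses and the authorized-asset export are constructed for the example.

```python
import re

# Constructed ISC dhcpd-style log lines (made up for this example; not real captured data).
SAMPLE_DHCP_LOGS = [
    "Jul 26 10:01:02 dhcp1 dhcpd: DHCPACK on 10.1.20.15 to 00:11:22:33:44:55 (ws-alice) via eth0",
    "Jul 26 10:02:17 dhcp1 dhcpd: DHCPACK on 10.1.20.16 to 66:77:88:99:aa:bb (printer-3f) via eth0",
    "Jul 26 10:03:40 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0",
    "Jul 26 10:03:41 dhcp1 dhcpd: DHCPACK on 10.1.20.77 to de:ad:be:ef:00:01 via eth0",
    "Jul 26 10:05:00 dhcp1 dhcpd: DHCPACK on 10.1.20.15 to 00:11:22:33:44:55 (ws-alice) via eth0",
]

# Hypothetical authorized-asset export (e.g. from a CMDB), keyed by MAC address.
AUTHORIZED = {
    "00:11:22:33:44:55": {"owner": "alice", "asset": "ws-alice"},
    "66:77:88:99:aa:bb": {"owner": "facilities", "asset": "printer-3f"},
}

# Only DHCPACK lines carry the IP/MAC/hostname binding; the hostname part is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<host>[^)]*)\))? via"
)


def parse_ack(line):
    """Return {'ip', 'mac', 'host'} for a DHCPACK line, or None for any other line."""
    m = ACK_RE.search(line)
    if m is None:
        return None
    return {"ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"] or ""}


def update_inventory(lines, authorized):
    """Fold DHCP leases into an inventory keyed by MAC; return (inventory, alerts).

    Every MAC gets an entry with the IPs and hostnames seen. MACs present in the
    authorized export are annotated with their owner; MACs that are not raise one
    alert each, which is the 'unauthorized device' notification the control asks for."""
    inventory = {}
    alerts = []
    for line in lines:
        rec = parse_ack(line)
        if rec is None:
            continue
        entry = inventory.setdefault(rec["mac"], {"ips": set(), "hosts": set(), "owner": None})
        entry["ips"].add(rec["ip"])
        if rec["host"]:
            entry["hosts"].add(rec["host"])
        if rec["mac"] in authorized:
            entry["owner"] = authorized[rec["mac"]]["owner"]
        elif not any(a["mac"] == rec["mac"] for a in alerts):
            alerts.append({"mac": rec["mac"], "ip": rec["ip"],
                           "reason": "MAC not in authorized inventory"})
    return inventory, alerts
```

Keying on MAC rather than IP matters because the same device reacquires different addresses over time; the alert list is deduplicated per MAC so a chatty unauthorized device produces one ticket, not one per lease renewal.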

If Vulnerability Management data is consumed by ES and used to populate asset data, the Vulnerability
Operations dashboard provides evidence of proper asset scan activity.

ES contains an interactive data visualization called the Asset Investigator. This visualization allows a
security investigator to view an asset and all notable events related to that asset over time. Information
available from external sources is also brought into this view to provide business context.

Splunk can gather all data about installed software and patches on systems using scripted inputs and
the Splunk Add-Ons for Windows and Unix/Linux for reporting and alerting.

Splunk accepts data from any software change management, whitelisting or vulnerability management
tool.

ES identifies processes and services of interest via lookup files that can be statically or dynamically
populated. Lookup files can define whitelisted or blacklisted processes.

The ES Update Center and Update Search dashboards display information about the patch levels of
systems. The Endpoint Changes dashboard can identify the number of changes happening in the
environment.

Establish a benign test environment where one or more systems are not configured to standard
(additional services, open ports, config changes), and perform the test across multiple segments (physical
or virtual). Splunk alerts must be triggered within 24 hours of detection of system drift. Alerts should
include the location of the affected system and the remediation steps taken (if automated).

File integrity checking tools must be run on a regular basis. Any changes to critical operating system,
software version, patch levels, services, and configuration files must be checked on an hourly basis.
Any changes must be detected and either blocked (by endpoint security tool) or trigger an alert in
Splunk.

Splunk will detect the disabling of system logging, as well as the truncation, modification or deletion of
log files (deletion or truncation of logs, modification of past log events, or changes to owner or permissions).

When misconfigured systems are exploited, there is generally anomalous
behavior that can be tied back to rogue services, processes, or behavior.
ES contains correlation rules to identify these anomalies and related
misconfigurations such as improper password lengths or expiry
timeframes. It also provides dashboards, such as Traffic Search, System
Center and Time Center, which can display systems that do not meet the
secure configuration standards.
With Splunk you can detect use of insecure protocols (e.g. FTP, Finger, Portmapper, and Telnet) and
tools with network security monitoring tools (Splunk for Stream, Bro) as well as failed logins (system,
root user attempts etc.)

Splunk ES also provides specific Protocol Analysis dashboards for network data collected by the Splunk
App for Stream as well as other sources, which can contain evidence of misconfiguration (e.g. improper
network protocols/services in use, or expired/rogue SSL certificate
Splunk accepts scheduled reports from security configuration management tools in several formats.
When this data is ingested Splunk can identify disparities that can indicate system drift and anomalous
behavior. Correlation of configuration data, vulnerability information and CMDB can identify systems
that are out of compliance as well as indicate risk.

Use Splunk to verify that scanning tools have successfully completed their weekly or daily scans for the
previous 30 cycles of scanning by reviewing archived alerts and reports to ensure that the scan was
completed. If a scan could not be completed in that timeframe an alert should be generated in Splunk
indicating that the scan did not finish.

Information from vulnerability scans drives the Vulnerability Center, Operations and Search dashboards
within Splunk Enterprise Security, providing a complete view of vulnerability management activities and
sourced data across the entire environment. Using the dashboards provides visibility into first-time
vulnerabilities and allows filtering to show vulnerabilities by age, and which have been remediated.
Integration with helpdesk and ticket systems provides workflow around remediation of vulnerabilities
and patching.

ES compiles information from approximately 20 (configurable) threat lists and correlates the
information with threat list data found in the environment. These threat lists can contain CVE
descriptions, file hash values, malicious registry keys, IP addresses, domain names, and any other IOC
definable within a common format such as STIX, CyBox, or OpenIOC.

Splunk consumes authentication logs from across the environment that detail account activity.
Authentication logs come from, but are not limited to: host devices, domain controllers, directory
servers, network devices, Radius, TACACS, application logs and many others.

Detect attempts to gain access to devices using default administrative passwords.

Detect attempts to log-in remotely to machines using administrative accounts directly and verify that
this is disallowed by policy.

Detect attempts to log-in directly to a workstation or server with root or administrator accounts.
Verify that this is disallowed by policy.

Detect attempts to gain access to password files within the system using unauthorized accounts. Verify
that access is disallowed and that attempts are logged and reported.

Detect attempts to elevate to a privileged account on the system. Verify that the administrator
password is required to perform the elevation and that the elevation is logged and reported by the
system. Verify that traceability within the audit logs is provided to detail the user account that
performed the elevation.

Detect attempts to configure weak administrator passwords that are non-compliant with established
policy. Verify that the system does not allow weak passwords to be used.

Detect attempts to re-use an administrator password that was previously used for the account. Verify
that the system requires unique new passwords during each update.

Splunk UBA has several models that track user behavior by creating a baseline per account. If accounts
with admin privileges are being used in unusual ways, UBA will generate anomalies and threats that
surface this behavior

For baseline competency of control 6 the following devices must have log data ingested and tested in
Splunk: two routers, two firewalls, two switches, 10 servers, and 10 client systems. It must be verified
that the systems generate audit logs and, if not, an alert regarding the failed logging must be sent
within 24 hours and must verify that the system data provides details of the location of each machine,
including information about the asset owner.

Log data can be delivered to Splunk software in flat-file format, Windows Event Logs, syslog, direct
REST API ingestion and a multitude of other methods.

Logs can be delivered in a compressed and optionally encrypted manner.

Tools are provided to ensure the security and tamper-proof nature of the centralized log store.

Splunk software allows the security investigator to apply security and audit logic at will, with options
for real-time or historical modes.

Security and audit logic can be converted into reports, alerts, dashboards, feeds and actions and
integrated into incident response workflow.

Logs can be analyzed in full fidelity and can be kept as long as necessary, provided you have the disk
space; there is no data "rollup," so you do not lose any granularity.

Build query to look at the logs from the forward proxy and extract the user-agent field for vulnerable
browser versions.
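The query described above, as an added Python example rather than a Splunk search: pull the User-Agent field out of forward-proxy access log lines, classify the browser family and major version, and report users whose browser is below the organization's supported minimum. This is not code from the page or from Splunk; the Squid-style log lines, user names and the minimum-version policy are constructed for the example, and the classifier only knows Chrome and Firefox so that anything else is reported as unrecognized rather than silently ignored.

```python
import re

# Constructed forward-proxy access log lines (Squid-like combined format; not real data).
SAMPLE_PROXY_LOGS = [
    '10.1.20.15 - alice [26/Jul/2018:10:01:02 +0000] "GET http://intranet.test/ HTTP/1.1" 200 512 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/66.0.3359.181 Safari/537.36"',
    '10.1.20.16 - bob [26/Jul/2018:10:02:17 +0000] "GET http://intranet.test/ HTTP/1.1" 200 512 '
    '"Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"',
    '10.1.20.77 - carol [26/Jul/2018:10:03:40 +0000] "GET http://intranet.test/ HTTP/1.1" 200 512 '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '10.1.20.15 - alice [26/Jul/2018:10:05:00 +0000] "GET http://intranet.test/x HTTP/1.1" 200 512 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/66.0.3359.181 Safari/537.36"',
]

# Hypothetical policy: lowest major version still supported, per browser family.
MIN_SUPPORTED = {"Chrome": 65, "Firefox": 60}

# The user agent is the last quoted field on the line.
UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')
# Family/major-version token. Order matters: a Chrome UA also says "Safari/", so only
# families that are listed here are recognized.
BROWSER_RE = re.compile(r"\b(Chrome|Firefox)/(\d+)")


def extract_user_agent(line):
    """Return the User-Agent string from a proxy log line, or None if the line has none."""
    m = UA_FIELD_RE.search(line)
    return m.group(1) if m else None


def classify_browser(user_agent):
    """Return (family, major_version) or None when the family is not recognized."""
    m = BROWSER_RE.search(user_agent)
    return (m.group(1), int(m.group(2))) if m else None


def find_unsupported(lines, minimums):
    """Return (below, unknown): {user: (family, major)} for browsers under the policy
    minimum, and {user: user_agent} for user agents the classifier does not recognize."""
    below, unknown = {}, {}
    for line in lines:
        user = line.split()[2]            # third field of the combined format
        ua = extract_user_agent(line)
        if ua is None:
            continue
        parsed = classify_browser(ua)
        if parsed is None:
            unknown[user] = ua
            continue
        family, major = parsed
        if family in minimums and major < minimums[family]:
            below[user] = (family, major)
    return below, unknown
```

The "unknown" bucket is what makes the dashboard honest: an Internet Explorer or unusual client that the regex does not match shows up for review instead of being counted as compliant.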

Create dashboards showing how many unsupported web browsers have been detected on the
organization's systems.

From endpoint security and SAM tool data, create dashboards showing which unsupported email clients
have been detected on the organization's systems (by business unit).

Log and report on the number of URLs of interest accessed from the organization's systems.

From correlation of Active Directory group policy and CMDB data, report what percentage of devices are
not required to utilize network-based URL filters to limit access to potentially malicious websites.

Check for existence of SPF records and log output "dig @ns1.nameserver1.com domain.com txt"
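An added Python example of the SPF check above: given the TXT strings that a query such as the dig command shown returns, decide whether the zone publishes a usable SPF record. It is not code from the page or from Splunk, performs no DNS lookup itself (the resolver output is assumed to have been captured already), and the zone names and record contents are constructed for the example.

```python
# Constructed TXT record sets for hypothetical zones, standing in for the strings that
# "dig <zone> txt" returns. No DNS lookup is performed; everything here is made up.
SAMPLE_TXT = {
    "example.test":  ["v=spf1 ip4:198.51.100.0/24 include:_spf.mailprovider.test -all",
                      "site-verification=abc123"],
    "softfail.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    "nospf.test":    ["some-other-record=1"],
    "multi.test":    ["v=spf1 -all", "v=spf1 ip4:203.0.113.5 -all"],
}


def check_spf(txt_records):
    """Classify one zone's TXT records as ok / weak / missing / invalid, with a reason."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no v=spf1 TXT record published"
    if len(spf) > 1:
        # RFC 7208 section 3.2: more than one SPF record is a permanent error for receivers.
        return "invalid", "%d SPF records published; exactly one is allowed" % len(spf)
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return "weak", "no 'all' mechanism; unlisted senders get a neutral result"
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "-":
        return "ok", "unlisted senders hard-fail"
    if qualifier == "~":
        return "weak", "softfail (~all); many receivers still accept the message"
    return "weak", "'%sall' does not reject unlisted senders" % qualifier


def audit(zone_records):
    """Return {zone: status} so the result can be logged or turned into a report."""
    return {zone: check_spf(records)[0] for zone, records in zone_records.items()}
```

Existence alone is not the useful signal; a record that ends in "?all" or "+all", or two conflicting records, leaves spoofed mail just as deliverable as no record at all, which is why the check reports a status rather than a boolean.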

Correlate email attachments with known malware hashes
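The attachment-hash correlation above and the threat-list matching described later in this section ("ES compiles information from approximately 20 threat lists and correlates the information with threat list data found in the environment") are the same operation over different indicator types. The Python below is an added example of it, not code from the page or from Splunk: normalized proxy, firewall and mail events are checked against a list of IPs, domains and SHA-256 hashes. The threat list and all events are constructed; the hash is of a made-up byte string and the addresses are documentation-range values, so nothing here is a real indicator.

```python
import hashlib

# Constructed threat list (not real indicators).
THREAT_LIST = {
    "ip":     {"203.0.113.45"},
    "domain": {"bad.example.test"},
    "sha256": {hashlib.sha256(b"MZ\x90\x00constructed-sample").hexdigest()},
}

# Constructed normalized events: two proxy records, one firewall record and two mail
# records carrying attachment bytes (in practice the gateway would supply the hash).
EVENTS = [
    {"type": "proxy",    "src": "10.1.20.15", "dest": "198.51.100.7", "host": "cdn.example.test"},
    {"type": "firewall", "src": "10.1.20.77", "dest": "203.0.113.45"},
    {"type": "proxy",    "src": "10.1.20.16", "dest": "198.51.100.9", "host": "www.bad.example.test"},
    {"type": "mail",     "src": "10.1.20.15", "attachment": b"MZ\x90\x00constructed-sample"},
    {"type": "mail",     "src": "10.1.20.16", "attachment": b"%PDF-1.4 quarterly report"},
]


def indicators(event):
    """Yield (ioc_type, value) pairs derivable from one event."""
    if "dest" in event:
        yield "ip", event["dest"]
    if "host" in event:
        yield "domain", event["host"].lower().rstrip(".")
    if "attachment" in event:
        yield "sha256", hashlib.sha256(event["attachment"]).hexdigest()


def domain_listed(host, listed):
    """A listed domain also covers its subdomains."""
    return any(host == d or host.endswith("." + d) for d in listed)


def correlate(events, threat_list):
    """Return one match record per (event, indicator) hit against the threat list."""
    matches = []
    for idx, event in enumerate(events):
        for ioc_type, value in indicators(event):
            listed = threat_list.get(ioc_type, set())
            hit = domain_listed(value, listed) if ioc_type == "domain" else value in listed
            if hit:
                matches.append({"event": idx, "src": event["src"],
                                "ioc_type": ioc_type, "value": value})
    return matches
```

Hashes and IPs are exact-match lookups; domains are suffix-matched so that a listed apex domain also catches hosts under it, which is the usual convention in threat-list matching and the reason the host is lower-cased and stripped of a trailing dot first.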

Ensure malware protections are enabled in Exchange configuration (EAC)

Create dashboard/report of systems that have not been deployed with enabled and up-to-date anti-
malware systems.

Create dashboard/report of instances of malicious code that have been detected recently by host and
network based anti-malware systems.

Identify benchmark metrics regarding how long it takes to identify any malicious software that is
installed, attempted to be installed, executed, or attempted to be executed on a system

How long does it take the organization to completely remove the malicious code from the system after
it has been identified (helpdesk metrics)?

Benchmark metrics showing percentage of the organization's systems that are not currently running a
host based firewall

Dashboard/report showing which unauthorized services are currently running on the organization's
business systems.

Dashboard/report showing how many deviations from approved service baselines have been discovered
recently on the organization's business systems.

Trigger alerts and provide trend analysis of any new unauthorized listening network ports that are
installed on network systems

Dashboard/report showing how long it takes to close or authorize newly detected system services
(helpdesk metrics e.g. ServiceNow)

Create report of the organization's systems that have not recently had their operating system or
application binaries backed up.

Create report on system backups that have not recently been tested by the organization's personnel.

Create report on the percentage of the organization's systems that do not have a current backup that is
not available to online operating system calls.

Create metrics on the average length of time it takes to notify system personnel that a backup has failed
to properly take place on a system.

Dashboards can be created to display critical and sensitive systems (for example, those designated as
containing or processing cardholder data) and their backup status.

Create report of network devices that are not currently configured with a security configuration that
matches the organization's approved configuration standard.

Create report showing network devices that do not require two-factor authentication to administer.

Trigger alerts when configuration changes are detected on a network system.

When a misconfigured network device is exploited, generally anomalous ports or traffic will be seen in
the environment, which can be tied back to
the unauthorized configurations. ES contains several correlation rules to
look for this kind of behavior. Additionally, Port & Protocol Tracker, Traffic
Center, Network Changes, Web Center, and Time Center dashboards can
all be used to display evidence of network devices that do not meet the
secure configuration standard.

Firewalls and IDS/IPS produce vast amounts of log data that Splunk can easily ingest. Most commonly,
this data arrives at Splunk in the form of syslog data, but some firewalls, such as Check Point, have
proprietary logging mechanisms that Splunk software can also use. There are a number of free apps
available on splunkbase.splunk.com that support common firewall vendors including Cisco, Palo Alto
and Fortinet.

Splunk can analyze traffic for possible exfiltration to dump servers or communication with command
and control machines, which are often registered with new, transient domain names.

Create report on the organization's remote access users who are not required to use two-factor
authentication to remotely access the organization's network.

Trigger alerts when unauthorized network packets are detected passing through perimeter
systems.

Create reports of unauthorized traffic blocked passing through perimeter systems

Report and alert on unauthorized data exfiltration attempts detected by Data Loss Prevention (DLP)
system

Create report on plain text sensitive data detected by the organization's automated scanning software
tools

Report and alert on access to known file transfer and email exfiltration websites.

Correlation can be done against usernames seen in the data and directory servers and CMDB to
determine whether a user should have access to data, based on an established classification scheme.

Splunk ingests authentication logs from all systems to determine who is signing into which applications
and where access is taking place. Object (usually file, registry or database) access auditing logs are also
ingested in Splunk software, which can then correlate across the data to report on who is rightfully
(and wrongfully) accessing sensitive information.

ES contains an Identity Center and Asset Center. This functionality allows Splunk administrators to map
assets and identities to business units and categories. ES then correlates any activity seen back to these
assets and identities so the security investigator can tell at a glance whether a particular identity should be
accessing a particular asset.

ES also contains interactive data visualization tools called Asset Investigator and Identity Investigator
that allow the security investigator
to view an asset and all notable events that have occurred surrounding
that asset or identity over time. Information available from external
sources is also brought into this view to provide business context, such
as the business unit.

Wireless access control is accomplished with wireless intrusion prevention systems (WIPS) or with generic
tools that scan networks for new and unknown devices, such as IDS/IPS systems, network discovery tools or
network access control (NAC) logs. Splunk software can monitor the log file output from these tools and
use the information in correlation searches to alert on rogue access points.

Splunk software accepts regularly generated log files from WIPS tools and has free technology add-ons
for specific WIPS, such as Motorola AirDefense, available in Splunk Enterprise Security.

When a wireless access point is detected, Splunk software can correlate the MAC address with an
asset database to ensure that it is an authorized device. If the CMDB contains the management status
of the device, Splunk can correlate that information as well.

The Splunk App for PCI-DSS contains a Wireless Network Misconfigurations dashboard. This report can be
easily copied to Splunk Enterprise or to Splunk Enterprise Security.

Create alerts and reports on rogue wireless access points

Create alerts on unauthorized wireless devices to be isolated/removed from the network

Create reports on invalid login attempts, trigger alerts on repeated failures within set amount of time

Log and alert on attempts to gain access to password files in the system

Splunk software ingests authentication logs from all systems to determine who is logging into which
applications and where access is taking place. Splunk can then correlate across the data to report on
when accounts that are not on a whitelist are being used. Other useful correlations include the ability
to:

Create alerts when multiple accounts access data using the same IP address

Create alerts when an account that belongs to an “expired” user is being used

Alert when an account that has long been dormant suddenly shows activity

Report on accounts that are being used to access critical resources

Alert on accounts that are being used to access critical resources and that are associated with users who
have had a change in life status (marital, death in family) or who have been placed on a performance
plan or termination list
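The account-monitoring correlations listed above, worked through over constructed data as an added example that is not Splunk's or ES's own code. The identity lookup's endDate and watchlist columns are named after the ES identity lookup; the key=value log format, the critical-asset list and the 90-day dormancy threshold are assumptions.

```python
"""Account-monitoring correlations over constructed authentication events and a
constructed identity lookup (added example, not Splunk/ES code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity lookup: one row per known (whitelisted) account. Column
# names follow the ES identity lookup (endDate, watchlist); values are made up.
IDENTITIES = {
    "alice":      {"endDate": None,                  "watchlist": False, "bunit": "finance"},
    "bob":        {"endDate": datetime(2018, 6, 30), "watchlist": False, "bunit": "sales"},  # left the company
    "carol":      {"endDate": None,                  "watchlist": True,  "bunit": "eng"},    # on a termination list
    "svc_backup": {"endDate": None,                  "watchlist": False, "bunit": "it"},
}
# Constructed asset-center entries that count as critical resources.
CRITICAL_ASSETS = {"fileserver01", "hr-db01"}

# Constructed authentication events in an assumed key=value format (not a real sourcetype).
AUTH_LOG = """\
2018-03-01T02:00:00 user=svc_backup src=10.0.0.9 dest=fileserver01 app=smb action=success
2018-07-25T09:01:00 user=alice src=10.1.1.5 dest=fileserver01 app=smb action=success
2018-07-25T09:03:00 user=bob src=10.1.1.77 dest=hr-db01 app=sqlnet action=success
2018-07-25T09:04:00 user=carol src=10.1.1.77 dest=hr-db01 app=sqlnet action=success
2018-07-25T09:05:00 user=mallory src=10.1.1.77 dest=fileserver01 app=smb action=failure
2018-07-25T09:06:00 user=svc_backup src=10.0.0.9 dest=fileserver01 app=smb action=success
2018-07-25T09:07:00 user=alice src=10.1.1.5 dest=wiki app=http action=success
"""


def parse_auth_log(text):
    """Parse the constructed log into dicts; the timestamp becomes a datetime under 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        ev = dict(kv.split("=", 1) for kv in kvs)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def accounts_not_whitelisted(events, identities=IDENTITIES):
    """Accounts seen authenticating that have no row in the identity lookup."""
    return sorted({e["user"] for e in events if e["user"] not in identities})


def expired_identity_activity(events, identities=IDENTITIES):
    """Successful logins by an identity whose endDate has already passed."""
    hits = []
    for e in events:
        row = identities.get(e["user"])
        if row and row["endDate"] and e["time"] > row["endDate"] and e["action"] == "success":
            hits.append((e["user"], e["time"].isoformat()))
    return hits


def dormant_account_activity(events, dormant=timedelta(days=90)):
    """Accounts whose successful login follows a gap longer than `dormant` since the previous one."""
    last_seen, hits = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["action"] != "success":
            continue
        prev = last_seen.get(e["user"])
        if prev is not None and e["time"] - prev > dormant:
            hits.append((e["user"], (e["time"] - prev).days))
        last_seen[e["user"]] = e["time"]
    return hits


def shared_source_accounts(events, min_accounts=3):
    """Source addresses from which at least `min_accounts` distinct accounts authenticated (attempts included)."""
    by_src = defaultdict(set)
    for e in events:
        by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in by_src.items() if len(users) >= min_accounts}


def watchlisted_access_to_critical(events, identities=IDENTITIES, critical=CRITICAL_ASSETS):
    """Successful access to a critical asset by an identity flagged on the watchlist."""
    return [(e["user"], e["dest"]) for e in events
            if e["action"] == "success" and e["dest"] in critical
            and identities.get(e["user"], {}).get("watchlist")]


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG)
    print("not whitelisted:", accounts_not_whitelisted(evs))
    print("expired identity:", expired_identity_activity(evs))
    print("dormant account active:", dormant_account_activity(evs))
    print("shared source:", shared_source_accounts(evs))
    print("watchlist -> critical:", watchlisted_access_to_critical(evs))
```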

Splunk software can be used to assess user behavior and determine which populations of users require
security awareness training. For example, by looking at the following types of behavior available from
Splunk searches against activity and web access/proxy logs, additional required training can be
identified.

Which users are accessing inappropriate websites?

Which users are accessing resources with default/shared account names?

Which users are using unapproved web browsers?

Which users clicked on a link in a fake phishing email?

Which users are putting the company at risk with long VPN sessions?

Splunk accepts regularly generated reports from any vulnerability and application scanners. These
reports are usually in XML, CSV or similar formats.

Web application firewalls provide web firewall, access, audit and system logs, all of which can be
gathered in Splunk software for analysis.

During application development, penetration testing is often part of the QA cycle. Developers should
use Splunk software to analyze the application logs during this process and to understand how the
application responds to the scans, allowing them to identify vulnerabilities before production.

Create a report on SQL injection attempts from web logs

Splunk's ability to quickly search through mountains of security and non-security related data and
apply business context to it is invaluable when time is of the essence and false positives cannot be
tolerated.

Security professionals need to have all data at their fingertips when investigating an incident. By
having all of the information centralized and searchable, Splunk software allows individuals and teams
to respond quickly and accurately, limiting the organization’s exposure.

During penetration tests, Splunk software gives team members significant information about the
environment. Splunk software provides deep granularity into real-time and historical (often a year or
more is available online for instant searching) data. Using this data, pen testers/red team members can
better plan a target list or create new target lists from dashboards such as Traffic Analysis.

During pen testing and red team activities, Splunk software can display the status of any successful or
failed breach attempts.

Accounts associated with successful or failed breach attempts found during pen testing and red team
activities can be fed back into Splunk software to understand how the account has been used
historically.

ES contains Asset Center and Identity Center capabilities, where known information about assets and
identities is centralized into a series of lookup tables. Pen testers and red team members can use this
information after activities are carried out to understand which assets or identities are of high value to
the organization.

Apps & TAs

Splunk App for Discovery (NMAP)
Splunk Add-on for Nessus
RedSeal App
Qualys App
Tripwire IP360 App
Rapid7 Nexpose App

Splunk Scripted Inputs
Splunk Add-on for Microsoft Windows
TA-Microsoft-Sysmon
Splunk Add-on for Unix and Linux
Tanium Splunk App
Splunk for BigFix
SCCM App for Splunk
Splunk Add-on for Microsoft System Center Operations Manager
Splunk App & Add-On for ServiceNow
Splunk App & Add-On for Bit9
Threat Intelligence (bad hashes)
WinHostMon

Splunk App for Big Fix
Splunk App for Tripwire Enterprise
Splunk Add-on for McAfee
Splunk App for VMware
Splunk Stream
Splunk Add-on for Bro IDS
Splunk Add-on for Microsoft Windows
Splunk Add-on for Unix and Linux
Splunk App for Windows Infrastructure
Splunk App for Puppet
Splunk App for Tanium
WinHostMon

Splunk App for Qualys
Splunk App for Tripwire IP360
Splunk Add-on for Nessus
Tenable Network Security PVS App for Splunk
Hurricane Labs App for Vulnerability Management
Splunk for Asset Discovery
Rapid7 App for Splunk Enterprise
Mitre CVE Data Feed

Splunk Add-on for Microsoft Windows
Splunk Add-on for Unix and Linux
Splunk App for Windows Infrastructure
SCCM App for Splunk
Splunk Add-on for Microsoft System Center Operations Manager
Splunk Add-on for CyberArk
Splunk App for Okta
Splunk Add-on for Okta
RADIUS Authentication

All Splunk Apps, TAs and data sources

App for Web Proxies
Splunk for Blue Coat ProxySG
Palo Alto Networks App for Splunk
Splunk Add-on for Bro IDS
Splunk App for Stream
Splunk for BigFix
Splunk App for Tripwire Enterprise
Splunk for Symantec
Splunk Add-on for McAfee
Splunk App for VMware
Splunk App for Windows Infrastructure
Splunk Enterprise Security
Zscaler App for Splunk
Splunk Add-on for Cisco ESA
TA-dig
Splunk App for Microsoft Exchange

Splunk for Symantec
Splunk Add-on for McAfee
Splunk App for Windows Infrastructure
Splunk App for Tanium
Splunk Tech Add On for CylanceV
Ziften for Splunk
Splunk App for Stream
Splunk App for Bro
Splunk for DNS
Threat Intelligence

Splunk App for Qualys
Splunk App for Tripwire IP360
Splunk Add-on for Nessus
Tenable Network Security PVS App for Splunk
Hurricane Labs App for Vulnerability Management
Splunk for Asset Discovery
Rapid7 App for Splunk Enterprise
App for Web Proxies
Splunk for Blue Coat ProxySG
Palo Alto Networks App for Splunk
Splunk Add-on for Bro IDS
Splunk App for Stream

Splunk App for Palo Alto
Palo Alto Networks App for Splunk
Fortinet FortiGate App for Splunk
Splunk app for Check Point
Splunk Add-on for Cisco ASA
Splunk App for Shodan
Splunk Add-on for Bro IDS
Splunk App for Stream

Splunk Add-on for Microsoft Windows
TA-Microsoft-Sysmon
Splunk Add-on for Unix and Linux
Splunk App for AWS
Splunk App for Bro
Splunk App for Stream
Splunk App for Puppet
Splunk App for ServiceNow
Splunk App for AWS
Splunk Add-On for Google Cloud Platform

Splunk App for Palo Alto
Palo Alto Networks App for Splunk
Fortinet FortiGate App for Splunk
Splunk app for Check Point
Splunk Add-on for Cisco ASA
Splunk App for Shodan
App for Web Proxies
Splunk for Blue Coat ProxySG
Palo Alto Networks App for Splunk
Splunk Add-on for Bro IDS
Splunk App for Stream
Splunk Add-on for Microsoft System Center Operations Manager

Splunk Add-on for Microsoft System Center Operations Manager
Splunk App for Windows Infrastructure
Splunk Add-on for Bro IDS
Splunk App for Stream

Splunk App for Windows Infrastructure
Splunk Add-on for CyberArk

TA-airtight
Splunk App for Asset Discovery

Splunk Add-on for Microsoft Windows
Splunk Add-on for Unix and Linux
Splunk App for Windows Infrastructure
SCCM App for Splunk
Splunk Add-on for Microsoft System Center Operations Manager
Tripwire WebApp260
Splunk App for McAfee

Use Cases and Example Questions

Use Case: Security Operations
How many critical vulnerabilities were found today by host and signature?
Show me all users that received an email with subject containing 'quarterly' or 'report'
Show me hosts with malware that was not blocked by signature
Show me users who received emails with a subject containing 'Internal Only', 'Confidential', or 'Private' by sender
Show me users who received emails with infected attachments this week by recipient and subject
What are the systems with the most changes by action and user in the past 24 hours?
What files have been modified on critical systems today by user?
What servers are listening on ports NOT 80, 443, or 8080?
What systems have been recently infected?
What systems have generated anomalous DNS requests this week?
What systems launched new processes today vs yesterday?
What vulnerable systems had an IDS event last week that match at least one CVE?
What web traffic was seen from infected hosts by site?
What were the top IDS alerts by vendor this week?
Which hosts have generated DNS queries longer than 30 characters?
Which hosts have unique user agents for the past 48 hours?
Which systems have generated the most DHCP requests today?
Which users are generating network traffic during non-business hours by application?
Which users are generating web traffic during non-business hours by category?
Which users logged in to systems with an IDS event by category?
Which users successfully logged in to infected systems recently?

Use Case: IT Operations
How many critical vulnerabilities were found today by host and signature?
Show me all network traffic today
Show me all the Windows alerts on my network in the past week
What IPs have the longest DHCP lease duration today?
What are the most common processes and services run on systems in the DMZ?
What are the systems with the most changes by action and user in the past 24 hours?
What is the top traffic from external IP addresses today?
What servers are listening on ports NOT 80, 443, or 8080?
What systems had failed updates this week?
What systems launched new processes today vs yesterday?
What systems reached 100% CPU utilization today?
What was the uptime for all critical systems this month?
What were all patch updates found this week by vendor product?
Which applications are generating the most traffic across my network today?
Which systems have generated the most DHCP requests today?
Which systems needed to be rebooted after updates were applied?
Which web sites are users generating the most traffic to this week?
Which web sites are users visiting the most this week?

Use Case: Incident Response
Show me all users that received an email with subject containing 'quarterly' or 'report'
Show me hosts with malware that was not blocked by signature
Show me users who received emails with infected attachments this week by recipient and subject
What files have been modified on critical systems today by user?
What systems have been recently infected?
What web traffic was seen from infected hosts by site?
Which hosts have unique user agents for the past 48 hours?
Which users logged in to systems with an IDS event by category?
Which users successfully logged in to infected systems recently?

Use Case: System Monitoring
How many critical vulnerabilities were found today by host and signature?
What systems had failed updates this week?
What systems reached 100% CPU utilization today?
What vulnerable systems had an IDS event last week that match at least one CVE?
What was the uptime for all critical systems this month?
What were all patch updates found this week by vendor product?
Which systems needed to be rebooted after updates were applied?

Use Case: Malware Analysis
Show me hosts with malware that was not blocked by signature
What systems have been recently infected?
What systems have generated anomalous DNS requests this week?
What web traffic was seen from infected hosts by site?
Which hosts have generated DNS queries longer than 30 characters?
Which users successfully logged in to infected systems recently?

Use Case: Server Monitoring
What are the most common processes and services run on systems in the DMZ?
What servers are listening on ports NOT 80, 443, or 8080?
What systems launched new processes today vs yesterday?
Which users logged in to systems with an IDS event by category?
Which web sites are users generating the most traffic to this week?
Which web sites are users visiting the most this week?

Use Case: Web Activity Analysis
What web traffic was seen from infected hosts by site?
Which hosts have unique user agents for the past 48 hours?
Which users are generating web traffic during non-business hours by category?
Which web sites are users generating the most traffic to this week?
Which web sites are users visiting the most this week?

Use Case: Insider Threat Monitoring
Show me all users that received an email with subject containing 'quarterly' or 'report'
Show me users who received emails with a subject containing 'Internal Only', 'Confidential', or 'Private' by sender
What are the systems with the most changes by action and user in the past 24 hours?
Which users are generating network traffic during non-business hours by application?
Which users are generating web traffic during non-business hours by category?

Use Case: Network Analysis
Show me all network traffic today
What is the top traffic from external IP addresses today?
Which applications are generating the most traffic across my network today?
Which users are generating network traffic during non-business hours by application?

Use Case: Endpoint Monitoring
What web traffic was seen from infected hosts by site?
Which hosts have unique user agents for the past 48 hours?
Which users logged in to systems with an IDS event by category?

Use Case: Intrusion Monitoring
What vulnerable systems had an IDS event last week that match at least one CVE?
What were the top IDS alerts by vendor this week?
Which users logged in to systems with an IDS event by category?

Use Case: Email Analysis
Show me all users that received an email with subject containing 'quarterly' or 'report'
Show me users who received emails with a subject containing 'Internal Only', 'Confidential', or 'Private' by sender
Show me users who received emails with infected attachments this week by recipient and subject

Use Case: Application Monitoring
What are the most common processes and services run on systems in the DMZ?
What systems launched new processes today vs yesterday?
Which applications are generating the most traffic across my network today?

Use Case: Patch Management
What systems had failed updates this week?
What were all patch updates found this week by vendor product?
Which systems needed to be rebooted after updates were applied?

Use Case: Change Analysis
What are the systems with the most changes by action and user in the past 24 hours?
What files have been modified on critical systems today by user?

Use Case: DNS Monitoring
What systems have generated anomalous DNS requests this week?
Which hosts have generated DNS queries longer than 30 characters?

Use Case: DHCP Monitoring
What IPs have the longest DHCP lease duration today?
Which systems have generated the most DHCP requests today?

Use Case: Vulnerability Management
How many critical vulnerabilities were found today by host and signature?
What vulnerable systems had an IDS event last week that match at least one CVE?

Use Case: Windows Alerts
Show me all the Windows alerts on my network in the past week


Data Sources Used

Use Case: Security Operations
Sourcetypes: bluecoat:proxysg:access:syslog ms:o365:management stream:http bro_dhcp WinEventLog:Application
netflow bro_http snort symantec:cloud:email bro_conn bro_smtp stream:dns bro_dns stream:smtp nessus:scan sop
remote_access_sample dhcpd juniper:idp bluecoat:proxysg:access:file fortinet WinEventLog:Application:sophos linu
stream:ip sophos:tamperprotection stream:tcp fs_notification cisco:sourcefire websense:cg:kv eStreamer WinEventL
tippingpoint mcafee:ids WinRegistry sfdc:logfile fe_xml Script:ListeningPorts ps WMI:Service XmlWinEventLog:Secur
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational tenable:sc:vuln sophos:firewall symantec:ep:risk:file
symantec:ep:security:file symantec:ep:proactive:file snow:change_task snow:change_request symantec:ep:agent:fil
symantec:ep:traffic:file sfdc:loginhistory nmap netscreen:firewall FireEye_CEF DhcpSrvLog oracle:audit:xml stream:s
juniper:junos:idp symantec:ep:behavior:file oracle:audit:text oracle:listener:text mcafee:epo MonitorWare:Security
juniper:junos:firewall WMI:LocalProcesses Perfmon:LocalProcesses cisco:sourcefire:defencecenter:syslog OSX:Servic
Unix:ListeningPorts Linux:Service Solaris:Service ossec oracle:audit:unified cisco:sourcefire:appliance:syslog symante
oracle:listener:xml airdefense juniper:sslvpn symantec:atp:network rsa:securid:admin:syslog stream:log rsa:securid:
stream:udp

Datamodels: Vulnerabilities, Email, Malware, Change Analysis, Application State, Network Resolution (DNS), Intrusion Detection, Web, Network Sessions, Network Traffic, Authentication

Relevant
Fields: Vulnerabilities.severity Vulnerabilities.signature Vulnerabilities.dest All_Email.subject All_Email.action All_E
Email.src_user Malware_Attacks.category Malware_Attacks.signature Malware_Attacks.action Malware_Attacks.des
Email.recipent All_Email.file_name
All_Email.src_user Malware_Attacks.file_name All_Changes.dest All_Changes.user All_Changes.Endpoint_Changes.F
s.file_path All_Changes.action All_Changes.status All_Changes.Account_Management.src_user All_Changes.Endpoin
em_Changes.file_hash All_Changes.Endpoint_Changes.Filesystem_Changes.file_name All_Application_State.dest All
e.Ports.dest_port Malware_Attacks.vendor_product DNS.answer DNS.dest DNS.message_type DNS.query DNS.src ID
nerabilities.cve Web.site Web.src IDS_Attacks.action IDS_Attacks.severity IDS_Attacks.signature
IDS_Attacks.vendor_products Web.dest Web.http_user_agent All_Sessions.user All_Sessions.dest_nt_host All_Traffic
er All_Traffic.bytes Web.category Web.user Web.bytes Authentication.dest Authentication.user IDS_Attacks.category
pp

Use Case: IT Operations
Sourcetypes: bluecoat:proxysg:access:syslog ms:o365:management bro_dhcp netflow bro_conn stream:http dhcpd
bro_http stream:ip stream:tcp stream:smtp nessus:scan juniper:idp bluecoat:proxysg:access:file bro_notice mscs:vm
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sophos:firewall top sophos:tamperprotection websense:c
fs_notification cisco:sourcefire Script:ListeningPorts ps WMI:Service eStreamer cpu df Perfmon:FreeDiskSpace Perfm
fortinet iostat oracle:sysPerf WindowsUpdateLog stream:stats symantec:ep:traffic:file sfdc:logfile netscreen:firewall
WinRegistry nmap WinHostMon vmstat tenable:sc:vuln Perfmon:Memory XmlWinEventLog:Security juniper:junos:fi
snow:change_task snow:change_request symantec:ep:agent:file WinEventLog:System WinEventLog:Security WMI:U
oracle:tablespaceMetrics WMI:LocalProcesses Perfmon:LocalProcesses Unix:ListeningPorts Linux:Update OSX:Servic
Solaris:Service Linux:Service Perfmon:LocalNetwork Unix:Uptime Perfmon:CPU juniper:sslvpn oracle:audit:xml oracl
linux_secure symantec:atp:network stream:log rsa:securid:admin:syslog stream:udp

Datamodels: Vulnerabilities, Network Traffic, Alerts, Network Sessions, Application State, Change
Analysis, Updates, Performance, Web

Relevant
Fields: Vulnerabilities.severity Vulnerabilities.signature Vulnerabilities.dest All_Traffic.dest All_Traffic.src All_Traffic.
tion Alerts.dest Alerts.app Alerts
severity Alerts.type All_Sessions.user All_Sessions.dest_nt_host All_Sessions.dest_ip All_Application_State.dest All_
process All_Application_State.Services.service All_Application_State.Services.status All_Changes.dest All_Changes.u
ndpoint_Changes.Filesystem_Changes.file_path All_Changes.action All_Changes.status All_Application_State.Ports.d
dest Updates.signature Updates.status Updates.severity All_Performance.dest All.Performance.dest Updates.vendor
c.app Web.site Web.bytes Web.user

Use Case: Incident Response
Sourcetypes: bluecoat:proxysg:access:syslog ms:o365:management WinEventLog:Application:trendmicro stream:htt
symantec:cloud:email bro_http sophos:threats remote_access_sample bro_smtp stream:smtp WinEventLog:Applica
linux_secure bluecoat:proxysg:access:file cisco:sourcefire fortinet sophos:tamperprotection websense:cg:kv fs_notifi
WinEventLog:Security symantec:ep:risk:file symantec:ep:proactive:file sfdc:logfile WinRegistry XmlWinEventLog:Sec
sfdc:loginhistory tippingpoint mcafee:ids fe_xml snow:change_task snow:change_request symantec:ep:agent:file
symantec:ep:security:file oracle:audit:xml oracle:listener:text MonitorWare:Security mcafee:epo oracle:audit:text Fi
cisco:sourcefire:defencecenter:syslog juniper:junos:idp symantec:ep:behavior:file oracle:audit:unified
cisco:sourcefire:appliance:syslog oracle:listener:xml netscreen:firewall symantec:ep:traffic:file ossec symantec:atp:e
symantec:atp:network juniper:sslvpn XmlWinEventLog:Microsoft-Windows-Sysmon/Operational rsa:securid:admin:s
rsa:securid:runtime:syslog

Datamodels: Email, Malware, Change Analysis, Web, Intrusion Detection, Authentication

Relevant
Fields: All_Email.subject All_Email.action All_Email.recipient All_Email.src_user Malware_Attacks.category Malware
Malware_Attacks.action Malware_Attacks.dest All_Email.file_name
All_Email.src_user Malware_Attacks.file_name All_Changes.dest All_Changes.Account_Management.src_user All_Ch
Changes.Filesystem_Changes.file_hash All_Changes.Endpoint_Changes.Filesystem_Changes.file_name All_Changes.
.Filesystem_Changes.file_path All_Changes.action Malware_Attacks.vendor_product Web.site Web.src Web.dest We
t Authentication.dest Authentication.user IDS_Attacks.dest IDS_Attacks.category Authentication.app

Use Case: System Monitoring
Sourcetypes: nessus:scan snort mscs:vm:metrics cpu juniper:idp df Perfmon:FreeDiskSpace Perfmon:CPUTime fortin
tenable:sc:vuln oracle:sysPerf WindowsUpdateLog WinHostMon eStreamer vmstat tippingpoint mcafee:ids Perfmon
WinEventLog:System symantec:ep:security:file WMI:Uptime oracle:tablespaceMetrics Linux:Update OSX:Update cisc
FireEye_CEF Perfmon:LocalNetwork Unix:Uptime Perfmon:CPU juniper:junos:idp symantec:ep:behavior:file symante
linux_secure symantec:atp:endpoint netscreen:firewall airdefense symantec:atp:network mcafee:epo

Datamodels: Vulnerabilities, Updates, Performance, Intrusion Detection

Relevant
Fields: Vulnerabilities.severity Vulnerabilities.signature Vulnerabilities.dest Updates.dest Updates.signature Update
everity All_Performance.dest IDS_Attacks.dest Vulnerabilities.cve All.Performance.dest Updates.vendor_product

Use Case: Malware Analysis
Sourcetypes: bluecoat:proxysg:access:syslog ms:o365:management WinEventLog:Application:trendmicro bro_dns st
remote_access_sample stream:dns symantec:cloud:email sophos:threats bro_http linux_secure WinEventLog:Applic
bluecoat:proxysg:access:file cisco:sourcefire WinEventLog:Security websense:cg:kv symantec:ep:risk:file symantec:e
sfdc:loginhistory sfdc:logfile XmlWinEventLog:Security oracle:listener:text MonitorWare:Security oracle:audit:xml for
oracle:audit:text mcafee:epo oracle:audit:unified oracle:listener:xml cisco:sourcefire:defencecenter:syslog
cisco:sourcefire:appliance:syslog netscreen:firewall ossec juniper:sslvpn rsa:securid:runtime:syslog

Datamodels: Malware, Network Resolution (DNS), Web, Authentication

Relevant
Fields: Malware_Attacks.category Malware_Attacks.signature Malware_Attacks.action Malware_Attacks.dest Malwa
_product DNS.answer DNS.dest DNS.message_type DNS.query DNS.src Web.site Web.src Authentication.dest Authe
hentication.app

Use Case: Server Monitoring
Sourcetypes: bluecoat:proxysg:access:syslog stream:http bro_http WinEventLog:Application:trendmicro snort
bluecoat:proxysg:access:file top symantec:cloud:email websense:cg:kv Script:ListeningPorts ps sophos:threats WMI:
fortinet WinEventLog:Application:sophos nmap sfdc:logfile cisco:sourcefire eStreamer mcafee:ids tippingpoint fe_xm
symantec:ep:security:file WMI:LocalProcesses Perfmon:LocalProcesses OSX:Service Unix:ListeningPorts Linux:Servic
symantec:ep:risk:file symantec:ep:proactive:file FireEye_CEF juniper:junos:idp symantec:ep:behavior:file symantec:e
mcafee:epo XmlWinEventLog:Microsoft-Windows-Sysmon/Operational symantec:atp:endpoint netscreen:firewall air
cisco:sourcefire:defencecenter:syslog cisco:sourcefire:appliance:syslog symantec:atp:network

Datamodels: Application State, Intrusion Detection, Malware, Web

Relevant
Fields: All_Application_State.dest All_Application_State.process All_Application_State.Services.service All_Applicatio
tatus All_Application_State.Ports.dest_port Authentication.dest Authentication.user IDS_Attacks.dest IDS_Attacks.ca
eb.bytes Web.user

Use Case: Web Activity Analysis
Sourcetypes: bluecoat:proxysg:access:syslog stream:http bro_http bluecoat:proxysg:access:file websense:cg:kv
WinEventLog:Application:trendmicro symantec:cloud:email sophos:threats sfdc:logfile WinEventLog:Application:sop
cisco:sourcefire symantec:ep:risk:file symantec:ep:proactive:file mcafee:epo cisco:sourcefire:defencecenter:syslog
cisco:sourcefire:appliance:syslog

Datamodels: Malware, Web

Relevant
Fields: Malware_Attacks.action Malware_Attacks.dest Web.site Web.src Web.dest Web.http_user_agent Web.catego
bytes

Use Case: Insider Threat Monitoring
Sourcetypes: bluecoat:proxysg:access:syslog ms:o365:management stream:http bro_conn netflow bro_smtp stream
snort stream:dns stream:ip symantec:cloud:email stream:tcp sophos:tamperprotection fs_notification bluecoat:prox
juniper:idp XmlWinEventLog:Microsoft-Windows-Sysmon/Operational websense:cg:kv sophos:firewall fortinet WinR
cisco:sourcefire sfdc:logfile eStreamer XmlWinEventLog:Security snow:change_task snow:change_request stream:st
symantec:ep:agent:file symantec:ep:traffic:file netscreen:firewall WinEventLog:Security juniper:junos:firewall oracle
oracle:audit:text ossec symantec:atp:network linux_secure rsa:securid:admin:syslog stream:log stream:udp

Datamodels: Email, Change Analysis, Network Traffic, Web

Relevant
Fields: All_Email.subject All_Email.action All_Email.recipient All_Email.src_user All_Email.src All_Email.recipent All_
Changes.user All_Changes.Endpoint_Changes.Filesystem_Changes.file_path All_Changes.action All_Changes.status A
Traffic.user All_Traffic.bytes Web.category Web.user Web.bytes

Use Case: Network Analysis
Sourcetypes: bro_conn netflow stream:http snort stream:dns stream:ip stream:tcp stream:smtp juniper:idp
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sophos:firewall cisco:sourcefire eStreamer stream:stats
symantec:ep:traffic:file netscreen:firewall juniper:junos:firewall fortinet symantec:atp:network stream:log stream:ud

Datamodels: Network Traffic

Relevant Fields: All_Traffic.dest All_Traffic.src All_Traffic.bytes All_Traffic.action All_Traffic.app All_Traffic.user

Sourcetypes: bluecoat:proxysg:access:syslog stream:http bro_http WinEventLog:Application:trendmicro snort syman
bluecoat:proxysg:access:file sophos:threats websense:cg:kv WinEventLog:Application:sophos juniper:idp fortinet cis
sfdc:logfile eStreamer mcafee:ids tippingpoint fe_xml symantec:ep:risk:file symantec:ep:security:file symantec:ep:pr
FireEye_CEF juniper:junos:idp symantec:ep:behavior:file symantec:ep:traffic:file mcafee:epo cisco:sourcefire:defenc
cisco:sourcefire:appliance:syslog symantec:atp:endpoint netscreen:firewall airdefense symantec:atp:network

Datamodels: Malware, Web, Intrusion Detection

Relevant Fields: Malware_Attacks.action Malware_Attacks.dest Web.site Web.src Web.dest Web.http_user_agent Authentica
cation.user IDS_Attacks.dest IDS_Attacks.category

Datamodels: Malware, Web, Intrusion Detection

Relevant Fields: Malware_Attacks.action Malware_Attacks.dest Web.site Web.src Web.dest Web.http_user_agent Authentica
cation.user IDS_Attacks.dest IDS_Attacks.category

Sourcetypes: snort nessus:scan WinEventLog:Application:trendmicro juniper:idp fortinet symantec:cloud:email soph
eStreamer tippingpoint mcafee:ids fe_xml WinEventLog:Application:sophos symantec:ep:security:file cisco:sourcefir
FireEye_CEF juniper:junos:idp symantec:ep:behavior:file symantec:ep:traffic:file symantec:ep:risk:file symantec:ep:p
symantec:atp:endpoint netscreen:firewall airdefense mcafee:epo symantec:atp:network cisco:sourcefire:defencecen
cisco:sourcefire:appliance:syslog

Datamodels: Intrusion Detection, Vulnerabilities, Malware

Relevant Fields: IDS_Attacks.dest Vulnerabilities.cve Vulnerabilities.dest IDS_Attacks.action IDS_Attacks.severity IDS_
IDS_Attacks.vendor_products Authentication.dest Authentication.user IDS_Attacks.category

Sourcetypes: bro_smtp stream:smtp symantec:cloud:email WinEventLog:Application:trendmicro sophos:threats
WinEventLog:Application:sophos cisco:sourcefire symantec:ep:risk:file symantec:ep:proactive:file mcafee:epo
cisco:sourcefire:defencecenter:syslog cisco:sourcefire:appliance:syslog

Datamodels: Email, Malware

Relevant Fields: All_Email.subject All_Email.action All_Email.recipient All_Email.src_user All_Email.src All_Email.recipent All_
All_Email.src_user Malware_Attacks.signature Malware_Attacks.file_name

Sourcetypes: bro_conn netflow stream:http snort stream:dns stream:ip stream:tcp stream:smtp juniper:idp top Scri
ps WMI:Service XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sophos:firewall cisco:sourcefire eStreame
stream:stats symantec:ep:traffic:file netscreen:firewall juniper:junos:firewall fortinet WMI:LocalProcesses Perfmon:L
Unix:ListeningPorts OSX:Service Solaris:Service Linux:Service symantec:atp:network stream:log stream:udp

Datamodels: Application State, Network Traffic

Relevant Fields: All_Application_State.dest All_Application_State.process All_Application_State.Services.service All_Applicatio
tatus All_Traffic.bytes All_Traffic.app

Sourcetypes: WindowsUpdateLog Linux:Update OSX:Update

Datamodels: Updates

Relevant Fields: Updates.dest Updates.signature Updates.status Updates.severity Updates.vendor_product

Sourcetypes: WindowsUpdateLog Linux:Update OSX:Update

Datamodels: Updates

Relevant Fields: Updates.dest Updates.signature Updates.status Updates.severity Updates.vendor_product

Sourcetypes: ms:o365:management sophos:tamperprotection fs_notification fortinet WinRegistryXml WinEventLog
snow:change_task snow:change_request symantec:ep:agent:file WinEventLog:Security sfdc:logfile oracle:audit:xml o
ossec netscreen:firewall linux_secure XmlWinEventLog:Microsoft-Windows-Sysmon/Operational rsa:securid:admin:s

Datamodels: Change Analysis

Relevant Fields: All_Changes.dest All_Changes.user All_Changes.Endpoint_Changes.Filesystem_Changes.file_path All_Change
es.status All_Changes.Account_Management.src_user All_Changes.Endpoint_Changes.Filesystem_Changes.file_hash
point_Changes.Filesystem_Changes.file_name

Sourcetypes: bro_dns stream:dns

Datamodels: Network Resolution (DNS)

Relevant Fields: DNS.answer DNS.dest DNS.message_type DNS.query DNS.src

Sourcetypes: bro_dhcp netflow dhcpd DhcpSrvLog juniper:sslvpn

Datamodels: Network Sessions

Relevant Fields: All_Sessions.user All_Sessions.dest_nt_host All_Sessions.dest_ip

Sourcetypes: nessus:scan snort juniper:idp fortinet tenable:sc:vuln eStreamer tippingpoint mcafee:ids fe_xml
symantec:ep:security:file cisco:sourcefire FireEye_CEF juniper:junos:idp symantec:ep:behavior:file symantec:ep:traffi
symantec:atp:endpoint netscreen:firewall airdefense symantec:atp:network mcafee:epo

Datamodels: Vulnerabilities, Intrusion Detection

Relevant Fields: Vulnerabilities.severity Vulnerabilities.signature Vulnerabilities.dest IDS_Attacks.dest Vulnerabilitie

Sourcetypes: bro_notice ossec netscreen:firewall

Datamodels: Alerts

Relevant Fields: Alerts.dest Alerts.app Alerts.severity Alerts.type