Your Security Operations manager has requested that you monitor command line actions of users in your organization. They haven't specified exactly what you should set alerts for, but you know that the MITRE ATT&CK framework lists more than 150 attacks associated with the command line. You can use Splunk software to view command line strings, calculate their length to evaluate them against others in their peer groups, and determine how much time has passed since their related processes ran.
How to use Splunk software for this use case
You can run many searches with Splunk software to detect this activity. Depending on what information you have available, you might find it useful to search for some or all of the following:
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Enabling self-protection so that CLI commands must include the authentication password
- Requiring the use of libraries or APIs for commands
- Providing whitelists or other mechanisms for input validation
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- CLI execution attacks detected: The number of true positive malicious CLI executions detected using Splunk software
The content in this use case comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. In addition, these resources might help you understand and implement this guidance:
- Use case procedure: Time elapsed between two related events
Need technical help? Explore our customer success resources to find education and training, engage experts through OnDemand services, view support options, and more.