Threat Hunting
Searching for advanced, persistent threats and sophisticated adversaries, as well as sweeping for indicators of compromise and indicators of attack.
Article Type: Topic
- Assessing and expanding MITRE ATT&CK coverage in Splunk Enterprise Security: How the MITRE ATT&CK framework, applied to an existing SIEM deployment such as Splunk Enterprise Security, helps security teams see which techniques they have detections for and which they do not.
- Detecting AWS Security Hub alerts: These searches surface alerts from AWS Security Hub, which collects and consolidates findings from the AWS security services enabled in your environment.
- Detecting Netsh attacks: Searches for the activities and techniques associated with abuse of the netsh utility, such as firewall rule changes, port proxying and helper DLL persistence.
- Detecting Office 365 attacks: These searches help you detect attacks against Microsoft 365 tenants.
- Detecting password spraying attacks within Active Directory environments: How to identify a user, host, or process that attempts to authenticate against an unusually high number of distinct accounts in an AD environment.
- Detecting print spooler attacks: How to use Splunk to detect print spooler attacks by examining program and binary executions, connections between infected machines and other devices, and more.
- Detecting ransomware activities within AWS environments: How to detect users in your AWS environment performing actions commonly associated with ransomware attacks.
- Detecting REvil ransomware infections: Investigate a ransomware incident by reconstructing the chain of events that led to the system being infected and establishing the full scope of the breach.
- Detecting usage of popular Linux post-exploitation tools: How to use Splunk searches to detect malicious actors running tools that search for opportunities to exploit Linux hosts.
- Detecting Windows file extension abuse: Searches you can run in Splunk to identify the signatures of file extension abuse techniques used on Windows.
- Monitoring AWS S3 for suspicious activities: These searches let you monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behavior.
- Monitoring command line interface actions: You can use Splunk to view command line strings, calculate their length, and determine how much time has passed since their related processes ran.
- Monitoring use of Git repositories: You can use Splunk software for statistical analyses such as access frequency, patterns of access, and time-of-day information.
- Getting started with MITRE ATT&CK in Enterprise Security and Security Essentials: How the MITRE ATT&CK framework, applied to an existing SIEM deployment such as Splunk Enterprise Security or Splunk Security Essentials, helps security teams see which techniques they have detections for and which they do not.
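The password spraying item above describes the detection logic only in one sentence: a single source that fails authentication against many distinct accounts inside a short window. The following is an added example (not code from any of the linked articles, and not a Splunk search) that implements that same logic in Python over a constructed set of failed-logon records shaped like Windows Security EventCode 4625 events. The field names `time`, `src`, `user` and `status`, the ten-minute window and the threshold of five distinct users are assumptions chosen for the example; the bucketing mirrors what `bin _time span=10m | stats dc(user) by src, _time` would do in Splunk.

```python
"""Password-spray detection over constructed failed-logon events.

Added example: bucket failed logons into fixed time windows per source
address and flag any (source, window) that targeted many distinct accounts.
A source hammering one account (brute force) is deliberately NOT flagged,
because the distinct-user count stays at 1.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real telemetry. Shape loosely follows
# Windows Security EventCode 4625; 0xC000006A = bad password.
SAMPLE_EVENTS = [
    # 10.0.0.23: one guess per account, six accounts in five minutes -> spray
    {"time": "2024-03-01T09:00:05", "src": "10.0.0.23", "user": "alice", "status": "0xC000006A"},
    {"time": "2024-03-01T09:01:10", "src": "10.0.0.23", "user": "bob",   "status": "0xC000006A"},
    {"time": "2024-03-01T09:02:00", "src": "10.0.0.23", "user": "carol", "status": "0xC000006A"},
    {"time": "2024-03-01T09:02:45", "src": "10.0.0.23", "user": "dave",  "status": "0xC000006A"},
    {"time": "2024-03-01T09:03:30", "src": "10.0.0.23", "user": "erin",  "status": "0xC000006A"},
    {"time": "2024-03-01T09:04:50", "src": "10.0.0.23", "user": "frank", "status": "0xC000006A"},
    # 10.0.0.50: five failures against one account -> brute force, not a spray
    {"time": "2024-03-01T09:00:10", "src": "10.0.0.50", "user": "alice", "status": "0xC000006A"},
    {"time": "2024-03-01T09:00:20", "src": "10.0.0.50", "user": "alice", "status": "0xC000006A"},
    {"time": "2024-03-01T09:00:30", "src": "10.0.0.50", "user": "alice", "status": "0xC000006A"},
    {"time": "2024-03-01T09:00:40", "src": "10.0.0.50", "user": "alice", "status": "0xC000006A"},
    {"time": "2024-03-01T09:00:50", "src": "10.0.0.50", "user": "alice", "status": "0xC000006A"},
    # 10.0.0.77: three distinct users in the 09:00 window, one more at 09:21
    {"time": "2024-03-01T09:01:00", "src": "10.0.0.77", "user": "gina", "status": "0xC000006A"},
    {"time": "2024-03-01T09:03:00", "src": "10.0.0.77", "user": "hank", "status": "0xC000006A"},
    {"time": "2024-03-01T09:08:00", "src": "10.0.0.77", "user": "ivan", "status": "0xC000006A"},
    {"time": "2024-03-01T09:21:00", "src": "10.0.0.77", "user": "jan",  "status": "0xC000006A"},
]

EPOCH = datetime(1970, 1, 1)


def bucket_start(ts: datetime, span: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-width window (like bin _time)."""
    return EPOCH + ((ts - EPOCH) // span) * span


def detect_password_spray(events, span_minutes=10, min_unique_users=5):
    """Return one hit per (src, window) whose distinct target-user count
    reaches min_unique_users. Hits are sorted by unique_users descending."""
    span = timedelta(minutes=span_minutes)
    users_by_key = defaultdict(set)   # (src, window_start) -> distinct users
    attempts_by_key = defaultdict(int)  # (src, window_start) -> failed attempts
    for e in events:
        key = (e["src"], bucket_start(datetime.fromisoformat(e["time"]), span))
        users_by_key[key].add(e["user"])
        attempts_by_key[key] += 1

    hits = []
    for (src, start), users in users_by_key.items():
        if len(users) >= min_unique_users:
            hits.append({
                "src": src,
                "window_start": start.isoformat(),
                "unique_users": len(users),
                "attempts": attempts_by_key[(src, start)],
                "users": sorted(users),
            })
    hits.sort(key=lambda h: (-h["unique_users"], h["src"], h["window_start"]))
    return hits


if __name__ == "__main__":
    for hit in detect_password_spray(SAMPLE_EVENTS):
        print(hit)
```

Two tuning caveats carry over to the real search: the threshold has to sit above the number of distinct accounts a legitimate shared host (a jump box, a scanner, a mail gateway) fails against in normal operation, and a fixed bucket can split a slow spray across two windows, so a low-and-slow actor is better caught by widening the span or by a sliding window than by lowering the threshold.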