Monitoring command line interface actions
Your Security Operations manager has requested that you monitor command line actions of users in your organization. They haven't specified exactly what you should set alerts for, but you know that the MITRE ATT&CK framework lists more than 150 attacks associated with the command line.
- Microsoft: Sysmon
- System log data
- Endpoint data
How to use Splunk software for this use case
You can use Splunk software to evaluate string length against others in their peer groups, as well as look for new and suspicious strings.
To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.
Some of the detections that can help you with this use case include:
To maximize their benefit, the searches above likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Enabling self-protection so that CLI commands must include the authentication password
- Requiring the use of libraries or APIs for commands
- Providing whitelists or other mechanisms for input validation
Measuring impact and benefit is critical to assessing the value of security operations. When implementing this use case, you should measure the number of true, positive, malicious CLI executions detected.
Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.