Splunk Lantern

Monitoring command line interface actions

 

Your Security Operations manager has requested that you monitor command line actions of users in your organization. They haven't specified exactly what you should set alerts for, but you know that the MITRE ATT&CK framework lists more than 150 attacks associated with the command line.

How to use Splunk software for this use case

You can use Splunk software to evaluate the length of each user's command line strings against those of others in their peer group, as well as to look for new and suspicious strings.

This use case is best deployed using Splunk Security Essentials (SSE), a free application with a security content library. The searches use macros that come packaged with the Splunk Security Essentials application.
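To illustrate the logic behind both ideas outside Splunk, the following is an added Python example (not code from Splunk or Splunk Security Essentials) run over constructed process events. The event tuples, user and peer-group names, and the thresholds `k` and `min_baseline` are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample process events: (day, user, peer_group, command_line).
LONG_CMD = "cmd.exe /c echo " + "A" * 300  # constructed, unusually long string
EVENTS = [
    (1, "alice", "helpdesk", "ipconfig /all"),
    (1, "bob",   "helpdesk", "ping 10.0.0.1"),
    (1, "carol", "helpdesk", "net use"),
    (2, "alice", "helpdesk", "ping 10.0.0.1"),
    (2, "bob",   "helpdesk", "ipconfig /all"),
    (2, "carol", "helpdesk", "nslookup intranet.example"),
    (3, "alice", "helpdesk", "ipconfig /all"),
    (3, "bob",   "helpdesk", LONG_CMD),
    (3, "carol", "helpdesk", "whoami /priv"),
    (1, "dave",  "devops",   "kubectl get pods --all-namespaces"),
    (2, "erin",  "devops",   "kubectl get pods --all-namespaces"),
    (3, "dave",  "devops",   "kubectl get pods --all-namespaces"),
]

def normalize(cmd):
    """Lowercase and collapse whitespace so trivial variants compare equal."""
    return " ".join(cmd.lower().split())

def long_command_outliers(events, k=3.0, min_baseline=4):
    """Flag commands much longer than those run by OTHER users in the peer group."""
    by_group = defaultdict(list)
    for ev in events:
        by_group[ev[2]].append(ev)
    flagged = []
    for day, user, group, cmd in events:
        # Exclude the user's own events so one outlier cannot inflate its own baseline.
        peers = [len(e[3]) for e in by_group[group] if e[1] != user]
        if len(peers) < min_baseline:
            continue  # too little peer data to judge; skip rather than guess
        threshold = mean(peers) + k * max(pstdev(peers), 1.0)
        if len(cmd) > threshold:
            flagged.append((day, user, cmd))
    return flagged

def first_seen_commands(events, today):
    """Return today's commands never seen before in the same peer group."""
    history = {(g, normalize(c)) for d, _, g, c in events if d < today}
    return [(u, c) for d, u, g, c in events
            if d == today and (g, normalize(c)) not in history]

if __name__ == "__main__":
    print(long_command_outliers(EVENTS))
    print(first_seen_commands(EVENTS, today=3))
```

The `devops` group is skipped by the length check because it has too few peer samples, which is the situation where a peer-group baseline should stay silent rather than alert.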

Next steps

To maximize their benefit, the searches above likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Enabling self-protection so that CLI commands must include the authentication password
  • Requiring the use of libraries or APIs for commands
  • Providing whitelists or other mechanisms for input validation

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • CLI execution attacks detected: The number of true positive malicious CLI executions detected using Splunk software

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.