
SPL

The document outlines various security alerts and detection rules related to suspicious activities, including threat intelligence, internal scanning, and unauthorized account changes. It emphasizes monitoring for specific patterns that indicate potential security breaches, such as abnormal DNS queries and unauthorized access attempts. The document serves as a guideline for identifying and responding to potential threats within an organization's infrastructure.

Rule: Threat Activity Detected
Severity: High | Count: 406 | Time range: -13h
Description: Alerts when any activity matching threat intelligence is detected.
Search 1 (cut off at the start in the source):
  …"src", "dest", "src_user", "user", "file_hash", "http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",null(),threat_match_value)
  | search threat_key=*TruSTAR* OR threat_key=*idefense* OR threat_key="*acti*"
Search 2 (cut off at the start in the source):
  …"http_user_agent", "url", "file_name", "process", "service") OR threat_match_field LIKE "certificate_%" OR threat_match_field LIKE "registry_%",null(),threat_match_value)
  | search (threat_key=*TruSTAR* OR threat_key=*idefense* OR threat_key="*acti*") NOT (threat_match_field=src AND threat_collection=ip_intel)

Rule: SIEM-CNC-T1568-Detect_Host_Connecting_To_Dynamic_DNS
Severity: High | Count: 115 | Time range: -24h to -65m@m
Description: …resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks and block lists, as well as to frustrate a network defender's analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.
Search (cut off at the start in the source):
  …e allow_old_summaries=true count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query DNS.src
  | `drop_dm_object_name("DNS")`
  | `security_content_ctime(firstTime)`
  | `dynamic_dns_providers`
  | `detect_hosts_connecting_to_dynamic_domain_providers_filter`

Rule: MON-MIS-01-Expected Host Not Reporting
Severity: High | Count: 104 | Time range: -60h@h
Description: Looks for missing hosts that should have reported in. Uses lookups to exclude hosts that may still be listed but should be decommissioned. Expected Reporting Time: 24 hours.
Search (cut off at the start in the source):
  …s count by BackUpHost
  | eventstats count as CountByStatus by BackUpHost, host_status
  | search (host_status="Not Reporting" AND count=1) OR (host_status="Not Reporting" AND count>1 AND CountByStatus>1)
  | table HostName delay lastSeen Priority ReportingTimeTrend host_status

Rule: SIEM-DE-T1036-03-Impossible_Travel_Activity_Detected
Severity: Medium | Count: 59 | Time range: -15m@m to -15m@m
Description: Notable will trigger when the signature "Impossible travel activity" is detected in Azure logs.
Search 1 (cut off at the start in the source):
  ….accountName) as AccountName values(url) as Url values(signature) as signature count by userStates{}.userPrincipalName
  | rename userStates{}.userPrincipalName as UserID
  | table _time Sourcetype Category UserID signature DestinationServiceName Description DomainName AccountName Url
Search 2 (cut off at the start in the source):
  …tes{}.destinationServiceName) as app values(description) as description values(userStates{}.domainName) as dest_nt_domain values(userStates{}.accountName) as user_name values(url) as url values(signature) as signature count by userStates{}.userPrincipalName
  | rename userStates{}.userPrincipalName as user

Rule: SIEM-Defender_Sensitive_Credential_Memory_Read_Detected
Severity: Low | Count: 59 | Time range: -15m@m to -15m@m
Description: Notable will trigger when the signature "Sensitive credential memory read" activity is detected in Defender logs.
Search 1 (cut off at the start in the source):
  …ovider) as Vendor values(url) as Url values(status) as status count by hostStates{}.fqdn
  | rename hostStates{}.fqdn as Host
  | dedup Destination
  | table _time Sourcetype Category Host signature status Destination Description Private_Address Public_Address Product Vendor Url
Search 2 (cut off at the start in the source):
  …me) as lastTime values(sourcetype) as sourcetype values(category) as category values(description) as description values(signature) as signature values(hostStates{}.privateIpAddress) as dest_ip values(hostStates{}.publicIpAddress) as dest_public_ip values(product) as vendor_product values(url) as url count by dest

Rule: SIEM-Defender_LSASS_Process_Memory_Modified_Detected
Severity: Low | Count: 18 | Time range: -15m@m to -15m@m
Description: Notable will trigger when the signature "LSASS process memory modified" is detected in Defender logs.
Search 1 (cut off at the start in the source):
  …Product values(vendorInformation.provider) as Vendor values(url) as Url count by hostStates{}.fqdn
  | rename hostStates{}.fqdn as Host
  | dedup Destination
  | table _time Sourcetype Category Host signature Destination Description Private_Address Public_Address Product Vendor Url
Search 2 (cut off at the start in the source):
  …values(description) as description values(signature) as signature values(hostStates{}.privateIpAddress) as dest_ip values(hostStates{}.publicIpAddress) as dest_public_ip values(product) as vendor_product values(src_user) AS user values(url) as url values(file_name) AS file_name values(file_path) AS file_path count by dest

Rule: SIEM-DE-T1078-01-Detect New Local Admin account
Severity: High | Count: 13 | Time range: -1h to -65m@m
Description: This use case is built to look for accounts that have been elevated to local administrators.
Search 1 (cut off at the start in the source):
  …Group_Name=Administrators NOT Account_Name=*$
  | rex field=member_id "^\w+\W(?<Admin_Account>\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?<Target_Account>.*\S)"
  | stats values(ComputerName) as ComputerName count by Admin_Account Target_Account Group_Name
Search 2 (cut off at the start in the source):
  …mber_id "^\w+\W(?<Admin_Account>\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?<Target_Account>.*\S)"
  | stats values(dest) as dest count by Admin_Account Target_Account Group_Name
  | rename Admin_Account AS src_user Target_Account AS user Group_Name AS user_group

Rule: SIEM-DIS-T1046-03-03-Internal Scanning Multiple DestIPs & DestPorts
Severity: Low | Count: 12 | Time range: -6h
Description: This indicates that an internal Corteva source is scanning multiple internal destination IPs on multiple destination ports. Internal port scan, to identify reconnaissance/scanning from an internal application/user.
Search (cut off at the start in the source):
  …rt." - ".max_port
  | `drop_dm_object_name(All_Traffic)`
  | dedup src_ip
  | lookup dnslookup.csv clientip as src_ip OUTPUT clienthost as host
  | search NOT (host="*proxy*" OR host="*dc*")
  | search NOT [| inputlookup Scanner_IP_List.csv | rename Qualys_IP as src_ip | fields src_ip]

Rule: SIEM-DIS-T1201-Rogue_DHCP_Server_Detected
Severity: Low | Count: 9 | Time range: -24h to -65m@m
Description: …user to manually assign IP addresses to all network devices. In the absence of a DHCP server, a computer or other device on the network needs to be manually assigned an IP address, or to assign itself an APIPA address, the latter of which will not enable it to communicate outside its local subnet.
Search 1 (cut off at the start in the source):
  …Scanner_IP_List.csv | fields Qualys_IP | rename Qualys_IP as Src_IP] OR [| inputlookup Scanner_IP_List.csv | fields Qualys_IP | rename Qualys_IP as Dest_IP])
  | search NOT ([| inputlookup DHCP_server.csv | fields Dest_IP])
  | table _time, Src_IP, Src_Port, Dest_IP, Dest_Port, Action, Rule count
  | dedup Dest_IP
Search 2 (cut off at the start in the source):
  …P ] OR [| inputlookup Scanner_IP_List.csv | fields Tenable_IP ])
  | search NOT ( [| inputlookup DHCP_server.csv | fields Dest_IP | rename Dest_IP AS dest_ip])
  | stats values(dest_port) as dest_port values(src_ip) as src_ip values(action) as action values(rule) as rule count by dest_ip

Rule: SIEM-CA-T1586:Multiple_Account_Password_Change_In_Short_Time_By_Single_User
Severity: Low | Count: 8 | Time range: -12h to -25m@m
Description: Detect multiple account password changes done by a single user in a short period of time.
Search 1 (cut off at the start in the source):
  …me) as Computer_Name count by Date,src_user
  | where TargetAccountCount>4
  | rename src_user as User_Name user as TargetAccount
  | table Date, Domain_Name, Computer_Name, User_Name,TargetAccount EventID, Message, Action, TargetAccountCount
  | sort - TargetAccountCount
Search 2 (cut off at the start in the source):
  …NOT src_user IN (*$*,mccloskeycjt0,DISOPS10-T0)
  | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
  | search NOT ([| inputlookup serviceAccounts.csv | fields account | rename account as src_user])
  | `mvtruncate(user)`
  | `mvtruncate(dest)`

Rule: SIEM-EXE-T1057-01-Hack Tool Detection by EDR
Severity: High | Count: 8 | Time range: -24h to -65m@m
Description: Alerts when any hacktool is detected on the endpoint by EDR/antivirus.
Search 1 (cut off at the start in the source):
  …| rename Malware_Attacks.dest as Machine_Name
  | search NOT [| inputlookup Personal_Laptop.csv | fields Devicename | rename Devicename as Machine_Name]
  | table _time, Vendor_Product, Category , Signature, File_Name, Machine_Name,User, Action, count
  | sort - count
Search 2 (cut off at the start in the source):
  …e_Attacks where (Malware_Attacks.signature=*Htool* OR Malware_Attacks.signature=*Hack*) by Malware_Attacks.dest
  | `drop_dm_object_name(Malware_Attacks)`
  | search NOT [| inputlookup Personal_Laptop.csv | fields Devicename | rename Devicename as dest]

Rule: SIEM-DE-T1548-Short_Lived_Account_Detected
Severity: Low | Count: 8 | Time range: -24h
Description: This rule triggers when a new user account is created and deleted within 24 hours.
Search (cut off at the start in the source; the original renamed src_user to "Usename", which the table clause could not reference, so the rename is corrected to Username here):
  …inputlookup serviceAccounts.csv| fields account | rename account as user] OR [| inputlookup serviceAccounts.csv| fields account | rename account as src_user])
  | rename src_user as Username user as TargetUser
  | table firstTime lastTime Username TargetUser Action Action_count result_id

Rule: SIEM-IA-T1566-Spike_In_Password_Reset_Emails
Severity: Medium | Count: 7 | Time range: -30d to -30d
Description: Sending password reset emails is a common phishing technique. Protect your users by identifying spikes in the number of suspicious emails entering your environment.
Search 1 (cut off at the start in the source):
  …All_Email.src_user
  | eval lowerBound=(avg-stdev*3), upperBound=(avg+stdev*2)
  | eval isOutlier=if(('count' > upperBound) AND num_data_samples>=7, 1, 0)
  | search isOutlier=1 count>15
  | rename All_Email.src_user as "source user"
  | eval avg=round(avg,0)
  | table Detect_Type "source user" count avg
Search 2 (cut off at the start in the source):
  …ype" All_Email.src_user
  | eval lowerBound=(avg-stdev*3), upperBound=(avg+stdev*2)
  | eval isOutlier=if(('count' > upperBound) AND num_data_samples>=7, 1, 0)
  | search isOutlier=1 count>15
  | rename All_Email.src_user as src_user
  | eval avg=round(avg,0)
  | table Detect_Type src_user count avg subject

Rule: SIEM-Defender_Possible_Keylogging_Activity_Detected
Severity: Low | Count: 6 | Time range: -15m@m to -15m@m
Description: Notable will trigger when the signature "Possible keylogging activity" is detected in Defender logs.
Search 1 (cut off at the start in the source):
  …Product values(url) as Url values(vendorInformation.provider) as Vendor count by hostStates{}.fqdn
  | rename hostStates{}.fqdn as Host
  | dedup Destination
  | table _time Sourcetype Category Host signature Destination Description Private_Address Public_Address Product Vendor Url
Search 2 (cut off at the start in the source):
  …values(description) as description values(signature) as signature values(hostStates{}.privateIpAddress) as dest_ip values(hostStates{}.publicIpAddress) as dest_public_ip values(product) as vendor_product values(src_user) AS user values(url) as url values(file_name) AS file_name values(file_path) AS file_path count by dest

Rule: SIEM_Activity_Detected_Of_Stolen_Device_Azure
Severity: Medium | Count: 6 | Time range: -12h to -65m@m
Description: This use case will trigger if any sign-in is observed in the logs from a stolen machine.
Search 1 (cut off at the start in the source):
  …as src_city, values(location.geoCoordinates.longitude) as src_long, values(location.geoCoordinates.latitude) as src_lat by _time deviceDetail.displayName
  | search ([| inputlookup StolenDevices.csv| fields Device | rename Device as deviceDetail.displayName])
  | rename deviceDetail.displayName as WorkstationName
Search 2 (cut off at the start in the source):
  …de) as src_longitude, values(location.geoCoordinates.latitude) as src_latitude values(src_ip) as src_ip by _time deviceDetail.displayName
  | search ([| inputlookup StolenDevices.csv| fields Device | rename Device as deviceDetail.displayName])
  | rename deviceDetail.displayName as dest

Rule: SIEM-EXE-T1204-02-Host With Multiple Infections_New
Severity: Remove | Count: 6 | Time range: -24h
Description: Viruses happen, but multiple viruses at once are a greater concern, as it could indicate an exploit kit that tries several techniques where some might succeed, or just a host with multiple unrelated viruses. Those hosts should be prioritized and investigated.
Search (cut off at the start in the source):
  …ame(Malware_Attacks)`
  | transaction maxpause=1h dest
  | where eventcount >=3 AND duration>240
  | search dc_file_name >1
  | search NOT([| inputlookup Personal_Laptop.csv| fields Devicename| rename Devicename as dest])
  | search dest!=usjhas045.phibred.com AND file_name!=hpbsm*

Rule: SIEM_Azure_Security_Center_Alert
Source: SIEM MS365 Defender
Severity: Medium | Count: 6 | Time range: -24h to -15m@m
Description: This use case is to detect a successful brute force attack (Azure Security Centre alert).
Search 1 (cut off at the start in the source):
  …userStates{}.accountName values(CustomProperties) as CustomProperties , values(description) as description values( vendorInformation.provider) as vendorInformation.provider values(category) as category by _time
  | table title, dest, userStates{}.accountName, CustomProperties, description, vendorInformation.provider, category
Search 2 (cut off at the start in the source):
  …scription) as description values(userStates{}.domainName) as dest_nt_domain values(userStates{}.accountName) as user_name values(url) as url values(signature) as signature count by userStates{}.userPrincipalName
  | convert ctime(lastTime)
  | rename userStates{}.userPrincipalName as user

Rule: SIEM-CNC-T1090-Web Browsing_To_Unauthorized Sites
Severity: High | Count: 3 | Time range: -24h to -65m@m
Description: …persistently violating acceptable use policies are risky in a number of different ways. In widespread scenarios, it may indicate a workplace problem that needs to be remediated. Regardless, things are blocked in the proxy for good reason -- violations of those rules should be tracked.
Search 1 (cut off at the start in the source):
  …values(Path) as Path values(Action) as Action values(Host) as Hostname count by Web.user
  | convert ctime(time)
  | eval repeat_count=mvcount(time)
  | search repeat_count > 4
  | rename Web.user as User
  | table Apps Sourcetype User Hostname destination Category repeat_count Action Path
Search 2 (cut off at the start in the source):
  …ame(Web)`
  | where count>100
  | stats sum(count) AS count values(_time) AS _time values(app) AS app values(sourcetype) AS sourcetype values(dest) AS dest values(src) AS src values(src_ip) AS src_ip values(uri_path) AS uri_path values(category) AS category values(action) AS action by user

Rule: SIEM_Multiple_Signatures_Detected_on_Single_Account_Azure
Severity: Low | Count: 3 | Time range: -12h to -9h
Description: This use case will detect if multiple signatures get triggered for a single user in a particular time span. It will help us detect compromised accounts.
Search 1 (cut off at the start in the source):
  …Signature_Count values(signature) as signature count by userStates{}.userPrincipalName
  | where Signature_Count>3
  | rename userStates{}.userPrincipalName as UserID
  | table _time Sourcetype Category UserID signature Signature_Count DestinationServiceName Description DomainName AccountName Url
Search 2 (cut off at the start in the source):
  …dest_nt_domain values(userStates{}.accountName) as user_name values(dest) as dest values(url) as url values(signature) as signature DC(signature) as signature_count count by userStates{}.userPrincipalName
  | where signature_count>3
  | rename userStates{}.userPrincipalName as user

Rule: SIEM-MCAS_Alert_Mass_Delete_Detected
Severity: Medium | Count: 2 | Time range: -15m@m to -15m@m
Description: Notable will trigger when the signature "Mass-Delete" is detected in Azure logs.
Search 1 (cut off at the start in the source):
  ….accountName) as AccountName values(url) as Url values(signature) as signature count by userStates{}.userPrincipalName
  | rename userStates{}.userPrincipalName as UserID
  | table _time Sourcetype Category UserID signature DestinationServiceName Description DomainName AccountName Url
Search 2 (cut off at the start in the source):
  …tes{}.destinationServiceName) as app values(description) as description values(userStates{}.domainName) as dest_nt_domain values(userStates{}.accountName) as user_name values(url) as url values(signature) as signature count by userStates{}.userPrincipalName
  | rename userStates{}.userPrincipalName as user

Rule: SIEM-T1098-AM:Multiple_Account_Deletion_By_Single_User
Severity: Low | Count: 2 | Time range: -4h to -245m@m
Description: Detect multiple accounts being deleted by a single user in a short span of time.
Search 1 (cut off at the start in the source):
  …user=*$*)
  | search NOT ([| inputlookup serviceAccounts.csv| fields account | rename account as user] OR [| inputlookup serviceAccounts.csv| fields account | rename account as src_user])
  | search NOT src_user IN(mccloskeycjt0,DISOPS10-T0)
  | rename src_user as Username user as TargetUser
Search 2 (cut off at the start in the source):
  …| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
  | search NOT ( [| inputlookup serviceAccounts.csv | fields account | rename account as src_user])
  | `mvtruncate(user)`
  | `mvtruncate(dest)`

Rule: SIEM-CA-T1110-Suspicious_Failed_Logon_Reasons
Severity: Low | Count: 1 | Time range: -3h
Description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Search (cut off at the start in the source):
  …Policy Silo violation", Error_Code=="0xC0000193", "Account logon with expired account")
  | fillnull value=NULL
  | table _time,Domain_Name, Computer_Name, IP_Address,destIP User_Name, Error_Code, Error_Code_Description, EventCode, LogonType, Message, count
  | sort - count

Rule: SIEM-LM-T1021-Failed_Remote_Desktop_Connection Attempt
Severity: medium | Count: 1 | Time range: -12h to -65m@m
Description: This rule triggers when it detects failed RDP connection attempts, which could be the result of a bad password, an invalid username, or any number of other suspicious reasons.
Search 1 (cut off at the start in the source):
  …_ID values(src_ip) as Source_IP values(Account_Name) as Account_Name values(dest_ip) as Destination_IP count by _time Date, user, Failure_Reason, host
  | sort - Date
  | rename count as Failed_Attempts user as Username host as Hostname
  | where Failed_Attempts>5
  | sort - Failed_Attempts
Search 2 (cut off at the start in the source):
  …Logon_Type=10 EventCode=4625
  | stats values(sourcetype) as sourcetype values(app) as app values(signature) as signature values(signature_id) as signature_id values(src_ip) as src_ip values(Failure_Reason) as reason values(user) AS user values(dest) AS dest count by src
  | where count>5

Rule: SIEM-EXE-T1048-Users_With_Suspicious_Email_Attachment_VIP
Severity: high | Count: 1 | Time range: -24h to -65m@m
Description: This search will look for emails that have attachments with suspicious file extensions; we will be configuring this use case for VIP users only.
Search 1 (cut off at the start in the source):
  …All_Email.src_user, All_Email.file_name All_Email.message_id
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `drop_dm_object_name("All_Email")`
  | search [| inputlookup VIP_Users_list.csv | fields src_user]
  | `suspicious_email_attachments`
  | `suspicious_email_attachment_extensions_filter`
Search 2 (cut off at the start in the source):
  …| `suspicious_email_attachment_extensions_filter`
  | rex field=recipient max_match=10 "<(?<new_recipient>[^>]*)"
  | eval recipient=if(isnull(new_recipient),recipient,new_recipient)
  | fields - new_recipient
  | search [| inputlookup VIP_Users_list.csv | fields src_user | rename src_user AS recipient]

Rule: SIEM-IA-T1566-Emails_with_Lookalike_Domains
Severity: Medium | Count: 0 | Time range: -14h
Description: This rule triggers when it detects email from a domain name that is similar to your own organization's, which is a common phishing technique, such as corteva.com receiving an email from cortiva.com. This search will detect those similar domains.
Search (cut off at the start in the source):
  …n
  | rename orig_domain as top_level_domain_in_incoming_email word1 as domain_names_analyzed word2 as company_domains_used count as num_occurrences ut_levenshtein as Levenshtein_Similarity_Score
  | search NOT top_level_domain_in_incoming_email IN (accenture.com,"phibred.com]","corteva.com]")

Rule: SIEM-PE-T1078-Failed_Authentication_to_Non-existing_Accounts
Severity: Low | Count: 0 | Time range: -12h to -65m@m
Description: This rule triggers when it detects failed logon attempts to accounts that do not exist.
Search 1 (cut off at the start in the source):
  …nature_id) as Signature_ID values(src_ip) as Src values(dest_ip) as destIP values(Workstation_Name) as ComputerName values(Logon_Type) as LogonType count by Date, user, host
  | search NOT (user=*$)
  | rename count as Failed_Attempts
  | where Failed_Attempts>150
  | sort - Failed_Attempts
  | dedup user
Search 2 (cut off at the start in the source):
  …sourcetype values(app) as app,values(signature) as signature values(signature_id) as signature_id values(src_ip) as src_ip values(dest_ip) as dest_ip values(dest) as dest values(Logon_Type) as LogonType values(user) AS user dc(user) AS user_count count by src
  | where user_count>=5

Rule: SIEM-PE-T1078-Failed_Authentication_to_Non-existing_Accounts_SOX
Severity: Low | Count: 0 | Time range: -12h to -65m@m
Description: This rule triggers when it detects failed logon attempts to accounts that do not exist.
Search 1 (cut off at the start in the source):
  …values(dest_ip) as destIP values(Workstation_Name) as ComputerName values(Logon_Type) as LogonType count by Date, user, host
  | lookup sox.csv Host as ComputerName OUTPUT Type
  | search Type=*
  | rename count as Failed_Attempts
  | where Failed_Attempts>150
  | sort - Failed_Attempts
  | dedup user
Search 2 (cut off at the start in the source):
  …sourcetype values(app) as app,values(signature) as signature values(signature_id) as signature_id values(src_ip) as src_ip values(dest_ip) as dest_ip values(dest) as dest values(Logon_Type) as LogonType values(user) AS user dc(user) AS user_count count by src
  | where user_count>=5

Rule: SIEM-CA-01-T1586:Multiple_Account_Password_Change_In_Short_Time_By_Admin
Severity: Low | Count: 0 | Time range: -12h
Description: Detect multiple account password changes done by a single admin account in a short period of time.
Search (cut off at the start in the source):
  …mputerName) as Computer_Name count by Date src_user
  | where TargetAccountCount>10
  | rename src_user as User_Name user as TargetAccount
  | table Date, Domain_Name, Computer_Name, User_Name,TargetAccount EventID, Message, Action, TargetAccountCount
  | sort - TargetAccountCount

Rule: SIEM-CA-T1110-Unauthorized_Access_Attempts_Detected_Sox
Severity: Low | Count: 0 | Time range: -24h to -65m@m
Description: Most login failures are due to failed passwords. Login failures to sensitive systems where the users simply aren't authorized, though, can indicate malicious intent. This use case would detect unauthorized access attempts for the SOX devices only.
Search 1 (cut off at the start in the source):
  …action, count by _time, user,ComputerName
  | where count>1
  | search user!="*$"
  | rename user as User_Name, ComputerName as Computer_Name
  | table _time,Domain_Name, Computer_Name, IP_Address,destIP User_Name, Error_Code, EventCode, LogonType, Message, count
Search 2 (cut off at the start in the source):
  …values(Error_Code) as Error_Code,values(EventCode) as signature_id, values(Logon_Type) as LogonType,values(dest_ip) as dest_ip values(signature) as signature, values(action) as action, count by user,dest
  | `get_asset(dest)` ```uses ES asset enrichment to lookup the asset```
  | where dest_category=sox

Rule: SIEM-CA-T1110-Suspicious_Failed_Logon_Reasons_SOX
Severity: Low | Count: 0 | Time range: -3h
Description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Search (cut off at the start in the source):
  …| lookup sox.csv Host as Computer_Name OUTPUT Type
  | search Type=*
  | fillnull value=NULL
  | table _time,Domain_Name, Computer_Name,Type, IP_Address,destIP User_Name, Error_Code, Error_Code_Description, EventCode, LogonType, Message, count
  | sort - count

Rule: SIEM-CA-T1110-Windows_Bruteforce_Login
Severity: Low | Count: 0 | Time range: -2h
Description: This method uses a simple threshold for Windows Security Logs to alert if there are a large number of failed logins, and at least one successful login from the same source.
Search (cut off at the start in the source):
  …unt(eval(action=="success")) as Success by user, _time
  | where Success>0 AND Failure>10
  | rename user as Username
  | transaction maxspan=15m user _time
  | fillnull value=NULL
  | table Username, Source_IP,Signature, Signature_ID, dest_ip, Failure, Success
  | sort - _time

Rule: SIEM-CA-T1110-Windows_Bruteforce_Login_SOX
Severity: Low | Count: 0 | Time range: -2h
Description: This method uses a simple threshold for Windows Security Logs to alert if there are a large number of failed logins, and at least one successful login from the same source.
Search (cut off at the start in the source):
  …AND Failure>Success
  | lookup sox.csv Host as Source_IP OUTPUT Type
  | search Type=*
  | rename user as Username
  | transaction maxspan=15m user _time
  | fillnull value=NULL
  | table Username, Source_IP,Signature, Signature_ID, Failure,Type, Success
  | sort - _time

Rule: SIEM-CA-T1110-Zscaler_Bruteforce_Login_Detected
Severity: Remove | Count: 0 | Time range: -24h
Description: This method uses a simple threshold for ZPA logs to alert if there are a large number of failed logins, and at least one successful login from the same source in a particular defined time span.
Search (cut off at the start in the source):
  …status values(Hostname) as Hostname count(eval(SessionStatus="ZPN_STATUS_AUTHENTICATED")) as successes count(eval(SessionStatus="ZPN_STATUS_AUTH_FAILED")) as failures by PublicIP Username
  | where successes>0 AND failures>100
  | table Sourcetype ClientType PublicIP Username Hostname successes failures

Rule: SIEM-CA-T1110-Zscaler_Bruteforce_Login_Detected_SOX
Severity: Remove | Count: 0 | Time range: -24h
Description: This method uses a simple threshold for ZPA logs to alert if there are a large number of failed logins, and at least one successful login from the same source in a particular defined time span.
Search (cut off at the start in the source):
  …S_AUTHENTICATED")) as successes count(eval(SessionStatus="ZPN_STATUS_AUTH_FAILED")) as failures by PublicIP Username
  | where successes>0 AND failures>100
  | lookup sox.csv Host as Hostname OutputNEW Type
  | search Type=*
  | table Sourcetype ClientType PublicIP Username Hostname Type successes failures

Rule: SIEM-CA-T1586:Multiple_Account_Password_Change_In_Short_Time_By_Single_User_SOX
Severity: Low | Count: 0 | Time range: -12h
Description: Detect multiple account password changes done by a single user in a short period of time.
Search (cut off at the start in the source):
  …t>4
  | lookup sox.csv Host as Computer_Name OUTPUT Type
  | search Type=*
  | rename src_user as User_Name user as TargetAccount
  | table Date, Domain_Name, Computer_Name, User_Name,TargetAccount EventID, Message, Action, TargetAccountCount
  | sort - TargetAccountCount

Rule: SIEM-DE-T1078-01-Detect New Local Admin account_SOX
Severity: High | Count: 0 | Time range: -1h to -65m@m
Description: This use case is built to look for accounts that have been elevated to local administrators.
Search 1 (cut off at the start in the source):
  …W(?<Admin_Account>\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?<Target_Account>.*\S)"
  | stats values(ComputerName) as ComputerName count by Admin_Account Target_Account Group_Name
  | lookup sox.csv Host as ComputerName OUTPUT Type
  | search Type=*
Search 2 (cut off at the start in the source):
  …s\w*|\w*)(\s\w+\W|\s)(?<Target_Account>.*\S)"
  | stats values(dest) as dest count by Admin_Account Target_Account Group_Name
  | rename Admin_Account AS src_user Target_Account AS user Group_Name AS user_group
  | lookup sox_host_lookup Host AS dest OUTPUT Type
  | search Type=*

Rule: SIEM-MCAS_Alert_Mass_Share_Detected
Severity: Medium | Count: 0 | Time range: -15m@m to -15m@m
Description: Notable will trigger when the signature "Mass Share" is detected in Azure logs.
Search 1 (cut off at the start in the source):
  ….accountName) as AccountName values(url) as Url values(signature) as signature count by userStates{}.userPrincipalName
  | rename userStates{}.userPrincipalName as UserID
  | table _time Sourcetype Category UserID signature DestinationServiceName Description DomainName AccountName Url
Search 2 (cut off at the start in the source):
  …tes{}.destinationServiceName) as app values(description) as description values(userStates{}.domainName) as dest_nt_domain values(userStates{}.accountName) as user_name values(url) as url values(signature) as signature count by userStates{}.userPrincipalName
  | rename userStates{}.userPrincipalName as user

Rule: SIEM-PE-T1078-Windows_Insecure_Or_Cleartext_Authentication_Detected
Severity: Low / possibly remove | Count: 0 | Time range: -24h to -65m@m
Description: This rule triggers when it detects insecure or cleartext authentication on a Windows machine.
Search 1 (cut off at the start in the source):
  …values(src_ip) as Src values(dest_ip) as destIP values(action) as Action count by src_nt_host, ComputerName
  | where count>=0
  | bin _time span=1m
  | rename src_nt_host as User_Name
  | table _time, Domain_Name, ComputerName, User_Name, EventCode, Message, Action, count
  | sort - count
Search 2 (cut off at the start in the source):
  …omain values(EventCode) as signature_id values(Logon_Type) as Logon_Type values(signature) as signature values(dest) as dest values(src_ip) as src_ip values(dest_ip) as dest_ip values(action) as action values(user) AS user values(process) AS process count by src, ComputerName
  | where count>=0

Rule: SIEM-PE-T1078-Windows_Insecure_Or_Cleartext_Authentication_Detected_SOX
Severity: Low / possibly remove | Count: 0 | Time range: -24h to -65m@m
Description: This rule triggers when it detects insecure or cleartext authentication on a Windows machine.
Search 1 (cut off at the start in the source):
  …src_nt_host, ComputerName
  | where count>=0
  | bin _time span=1m
  | rename src_nt_host as User_Name
  | lookup sox.csv Host as ComputerName OUTPUT Type
  | table _time, Domain_Name, ComputerName, Type, User_Name, EventCode, Message, Action, count
  | sort - count
Search 2 (cut off at the start in the source):
  …pe values(signature) as signature values(dest) as dest values(src_ip) as src_ip values(dest_ip) as dest_ip values(action) as action values(user) AS user values(process) AS process count by src, ComputerName
  | where count>=0
  | lookup sox_host_lookup Host as ComputerName OUTPUT Type
  | search Type=*

Rule: SIEM-T1098-AM:Multiple_Account_Deletion_By_Admin
Severity: Low | Count: 0 | Time range: -4h
Description: Detect multiple accounts being deleted by a single user in a short span of time.
Search (cut off at the start in the source; a comma missing between usd155 and xg1304 in the IN() list is restored here):
  …counts.csv| fields account | rename account as src_user])
  | search src_user IN(mmk594, kg5871, fuq479, ng0075, usd155, xg1304, ll8748, lk9554, mj7225, yh8776, jy2498, qym619, xfs236,gzl858t0, xfs236t0, qel326t0, qel326,wos461, nln369, igx526)
  | rename src_user as Username user as TargetUser

Rule: SIEM-T1098-AM:Multiple_Account_Deletion_By_Single_User_SOX
Severity: Low | Count: 0 | Time range: -4h to -65m@m
Description: Detect multiple accounts being deleted by a single user in a short span of time.
Search 1 (cut off at the start in the source):
  …src) as "Source_IP",values(dest) as "Destination" values(user) as user ,count by "src_user"
  | where count>3
  | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
  | lookup sox.csv Host as Destination OutputNEW Type
  | search Type=*
  | rename src_user as Username user as TargetUser
Search 2 (cut off at the start in the source):
  …",values(sourcetype) as sourcetype values(result) as "signature",values(src) as "src",values(dest) as "dest" values(user) as user, count by "src_user"
  | where count>3
  | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
  | lookup sox_host_lookup Host as dest OutputNEW Type
  | search Type=*

Rule: SIEM-T1098-AM:Multiple_Account_Disabled_By_Single_Admin
Severity: Low | Count: 0 | Time range: -4h
Description: Detect multiple accounts being disabled by a single user in a short span of time.
Search (cut off at the start in the source; a comma missing between usd155 and xg1304 in the IN() list is restored here):
  …counts.csv| fields account | rename account as src_user])
  | search src_user IN(mmk594, kg5871, fuq479, ng0075, usd155, xg1304, ll8748, lk9554, mj7225, yh8776, jy2498, qym619, xfs236,gzl858t0, xfs236t0, qel326t0, qel326,wos461, nln369, igx526)
  | rename src_user as Username user as TargetUser

Rule: SIEM-T1098-AM:Multiple_Account_Disabled_By_Single_User
Severity: Low | Count: 0 | Time range: -4h
Description: Detect multiple accounts being disabled by a single user in a short span of time.
Search (cut off at the start in the source):
  …user=*$* OR user=*$*)
  | search NOT ([| inputlookup serviceAccounts.csv| fields account | rename account as user] OR [| inputlookup serviceAccounts.csv| fields account | rename account as src_user])
  | search NOT src_user IN(mccloskeycjt0)
  | rename src_user as Username user as TargetUser

Rule: SIEM-T1098-AM:Multiple_Account_Disabled_By_Single_User_SOX
Severity: Low | Count: 0 | Time range: -4h to -65m@m
Description: Detect multiple accounts being disabled by a single user in a short span of time.
Search 1 (cut off at the start in the source):
  …"Source_IP",values(dest) as "Destination" values(user) as user ,count by "src_user"
  | where count>3
  | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
  | lookup sox.csv Host as Destination OutputNEW Type
  | search Type=*
  | rename src_user as Username user as TargetUser
Search 2 (cut off at the start in the source):
  …",values(sourcetype) as sourcetype values(result) as "signature",values(src) as "src",values(dest) as "dest" values(user) as user ,count by "src_user"
  | where count>3
  | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
  | lookup sox_host_lookup Host as dest OutputNEW Type
  | search Type=*

Rule: SIEM-T1105-LM-Write_Executable_In_SMB_Share
Severity: Remove | Count: 0 | Time range: -24h
Description: …to detect suspicious dropping or creating of an executable file in a known sensitive SMB share. This technique is commonly used for lateral movement, like how TrickBot tries to infect other machines in the infected network. This detection catches the access event (FILE WRITE) access to a share
Search (cut off at the start in the source):
  …stats min(_time) as firstTime max(_time) as lastTime count by EventCode ComputerName Share_Name Relative_Target_Name Object_Type Access_Mask user src_port Source_Address
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `write_executable_in_smb_share_filter`

Use case: SIEM-T1543-PE-Unauthorized_data_modification_Cyberark
Severity: TBD | Count: 0 | Time: -24h
Description: This use case will trigger if the CyberArk dbparm.ini or TSparm.ini file is modified.
Search:
index=cyberark file_name IN(*Dbparm.ini*,*TSParm.ini*)| stats values(host) as host values(object_category) as category values(Safe_Name) as Safe_Name values(action) as action values(file_name) as file_name values(act) as action1 count by user _time
Use case: SIEM_AIP_Repetitive_Blocking_Activity_Detected
Severity: Medium | Count: 0 | Time: -1h, -15m@m
Description: The use case logic detects repetitive blocking activity from Power BI using MCAS logs. The logic of this use case matches on the signature="AIP - Power BI Repetitive Blocking Activity".
Search, first column (cell truncated at its start in the export):
… ame) as DomainName values(userStates{}.accountName) as AccountName values(url) as Url count by userStates{}.userPrincipalName | rename userStates{}.userPrincipalName as UserID | table _time Sourcetype Category UserID DestinationServiceName Description DomainName AccountName Url
Search, second column (cell truncated at its start in the export):
… nationServiceName) as app values(description) as description values(userStates{}.domainName) as dest_nt_domain values(userStates{}.accountName) as user_name values(url) as url values(signature) as signature count by userStates{}.userPrincipalName | rename userStates{}.userPrincipalName as user
Use case: SIEM_Activity_Detected_Of_Stolen_Device_Bluecoat
Severity: Medium | Count: 0 | Time: -12h
Description: This use case will trigger if any activity of a stolen device listed in the lookup file "stolendevices.csv" is seen in proxy logs.
Search (cell truncated at its start in the export):
… Path values(Web.action) as Action values(Web.category) as category from datamodel=Web where nodename=Web.Proxy by Web.c_host _time |search ([| inputlookup StolenDevices.csv| fields Device]) | rename Device as Web.c_host| table _time sourcetype Web.c_host category action Path
Use case: SIEM-DE-T1107-01-Windows Event Log Cleared
Severity: High | Count: 0 | Time: -10m@m, -15m@m
Description: Looks for changes to the Windows Audit Policy, or the clearing of the Windows Security Log.
Search, first column (cell truncated at its start in the export):
… IN(4719,1102) Account_Name!="*$" | rex field=Message "(?<message>.*?)\." | rex mode=sed field=message "s/The audit log was cleared/The security audit log was cleared/g" | eval date=strftime(_time, "%F - %T") | table date host EventCode Security_ID message
Search, second column (cell truncated at its start in the export):
… | stats values(signature) AS signature values(user) AS user count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`
Use case: SIEM-DE-T1107-01-Windows Event Log Cleared_SOX
Severity: High | Count: 0 | Time: -10m@m, 15m@m
Description: Looks for changes to the Windows Audit Policy, or the clearing of the Windows Security Log.
Search, first column (cell truncated at its start in the export):
… | rex mode=sed field=message "s/The audit log was cleared/The security audit log was cleared/g" | eval date=strftime(_time, "%F - %T") |lookup sox.csv Host as host OUTPUT Type | search Type=* | table date host Type EventCode Security_ID message
Search, second column (cell truncated at its start in the export):
… ="*$" dest_category=sox | stats values(signature) AS signature values(user) AS user count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`
Use case: MON-MIS-01-Expected Host Not Reporting_SOX
Severity: High | Count: 0 | Time: -60h@h
Description: Looks for missing hosts that should have reported in. Uses lookups to exclude hosts that may still be listed but should be decommissioned. Expected Reporting Time: 24 hours.
Search:
| tstats latest(_time) as lastSeen where host=* index!=main by host |eval delay=round((now() - lastSeen)/60/60,2) |eval lastSeen=strftime(lastSeen, "%Y/%m/%d %H:%M:%S") | search delay>360 |lookup sox.csv Host OUTPUT Type
Use case: SIEM-EXE-T1048-Sources_Sending_High_Volume_Of_DNS_Traffic
Severity: Remove | Count: 0 | Time: -24h
Description: This use case will detect sources sending a high volume of DNS traffic. A common method of data exfiltration is to send out a huge volume (in bytes) of DNS or ping requests, embedding data into the payload. This is often not logged.
Search (cell truncated at its start in the export):
… "@h") | eval num_standard_deviations_away_from_org_average = round(abs(bytes_out-avg_bytes_out) / stdev_bytes_out,2), num_standard_deviations_away_from_per_source_average=round(abs(bytes_out-per_source_avg_bytes_out) / per_source_stdev_bytes_out,2) | fields - maxtime per_source* avg* stdev*
Use case: SIEM-EXE-T1048-Sources_Sending_Many_DNS_Requests
Severity: Medium | Count: 0 | Time: -24h
Description: This use case will detect sources sending many DNS requests.
Search (cell truncated at its start in the export):
… relative_time(maxtime, "@h") | eval num_standard_deviations_away_from_org_average = round(abs(count - avg_count) / stdev_count,2), num_standard_deviations_away_from_per_source_average=round(abs(count - per_source_avg_count) / per_source_stdev_count,2)| fields - maxtime per_source* avg* stdev*
Use case: SIEM-EXE-T1057-01-Hack Tool Detection by EDR_SOX
Severity: High | Count: 0 | Time: -24h, -65m@m
Description: Alerts when any hacktool is detected on the endpoint by EDR/antivirus.
Search, first column (cell truncated at its start in the export):
… gnature=*Hack*) by Malware_Attacks.dest, _time |lookup sox.csv Host as Malware_Attacks.dest OUTPUT Type| search Type=* | rename Malware_Attacks.dest as Machine_Name | table _time, Vendor_Product, Category , Signature, File_Name, Machine_Name,Type,User, Action, count| sort - count
Search, second column (cell truncated at its start in the export):
… ature) as signature count from datamodel=Malware.Malware_Attacks where (Malware_Attacks.signature=*Htool* OR Malware_Attacks.signature=*Hack*) by Malware_Attacks.dest | `drop_dm_object_name(Malware_Attacks)` | lookup sox_host_lookup Host as dest OUTPUT Type | search Type=*
Use case: SIEM-EXE-T1204-01-Host With A Recurring Malware Infection_SOX
Severity: Low | Count: 0 | Time: -24h
Description: Alerts when a host has an infection that has been re-infected remove multiple times over multiple days.
Search (cell truncated at its start in the export):
… me(now, "%m/%d/%Y") | eval now = round(strptime('now',"%m/%d/%y"),0)| eval dateadded_epoch = round(strptime('latestdate',"%m-%d-%y"),0)| where day_count>1 AND dateadded_epoch = now |lookup sox.csv Host as dest OUTPUT Type | search Type=* | fields - dateadded_epoch, now,latestdate
Use case: SIEM-EXE-T1204-02-Host With Multiple Infections_SOX
Severity: Low | Count: 0 | Time: -24h
Description: Viruses happen, but multiple viruses at once are a greater concern, as it could indicate an exploit kit that tries several techniques where some might succeed, or just a host with multiple unrelated viruses. Those hosts should be prioritized and investigated.
Search (cell truncated at its start in the export):
… default processes") ) by _time span=1m Malware_Attacks.dest | `drop_dm_object_name(Malware_Attacks)` | transaction maxpause=1h dest | where eventcount >=3 AND duration>240 | search dc_file_name >1 |lookup sox.csv Host as dest OUTPUT Type | search Type=*
Use case: SIEM_Multiple_Signatures_Detected_On Single_Destination_WAF
Severity: Medium | Count: 0 | Time: -6h
Description: This use case will trigger when multiple violation signature rules get triggered for a single destination within a particular time span; the threshold can be adjusted depending on the flow of logs.
Search (cell truncated at its start in the export):
… ) as dest_port values(IDS_Attacks.src) as src from datamodel="Intrusion_Detection" where sourcetype=imperva:waf by "IDS_Attacks.dest" | rename "IDS_Attacks.dest" as "dest" | where 'signature_count'>3 | search NOT (dest_port=80 AND action=blocked) | table dest signature signature_count src dest_port action
Use case: SIEM-CNC-T1090-Detected_P2P_traffic_Proxy
Severity: Medium | Count: 0 | Time: -24h, -65m@m
Description (cell truncated at its start in the export): … by distributed applications (i.e. Gnutella, KaZaa, or Skype, to name a few) that organize the communication among their participants using the peer-to-peer (P2P) communication model, in contrast with the classic client-server model. This search is to detect peer-to-peer traffic using the web gateway.
Search, first column (cell truncated at its start in the export):
… method) as Method values(Web.http_content_type) as Content_Type from datamodel=Web where Web.category="*Peer*" Web.action=allowed by Web.user _time | rename Web.user as User | table _time sourcetype Apps Source_ip Host destination User Action Category Content_Type Method count
Search, second column (cell truncated at its start in the export):
… values(Web.uri_path) as uri_path values(Web.category) as category values(Web.action) as action values(Web.http_method) as http_method values(Web.http_content_type) as http_content_type from datamodel=Web where Web.category="*Peer*" Web.action=allowed by Web.user | rename Web.user as user
Use case: SIEM-CNC-T1090-Web Browsing_To_Unauthorized Sites_SOX
Severity: High | Count: 0 | Time: -24h, -65m@m
Description (cell truncated at its start in the export): … persistently violating acceptable use policies are risky in a number of different ways. • In widespread scenarios, it may indicate a workplace problem that needs to be remediated. Regardless, things are blocked in the proxy for good reason -- violations of those rules should be tracked.
Search, first column (cell truncated at its start in the export):
… Hostname count by Web.user | convert ctime(time) | eval repeat_count=mvcount(time) | search repeat_count > 4 |lookup sox.csv Host as Hostname OUTPUT Type | search Type=* | rename Web.user as User | table Apps Sourcetype User Hostname destination Category repeat_count Action Path
Search, second column (cell truncated at its start in the export):
… Web.action=blocked Web.user!=unknown Web.user!=- Web.app!=not-applicable ([| inputlookup Category.csv | fields "Category" | rename "Category" as Web.category ]) by Web.src | `drop_dm_object_name(Web)` | `get_asset(src)` | where src_category=sox
Use case: SIEM-DE-T1197_BITS_Jobs
Severity: Medium | Count: 0 | Time: -24h, -65m@m
Description: This use case is searching for the application name Microsoft BITS and checking the URL category.
Search, first column (cell truncated at its start in the export):
… values(c_host) as source values(c_ip) AS SourceIP values(action) as Action BY dest | sort - count | search NOT dest IN (edgedl.me.gvt1.com) | table dest DestinationIP SourceIP URL count | rename SourceIP AS "Source IP" DestinationIP AS "Destination IP" dest AS Domain count AS Count
Search, second column (cell truncated at its start in the export):
… http_user_agent="Microsoft BITS/*" NOT dest IN (edgedl.me.gvt1.com) category IN (*hacking*,*suspicious*,*Spam*,*Phishing*,*Malicious*) | stats count values(d_ip) AS dest_ip values(url) AS url values(category) AS category values(c_host) as src values(c_ip) AS src_ip values(action) as action BY dest
Use case: SIEM-IA-T1566-Monitor_Email_For_Brand_Abuse
Severity column: "Similar to lookalike domains" | Count: 0 | Status: UPDATE | Time: -9h, -65m@m
Description: This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.
Search (cell truncated at its start in the export):
… p, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | search NOT email_domain IN(*cortera.com*) | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`
Use case: SIEM-CA-T1110-01-Detected Domain Admin Login Failure
Severity: Low | Count: 0 | Time: -15m@m
Description: Looks for failures by domain users.
Search (cell truncated at its start in the export):
… user!=muellep1| lookup domainAdmins.csv user latest earliest | eval date_added=latest-earliest | where date_added>0 | where count>=3 | stats values(src) as Src values(dest) as Dest values(signature) as Message values(signature_id) as Event_Code values(count) as Failure_Count by user
Use case: SIEM-EXE-T1204-01-Host With A Recurring Malware Infection
Severity: Low | Count: 0 | Time: -24h
Description: Alerts when a host has an infection that has been re-infected remove multiple times over multiple days.
Search (cell truncated at its start in the export):
… | search NOT file_name="_"| eval now = now() | eval now=strftime(now, "%m/%d/%Y") | eval now = round(strptime('now',"%m/%d/%y"),0)| eval dateadded_epoch = round(strptime('latestdate',"%m-%d-%y"),0)| where day_count>1 AND dateadded_epoch = now| fields - dateadded_epoch, now,latestdate
Use case: SIEM- DE-T1070-System_Time_Modificaion_In_Windows_Machine
Severity: Low | Count: 0 | Time: -4h, -65m@m
Description: This rule will detect when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
Search, first column (cell truncated at its start in the export):
… Username values(src_ip) as Source_IP values(Account_Name) as Account_Name values(dest_ip) as Destination_IP values(Date) as Date values(diff) as diff count by ComputerName| rename Account_Name as Source_Account diff as "Hours Between New Time and Actual Time" ComputerName as Hostname
Search, second column (cell truncated at its start in the export):
… urcetype) as sourcetype values(app) as app,values(signature) as signature values(signature_id) as signature_id values(user) as user values(date) as date values(diff) as diff count by ComputerName | rename diff as "Hours Between New Time and Actual Time" ComputerName as dest
Use case: SIEM- DE-T1070-System_Time_Modificaion_In_Windows_Machine_SOX
Severity: Low | Count: 0 | Time: -4h, -65m@m
Description (cell truncated at its start in the export): … detect when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. This includes only devices in the SOX lookup file.
Search, first column (cell truncated at its start in the export):
… values(Account_Name) as Account_Name values(Date) as Date values(diff) as diff count by ComputerName |lookup sox.csv Host as ComputerName OUTPUT Type | search Type=* | rename Account_Name as Source_Account diff as "Hours Between New Time and Actual Time" ComputerName as Hostname
Search, second column (cell truncated at its start in the export):
… values(signature_id) as signature_id values(user) as user values(date) as date values(diff) as diff count by ComputerName | lookup sox_host_lookup Host as ComputerName OUTPUT Type | search Type=* | rename diff as "Hours Between New Time and Actual Time" ComputerName as dest
Use case: SIEM-EXE-T1048-Users_With_Increase_In_Outgoing_Emails
Severity: Medium | Count: 0 | Time: -30d, -30d
Description: Both to detect data exfiltration and compromised accounts, we can analyze users that are sending out dramatically more data than normal. This search looks per source email address for big increases in volume.
Search, first column (cell truncated at its start in the export; the visible tail is an exclusion list of individual @corteva.com mailbox addresses, omitted here):
… [exclusion list of individual @corteva.com addresses] )
Search, second column (cell truncated at its start in the export):
… stdev*20), upperBound=(avg+stdev*20) | eval isOutlier=if(('count' > 30) AND ('count' > upperBound) AND num_data_samples>=7, 1, 0) | where isOutlier=1 |table All_Email.src_user count avg |eval avg=round(avg,0) | `drop_dm_object_name("All_Email")` | search ([| inputlookup VIP_Users_list.csv | fields src_user])
Use case: SIEM- LM-T1021-Failed_Remote_Desktop_Connection_Attempt_SOX
Severity: Low | Count: 0 | Time: -12h, -65m@m
Description: This rule triggers when it detects failed RDP connection attempts, which could be the result of a bad password, an invalid username, or any number of other suspicious reasons.
Search, first column (cell truncated at its start in the export):
… e values(Account_Name) as Account_Name count by _time Date, user, Failure_Reason, host | sort - Date |lookup sox.csv Host as host OUTPUT Type| search Type=* | rename count as Failed_Attempts user as Username host as Hostname | where Failed_Attempts>5| sort - Failed_Attempts
Search, second column (cell truncated at its start in the export):
… values(app) as app values(signature) as signature values(signature_id) as signature_id values(src_ip) as src_ip values(Failure_Reason) AS reason count by date, user, dest | lookup sox_host_lookup Host as dest OUTPUT Type | search Type=* | rename count as Failed_Attempts | where Failed_Attempts>=3
Use case: SIEM-CNC-T1090-Successful_download_of_executables_Bluecoat
Severity: Low | Count: 0 | Time: -24h
Description: This use case will trigger if executable files are downloaded from outside the organization (using Bluecoat logs).
Search (cell truncated at its start in the export):
… IN(*hacking* ,*suspicious* , *Spam*,*Phishing*,*Malicious*,*potential*,*unwanted*, *adult* ,*Compromised*) | search NOT Destination IN("*windowsupdate.com" ,"*microsoft.com.*","*eclipse.org" ,"*adobe.com") | search NOT [| inputlookup Largewebupload.csv|fields Web.dest |rename Web.dest as Destination]
Use case: SIEM-DIS-T1135-01-Increase in SMB Traffic
Severity: Low | Count: 0 | Time: -24h
Description: This alert was created to check for increasing SMB traffic.
Search (cell truncated at its start in the export):
… avg(eval(if(_time<relative_time(maxtime, "-70m@m"), count, null))) as avg stdev(eval(if(_time<relative_time(maxtime, "-70m@m"), count, null))) as stdev by src | eval upperBound=(avg+stdev*2), isOutlier=if(count > upperBound AND num_data_samples>=150, 1, 0) | where isOutlier=1 | table src dc_dest count
Use case: SIEM-DIS-T1217:Non_Standard_User_Agent_detection
Severity: Low | Count: 0 | Time: -14h, -65m@m
Description: This rule triggers when the web gateway detects a non-standard user agent.
Search, first column (cell truncated at its start in the export):
… (Windows NT 6.0; U; en*)" OR Web.http_user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)" By Web.http_user_agent Web.url | rename Web.http_user_agent as User_agent | table _time, Source, Destination, url, User_agent, Action
Search, second column (cell truncated at its start in the export):
… )" OR Web.http_user_agent="Opera/8.81 (Windows NT 6.0; U; en*)" OR Web.http_user_agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)" By Web.http_user_agent Web.url | rename Web.http_user_agent as http_user_agent Web.url AS url
Use case: SIEM-EXE-T1047-01-Malware Detected & Not Cleaned
Severity: Remove | Count: 0 | Time: -30m@m
Description: To detect a malware infection on a machine which is not handled by the anti-virus scan.
Search (cell truncated at its start in the export):
… value=NULL | stats values(detected_timestamp) as detected_time values(dest_nt_domain) as dest_nt_domain values(event_description) as event_description values(file_name) as file_name values(threat_type) as threat_type values(threat_handled) as threat_handled values(user) as user by src
Use case: SIEM-EXE-T1203-01-Malware Outbreak Observed
Severity: Low | Count: 0 | Time: -10m@m
Description: Looks at the malware data model, identifying malware signatures with known sources/destinations. Includes command and control, drive-by downloads, and DNS requests related to malware.
Search (cell truncated at its start in the export):
… \LOCAL\TEMP*) | `drop_dm_object_name(Malware_Attacks)` | search NOT ([| inputlookup Malware_Attacks.signature | fields signature]) | where 'system_count'>4 | eval type=if(match(signature,"\d{1,99}$"),"num","named") | search type!="num" | fields signature system_count dest sources file_name
Use case: SIEM-EXE-T1203-01-Malware Outbreak Observed_SOX
Severity: Low | Count: 0 | Time: -10m@m
Description: Looks at the malware data model, identifying malware signatures with known sources/destinations. Includes command and control, drive-by downloads, and DNS requests related to malware.
Search (cell truncated at its start in the export):
… up Malware_Attacks.signature | fields signature]) | where 'system_count'>4 | eval type=if(match(signature,"\d{1,99}$"),"num","named") | search type!="num" |lookup sox.csv Host as Malware_Attacks.dest OUTPUT Type | search Type=* | fields signature system_count dest sources file_name Type
Use case: SIEM-EXE-T1204-04-Zscaler_Relevant_Malware_Traffic
Severity: Medium | Count: 0 | Time: -12h
Description: It will detect malware traffic on the host based on the threat name field captured in Zscaler logs.
Search (cell truncated at its start in the export):
… |rename devicehostname as src |fillnull |stats values(action) as action values(filetype) as filetype values(http_user_agent) as http_user_agent values(status) as status values(requestmethod) as requestmethod values(dest) as dest values(hostname) as hostname values(url) as url count by src user threatname
Use case: SIEM-EXE-T1204-04-Zscaler_Relevant_Malware_Traffic_SOX
Severity: Medium | Count: 0 | Time: -12h, -65m@m
Description: It will detect malware traffic on the host based on the threat name field captured in Zscaler logs.
Search, first column (cell truncated at its start in the export):
… src OutputNEW Type | search Type=* |stats values(action) as action values(filetype) as filetype values(http_user_agent) as http_user_agent values(status) as status values(requestmethod) as requestmethod values(dest) as dest values(hostname) as hostname values(url) as url count by src user threatname
Search, second column (cell truncated at its start in the export):
… Web.user!=- Web.app!=not-applicable ([| inputlookup Category.csv | fields "Category" | rename "Category" as Web.category ]) by Web.src | `drop_dm_object_name(Web)` | `get_asset(src)` ```uses ES asset enrichment to lookup the asset``` | where src_category=sox
Use case: SIEM-IA-T1190: Web_Attack_SQL_Injection_Signature_Detected_On_WAF
Severity: Medium | Count: 0 | Time: -12h
Description: SQL injection is one of the deadliest web attacks because it has the potential of retrieving the whole database from the web server, hence it needs special monitoring. The use case will trigger if a signature related to SQL injection is detected on the Imperva WAF.
Search:
| tstats summariesonly=true dc("IDS_Attacks.signature") as "signature_count" values("IDS_Attacks.signature") as signature from datamodel="Intrusion_Detection" where sourcetype=imperva:waf IDS_Attacks.signature=*sql* by "IDS_Attacks.src" | rename "IDS_Attacks.src" as "src"
Use case: SIEM-PI-T1055:Hidden_Window_Process_detected
Severity: Move to CS | Count: 0 | Time: -5h, -65m@m
Description (cell truncated at its start in the export): … avoid disrupting user work environments when carrying out administrative tasks. On Windows, there are a variety of features in scripting languages such as PowerShell, JScript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.
Search, first column (cell truncated at its start in the export):
… host | rename Processes.* AS * | stats max(_time) as _time values(process) as process values(user) as UserName values(parent_process_path) as Path values(action) as Action count by dest | rename dest as hostname | table _time, hostname, UserName, process, Action, Path, count
Search, second column (cell truncated at its start in the export):
… Processes.process, Processes.user,Processes.parent_process_path, Processes.action, Processes.dest, host | rename Processes.* AS * | stats max(_time) as lastTime values(process) as process values(user) as user values(parent_process_path) as parent_process_path values(action) as action count by dest
Use case: SIEM-PI-T1055:Hidden_Window_Process_detected_SOX
Severity: Move to CS | Count: 0 | Time: -12h
Description (cell truncated at its start in the export): … avoid disrupting user work environments when carrying out administrative tasks. On Windows, there are a variety of features in scripting languages such as PowerShell, JScript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.
Search (cell truncated at its start in the export):
… as EventCode values(action) as Action values(name) as Name values(signature) as Signature count by dest | rename dest as hostname |lookup sox.csv Host as hostname OUTPUT Type | table _time, hostname,Type, UserName, DomainName, EventCode, Action, Name, Signature, count
Use case: SIEM-T1095-CNC:Large_Outbound_ICMP_Packets_Detected
Severity: Move to CS | Count: 0 | Time: -15h
Description (cell truncated at its start in the export): … outbound ICMP packets with a packet size larger than 2,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity.
Search (cell truncated at its start in the export):
… .bytes >2000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` | search NOT action IN (Drop,blocked,Block,reject) | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
Use case: SIEM-T1102-CNC:Successful_Jndi:Ldap_Queries_Checkpoint
Severity: Low/ Possibly remove | Count: 0 | Time: -24h, -65m@m
Description: This use case will alert us when successful jndi:ldap queries are observed in Checkpoint logs. This use case is developed to detect any attack based on the "log4j" vulnerability.
Search, first column (cell truncated at its start in the export):
… d) as ser_agent_kid values(_raw) as raw by _time| where action!=Prevent | search NOT [| inputlookup scanner_ip.csv | fields ip | rename ip as source_IP ] | table _time source_IP Source_port Destination_Ip Destination_port action Resource ser_agent_kid raw
Search, second column (cell truncated at its start in the export):
… s*,*jndi:http*,*jndi:nis*,*jndi:rmi*) OR ser_agent_kid IN(*jndi:ldap*,*jndi:dns*,*jndi:iiop*,*jndi:corbal*,*jndi:nds*,*jndi:http*,*jndi:nis*,*jndi:rmi*) | stats values(dest_ip) as dest_ip values(dest_port) as dest_port values(resource) as url values(action) as action values(ser_agent_kid) as http_user_agent by src_ip
Use case: SIEM_Activity_Detected_Of_Stolen_Device_Malware
Severity: Low | Count: 0 | Time: -12h, -65m@m
Description: This use case will trigger if any endpoint log is received by Splunk for the stolen device.
Search, first and second column (both cells carry the same query; cell truncated at its start in the export):
… tacks.signature) as signature values(Malware_Attacks.file_name) as file_name from datamodel="Malware" by "Malware_Attacks.dest" sourcetype |search ([| inputlookup StolenDevices.csv | fields Device | rename Device as Malware_Attacks.dest]) | `drop_dm_object_name(Malware_Attacks)`
Use case: SIEM_Activity_Detected_Of_Stolen_Device_Windows
Severity: Medium | Count: 0 | Time: -12h, -65m@m
Description: This use case will trigger if any activity of a stolen device is seen in Windows logs.
Search, first column (cell truncated at its start in the export):
… l="Authentication" where "Authentication.signature_id"=4724 OR "Authentication.signature_id"=4725 by "Authentication.dest" _time sourcetype| rename Authentication.* as *|search ([| inputlookup StolenDevices.csv| fields Device | rename Device as dest]) | table _time sourcetype dest user EventID
Search, second column (cell truncated at its start in the export):
… thentication.dest) as dest count from datamodel="Authentication" where "Authentication.signature_id"=4624 OR "Authentication.signature_id"=4625 by "Authentication.src" sourcetype | rename Authentication.* as *|search ([| inputlookup StolenDevices.csv| fields Device | rename Device as src])
Use case: SIEM_Pass_The_Hash_Lateral_Movement_Detected
Severity: Medium | Count: 0 | Time: -24h, -65m@m
Description (cell truncated at its start in the export): … ation that uses the password hash. In this technique valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
Search, first column (cell truncated at its start in the export):
… (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter`
Search, second column (cell truncated at its start in the export):
… (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, Workstation_Name, user, dest | rename Workstation_Name as src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
Scheduling metadata for the searches (the column headers were not exported; the headers below are inferred from the values, and the rows are no longer associated with the use case names above):

Offset | Cron A | Cron B | Window A | Window B | Key field | CIM field | Severity | Last modified
 | 0 */9 * * * | | 86400s | | threat_match_value | | medium | 2022-07-15T18:53:06+00:00
-5m@m | 0 */12 * * * | 22 * * * * | 604800s | 86300s | src | | medium | 2022-07-07T15:30:07+00:00
 | 1-59/30 * * * * | | 86400s | | HostName | | low | 2021-09-14T14:43:48+00:00
-5m@m | */10 * * * * | 1-51/10 * * * * | 86400s | 86300s | UserID | user | medium | 2022-07-14T18:18:36+00:00
-5m@m | */10 * * * * | 2-52/10 * * * * | 3600s | 3500s | Destination | dest | medium | 2022-07-26T12:36:02+00:00
-5m@m | */10 * * * * | 3-53/10 * * * * | 3600s | 3500s | Destination | dest | medium | 2022-07-22T11:50:53+00:00
-5m@m | 17-45/17 * * * * | 42 * * * * | 43200s | | Target_Account | user,dest | high | 2022-07-20T05:32:02+00:00
 | 0 */5 * * * | | 86400s | | src_ip | | high | 2022-07-22T15:16:58+00:00
-5m@m | */60 * * * * | | 86400s | 86300s | Dest_IP | dest_ip | low | 2022-07-22T15:39:21+00:00
-5m@m | */9 * * * * | 9-49/20 * * * * | 86400s | 86300s | User_Name | src_user | low | 2022-07-14T18:15:46+00:00
-5m@m | 0 */4 * * * | 36 * * * * | 86400s | 86300s | Machine_Name | dest | medium | 2021-09-13T16:07:47+00:00
 | 7 * * * * | | 86400s | | TargetUser | | high | 2022-07-21T18:02:17+00:00
now | 27 */23 * * * | 27 23 * * * | 86400s | 86300s | source user | src_user | medium | 2022-07-21T17:41:49+00:00
-5m@m | */10 * * * * | 4-54/10 * * * * | 3600s | 3500s | Destination | dest | medium | 2022-07-22T11:57:21+00:00
-5m@m | */18 * * * * | 54 * * * * | 3600s | | dest | | low | 2022-07-22T16:34:17+00:00
 | 7 * * * * | | 86400s | | dest | | high | 2022-03-17T19:42:11+00:00
-5m@m | 0 */8 * * * | 6-56/10 * * * * | 86400s | 86300s | userStates{}.accountName,dest | user | medium | 2022-07-22T16:30:52+00:00
-5m@m | */23 * * * * | 23 * * * * | 86400s | 86300s | User | user | low | 2022-07-20T16:30:05+00:00
-1h | 0 */9 * * * | 2 */8 * * * | 86400s | 86300s | UserID | | high | 2021-11-19T05:15:07+00:00
-5m@m | */10 * * * * | 5-55/10 * * * * | 86400s | 86300s | UserID | user | medium | 2022-07-22T18:59:10+00:00
-5m@m | 0 */2 * * * | 1 */4 * * * | 86400s | 86300s | Username | src_user | low | 2022-07-15T15:14:38+00:00
 | 0 */2 * * * | | 86400s | | User_Name | | low | 2022-07-14T11:05:16+00:00
-5m@m | */16 * * * * | 16 * * * * | 86400s | 86300s | Username | src | high | 2022-07-21T17:50:58+00:00
-5m@m | 0 */9 * * * | 34 * * * * | 86400s | 86300s | src_user | src_user | high | 2022-07-22T15:55:35+00:00
 | 0 */4 * * * | | 86400s | | top_level_domain_in_incoming_email | | low | 2022-07-12T14:29:21+00:00
-5m@m | 0 */3 * * * | 37 * * * * | 86400s | 86300s | user | src | medium | 2021-09-13T16:03:24+00:00
-5m@m | 0 */3 * * * | 37 * * * * | 86400s | 86300s | user | src | high | 2022-03-03T13:30:25+00:00
 | */9 * * * * | | 86400s | | User_Name | | low | 2022-07-13T20:31:06+00:00
-5m@m | 0 */4 * * * | 46 * * * * | 86400s | 86300s | Computer_Name | dest | high | 2022-07-13T20:57:22+00:00
 | 0 */2 * * * | | 86400s | | User_Name | | high | 2022-07-14T18:10:08+00:00
 | */17 * * * * | | 86400s | | Username | | high | 2022-07-14T18:11:20+00:00
 | */17 * * * * | | 86400s | | Username | | high | 2022-07-14T18:12:02+00:00
 | 0 */6 * * * | | 86400s | | Username | | medium | 2022-07-14T18:13:39+00:00
 | 0 */6 * * * | | 86400s | | Username | | high | 2022-07-14T18:13:49+00:00
 | */9 * * * * | | 86400s | | User_Name | | high | 2022-07-14T18:16:59+00:00
-5m@m | 17-45/17 * * * * | 28 * * * * | 43200s | | Target_Account | user,dest | high | 2022-07-14T18:07:09+00:00
-5m@m | */10 * * * * | 6-56/10 * * * * | 86400s | 86300s | UserID | user | medium | 2022-07-21T13:31:01+00:00
-5m@m | 0 */8 * * * | 35 * * * * | 43200s | | user,ComputerName | user,dest | medium | 2021-09-13T16:09:00+00:00
-5m@m | 0 */8 * * * | 35 * * * * | 43200s | | user,ComputerName | user,dest | high | 2022-03-03T10:06:35+00:00
 | 0 */2 * * * | | 86400s | | Username | | low | 2022-07-15T15:11:35+00:00
-5m@m | 0 */2 * * * | 14 * * * * | 86400s | 86300s | Username | src_user | high | 2022-07-15T15:14:19+00:00
 | 0 */2 * * * | | 86400s | | Username | | low | 2022-07-15T15:20:50+00:00
 | 0 */2 * * * | | 86400s | | Username | | low | 2022-07-15T15:19:27+00:00
-5m@m | 0 */2 * * * | 43 * * * * | 86400s | 86300s | Username | src_user | high | 2022-07-15T15:18:52+00:00
 | 0 */4 * * * | | 43200s | | user | | low | 2022-07-15T15:28:21+00:00
 | 0 */6 * * * | | 43200s | | user | | low | 2022-07-15T15:43:58+00:00
-5m@m | 2-59/15 * * * * | 6-56/10 * * * * | 43200s | 86300s | UserID | user | low | 2021-09-14T14:43:47+00:00
 | */18 * * * * | | | | | | low | 2022-07-15T14:58:30+00:00
-5m@m | 2-59/5 * * * * | 9-59/10 * * * * | | | | | high | 2022-07-15T15:33:44+00:00
-5m@m | 2-59/5 * * * * | 9-59/10 * * * * | | | | | high | 2022-07-15T15:34:05+00:00
 | 1-59/30 * * * * | | 86400s | | host | | high | 2022-03-03T08:31:25+00:00
 | */5 * * * * | | 86400s | | src_ip | | medium | 2022-07-18T16:58:55+00:00
 | */5 * * * * | | 86400s | | src_ip | | medium | 2022-07-18T16:57:11+00:00
-5m@m | 0 */4 * * * | 36 * * * * | 86400s | 86300s | Machine_Name | dest | medium | 2022-03-03T12:49:30+00:00
 | 7 * * * * | | 86400s | | dest | | high | 2022-07-13T06:15:35+00:00
 | 7 * * * * | | 86400s | | dest | | high | 2022-03-03T13:07:09+00:00
 | 0 */8 * * * | | 86400s | | dest | | medium | 2021-10-28T15:15:08+00:00
-5m@m | */5 * * * * | 23 * * * * | 86400s | 86300s | src | user | low | 2022-07-21T14:58:32+00:00
-5m@m | */23 * * * * | 23 * * * * | 86400s | | User | src | high | 2022-07-20T16:30:13+00:00
-5m@m | */5 * * * * | 27 * * * * | 86400s | 86300s | Domain | dest | low | 2022-07-20T16:42:34+00:00
-5m@m | 7 */9 * * * | 26 * * * * | 32400s | 86300s | email_domain | | medium | 2022-07-20T16:45:57+00:00
 | */14 * * * * | | 7200s | | user | | high | 2022-07-20T16:52:41+00:00
 | 7 * * * * | | 86400s | | dest | | high | 2021-09-02T18:37:34+00:00
-5m@m | */20 * * * * | 46 * * * * | 43200s | 43200s | Hostname | dest | high | 2022-07-20T17:05:51+00:00
-5m@m | */20 * * * * | 46 * * * * | 43200s | 43200s | Hostname | dest | high | 2022-07-20T17:06:02+00:00
now | 27 2 * * * | 27 2 * * * | 86400s | 86400s | All_Email.src_user | src_user | medium | 2022-07-22T15:09:35+00:00
-5m@m | */16 * * * * | 16 * * * * | 86400s | 86300s | Username | user | high | 2022-07-21T17:51:03+00:00
 | 0 */4 * * * | | 86400s | | Destination | | low | 2022-07-21T17:58:49+00:00
 | 0 */6 * * * | | 43200s | | src | | low | 2022-07-22T15:32:50+00:00
-5m@m | 0 */13 * * * | 36 * * * * | 86400s | 86300s | User_agent | http_user_agent | high | 2022-07-15T06:18:07+00:00
 | 5,35 * * * * | | | | | | high | 2021-09-02T18:36:53+00:00
 | 4-59/5 * * * * | | 7200s | | signature | | medium | 2022-07-22T16:10:58+00:00
 | 4-59/5 * * * * | | 7200s | | signature | | high | 2022-03-03T13:07:03+00:00
 | */27 */9 * * * | | 86400s | | src | | medium | 2022-07-07T15:25:40+00:00
-5m@m | */27 */9 * * * | 27 * * * * | 86400s | 86300s | src | src | high | 2022-03-03T13:15:10+00:00
 | */33 */4 * * * | | 86400s | | IDS_Attacks.src | | medium | 2021-10-26T10:24:46+00:00
-5m@m | 0 */4 * * * | 44 * * * * | 86400s | 86300s | hostname | dest | medium | 2022-07-22T16:13:58+00:00
 | 1-59/5 * * * * | | 86400s | | hostname | | high | 2022-07-22T16:15:37+00:00
 | 0 */12 * * * | | 86400s | | src_ip | | medium | 2022-07-15T06:13:45+00:00
-5m@m | 0 */1 * * * | 49 * * * * | 86300s | | src_ip | | high | 2022-07-22T16:19:39+00:00
-5m@m | */18 * * * * | 53 * * * * | -65m@m | -5m@m | dest | | low | 2022-07-22T16:26:59+00:00
-5m@m | */18 * * * * | 53 * * * * | 86300s | | src | | low | 2022-07-22T16:29:33+00:00
-5m@m | 0 */8 * * * | 49 * * * * | 86400s | 86300s | WorkstationName | src | medium | 2022-07-15T05:55:56+00:00
Yes | Updates Implemented; No Further Action Required

- This won't match Windows DNS due to the way Windows represents the "query" field. Example: (10)brgyn1dc01(7)phibred(3)com(0)
- Overlapping durations
- Follow-up - need to review whether Windows DNS is critical?
| Yes No No Yes No No Yes | Updates Implemented; No Further Action Required

Pending Review

Maybe No No No No No No | Updates Implemented; No Further Action Required

Maybe No No No No No No | Updates Implemented; No Further Action Required

Maybe No No No No No No | Updates Implemented; No Further Action Required

Yes No No No No No No | Updates Implemented; No Further Action Required

Yes No Yes Yes Yes | Pending Review
- Remove src_port from the output
- Remove dedup, adjust search query to eliminate "dedup" requirement
| Yes No No No | Updates implemented; No Further Action Required

Need to check bucket time (bucketing not working), search time frame needs to be changed
| Updates Implemented; No Further Action Required

- Significantly overlapping schedule
- Fields should be normalized to CIM
- Validate signatures are aligned to signatures for AV product and mapped to CIM
| 1 Yes No | Updates Implemented; No Further Action Required

Yes Yes | Pending Review

Yes Yes | Updates Implemented; No Further Action Required

- Should remove "dedup"
| Maybe No No No No No No | Updates Implemented; No Further Action Required
Updates Implemented; No Further Action Required

Yes Yes | Disabled; No Further Action Required

Use Case name and description should be updated to align with the actual alert (only successful brute force)
| Yes No | Updates Implemented; No Further Action Required

- Every 23 minutes over 24 hour period; significant overlap
- Logic is for a user to have attempted to violate "150 blocked sites in 10 minutes" over 4 10 minute windows. This threshold seems high
| 1 Yes No Yes No | Updates Implemented; No Further Action Required

Updates Implemented; No Further Action Required

Maybe No No No No No No | Updates Implemented; No Further Action Required

Updates Implemented; No Further Action Required
Pending Review - Awaiting Initial Review

- rewritten to focus on the "src" as the primary concern
| Yes No Yes No | Updates Implemented; No Further Action Required

- Logic is looking for VIP users SENDING suspicious attachments, as opposed to receiving
| Yes No No Yes Yes | Updates Implemented; No Further Action Required

Create a Lookup File: cim_corporate_email_domain_lookup (CR will be created and same will be implemented after approval)
| Initial Review Complete; Awaiting Final Review

Revisit time settings

Right threshold is needed, search time frame needs to be changed, use of bucket and eval date, should take broader view on entire brute force for consolidation
| Updates Implemented; No Further Action Required
Updates Implemented; No Further Action Required

Check updated list for admin, right threshold is needed, search time frame needs to be changed.
| Pending Review - Initial Review in Progress

- This is looking for >1 failures in a second. That's a high rate of failure
| Yes No Yes No | Updates Implemented; No Further Action Required

Pending Review - Awaiting Initial Review

Pending Review - Awaiting Initial Review

Pending Review - Awaiting Initial Review

- If zscaler is an agent, how is this authenticated? Do users enter credentials, or is this machine authentication?
| Yes No Yes No Yes | Disabled; No Further Action Required

- If zscaler is an agent, how is this authenticated? Do users enter credentials, or is this machine authentication?
| Yes No Yes No Yes Yes | Disabled; No Further Action Required
Initial Review Complete; Awaiting Final Review

- index=*
- field names
- Doesn't work because the SOX lookup table is case sensitive
| Yes No No No No Yes No | Updates Implemented; No Further Action Required

Maybe No No No No No No | Updates Implemented; No Further Action Required

- src_nt_host renamed as User_Name?
- Field is "Logon_Type" not "LogonType". This will never fire
| Yes No No No Yes | Updates Implemented; No Further Action Required

- src_nt_host renamed as User_Name?
- Field is "Logon_Type" not "LogonType". This will never fire
| Yes No No No Yes | Updates Implemented; No Further Action Required

Pending Review

Re-review later
| Updates Implemented; No Further Action Required

Pending Review

Updates Implemented; No Further Action Required

Re-review later
| Initial Review Complete; Awaiting Final Review

- No data - this may not be configured for auditing
| Yes No No Yes | Disabled; No Further Action Required

Yes No | Initial Review Complete; Awaiting Final Review

Updates Implemented; No Further Action Required
- every 18 minutes for the last 12 hours
- Web.c_host is not a standard CIM field. Validate whether data model has been edited
- The subsearch outputs "Device", so search will return no results
- Does not work for Zscaler logs
| Yes No No No No Yes | Updates Implemented; No Further Action Required

Maybe No No No | Updates Implemented; No Further Action Required

Maybe No No No Yes | Updates Implemented; No Further Action Required

Yes | Pending Review

what we're using as the condition and some of the filters. The bucketizing on "_time" likely filters unintentionally
- Cisco not implemented anymore?
- Bytes not available in CheckPoint logs. Since transition from Cisco to CheckPoint, this use case is no longer feasible.
| 1 Yes No Yes Yes | Disabled; No Further Action Required
additional fields, which then causes the "where" field to have nothing (e.g., num_data_samples is always null, so num_data_samples is never >=4)
- Fixing the above issue, the "num_data_samples" will never be greater than 2 because _time is binned on span=1d, and only 2 days can show up in the data
| Yes No Yes Yes | Pending Review - Initial Review in Progress

- Significantly overlapping schedule
- Fields should be normalized to CIM
- Validate signatures are aligned to signatures for AV product and mapped to CIM
- Issues with lookup is case sensitive, doesn't take into account that dest may be DNS or hostname
| Yes No No Yes | Updates Implemented; No Further Action Required

Initial Review Complete; Awaiting Final Review

Disabled; No Further Action Required
- the query runs once per 8 hours, but only searches 6 hours. This means some data is never searched
| 1 | Disabled; No Further Action Required

- Significantly overlapping schedule - this should be reduced
- should use CIM fields
- should use "span" in the tstats if using the _time field
- validate category is correct for proxy vendor's categorization
- only "allowed" P2P - this should never detect based on
| 1 Yes No No No Yes | Updates Implemented; No Further Action Required

Updates Implemented; No Further Action Required

- dvc should be http_user_agent
| Yes No No No No Yes No | Updates Implemented; No Further Action Required

- Should likely be scheduled more frequently for shorter windows
- should offset 5 minutes to allow for latency
| Yes No No | Updates Implemented; No Further Action Required

Pending Review

Initial Review Complete; Awaiting Final Review

Updates Implemented; No Further Action Required

Updates Implemented; No Further Action Required

Updates Implemented; No Further Action Required

Updates Implemented; No Further Action Required

Initial Review Complete; Awaiting Final Review

Yes No Yes | Initial Review Complete; Awaiting Final Review

Yes No No No No No Yes | Updates Implemented; No Further Action Required

Disabled; No Further Action Required

Updates Implemented; No Further Action Required

Pending Review
- Most of the threatnames are commented out. Not sure reasoning
- Cron schedule is unusual
- This only alerts when Zscaler doesn't block a threat. Should Zscaler ever allow a threat?
- Revisit - likely want to restructure to look for repeated malware traffic for a user/host
| Yes No No No Yes | Pending Review

- Most of the threatnames are commented out. Not sure reasoning
- Cron schedule is unusual
- This only alerts when Zscaler doesn't block a threat. Should Zscaler ever allow a threat?
| Yes No No No Yes Yes | Updates Implemented; No Further Action Required

Disabled; No Further Action Required

- is this intentionally filtered on domain controllers only?
| Yes No No No Yes | Updates Implemented; No Further Action Required

Yes No No No Yes | Disabled; No Further Action Required

- This use case is no longer feasible given that CheckPoint logs do not provide bytes transferred.
| Yes No No Yes | Disabled; No Further Action Required

Updates Implemented; No Further Action Required

- Schedule should be reviewed
| Yes No No No Yes | Updates Implemented; No Further Action Required

- Schedule should be reviewed
| Yes No No No | Updates Implemented; No Further Action Required

Updates Implemented; No Further Action Required

Need to build dashboard

Updates implemented; No Further Action Required

Updates implemented; No Further Action Required
1. Finetuning was done on ports by John.
2. John requested to decrease thresholds (vertical and horizontal scanning). Geetanjali and Anthony check threshold recommendations.

*Pending from IR/Tim for finetuning. -SPL reviewed during Splunk Audit call; awaiting review from IR team.

*IR Emailed on 9/26/2022
TIM - Follow-up with IR team on 9/29/2022 to check status

* Geetanjali to follow-up email with John on 9/27/2022. Awaiting further feedback from John

* Mail sent to John/need suggestion on spl

* 9/28/2022 Tim to sync with John to confirm if SPL should be disabled.

* Geetanjali to email John on 9/27/2022 to ask to validate if this notable should be disabled. Once base use case is ready, this use case will be ready.

* 9/27/2022: Awaiting John's approval. Geetanjali emailed on 9/26/2022.

* SPL Drafted/In progress
Needs to be updated to use `get_asset`

* 9/28/2022 Tim to sync with John to confirm if SPL should be disabled.
* Geetanjali needs to create CR to disable notable; then, Tim will review/approve

* Needs to be disabled; CR needs to be created and approved by Tim

* 9/28/2022 Tim to sync with John to confirm if SPL should be disabled.

* 9/27/2022: Geetanjali needs to create CR to disable notable; then, Tim will review/approve

* 9/27/2022: Awaiting update from John, email sent on 9/26/2022

*Email has been sent, waiting for the update

*9/27/2022: This use case/notable should be disabled once a dashboard is created for it.

*By EOD 9/27/2022, Sushma will send email to John requesting review

* 9/27/2022 - Sushma created CR to disable.

Pending review/should be disabled as the original one is disabled
Reason: we are not receiving Imperva WAF logs anymore, onboarding is in pipeline.

Currently only covers Blue Coat. Should look at using data model to incorporate Zscaler and BlueCoat in one search

Should this focus on src?

SPL has been discussed with John, need to come up with threshold recommendation

Reason: we are not receiving Imperva WAF logs anymore, onboarding is in pipeline

Process tree related detections are carried out by CrowdStrike, hence can be disabled at Splunk level