This search aims to detect the Supernova webshell used in the SUNBURST attack.
Supernova Webshell Help
To successfully implement this search, you need to be monitoring web traffic to your SolarWinds Orion server. The logs should be ingested into Splunk and mapped to the Web data model.