Navigation :
Release Notes
User Guides
Data Onboarding Guides
Features
SSE Content
- AWS Cloud Provisioning From Previously Unseen City
- AWS Cloud Provisioning From Previously Unseen Country
- AWS Cloud Provisioning From Previously Unseen IP Address
- AWS Cloud Provisioning From Previously Unseen Region
- AWS Cross Account Activity From Previously Unseen Account
- AWS Detect Attach To Role Policy
- AWS Detect Permanent Key Creation
- AWS Detect Role Creation
- AWS Detect Sts Assume Role Abuse
- AWS Detect Sts Get Session Token Abuse
- AWS Detect Users Creating Keys With Encrypt Policy Without MFA
- AWS Detect Users With Kms Keys Performing Encryption S3
- AWS EKS Kubernetes Cluster Sensitive Object Access
- AWS Network Access Control List Created With All Open Ports
- AWS Network Access Control List Deleted
- AWS Saml Access By Provider User And Principal
- AWS Saml Update Identity Provider
- Abnormally High AWS Instances Launched By User
- Abnormally High AWS Instances Launched By User - MLTK
- Abnormally High AWS Instances Launched by User
- Abnormally High AWS Instances Terminated By User
- Abnormally High AWS Instances Terminated By User - MLTK
- Abnormally High Number Of Cloud Infrastructure API Calls
- Abnormally High Number Of Cloud Instances Destroyed
- Abnormally High Number Of Cloud Instances Launched
- Abnormally High Number Of Cloud Security Group API Calls
- Abnormally High Number of Endpoint Changes By User
- Abnormally High Number of HTTP Method Events By Src
- Access LSASS Memory For Dump Creation
- Access to In-Scope Unencrypted Resources
- Access to In-scope Resources
- Account Compromise with Suspicious Internal Activity
- Account Compromised followed by Exfiltration
- Account Deleted
- Activity from Expired User Identity
- Activity from Expired User Identity - on Category
- Aggregate Risky Events
- Amazon EKS Kubernetes Cluster Scan Detection
- Amazon EKS Kubernetes Pod Scan Detection
- Anomalous Audit Trail Activity Detected
- Anomalous New Listening Port
- Anomalous New Process
- Anomalous New Service
- Any Powershell Downloadfile
- Any Powershell Downloadstring
- Asset Ownership Unspecified
- Attempt To Add Certificate To Untrusted Store
- Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass
- Attempt To Set Default Powershell Execution Policy To Unrestricted Or Bypass
- Attempt To Stop Security Service
- Attempted Credential Dump From Registry Via Reg Exe
- Attempted Credential Dump From Registry Via Reg.exe
- Auditing Overview of Data Processing Systems (Glass Table)
- Authentication Against a New Domain Controller
- Basic Brute Force Detection
- Basic Dynamic DNS Detection
- Basic Malware Outbreak
- Basic Scanning
- Basic TOR Traffic Detection
- Batch File Write To System32
- Bcdedit Failure Recovery Modification
- Blacklisted Application
- Blacklisted Domain
- Blacklisted IP Address
- Brute Force
- Brute Force Access Behavior Detected
- Brute Force Access Behavior Detected - Against Category
- Brute Force Access Behavior Detected Over One Day
- Brute Force Access Behavior Detected Over One Day - Against Category
- Brute Force Attack
- Building a Departmental Peer Group
- COVID-19 Indicator Check
- Certutil Exe Certificate Extraction
- Child Processes Of Spoolsv Exe
- Child Processes of Spoolsv.exe
- Cleartext Password At Rest Detected
- Clients Connecting To Multiple DNS Servers
- Cloud API Calls From Previously Unseen User Roles
- Cloud APIs Called More Often Than Usual Per User
- Cloud Compute Instance Created By Previously Unseen User
- Cloud Compute Instance Created In Previously Unused Region
- Cloud Compute Instance Created With Previously Unseen Image
- Cloud Compute Instance Created With Previously Unseen Instance Type
- Cloud Compute Instance Started In Previously Unused Region
- Cloud Instance Modified By Previously Unseen User
- Cloud Network Access Control List Deleted
- Cloud Provisioning Activity From Previously Unseen City
- Cloud Provisioning Activity From Previously Unseen Country
- Cloud Provisioning Activity From Previously Unseen IP Address
- Cloud Provisioning Activity From Previously Unseen Region
- Cloud Provisioning Activity from Unusual Country
- Cloud Provisioning Activity from Unusual IP
- Cobalt Strike Named Pipes
- Common Filename Launched from New Path
- Common Ransomware Extensions
- Common Ransomware Notes
- Completely Inactive Account
- Compromised Account
- Compromised Web Server
- Concentration of Attacker Tools by Filename
- Concentration of Attacker Tools by SHA1 Hash
- Concentration of Discovery Tools by Filename
- Concentration of Discovery Tools by SHA1 Hash
- Concurrent Login Attempts Detected
- Connection to New Domain
- Create Local Admin Accounts Using Net Exe
- Create Or Delete Windows Shares Using Net Exe
- Create Remote Thread Into LSASS
- Create local admin accounts using net.exe
- Create or delete hidden shares using net.exe
- Create or delete windows shares using net.exe
- Creation Of LSASS Dump With Taskmgr
- Creation Of Shadow Copy
- Creation Of Shadow Copy With Wmic And Powershell
- Credential Dumping Via Copy Command From Shadow Copy
- Credential Dumping Via Symlink To Shadow Copy
- Credentials In File Detected
- Critical Severity Intrusion
- DNS Query Length Outliers - MLTK
- DNS Query Length With High Standard Deviation
- DNS Query Requests Resolved By Unauthorized DNS Servers
- DNS Record Changed
- Data Exfiltration after Account Takeover, High
- Data Exfiltration after Account Takeover, Medium
- Data Exfiltration after Data Staging
- Data Exfiltration by suspicious user or device
- Data Staging
- Default Account Activity Detected
- Default Account At Rest Detected
- Deleting Shadow Copies
- Detect API Activity From Users Without MFA
- Detect AWS API Activities From Unapproved Accounts
- Detect AWS Console Login By New User
- Detect AWS Console Login By User From New City
- Detect AWS Console Login By User From New Country
- Detect AWS Console Login By User From New Region
- Detect Activity Related To Pass The Hash Attacks
- Detect Arp Poisoning
- Detect Attackers Scanning For Vulnerable Jboss Servers
- Detect Baron Samedit Cve-2021-3156
- Detect Baron Samedit Cve-2021-3156 Segfault
- Detect Baron Samedit Cve-2021-3156 Via Osquery
- Detect Computer Changed With Anonymous Account
- Detect Credential Dumping Through LSASS Access
- Detect Credit Card Numbers using Luhn Algorithm
- Detect DNS Requests To Phishing Sites Leveraging Evilginx2
- Detect Excessive Account Lockouts From Endpoint
- Detect Excessive User Account Lockouts
- Detect F5 Tmui RCE Cve-2020-5902
- Detect GCP Storage Access From A New IP
- Detect Hosts Connecting To Dynamic Domain Providers
- Detect Html Help Renamed
- Detect Html Help Spawn Child Process
- Detect Html Help Url In Command Line
- Detect Html Help Using Infotech Storage Handlers
- Detect Ipv6 Network Infrastructure Threats
- Detect Journal Clearing
- Detect Large Outbound ICMP Packets
- Detect Lateral Movement With WMI
- Detect Log Clearing With wevtutil
- Detect Long DNS TXT Record Response
- Detect Long DNS Txt Record Response
- Detect Malicious Requests To Exploit Jboss Servers
- Detect Many Unauthorized Access Attempts
- Detect Mimikatz Using Loaded Images
- Detect Mimikatz Via PowerShell And EventCode 4663
- Detect Mimikatz Via Powershell And Eventcode 4703
- Detect Mshta Exe Running Scripts In Command-Line Arguments
- Detect Mshta Inline Hta Execution
- Detect Mshta Renamed
- Detect Mshta Url In Command Line
- Detect New API Calls From User Roles
- Detect New Local Admin Account
- Detect New Login Attempts To Routers
- Detect New Open GCP Storage Buckets
- Detect New Open S3 Buckets
- Detect New Open S3 Buckets Over AWS Cli
- Detect New User AWS Console Login
- Detect New User AWS Console Login - Dm
- Detect Oulook Exe Writing A Zip File
- Detect Oulook exe writing a zip file
- Detect Outbound SMB Traffic
- Detect Path Interception By Creation Of Program Exe
- Detect Path Interception By Creation Of program.exe
- Detect Port Security Violation
- Detect Processes Used For System Network Configuration Discovery
- Detect Prohibited Applications Spawning Cmd Exe
- Detect Prohibited Applications Spawning cmd.exe
- Detect Psexec With Accepteula Flag
- Detect Rare Executables
- Detect Regasm Spawning A Process
- Detect Regasm With Network Connection
- Detect Regasm With No Command Line Arguments
- Detect Regsvcs Spawning A Process
- Detect Regsvcs With Network Connection
- Detect Regsvcs With No Command Line Arguments
- Detect Regsvr32 Application Control Bypass
- Detect Rogue DHCP Server
- Detect Rundll32 Application Control Bypass - Advpack
- Detect Rundll32 Application Control Bypass - Setupapi
- Detect Rundll32 Application Control Bypass - Syssetup
- Detect Rundll32 Inline Hta Execution
- Detect S3 Access From A New IP
- Detect Snicat Sni Exfiltration
- Detect Software Download To Network Device
- Detect Spike In AWS API Activity
- Detect Spike In AWS Security Hub Alerts For EC2 Instance
- Detect Spike In AWS Security Hub Alerts For User
- Detect Spike In Blocked Outbound Traffic From Your AWS
- Detect Spike In Network ACL Activity
- Detect Spike In S3 Bucket Deletion
- Detect Spike In Security Group Activity
- Detect Traffic Mirroring
- Detect USB Device Insertion
- Detect Unauthorized Assets By MAC Address
- Detect Use Of Cmd Exe To Launch Script Interpreters
- Detect Use of cmd.exe to Launch Script Interpreters
- Detect Web Traffic To Dynamic Domain Providers
- Detect Windows DNS Sigred Via Splunk Stream
- Detect Windows DNS Sigred Via Zeek
- Detect Zerologon Via Zeek
- Detect attackers scanning for vulnerable JBoss servers
- Detect mshta exe running scripts in command-line arguments
- Detection Of DNS Tunnels
- Detection Of Tools Built By Nirsoft
- Disabled Update Service
- Disabling Remote User Account Control
- Download from Internal Server
- Dump LSASS Via Comsvcs DLL
- Dump LSASS Via Procdump
- Dump LSASS Via Procdump Rename
- EC2 Instance Isolation
- EC2 Instance Modified With Previously Unseen User
- EC2 Instance Started In Previously Unseen Region
- EC2 Instance Started With Previously Unseen AMI
- EC2 Instance Started With Previously Unseen Instance Type
- EC2 Instance Started With Previously Unseen User
- Email Attachments With Lots Of Spaces
- Email Files Written Outside Of The Outlook Directory
- Email Servers Sending High Volume Traffic To Hosts
- Emails from Outside the Organization with Company Domains
- Emails with Lookalike Domains
- Endpoint Uncleaned Malware Detection
- Eventvwr Uac Bypass
- Excessive Box Downloads
- Excessive DNS Failures
- Excessive DNS Queries
- Excessive Data Printed
- Excessive Data Transmission
- Excessive Downloads via VPN
- Excessive Failed Logins
- Excessive HTTP Failure Responses
- Execution Of File With Multiple Extensions
- Execution Of File With Spaces Before Extension
- Exfiltration
- Exfiltration after Account Compromise
- Exfiltration after Infection
- Exfiltration after Suspicious Internal Activity
- Expected Host Not Reporting
- Expected Host Not Reporting - in Category
- Extended Period Without Successful Netbackup Backups
- External Alarm Activity
- External Website Attack
- Failed Access by Disabled Badge
- Failed Badge Accesses on Multiple Doors
- Fake Windows Processes
- Familiar Filename Launched with New Path on Host
- File With Samsam Extension
- Find Processes with Renamed Executables
- Find Unusually Long CLI Commands
- First Time Access to Jump Server for Peer Group
- First Time Accessing an Internal Git Repository
- First Time Accessing an Internal Git Repository Not Viewed by Peers
- First Time Logon to New Server
- First Time Seen Child Process Of Zoom
- First Time Seen Child Process of Zoom
- First Time Seen Command Line Argument
- First Time Seen Running Windows Service
- First Time USB Usage
- Flight Risk Emailing
- Flight Risk Printing
- Flight Risk User
- Flight Risk Web Browsing
- Fodhelper Uac Bypass
- GCP Detect Accounts With High Risk Roles By Project
- GCP Detect Gcploit Framework
- GCP Detect High Risk Permissions By Resource And Account
- GCP Detect Oauth Token Abuse
- GCP GCR Container Uploaded
- GCP Kubernetes Cluster Pod Scan Detection
- GCP Kubernetes Cluster Scan Detection
- Geographically Improbable Access Detected
- Geographically Improbable Access Detected against Category
- Geographically Improbable Access Detected for Privileged Accounts
- Healthcare Worker Opening More Patient Records Than Usual
- Hiding Files And Directories With Attrib Exe
- Hiding Files And Directories With Attrib.exe
- High Number Of Infected Hosts
- High Number Of Login Failures From A Single Source
- High Number of Hosts Not Updating Malware Signatures
- High Or Critical Priority Host With Malware Detected
- High Process Count
- High Volume Email Activity to Non-corporate Domains by User
- High Volume of Traffic from High or Critical Host Observed
- High or Critical Priority Individual Logging into Infected Machine
- Host Sending Excessive Email
- Host With A Recurring Malware Infection
- Host With High Number Of Listening ports
- Host With High Number Of Services
- Host With Multiple Infections
- Host With Old Infection Or Potential Re-Infection
- Hosts Receiving High Volume Of Network Traffic From Email Server
- Hosts Sending To More Destinations Than Normal
- Hosts Where Security Sources Go Quiet
- Hosts with Varied and Future Timestamps
- Hunting COVID Themed Attacks With IOCs
- IP Investigate and Report
- Identify New User Accounts
- Image From New Repository Detected
- In-Scope Device with Outdated Anti-Malware Found
- In-Scope System with Windows Update Disabled
- Inactive Account Activity Detected
- Increase in # of Hosts Logged into
- Increase in Pages Printed
- Increase in Source Code (Git) Downloads
- Increase in Windows Privilege Escalations
- Infected Host
- Infection followed by Exfiltration
- Insecure Or Cleartext Authentication Detected
- Instance Created by Unusual User
- Instance Modified by Unusual User
- Integrating Threat Indicators with MISP and Splunk Enterprise Security
- Investigate GDPR Breaches Using ES
- Kerberoasting Spn Request With RC4 Encryption
- Kerberoasting spn request with RC4 encryption
- Kubernetes AWS Detect Most Active Service Accounts By Pod
- Kubernetes AWS Detect Rbac Authorization By Account
- Kubernetes AWS Detect Sensitive Role Access
- Kubernetes AWS Detect Service Accounts Forbidden Failure Access
- Kubernetes AWS Detect Suspicious Kubectl Calls
- Kubernetes Azure Detect Most Active Service Accounts By Pod Namespace
- Kubernetes Azure Detect Rbac Authorization By Account
- Kubernetes Azure Detect Sensitive Object Access
- Kubernetes Azure Detect Sensitive Role Access
- Kubernetes Azure Detect Service Accounts Forbidden Failure Access
- Kubernetes Azure Detect Suspicious Kubectl Calls
- Kubernetes Azure Pod Scan Fingerprint
- Kubernetes Azure Scan Fingerprint
- Kubernetes GCP Detect Most Active Service Accounts By Pod
- Kubernetes GCP Detect Rbac Authorizations By Account
- Kubernetes GCP Detect Sensitive Object Access
- Kubernetes GCP Detect Sensitive Role Access
- Kubernetes GCP Detect Service Accounts Forbidden Failure Access
- Kubernetes GCP Detect Suspicious Kubectl Calls
- Land Speed Violation
- Large Volume Of DNS Any Queries
- Large Web Upload
- Lateral Movement
- Local Account Creation
- Machine Generated Beacon
- Macos - Re-Opened Applications
- Malicious AD Activity
- Malicious Command Line Executions
- Malicious Insider Containment
- Malicious PowerShell Process With Obfuscation Techniques
- Malicious Powershell Process - Connect To Internet With Hidden Window
- Malicious Powershell Process - Encoded Command
- Malicious Powershell Process - Execution Policy Bypass
- Malicious Powershell Process - Multiple Suspicious Command-Line Arguments
- Malicious Powershell Process With Obfuscation Techniques
- Malicious URI with Potential Malware
- Malware
- Malware Investigation
- Many USB File Copies for User
- Monitor AutoRun Registry Keys
- Monitor DNS For Brand Abuse
- Monitor Email For Brand Abuse
- Monitor Registry Keys For Print Monitors
- Monitor Successful Backups
- Monitor Successful Windows Updates
- Monitor Unsuccessful Backups
- Monitor Unsuccessful Windows Updates
- Monitor Web Traffic For Brand Abuse
- Multiple Account Deletion by an Administrator
- Multiple Account Disabled by an Administrator
- Multiple Account Passwords changed by an Administrator
- Multiple Authentication Failures
- Multiple Authentications
- Multiple Badge Accesses
- Multiple Box login errors
- Multiple Box logins
- Multiple Box operations
- Multiple External Alarms
- Multiple Failed Badge Access Attempts
- Multiple Infections on Host
- Multiple Login Errors
- Multiple Logins
- Multiple Okta Users With Invalid Credentails From The Same IP
- Multiple Okta Users With Invalid Credentials From The Same IP
- Multiple Outgoing Connections
- Multiple Primary Functions Detected
- Multiple failed badge attempts and unusual badge access time
- Network Change Detected
- Network Device Rebooted
- Network Protocol Violation
- New AD Domain Detected
- New Application Accessing Salesforce.com API
- New Cloud API Call Per Peer Group
- New Cloud Provider for User
- New Connection to In-Scope Device
- New Container Uploaded To AWS Ecr
- New Data Exfil DLP Alerts for User
- New High Risk Event Types for Salesforce.com User
- New IaaS API Call Per User
- New Interactive Logon from a Service Account
- New Local Admin Account
- New Logon Type for User
- New Parent Process for cmd.exe or regedit.exe
- New RunAs Host / Privileged Account Combination
- New Service Paths for Host
- New Suspicious Executable Launch for User
- New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch
- New Tables Queried by Salesforce.com Peer Group
- New Tables Queried by Salesforce.com User
- New User Account Created On Multiple Hosts
- New User Taking Privileged Actions
- Nishang Powershelltcponeline
- Nltest Domain Trust Discovery
- No Windows Updates In A Time Frame
- Non-Privileged Users taking Privileged Actions
- Ntdsutil Export Ntds
- O365 Add App Role Assignment Grant User
- O365 Added Service Principal
- O365 Bypass MFA Via Trusted IP
- O365 Disable MFA
- O365 Excessive Authentication Failures Alert
- O365 Excessive Sso Logon Errors
- O365 New Federated Domain Added
- O365 Pst Export Alert
- O365 Suspicious Admin Email Forwarding
- O365 Suspicious Rights Delegation
- O365 Suspicious User Email Forwarding
- Okta Account Lockout Events
- Okta Failed Sso Attempts
- Okta User Logins From Multiple Cities
- Old Passwords in Use
- Open Redirect In Splunk Web
- Osquery Pack - Coldroot Detection
- Outbreak Detected
- Outdated Malware Definitions
- Overwriting Accessibility Binaries
- Period with Unusual Windows Security Event Sequences
- Personally Identifiable Information Detected
- Phishing Investigation and Response
- Possible Phishing Attempt
- Potential Day Trading
- Potential Flight Risk Exfiltration
- Potential Flight Risk Staging
- Potential Gap in Data
- Potential Phishing Attack
- Potential Webshell Activity
- Privilege Escalation after Powershell Activity
- Process Creating Lnk File In Suspicious Location
- Process Execution Via WMI
- Processes Created By Netsh
- Processes Launching Netsh
- Processes Tapping Keyboard Events
- Processes launching netsh
- Processes with High Entropy Names
- Processes with Lookalike (typo) Filenames
- Prohibited Network Traffic Allowed
- Prohibited Port Activity Detected
- Prohibited Process Detected
- Prohibited Service Detected
- Prohibited Software On Endpoint
- Prompt and Block Domain
- Protocol Or Port Mismatch
- Protocols Passing Authentication In Cleartext
- Public Cloud Storage (Bucket)
- Public facing Website Attack
- Pull List of Privileged Users
- RFC1918 IP Not in CMDB
- Ransomware Extensions
- Ransomware Investigate and Contain
- Ransomware Note Files
- Ransomware Vulnerabilities
- Recurring Infection on Host
- Reg Exe Manipulating Windows Services Registry Keys
- Reg Exe Used To Hide Files Directories Via Registry Keys
- Reg.exe Manipulating Windows Services Registry Keys
- Reg.exe used to hide files/directories via registry keys
- Registry Keys For Creating Shim Databases
- Registry Keys Used For Persistence
- Registry Keys Used For Privilege Escalation
- Remote Account Takeover
- Remote Desktop Network Bruteforce
- Remote Desktop Network Traffic
- Remote Desktop Process Running On System
- Remote PowerShell Launches
- Remote Process Instantiation Via WMI
- Remote Registry Key Modifications
- Remote WMI Command Attempt
- Risky Events from Privileged Users
- Rundll Loading DLL By Ordinal
- Ryuk Test Files Detected
- Ryuk Wake On Lan Command
- SMB Traffic Allowed
- SMB Traffic Spike
- SMB Traffic Spike - MLTK
- SQL Injection with Long URLs
- Same Error On Many Servers Detected
- Samsam Test File Write
- Sc Exe Manipulating Windows Services
- Sc.exe Manipulating Windows Services
- Scanning Activity
- Scheduled Task Deleted Or Created Via Cmd
- Scheduled Task Name Used By Dragonfly Threat Actors
- Scheduled Tasks Used In Badrabbit Ransomware
- Schtasks Scheduling Job On Remote System
- Schtasks Used For Forcing A Reboot
- Script Execution Via WMI
- Sensitive Kubernetes Mount Pod Detected
- Service Account Login
- Shim Database File Creation
- Shim Database Installation With Suspicious Parameters
- Short Lived Admin Accounts
- Short Lived Windows Accounts
- Short-lived Account Detected
- Significant Increase in Interactive Logons
- Significant Increase in Interactively Logged On Users
- Single Letter Process On Endpoint
- Sources Sending Many DNS Requests
- Sources Sending a High Volume of DNS Traffic
- Spectre And Meltdown Vulnerable Systems
- Spike In File Writes
- Spike in Downloaded Documents Per User from Salesforce.com
- Spike in Exported Records from Salesforce.com
- Spike in Password Reset Emails
- Spike in SMB Traffic
- Splunk Enterprise Information Disclosure
- Sql Injection With Long Urls
- Stale Account Usage
- Substantial Increase In Events
- Substantial Increase In Port Activity
- Successful Login of Account for Former Employee
- Sunburst Correlation DLL And Network Event
- Supernova Webshell
- Suspicious Account Activity
- Suspicious Account Lockout
- Suspicious Activity After Intrusion
- Suspicious Badge Activity
- Suspicious Behavior
- Suspicious Box Usage
- Suspicious Changes To File Associations
- Suspicious Container Image Name
- Suspicious Curl Network Connection
- Suspicious Data Collection
- Suspicious Data Movement
- Suspicious Dllhost No Command Line Arguments
- Suspicious Domain Communication
- Suspicious Domain Communication followed by Malware Activity
- Suspicious Domain Name
- Suspicious Email - UBA Anomaly
- Suspicious Email Attachment Extensions
- Suspicious External Alarm Activity
- Suspicious File Write
- Suspicious Gpupdate No Command Line Arguments
- Suspicious HTTP Redirects
- Suspicious HTTP Redirects followed by Suspected Infection
- Suspicious IP Address Communication
- Suspicious Java Classes
- Suspicious Lnk File Launching A Process
- Suspicious Microsoft Workflow Compiler Rename
- Suspicious Microsoft Workflow Compiler Usage
- Suspicious Msbuild Path
- Suspicious Msbuild Rename
- Suspicious Msbuild Spawn
- Suspicious Mshta Child Process
- Suspicious Mshta Spawn
- Suspicious Network Connection
- Suspicious Network Exploration
- Suspicious New Access
- Suspicious Plistbuddy Usage
- Suspicious Plistbuddy Usage Via Osquery
- Suspicious Powershell Activity
- Suspicious Privilege Escalation
- Suspicious Reg Exe Process
- Suspicious Reg.exe Process
- Suspicious Regsvr32 Register Suspicious Path
- Suspicious Rundll32 Dllregisterserver
- Suspicious Rundll32 No Command Line Arguments
- Suspicious Rundll32 Rename
- Suspicious Rundll32 Startw
- Suspicious Scheduled Task From Public Directory
- Suspicious Searchprotocolhost No Command Line Arguments
- Suspicious Sqlite3 Lsquarantine Behavior
- Suspicious URL Communications and Redirects
- Suspicious Wevtutil Usage
- Suspicious Writes To System Volume Information
- Suspicious Writes To Windows Recycle Bin
- System Information Discovery Detection
- System Processes Run From Unexpected Locations
- Threat Activity Detected
- Threat Hunting
- Tor Traffic
- USB storage attached an unusually high number of times
- Unauthorized Connection Through Firewall
- Uncommon Processes On Endpoint
- Unified Messaging Service Spawning A Process
- Unload Sysmon Filter Driver
- Unrouteable Activity Detected
- Unsigned Image Loaded By LSASS
- Unsuccessful Netbackup Backups
- Untriaged Notable Events
- Unusual Activity Time
- Unusual Badge Reader Access
- Unusual Child Process for spoolsv.exe or connhost.exe
- Unusual Cloud Regions
- Unusual Cloud Storage Deletions
- Unusual Cloud Storage Downloads
- Unusual External Alarm
- Unusual File Extension
- Unusual Geolocation of Communication Destination
- Unusual Machine Access
- Unusual Network Activity
- Unusual Number of Modifications to Cloud ACLs
- Unusual Printer Usage
- Unusual Time of Badge Access
- Unusual USB Activity
- Unusual USB Device Plugged In
- Unusual VPN Login Geolocation
- Unusual Volume of Network Activity
- Unusual Web Browser
- Unusual Windows Security Event (Unusual - Event Code, Process, Directory, LoginType, ReturnCode, Domain)
- Unusually Long Command Line
- Unusually Long Command Line - MLTK
- Unusually Long Content-Type Length
- Unusually Long VPN Session
- User Finding Project Code Names from Many Departments
- User Has Access to In-Scope Splunk Indexes They Should Not
- User Logged into In-Scope System They Should Not Have
- User Login to Unauthorized Geo
- User Login with Local Credentials
- User with Increase in Outgoing Email
- User with Many DLP Events
- Usn Journal Deletion
- Vulnerability Scanner Detected (by events)
- Vulnerability Scanner Detected (by targets)
- W3Wp Spawning Shell
- WMI Permanent Event Subscription
- WMI Permanent Event Subscription - Sysmon
- WMI Temporary Event Subscription
- Watchlisted Event Observed
- Watering Hole Infection
- Wbadmin Delete System Backups
- Web Browsing to Unauthorized Sites
- Web Fraud - Account Harvesting
- Web Fraud - Anomalous User Clickspeed
- Web Fraud - Password Sharing Across Accounts
- Web Servers Executing Suspicious Processes
- Web Site Compromised (Webshell)
- Web Uploads to Non-corporate Sites by Users
- Windows Adfind Exe
- Windows Connhost Exe Started Forcefully
- Windows Disableantispyware Registry
- Windows Event Log Cleared
- Windows Event Log Clearing Events
- Windows Hosts File Modification
- Windows Security Account Manager Stopped
Technical Detail
Developing on SSE
Installation Documentation Suspicious Container Image Name Description This search looks for image creation events in Kubernetes Audit logs and compares the image names against a known list of names that is likely to be suspicious. This technique is particularly useful for cryptomining attacks.
Content Mapping This content is not mapped to any local saved search. Add mapping
Use Case Advanced Threat Detection, Security Monitoring
Category Endpoint Compromise
Security Impact
Kubernetes and containers are becoming more and more common and we are seeing more attacks and exploits targetting this platform. Reference scenarios include these Azure Security Center detected a new crypto mining campaign that targets Kubernetes environments and Azure Security Center exposes crypto miner campaign
Alert Volume Low SPL Difficulty Medium
Journey Stage 3 MITRE ATT&CK Tactics Impact
MITRE ATT&CK Techniques Resource Hijacking
MITRE Threat Groups APT41
Blue Mockingbird
Lazarus Group
Rocke
Kill Chain Phases Exploitation
Data Sources AWS
GCP
Audit Trail
Azure
Assuming you use the ubiquitous AWS, GCP, or Azure Add-ons for Splunk to pull these logs in, this search should work automatically for you without issue. While implementing, make sure you follow the best practice of specifying the index for your data.
This search should trigger very few false positives, because it's filtered to just very specific events. The keyword list uses wildcards so some of the matches might include benign words that contain bad words like "coin" or "mining". You can modify the lookup to get around this in your environment.
This alert is very clearly tied to a known threat, so when it fires your concern is that this represents an attacker inside of one of your systems. Recommended steps are to begin incident response on the host where this alert fired from, to look for signs of other suspicious activities. The first step in that process will be to look for other events that involve the same IP or user name, and see what other activities the attacker might have done. That should guide you to the underlying problem.
Suspicious Container Image Name Help
The basic idea behind this search is to take a set of container images names and cross reference them against a set of known bad keywords.
There are three phases to this search.
First we run a search to find image creation events. Then we match the image names with the list of keywords from a CSV file (also called a lookup). Lastly, we filter the events on ones where we have a match against the lookup and we rename some of the files to make it easier to read.
SPL for Suspicious Container Image Name AWS Data index=* sourcetype=aws:cloudwatchlogs* image create verb IN ("create" ) (requestObject.spec.containers{}.image=*) | rename requestObject.spec.containers{}.image AS Image | eval Image=lower (Image) | lookup suspicious_container_image_names image AS Image OUTPUT category AS "Image Category" | where isnotnull ('Image Category' ) | fields * | foreach * [| eval "<<FIELD>>" =mvdedup ('<<FIELD>>' ) ] | rename user.username AS user "sourceIPs{}" AS "src_ip" objectRef.name AS "Involved Object" objectRef.namespace AS Namespace objectRef.resource AS "Resource Type" kind AS Kind requestURI AS "url" userAgent AS "user_agent" verb AS Verb responseStatus.code AS "Status Code" "annotations.authorization.k8s.io/decision" AS "Authorization Decision" | stats count AS "Event Count" values (*) AS * by _time | table _time "src_ip" user Verb Image "Image Category" "Event Count" "Involved Object" Namespace "Resource Type" Kind "url" "user_agent" "Status Code" "Authorization Decision" First we find container creation events
GCP Data index=* sourcetype=google:gcp:pubsub:message image create "event_name" ="*.create" ("data.protoPayload.request.spec.containers{}.image" ="*" ) | rename data.protoPayload.request.spec.containers{}.image AS Image| eval src_user=coalesce ('data.protoPayload.authenticationInfo.principalEmail' , 'data.jsonPayload.actor.user' )| eval Image=lower (Image) | lookup suspicious_container_image_names image AS Image OUTPUT category AS "Image Category" | where isnotnull ('Image Category' ) | fields _time src_ip src_user event_name Image "Image Category" data.protoPayload.request.metadata.labels.name data.protoPayload.request.metadata.name data.protoPayload.request.metadata.namespace data.protoPayload.resourceName data.protoPayload.request.kind dest http_user_agent status k8s_authorization_decision data.protoPayload.status.message | foreach * [| eval "<<FIELD>>" =mvdedup ('<<FIELD>>' ) ] | rename data.protoPayload.request.metadata.labels.name AS "Involved Object Label" data.protoPayload.request.metadata.name AS "Involved Object Name" data.protoPayload.request.metadata.namespace AS Namespace data.protoPayload.resourceName AS "Resource Type" data.protoPayload.request.kind AS Kind status AS "Status Code" http_user_agent AS "user_agent" "k8s_authorization_decision" AS "Authorization Decision" | stats count AS "Event Count" values (*) AS * by _time | table _time src_ip src_user event_name Image "Image Category" "Event Count" "Involved Object Label" "Involved Object Name" Namespace "Resource Type" Kind dest "user_agent" "Status Code" "Authorization Decision" data.protoPayload.status.messageFirst we find container creation events
Azure Data index=* (sourcetype=mscs:storage:blob OR sourcetype=mscs:storage:blob:json) image create | spath input =properties.log | search verb="create" ("requestObject.spec.containers{}.image" ="*" ) | rename requestObject.spec.containers{}.image AS Image | eval Image=lower (Image) | lookup suspicious_container_image_names image AS Image OUTPUT category AS "Image Category" | where isnotnull ('Image Category' ) | fields _time sourceIPs{} user.username verb Image "Image Category" objectRef.name objectRef.namespace objectRef.resource kind requestURI userAgent responseStatus.code annotations.authorization.k8s.io/decision | foreach * [| eval "<<FIELD>>" =mvdedup ('<<FIELD>>' ) ] | rename user.username AS user "sourceIPs{}" AS "src_ip" objectRef.name AS "Involved Object" objectRef.namespace AS Namespace objectRef.resource AS "Resource Type" kind AS Kind requestURI AS "url" userAgent AS "user_agent" verb AS Verb responseStatus.code AS "Status Code" "annotations.authorization.k8s.io/decision" AS "Authorization Decision" | stats count AS "Event Count" values (*) AS * by _time | table _time "src_ip" user Verb Image "Image Category" "Event Count" "Involved Object" Namespace "Resource Type" Kind "url" "user_agent" "Status Code" "Authorization Decision" First we find container creation events
