├── .gitignore
├── README.md
├── Splunk ES Correlation Searches Best Practices v1.3.pdf
├── hunt-queries
│   ├── Detecting_Beaconing.md
│   ├── Detecting_Similarity.md
│   ├── HAFNIUM.md
│   ├── Initial_detection_surface_analysis.md
│   ├── Password_Brute_Force__Guessing_Spray.md
│   ├── admins_tracking_via_4688.md
│   ├── local_admins_service_accounts_from_eventlogs.md
│   ├── powershell_qualifiers.md
│   ├── rdp_terminal_services_flow_tracking.md
│   └── tracking_powershell_unsigned_scripts.md
└── spl_tips_tricks.md

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/README.md
--------------------------------------------------------------------------------

/Splunk ES Correlation Searches Best Practices v1.3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/Splunk ES Correlation Searches Best Practices v1.3.pdf
--------------------------------------------------------------------------------

/hunt-queries/Detecting_Beaconing.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/hunt-queries/Detecting_Beaconing.md
--------------------------------------------------------------------------------

/hunt-queries/Detecting_Similarity.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/hunt-queries/Detecting_Similarity.md
--------------------------------------------------------------------------------

/hunt-queries/HAFNIUM.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/hunt-queries/HAFNIUM.md
--------------------------------------------------------------------------------

/hunt-queries/Initial_detection_surface_analysis.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/hunt-queries/Initial_detection_surface_analysis.md
--------------------------------------------------------------------------------

/hunt-queries/Password_Brute_Force__Guessing_Spray.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/hunt-queries/Password_Brute_Force__Guessing_Spray.md
--------------------------------------------------------------------------------

/hunt-queries/admins_tracking_via_4688.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/hunt-queries/admins_tracking_via_4688.md
--------------------------------------------------------------------------------

/hunt-queries/local_admins_service_accounts_from_eventlogs.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/hunt-queries/local_admins_service_accounts_from_eventlogs.md
--------------------------------------------------------------------------------

/hunt-queries/powershell_qualifiers.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/hunt-queries/powershell_qualifiers.md
--------------------------------------------------------------------------------

/hunt-queries/rdp_terminal_services_flow_tracking.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/hunt-queries/rdp_terminal_services_flow_tracking.md
--------------------------------------------------------------------------------

/hunt-queries/tracking_powershell_unsigned_scripts.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/hunt-queries/tracking_powershell_unsigned_scripts.md
--------------------------------------------------------------------------------

/spl_tips_tricks.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/inodee/threathunting-spl/HEAD/spl_tips_tricks.md
--------------------------------------------------------------------------------