├── Dashboard
│   ├── README.md
│   ├── Threat_Hunting.xml
│   └── dashboard.PNG
├── Fortigate
│   ├── README.md
│   ├── data_exfiltration
│   ├── smtp-requests
│   └── vpn_connections
├── README.md
├── Suricata
│   ├── README.md
│   └── teredo_tunneling
├── Sysmon
│   ├── README.md
│   ├── network_connections
│   └── suspicious_domain_query
├── WinEventLog
│   ├── README.md
│   ├── event_code_5156
│   ├── kerberos_authentication_failure
│   ├── other_user_password_reset
│   ├── suspicious_successful_logon
│   └── user_creation
└── Zeek
    ├── README.md
    ├── dns_data_exfiltration
    ├── dns_mining_pool
    ├── dns_queries_sparkline
    ├── high_dns_requests_rate
    ├── inbound_uri
    ├── possible_rce
    ├── service_ports
    └── teredo_tunneling

--------------------------------------------------------------------------------
/Dashboard/README.md:
Dashboard XML file is placed here.

--------------------------------------------------------------------------------
/Dashboard/Threat_Hunting.xml:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Dashboard/Threat_Hunting.xml

--------------------------------------------------------------------------------
/Dashboard/dashboard.PNG:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Dashboard/dashboard.PNG

--------------------------------------------------------------------------------
/Fortigate/README.md:
Fortigate Threat Hunting.

--------------------------------------------------------------------------------
/Fortigate/data_exfiltration:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Fortigate/data_exfiltration

--------------------------------------------------------------------------------
/Fortigate/smtp-requests:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Fortigate/smtp-requests

--------------------------------------------------------------------------------
/Fortigate/vpn_connections:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Fortigate/vpn_connections

--------------------------------------------------------------------------------
/README.md:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/README.md

--------------------------------------------------------------------------------
/Suricata/README.md:
Suricata Threat Hunting.

--------------------------------------------------------------------------------
/Suricata/teredo_tunneling:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Suricata/teredo_tunneling

--------------------------------------------------------------------------------
/Sysmon/README.md:
Sysmon threat hunting.

--------------------------------------------------------------------------------
/Sysmon/network_connections:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Sysmon/network_connections

--------------------------------------------------------------------------------
/Sysmon/suspicious_domain_query:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Sysmon/suspicious_domain_query

--------------------------------------------------------------------------------
/WinEventLog/README.md:
Windows Event Log Threat Hunting.

--------------------------------------------------------------------------------
/WinEventLog/event_code_5156:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/WinEventLog/event_code_5156

--------------------------------------------------------------------------------
/WinEventLog/kerberos_authentication_failure:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/WinEventLog/kerberos_authentication_failure

--------------------------------------------------------------------------------
/WinEventLog/other_user_password_reset:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/WinEventLog/other_user_password_reset

--------------------------------------------------------------------------------
/WinEventLog/suspicious_successful_logon:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/WinEventLog/suspicious_successful_logon

--------------------------------------------------------------------------------
/WinEventLog/user_creation:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/WinEventLog/user_creation

--------------------------------------------------------------------------------
/Zeek/README.md:
Zeek Threat Hunting.

--------------------------------------------------------------------------------
/Zeek/dns_data_exfiltration:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Zeek/dns_data_exfiltration

--------------------------------------------------------------------------------
/Zeek/dns_mining_pool:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Zeek/dns_mining_pool

--------------------------------------------------------------------------------
/Zeek/dns_queries_sparkline:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Zeek/dns_queries_sparkline

--------------------------------------------------------------------------------
/Zeek/high_dns_requests_rate:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Zeek/high_dns_requests_rate

--------------------------------------------------------------------------------
/Zeek/inbound_uri:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Zeek/inbound_uri

--------------------------------------------------------------------------------
/Zeek/possible_rce:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Zeek/possible_rce

--------------------------------------------------------------------------------
/Zeek/service_ports:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Zeek/service_ports

--------------------------------------------------------------------------------
/Zeek/teredo_tunneling:
https://raw.githubusercontent.com/signorrayan/Splunk-Threat-Hunting/HEAD/Zeek/teredo_tunneling
--------------------------------------------------------------------------------