Application

| Name | Technique | Datamodel |
|---|---|---|
| Detect New Login Attempts to Routers | None | Authentication |
| Detect Risky SPL using Pretrained ML Model | Command and Scripting Interpreter | Splunk_Audit |
| Email Attachments With Lots Of Spaces | None | Email |
| Email files written outside of the Outlook directory | Email Collection, Local Email Collection | Endpoint |
| Email servers sending high volume traffic to hosts | Email Collection, Remote Email Collection | Network_Traffic |
| Monitor Email For Brand Abuse | None | Email |
| Multiple Okta Users With Invalid Credentials From The Same IP | Valid Accounts, Default Accounts | None |
| No Windows Updates in a time frame | None | Updates |
| Okta Account Locked Out | Brute Force | None |
| Okta Account Lockout Events | Valid Accounts, Default Accounts | None |
| Okta Failed SSO Attempts | Valid Accounts, Default Accounts | None |
| Okta MFA Exhaustion Hunt | Brute Force | Authentication |
| Okta Mismatch Between Source and Response for Verify Push Request | Multi-Factor Authentication Request Generation | None |
| Okta Multiple Failed Requests to Access Applications | Web Session Cookie, Cloud Service Dashboard | None |
| Okta New API Token Created | Valid Accounts, Default Accounts | None |
| Okta New Device Enrolled on Account | Valid Accounts, Default Accounts | None |
| Okta Phishing Detection with FastPass Origin Check | Valid Accounts, Default Accounts, Modify Authentication Process | None |
| Okta Risk Threshold Exceeded | Valid Accounts, Brute Force | Risk |
| Okta Suspicious Activity Reported | Valid Accounts, Default Accounts | None |
| Okta Suspicious Use of a Session Cookie | Steal Web Session Cookie | None |
| Okta ThreatInsight Login Failure with High Unknown users | Valid Accounts, Default Accounts, Credential Stuffing | None |
| Okta ThreatInsight Suspected PasswordSpray Attack | Valid Accounts, Default Accounts, Password Spraying | None |
| Okta ThreatInsight Threat Detected | Valid Accounts, Default Accounts | None |
| Okta Two or More Rejected Okta Pushes | Brute Force | None |
| Okta User Logins From Multiple Cities | Valid Accounts, Default Accounts | None |
| Path traversal SPL injection | File and Directory Discovery | None |
| Persistent XSS in RapidDiag through User Interface Views | Drive-by Compromise | None |
| Splunk Account Discovery Drilldown Dashboard Disclosure | Account Discovery | None |
| Splunk Code Injection via custom dashboard leading to RCE | Exploitation of Remote Services | None |
| Splunk Command and Scripting Interpreter Delete Usage | Command and Scripting Interpreter | Splunk_Audit |
| Splunk Command and Scripting Interpreter Risky Commands | Command and Scripting Interpreter | Splunk_Audit |
| Splunk Command and Scripting Interpreter Risky SPL MLTK | Command and Scripting Interpreter | Splunk_Audit |
| Splunk DOS Via Dump SPL Command | Application or System Exploitation | None |
| Splunk DOS via printf search function | Application or System Exploitation | None |
| Splunk Data exfiltration from Analytics Workspace using sid query | Exfiltration Over Web Service | None |
| Splunk Digital Certificates Infrastructure Version | Digital Certificates | None |
| Splunk Digital Certificates Lack of Encryption | Digital Certificates | None |
| Splunk DoS via Malformed S2S Request | Network Denial of Service | None |
| Splunk Edit User Privilege Escalation | Abuse Elevation Control Mechanism | None |
| Splunk Endpoint Denial of Service DoS Zip Bomb | Endpoint Denial of Service | None |
| Splunk HTTP Response Splitting Via Rest SPL Command | HTML Smuggling | None |
| Splunk Improperly Formatted Parameter Crashes splunkd | Endpoint Denial of Service | Splunk_Audit |
| Splunk Low Privilege User Can View Hashed Splunk Password | Exploitation for Credential Access | None |
| Splunk Path Traversal In Splunk App For Lookup File Edit | File and Directory Discovery | None |
| Splunk Persistent XSS Via URL Validation Bypass W Dashboard | Drive-by Compromise | None |
| Splunk Process Injection Forwarder Bundle Downloads | Process Injection | None |
| Splunk Protocol Impersonation Weak Encryption Configuration | Protocol Impersonation | Web |
| Splunk RBAC Bypass On Indexing Preview REST Endpoint | Access Token Manipulation | None |
| Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature | Exploitation of Remote Services | None |
| Splunk Reflected XSS in the templates lists radio | Drive-by Compromise | None |
| Splunk Stored XSS via Data Model objectName field | Drive-by Compromise | None |
| Splunk Unauthenticated Log Injection Web Service Log | Exploit Public-Facing Application | None |
| Splunk User Enumeration Attempt | Valid Accounts | None |
| Splunk XSS in Monitoring Console | Drive-by Compromise | None |
| Splunk XSS in Save table dialog header in search page | Drive-by Compromise | None |
| Splunk XSS via View | Drive-by Compromise | None |
| Splunk csrf in the ssg kvstore client endpoint | Drive-by Compromise | None |
| Splunk list all nonstandard admin accounts | Drive-by Compromise | None |
| Splunk protocol impersonation weak encryption selfsigned | Digital Certificates | None |
| Splunk protocol impersonation weak encryption simplerequest | Digital Certificates | None |
| Splunk risky Command Abuse disclosed february 2023 | Abuse Elevation Control Mechanism | Splunk_Audit |
| Splunk unnecessary file extensions allowed by lookup table uploads | Drive-by Compromise | None |
| Suspicious Email Attachment Extensions | Spearphishing Attachment, Phishing | Email |
| Suspicious Java Classes | None | None |
| Web Servers Executing Suspicious Processes | System Information Discovery | Endpoint |

Endpoint

| Name | Technique |
|---|---|
| CMD Echo Pipe - Escalation | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process |
| Windows Post Exploitation Risk Behavior | Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info... |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry |
| Living Off The Land | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services |
| Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery |


Network

| Name | Technique |
|---|---|
| Detect ARP Poisoning | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning |


Web

| Name | Technique |
|---|---|
| Web JSP Request via URL | Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services |
