Security Content

Change

Detections built on the Change datamodel, each followed by the MITRE ATT&CK technique(s) it is mapped to, where the listing gives one:

  • Detect Excessive Account Lockouts From Endpoint (Valid Accounts, Domain Accounts)
  • Detect Excessive User Account Lockouts (Valid Accounts, Local Accounts)
  • Cloud Compute Instance Created By Previously Unseen User (Cloud Accounts, Valid Accounts)
  • Cloud Provisioning Activity From Previously Unseen City (Valid Accounts)
  • Cloud Provisioning Activity From Previously Unseen Country (Valid Accounts)
  • Cloud Compute Instance Created With Previously Unseen Instance Type
  • Abnormally High Number Of Cloud Security Group API Calls (Cloud Accounts, Valid Accounts)
  • Abnormally High Number Of Cloud Infrastructure API Calls (Cloud Accounts, Valid Accounts)
  • Cloud API Calls From Previously Unseen User Roles (Valid Accounts)
  • Cloud Compute Instance Created In Previously Unused Region (Unused/Unsupported Cloud Regions)
  • Abnormally High Number Of Cloud Instances Launched (Cloud Accounts, Valid Accounts)
  • Abnormally High Number Of Cloud Instances Destroyed (Cloud Accounts, Valid Accounts)
  • Cloud Provisioning Activity From Previously Unseen IP Address (Valid Accounts)
  • Cloud Provisioning Activity From Previously Unseen Region (Valid Accounts)
  • Cloud Instance Modified By Previously Unseen User (Cloud Accounts, Valid Accounts)
  • Short Lived Windows Accounts (Local Account, Create Account)
  • Cloud Compute Instance Created With Previously Unseen Image
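The listing above gives detection names only. As an added illustration of what one of these Change-datamodel analytics does in practice, the following Python is a stand-alone re-implementation of the idea behind "Short Lived Windows Accounts": pair each account deletion with the most recent creation of the same account on the same host and flag pairs whose lifetime falls inside a short window. This is example code written for this page, not the Splunk Threat Research Team's SPL. The Windows Security event IDs 4720 (account created) and 4726 (account deleted) are documented Microsoft values; the field names (`_time`, `EventCode`, `dest`, `user`, `src_user`), the one-hour default window and the sample events are all constructed assumptions.

```python
"""Added example (not Splunk's own detection code): pairing Windows account
creation and deletion events to find short-lived accounts, run offline over
constructed sample records."""
from collections import defaultdict
from datetime import datetime

# Documented Windows Security event IDs.
EVENT_CREATED = 4720  # "A user account was created"
EVENT_DELETED = 4726  # "A user account was deleted"

# Constructed sample events (not real telemetry). Field names are an
# assumption chosen to resemble the Change datamodel's vocabulary.
SAMPLE_EVENTS = [
    {"_time": "2023-05-01T10:00:00", "EventCode": 4720, "dest": "WS01", "user": "svc_tmp", "src_user": "Administrator"},
    {"_time": "2023-05-01T10:07:30", "EventCode": 4726, "dest": "WS01", "user": "svc_tmp", "src_user": "Administrator"},
    {"_time": "2023-05-01T09:00:00", "EventCode": 4720, "dest": "WS02", "user": "jdoe", "src_user": "hr_onboard"},
    {"_time": "2023-05-03T09:00:00", "EventCode": 4726, "dest": "WS02", "user": "jdoe", "src_user": "hr_onboard"},
    # Deletion with no creation in the data: must not produce a finding.
    {"_time": "2023-05-01T11:00:00", "EventCode": 4726, "dest": "WS03", "user": "orphan", "src_user": "Administrator"},
    # Re-creation of svc_tmp with no later deletion: must not produce a finding.
    {"_time": "2023-05-01T12:00:00", "EventCode": 4720, "dest": "WS01", "user": "svc_tmp", "src_user": "Administrator"},
]


def _parse_time(ts):
    return datetime.fromisoformat(ts)


def find_short_lived_accounts(events, max_lifetime_seconds=3600):
    """Return one finding per (host, account) whose creation was followed by a
    deletion within max_lifetime_seconds. Events may arrive in any order; they
    are sorted per account so each deletion pairs with the latest creation
    that precedes it."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["EventCode"] in (EVENT_CREATED, EVENT_DELETED):
            by_account[(ev["dest"], ev["user"])].append(ev)

    findings = []
    for (dest, user), evs in sorted(by_account.items()):
        evs.sort(key=lambda e: _parse_time(e["_time"]))
        pending_create = None
        for ev in evs:
            if ev["EventCode"] == EVENT_CREATED:
                # A later creation supersedes an earlier unmatched one.
                pending_create = ev
            elif pending_create is not None:
                lifetime = (_parse_time(ev["_time"]) - _parse_time(pending_create["_time"])).total_seconds()
                if lifetime <= max_lifetime_seconds:
                    findings.append({
                        "dest": dest,
                        "user": user,
                        "created": pending_create["_time"],
                        "deleted": ev["_time"],
                        "lifetime_seconds": lifetime,
                        "created_by": pending_create["src_user"],
                        "deleted_by": ev["src_user"],
                    })
                pending_create = None
            # A deletion with no pending creation is ignored: the account was
            # created outside the data we have, so no lifetime can be computed.
    return findings


if __name__ == "__main__":
    for f in find_short_lived_accounts(SAMPLE_EVENTS):
        print(f"{f['dest']}\\{f['user']}: lived {f['lifetime_seconds']:.0f}s "
              f"(created by {f['created_by']}, deleted by {f['deleted_by']})")
```

Two points carry over to the production analytic regardless of where it runs: the pairing must be keyed on host as well as account name, since the same local account name legitimately exists on many endpoints, and a deletion without a visible creation should be dropped rather than treated as zero lifetime, otherwise the detection fires on every deletion that predates log retention.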

    © 2023 Splunk Threat Research Team (STRT). Powered by Jekyll & Minimal Mistakes.