Splunk Identifier Activity Analysis

Description

Accepts a file_hash, domain, IP address, or URL, and asks Splunk for a list of devices that have interacted with each. It then produces a normalized output and summary table.

Type: Investigation
Product: Splunk SOAR
Apps: Splunk
Last Updated: 2023-03-31
Author: Lou Stella, Splunk; Kelby Shelton, Splunk
ID: 5299b9dc-e8c4-46ba-d942-92ace0ff816d
Use-cases:
- Enrichment

Associated Detections

How To Implement

This input playbook requires the Splunk connector to be configured. It is designed to work in conjunction with the Dynamic Identifier Activity Analysis playbook or other playbooks in the same style.

D3FEND

ID	Technique	Definition	Category
D3-IAA	Identifier Activity Analysis	Taking known malicious identifiers and determining if they are present in a system.	Identifier Analysis

Splunk Identifier Activity Analysis

Description

Associated Detections

How To Implement

D3FEND

Explore Playbook

Required field

Reference

You May Also Enjoy

O365 New Forwarding Mailflow Rule Created

Okta Successful Single Factor Authentication

Windows Unsigned MS DLL Side-Loading

Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path