Security Monitoring Analytic Stories

Name Data Sources Tactics Products Date
Suspicious AWS Login Activities aws icon AWS CloudTrail ConsoleLogin, AWS CloudTrail Defense Evasion Initial Access Persistence Privilege Escalation Resource Development Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Collection and Staging windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688 Collection Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
AWS IAM Privilege Escalation aws icon AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateAccessKey, AWS CloudTrail CreateLoginProfile, AWS CloudTrail CreatePolicyVersion, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DeleteGroup, AWS CloudTrail DeletePolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail SetDefaultPolicyVersion, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail UpdateLoginProfile, AWS CloudTrail Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Suspicious Cloud Authentication Activities aws icon AWS CloudTrail Credential Access Defense Evasion Resource Development Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring Execution Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-01-08
Kubernetes Security kubernetes icon Kubernetes Audit, Kubernetes Falco Credential Access Discovery Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-12-06
Windows Attack Surface Reduction windows icon Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007 Defense Evasion Execution Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-11-27
Zscaler Browser Proxy Threats Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-25
Suspicious AWS S3 Activities aws icon AWS CloudTrail CreateTask, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, AWS CloudTrail Collection Exfiltration Impact Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-04-24
Azure Active Directory Privilege Escalation azure icon Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Credential Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-04-24
Windows Post-Exploitation windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688 Collection Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-30
AWS Identity and Access Management Account Takeover aws icon AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-08-19
AWS Defense Evasion aws icon AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogGroup, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteTrail, AWS CloudTrail DeleteWebACL, AWS CloudTrail PutBucketLifecycle, AWS CloudTrail StopLogging, AWS CloudTrail UpdateTrail Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-07-15
Living Off The Land windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-03-16
Linux Post-Exploitation linux icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Execution Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-12-03
Information Sabotage windows icon Windows Event Log Security 5145 Exfiltration Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Behavioral Analytics 2021-11-17
Dev Sec Ops aws icon AWS CloudTrail DescribeImageScanFindings, AWS CloudTrail PutImage, CircleCI, G Suite Drive, G Suite Gmail, GitHub Credential Access Discovery Execution Exfiltration Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-08-18
Cloud Federated Credential Abuse windows icon AWS CloudTrail AssumeRoleWithSAML, AWS CloudTrail UpdateSAMLProvider, CrowdStrike ProcessRollup2, O365 Add app role assignment grant to user., O365 UserLoginFailed, O365, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688 Credential Access Defense Evasion Initial Access Persistence Privilege Escalation Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-01-26
Office 365 Detections N/A Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-12-16
Suspicious Cloud User Activities aws icon AWS CloudTrail Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-09-04
GCP Cross Account Activity Defense Evasion Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-09-01
Suspicious Cloud Instance Activities aws icon AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail Defense Evasion Exfiltration Initial Access Persistence Privilege Escalation Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-08-25
Suspicious GCP Storage Activities Collection Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-08-05
AWS Security Hub Alerts aws icon AWS Security Hub N/A Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-08-04
Kubernetes Sensitive Role Activity N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-05-20
Kubernetes Sensitive Object Access Activity N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-05-20
Kubernetes Scanning Activity Discovery Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-04-15
Suspicious Okta Activity Okta Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-04-02
Container Implantation Monitoring and Investigation N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-20
Disabling Security Tools windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
Cloud Cryptomining aws icon AWS CloudTrail Defense Evasion Initial Access Persistence Privilege Escalation Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2019-10-02
Dynamic DNS windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 Command And Control Exfiltration Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-09-06
Suspicious Cloud Provisioning Activities aws icon AWS CloudTrail Defense Evasion Initial Access Persistence Privilege Escalation Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-08-20
AWS Cross Account Activity Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-06-04
Command And Control windows icon CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 Command And Control Exfiltration Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-06-01
AWS Network ACL Activity aws icon AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail DeleteNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry Defense Evasion Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-05-21
Suspicious AWS Traffic N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-05-07
Unusual AWS EC2 Modifications Defense Evasion Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-04-09
AWS Suspicious Provisioning Activities Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-03-16
AWS User Monitoring aws icon AWS CloudTrail Defense Evasion Discovery Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-03-12
AWS Cryptomining Defense Evasion Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-03-08
Suspicious AWS EC2 Activities Defense Evasion Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-02-09
Spectre And Meltdown Vulnerabilities N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-01-08
Use of Cleartext Protocols N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-15
Data Protection windows icon Sysmon EventID 22 Exfiltration Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-14
Asset Tracking N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-13
Router and Infrastructure Security Collection Credential Access Defense Evasion Exfiltration Impact Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-12
Windows Log Manipulation windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688 Defense Evasion Impact Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-12
Prohibited Traffic Allowed or Protocol Mismatch windows icon Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 22 Command And Control Exfiltration Initial Access Lateral Movement Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-11
DNS Amplification Attacks Impact Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2016-09-13