Application

Name Technique Datamodel
Detect New Login Attempts to Routers None Authentication
Detect Risky SPL using Pretrained ML Model Command and Scripting Interpreter Splunk_Audit
Email Attachments With Lots Of Spaces None Email
Email files written outside of the Outlook directory Email Collection, Local Email Collection Endpoint
Email servers sending high volume traffic to hosts Email Collection, Remote Email Collection Network_Traffic
Monitor Email For Brand Abuse None Email
Multiple Okta Users With Invalid Credentials From The Same IP Valid Accounts, Default Accounts None
No Windows Updates in a time frame None Updates
Okta Account Locked Out Brute Force None
Okta Account Lockout Events Valid Accounts, Default Accounts None
Okta Failed SSO Attempts Valid Accounts, Default Accounts None
Okta MFA Exhaustion Hunt Brute Force None
Okta New API Token Created Valid Accounts, Default Accounts None
Okta New Device Enrolled on Account Valid Accounts, Default Accounts None
Okta Risk Threshold Exceeded Valid Accounts, Brute Force Risk
Okta Suspicious Activity Reported Valid Accounts, Default Accounts None
Okta ThreatInsight Threat Detected Valid Accounts, Default Accounts None
Okta Two or More Rejected Okta Pushes Brute Force None
Okta User Logins From Multiple Cities Valid Accounts, Default Accounts None
Path traversal SPL injection File and Directory Discovery None
Splunk Account Discovery Drilldown Dashboard Disclosure Account Discovery None
Splunk Code Injection via custom dashboard leading to RCE Exploitation of Remote Services None
Splunk Command and Scripting Interpreter Delete Usage Command and Scripting Interpreter Splunk_Audit
Splunk Command and Scripting Interpreter Risky Commands Command and Scripting Interpreter Splunk_Audit
Splunk Command and Scripting Interpreter Risky SPL MLTK Command and Scripting Interpreter Splunk_Audit
Splunk Data exfiltration from Analytics Workspace using sid query Exfiltration Over Web Service None
Splunk Digital Certificates Infrastructure Version Digital Certificates None
Splunk Digital Certificates Lack of Encryption Digital Certificates None
Splunk DoS via Malformed S2S Request Network Denial of Service None
Splunk Endpoint Denial of Service DoS Zip Bomb Endpoint Denial of Service None
Splunk Process Injection Forwarder Bundle Downloads Process Injection None
Splunk Protocol Impersonation Weak Encryption Configuration Protocol Impersonation None
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature Exploitation of Remote Services None
Splunk Reflected XSS in the templates lists radio Drive-by Compromise None
Splunk Stored XSS via Data Model objectName field Drive-by Compromise None
Splunk User Enumeration Attempt Valid Accounts None
Splunk XSS in Monitoring Console Drive-by Compromise None
Splunk XSS in Save table dialog header in search page Drive-by Compromise None
Splunk protocol impersonation weak encryption selfsigned Digital Certificates None
Splunk protocol impersonation weak encryption simplerequest Digital Certificates None
Suspicious Email Attachment Extensions Spearphishing Attachment, Phishing Email
Suspicious Java Classes None None
Web Servers Executing Suspicious Processes System Information Discovery Endpoint

Endpoint

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Back to Top ↑

Cloud

Back to Top ↑

Deprecated

Back to Top ↑

Application

Back to Top ↑

Network

Detect ARP Poisoning

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning

Back to Top ↑

Web

Back to Top ↑