Splunk Use Cases (Part 4)
31- Create Remote Thread into LSASS
Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials.
`sysmon` EventID=8 TargetImage=*lsass.exe | stats count...
Splunk Use Cases (Part 3)
21- Attempt To Add Certificate To Untrusted Store
Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not...
Splunk Use Cases (Part 2)
11- Basic TOR Traffic Detection
Use firewall data to find TOR traffic on your network.
index=network sourcetype=firewall_data app=tor src_ip=*
| table _time src_ip src_port dest_ip dest_port bytes app
12- Measuring Storage I/O...
Splunk Use Cases (Part 1)
1- Windows Audit Log Tampering
Check for any tampering done to Windows audit logs.
index=__your_sysmon_index__ (sourcetype=wineventlog AND (EventCode=1102 OR EventCode=1100)) OR (sourcetype=wineventlog AND EventCode=104)
| stats count by _time EventCode Message...
Intrusion Prevention System (IPS) In-depth Analysis – A Detailed Guide
Like an intrusion detection system (IDS), an intrusion prevention system (IPS) screens network traffic. An Intrusion Prevention System (IPS) is a framework that screens a network for evil...
Configuring the MariaDB Audit Logs for Database Security
There are different ways to keep your data safe. Practices such as controlling database access, securing configuration, upgrading your system, and more are part of database security. MariaDB...