
Splunk Use Case Repository

Sept 29th 2016

Copyright 2016

The information transmitted in this document is intended only for the addressee and may contain
confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use
of or taking of any action upon this information by persons or entities other than the intended recipient is
prohibited by law and may subject them to criminal or civil liability.
Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial,
contractual and special marketing information, ideas, technical data and concepts originated by the disclosing
party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public,
not previously available without restriction to the receiving party or others, nor normally furnished to others
without compensation, and which the disclosing party desires to protect against unrestricted disclosure or
competitive use, and which is furnished pursuant to this document and appropriately identified as being
proprietary when furnished.
Copyright 2016 Splunk, Inc. All rights reserved. The Splunk logo is a registered trademark of Splunk. All
other products and company names mentioned herein are trademarks or registered trademarks of their
respective owners.

Version Control
SECURITY PROGRAM REVIEW
Client Name: None
Client Contact:
Document Issue No: 2.1
Author(s): Ryan Faircloth
Delivery Date: July 20th 2016
Data Classification: Proprietary

Splunk, Inc.
250 Brannan Street, 2nd Floor
San Francisco, CA 94107

+1.415.568.4200 (Main)
+1.415.869.3906 (Fax)
www.splunk.com

Professional Services/Security Use Case Workshop


The use case development workshop is designed to help the customer catalog the business drivers and requirements that guide the customer delivery team, assisted by Splunk Consultants, in delivering a solution that meets the customer's needs and budget. Using the information gained from the workshop, the project team will deliver a prioritized list of data sources for onboarding and of use cases for adoption by the cyber security operations team.

Preparation
Identify essential and beneficial staff per session based on the agenda that follows
Secure meeting space
Minimize meeting location changes; moving rooms is disruptive to progress and contributes to no-shows
Adequate seating for attendees
One, preferably two, projectors/screens
Guest Wi-Fi
Whiteboards
Splunk will provide a WebEx session, use digital whiteboards, and record the sessions unless the customer objects; the recording is used to review and enrich notes when preparing deliverables and is not required if the customer is uncomfortable with it
Collect supporting documentation electronically
All applicable internal policies and supporting standards, such as:
Information Resource Classification
Information Retention and Destruction
Infrastructure logging and configuration
Database logging and configuration
Application logging and configuration
Inventory of standards with logging and monitoring requirements applicable to your business
Internal audit/self-assessment reports for applicable security standards such as PCI/SOX/HIPAA, including current draft reports
External audit/self-assessment reports for applicable security standards such as PCI/SOX/HIPAA
Identify the following project roles and schedule them for attendance:
Project Manager
Senior Business Analyst
Senior Technical Analyst/Architect
Senior Security Analyst
Test Lead
Executive Sponsor
Executive Stakeholders or immediate deputies
Compliance Analysts
Internal Assessors

Typical Agenda: 3 days


The following agenda can be modified collaboratively if needed. Our experience is that blocks of time must be left between sessions and at the start/end of each day to avoid walk-outs when urgent business needs arise during the day.
Opening Session 9:30-11:00 (all participants)
Opening and personal introductions, roles and responsibilities (all)
Presentation of the workshop methodology (Splunk)
Executive round table: discuss formal and informal project drivers, other goals, and success criteria
Review audit findings, addressable items, and mandated remediations
Review prior-year penetration test findings
Review burdensome existing compliance and reporting activities
Working Sessions: each session presents a set of use cases to the team for joint evaluation and prioritization against the criteria developed in the opening session. Each session requires a representative with relevant experience in the domain who is empowered to set priority within the bounds given. A deputy for each executive stakeholder should attend the working sessions; additional participants are welcome.
Working Session #1 D1 11:00-13:00 (with 1 hour lunch)
Review out-of-the-box use cases for Enterprise Security
Identify and catalog required data, enrichment, and applicable use cases
Working Session #2 D1 13:00-16:00
Review Professional Services/customer-developed security use cases
Identify and catalog required data, enrichment, and applicable use cases
Working Session #3 D2 9:30-12:00
Identify and catalog required data, enrichment, and applicable use cases for gap areas in the enterprise endpoint estate
Working Session #4 D2 13:00-15:00
Identify and catalog required data, enrichment, and applicable use cases for gap areas in the enterprise network estate
Working Session #5 D3 9:30-12:00
Review tabled items from prior sessions; interview stakeholders identified in prior sessions but not previously scheduled
Review Session 14:00-16:00
Review items captured
Re-sort priorities based on later learning

1. Value Narrative and Use Case Repository . . . . . . . . . . 5


1.1 Adoption Motivations . . . . . . . . . . 11
1.1.1 Motivating Problem Type View . . . . . . . . . . 12
1.1.1.1 PRT01-Compliance . . . . . . . . . . 14
1.1.1.1.1 PRT01Compliance-PCI . . . . . . . . . . 17
1.1.1.1.2 PRT02Compliance-NercCIP . . . . . . . . . . 23
1.1.1.1.3 PRT03Compliance-NIST Cyber Security Framework . . . . . . . . . . 27
1.1.1.1.4 PRT04-FFIEC . . . . . . . . . . 34
1.1.1.2 PRT02-SecurityVisibility . . . . . . . . . . 35
1.1.1.2.1 PRT02-IdentifyPatientZero . . . . . . . . . . 36
1.1.1.2.2 PRT02-SecurityVisibilityEndpointMalware . . . . . . . . . . 37
1.1.1.2.3 PRT02-SecurityVisibilityExfiltration . . . . . . . . . . 39
1.1.1.2.4 PRT02-SecurityVisibilityLateralMovement . . . . . . . . . . 40
1.1.1.2.5 PRT02-SecurityVisibilityPhishingAttack . . . . . . . . . . 41
1.1.1.2.6 PRT02-SecurityVisibilityPriviledgeUserMonitoring . . . . . . . . . . 42
1.1.1.2.7 PRT02-SecurityVisibilityUserActivity . . . . . . . . . . 43
1.1.1.2.8 PRT02-SecurityVisibilityZeroDayAttacks . . . . . . . . . . 45
1.1.1.2.9 PRT02-SecurityVisiblityWebbait . . . . . . . . . . 46
1.1.1.3 PRT03-PeerAdoption . . . . . . . . . . 47
1.1.1.3.1 PRT03-PeerAdoption-Phase1-Essentials . . . . . . . . . . 48
1.1.1.3.2 PRT03-PeerAdoption-Phase2-Maturing . . . . . . . . . . 50
1.1.1.3.3 PRT03-PeerAdoption-Phase3-Mature . . . . . . . . . . 57
1.1.1.3.4 PRT03-PeerAdoption-Phase4-Edge . . . . . . . . . . 59
1.1.1.4 PRT04-ProcessEffectivness . . . . . . . . . . 61
1.1.1.4.1 PRT04-ProcessEffectivness-HuntPaths . . . . . . . . . . 62
1.1.1.5 PRT05-Tactical Threat . . . . . . . . . . 63
1.1.1.5.1 PRT05-TacticalThreat-InsiderThreat . . . . . . . . . . 64
1.1.1.5.2 PRT05-TacticalThreat-Ransomeware . . . . . . . . . . 66
1.1.1.5.3 PRT05-TacticalThreat-SpearphishingCampaign . . . . . . . . . . 69
1.1.1.6 PRT06-SecureConfigurationMgmt . . . . . . . . . . 70
1.1.1.6.1 PRT06-SecureConfigurationMgmtUpdateManagement . . . . . . . . . . 71
1.1.1.6.2 PRT06-SecureConfigurationMgmtVulnerability . . . . . . . . . . 72
1.1.1.7 PRT07-SpecialRequests . . . . . . . . . . 73
1.1.1.7.1 PRT07-SpecialRequests-Creative . . . . . . . . . . 74
1.1.1.8 PRT08-ProductAdoption . . . . . . . . . . 75
1.1.1.8.1 PRT08-ProductAdoption-ES . . . . . . . . . . 76
1.1.2 Motivating Risk View Perspective . . . . . . . . . . 89
1.1.2.1 RV1-AbuseofAccess . . . . . . . . . . 90
1.1.2.2 RV2-Access . . . . . . . . . . 93
1.1.2.3 RV3-MaliciousCode . . . . . . . . . . 95
1.1.2.4 RV4-ScanProbe . . . . . . . . . . 98
1.1.2.5 RV5-DenialofService . . . . . . . . . . 100
1.1.2.6 RV6-Misconfiguration . . . . . . . . . . 101
1.1.3 Supporting Data View . . . . . . . . . . 103
1.1.3.1 DS001MAIL . . . . . . . . . . 105
1.1.3.2 DS002DNS . . . . . . . . . . 107
1.1.3.3 DS003Authentication . . . . . . . . . . 110
1.1.3.4 DS004EndPointAntiMalware . . . . . . . . . . 120
1.1.3.5 DS005WebProxyRequest . . . . . . . . . . 124
1.1.3.6 DS006UserActivity . . . . . . . . . . 127
1.1.3.7 DS007AuditTrail . . . . . . . . . . 130
1.1.3.8 DS008HRMasterData . . . . . . . . . . 132
1.1.3.9 DS009EndPointIntel . . . . . . . . . . 134
1.1.3.10 DS010NetworkCommunication . . . . . . . . . . 137
1.1.3.11 DS011MalwareDetonation . . . . . . . . . . 142
1.1.3.12 DS012NetworkIntrusionDetection . . . . . . . . . . 147
1.1.3.13 DS013TicketManagement . . . . . . . . . . 149
1.1.3.14 DS014WebServer . . . . . . . . . . 151
1.1.3.15 DS015ConfigurationManagement . . . . . . . . . . 153
1.1.3.16 DS016DataLossPrevention . . . . . . . . . . 155
1.1.3.17 DS017PhysicalSecurity . . . . . . . . . . 156
1.1.3.18 DS018VulnerabilityDetection . . . . . . . . . . 157
1.1.3.19 DS019PatchManagement . . . . . . . . . . 158
1.1.3.20 DS020HostIntrustionDetection . . . . . . . . . . 159
1.1.3.21 DS021Telephony . . . . . . . . . . 161
1.1.3.22 DS022Performance . . . . . . . . . . 162
1.1.3.23 DS023CrashReporting . . . . . . . . . . 163
1.1.3.24 DS024ApplicationServer . . . . . . . . . . 164
1.1.4 Supporting Event Type View . . . . . . . . . . 165
1.1.4.1 DS001Mail-ET01Access . . . . . . . . . . 166
1.1.4.2 DS001Mail-ET02Receive . . . . . . . . . . 167
1.1.4.3 DS001Mail-ET03Send . . . . . . . . . . 168

1.1.4.4 DS002DNS-ET01Query . . . . . . . . . . 169
1.1.4.4.1 DS002DNS-ET01QueryRequest . . . . . . . . . . 171
1.1.4.4.2 DS002DNS-ET01QueryResponse . . . . . . . . . . 172
1.1.4.5 DS003Authentication-ET01Success . . . . . . . . . . 173
1.1.4.6 DS003Authentication-ET02Failure . . . . . . . . . . 176
1.1.4.6.1 DS003Authentication-ET02FailureBadFactor . . . . . . . . . . 177
1.1.4.6.2 DS003Authentication-ET02FailureError . . . . . . . . . . 178
1.1.4.6.3 DS003Authentication-ET02FailureUnknownAccount . . . . . . . . . . 179
1.1.4.7 DS004EndPointAntiMalware-ET01SigDetected . . . . . . . . . . 180
1.1.4.8 DS004EndPointAntiMalware-ET02UpdatedSig . . . . . . . . . . 183
1.1.4.9 DS004EndPointAntiMalware-ET03UpdatedEng . . . . . . . . . . 184
1.1.4.10 DS005WebProxyRequest-ET01Requested . . . . . . . . . . 185
1.1.4.10.1 DS005WebProxyRequest-ET01RequestedWebAppAware . . . . . . . . . . 186
1.1.4.11 DS005WebProxyRequest-ET02Connect . . . . . . . . . . 187
1.1.4.12 DS006UserActivity-ET01List . . . . . . . . . . 188
1.1.4.13 DS006UserActivity-ET02Read . . . . . . . . . . 189
1.1.4.14 DS006UserActivity-ET03Create . . . . . . . . . . 190
1.1.4.15 DS006UserActivity-ET04Update . . . . . . . . . . 191
1.1.4.16 DS006UserActivity-ET05Delete . . . . . . . . . . 192
1.1.4.17 DS006UserActivity-ET06Search . . . . . . . . . . 193
1.1.4.18 DS006UserActivity-ET07ExecuteAs . . . . . . . . . . 194
1.1.4.19 DS007AuditTrail-ET01Clear . . . . . . . . . . 195
1.1.4.20 DS007AuditTrail-ET02Alter . . . . . . . . . . 196
1.1.4.21 DS007AuditTrail-ET03TimeSync . . . . . . . . . . 197
1.1.4.22 DS008HRMasterData-ET01Joined . . . . . . . . . . 198
1.1.4.23 DS008HRMasterData-ET02SeperationNotice . . . . . . . . . . 199
1.1.4.24 DS008HRMasterData-ET03SeperationImmediate . . . . . . . . . . 200
1.1.4.25 DS009EndPointIntel-ET01ObjectChange . . . . . . . . . . 201
1.1.4.26 DS009EndPointIntel-ET01ProcessLaunch . . . . . . . . . . 202
1.1.4.27 DS010NetworkCommunication-ET01Traffic . . . . . . . . . . 203
1.1.4.27.1 DS010NetworkCommunication-ET01TrafficAppAware . . . . . . . . . . 205
1.1.4.28 DS010NetworkCommunication-ET02State . . . . . . . . . . 207
1.1.4.29 DS011MalwareDetonation-ET01Detection . . . . . . . . . . 208
1.1.4.30 DS012NetworkIntrusionDetection-ET01SigDetection . . . . . . . . . . 212
1.1.4.31 DS013TicketManagement-ET01 . . . . . . . . . . 214
1.1.4.32 DS014WebServer-ET01Access . . . . . . . . . . 216
1.1.4.33 DS015ConfigurationManagement-ET01General . . . . . . . . . . 218
1.1.4.34 DS016DataLossPrevention-ET01Violation . . . . . . . . . . 219
1.1.4.35 DS017PhysicalSecurity-ET01Access . . . . . . . . . . 220
1.1.4.36 DS018VulnerabilityDetection-ET01SigDetected . . . . . . . . . . 221
1.1.4.37 DS019PatchManagement-Applied . . . . . . . . . . 222
1.1.4.38 DS019PatchManagement-Eligable . . . . . . . . . . 223
1.1.4.39 DS019PatchManagement-Failed . . . . . . . . . . 224
1.1.4.40 DS020HostIntrustionDetection-ET01SigDetected . . . . . . . . . . 225
1.1.4.41 DS021Telephony-ET01CDR . . . . . . . . . . 227
1.1.4.42 DS022Performance-ET01General . . . . . . . . . . 228
1.1.4.43 DS023CrashReporting-ET01General . . . . . . . . . . 229
1.1.4.44 DS024ApplicationServer-ET01General . . . . . . . . . . 230
1.1.5 Technology Provider View . . . . . . . . . . 231
1.1.5.1 PT001-Microsoft-Exchange . . . . . . . . . . 232
1.1.5.2 PT002-Splunk-Stream . . . . . . . . . . 234
1.1.5.2.1 PT002-Splunk-Stream-DHCP . . . . . . . . . . 235
1.1.5.2.2 PT002-Splunk-Stream-DNS . . . . . . . . . . 236
1.1.5.2.3 PT002-Splunk-Stream-SMTP . . . . . . . . . . 237
1.1.5.3 PT003-ExtraHop . . . . . . . . . . 238
1.1.5.3.1 PT003-ExtraHop-DNS . . . . . . . . . . 239
1.1.5.3.2 PT003-ExtraHop-SMTP . . . . . . . . . . 240
1.1.5.4 PT004-McAfee Web Gateway . . . . . . . . . . 241
1.1.5.5 PT005-Microsoft-Windows . . . . . . . . . . 242
1.1.5.6 PT006-PaloAlto Firewall . . . . . . . . . . 244
1.1.5.7 PT008-Snort . . . . . . . . . . 245
1.1.5.8 PT009-SourceFire . . . . . . . . . . 246
1.1.5.9 PT010-Websense . . . . . . . . . . 247
1.1.5.10 PT011-Bluecoat . . . . . . . . . . 248
1.1.5.11 PT012-Splunk-InternalLogging . . . . . . . . . . 249
1.1.5.12 PT013-ISCBIND-DNS . . . . . . . . . . 250
1.1.5.13 PT014-PhysicalAccessControl . . . . . . . . . . 251
1.1.5.14 PT015-Linux-Deb/RH . . . . . . . . . . 252
1.1.5.15 PT016-Cisco-ASA/PIX/FWSM . . . . . . . . . . 253
1.1.5.16 PT017-Trend-TippingPoint . . . . . . . . . . 255
1.1.6 Enrichment Data View . . . . . . . . . . 256
1.1.6.1 DE001AssetInformation . . . . . . . . . . 257

1.1.6.2 DE002IdentityInformation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259


1.2 Adoption Narratives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
1.2.1 Adoptable Compliance and Security Narratives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
1.2.1.1 UC0001 Detection of new/prohibited web application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
1.2.1.2 UC0002 Detection of prohibited protocol (application) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
1.2.1.3 UC0003 Server generating email outside of approved usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
1.2.1.4 UC0004 Excessive number of emails sent from internal user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
1.2.1.5 UC0005 System modification to insecure state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
1.2.1.6 UC0006 Windows security event log purged . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
1.2.1.7 UC0007 Account logon successful method outside of policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
1.2.1.8 UC0008 Activity on previously inactive account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
1.2.1.9 UC0009 Authenticated communication from a risky source network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
1.2.1.10 UC0010 Detect unauthorized use of remote access technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
1.2.1.11 UC0011 Improbable distance between logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
1.2.1.12 UC0012 Increase risk score of employees once adverse separation is identified or anticipated . . . . . . . . . 276
1.2.1.13 UC0013 Monitor change for high value groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
1.2.1.14 UC0014 Monitor use attempts of human accounts once primary account is expired, disabled or deleted . . 278
1.2.1.15 UC0015 Privileged user accessing more than expected number of machines in period . . . . . . . . . . . . . . . 279
1.2.1.16 UC0016 Successfully authenticated computer accounts accessing network resources . . . . . . . . . . . . . . . . 280
1.2.1.17 UC0017 Unauthorized access or risky use of NHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
1.2.1.18 UC0018 Unauthorized access SSO brute force . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
1.2.1.19 UC0019 User authenticated to routine business systems while on extended absence . . . . . . . . . . . . . . . . 283
1.2.1.20 UC0020 Attempted communication through external firewall not explicitly granted . . . . . . . . . . . . . . . . . . . 284
1.2.1.21 UC0021 Communication outbound to regions without business relationship . . . . . . . . . . . . . . . . . . . . . . . . 285
1.2.1.22 UC0022 Endpoint communicating with an excessive number of unique hosts . . . . . . . . . . . . . . . . . . . . . . . 286
1.2.1.23 UC0023 Endpoint communicating with an excessive number of unique ports . . . . . . . . . . . . . . . . . . . . . . . 287
1.2.1.24 UC0024 Endpoint communicating with external service identified on a threat list. . . . . . . . . . . . . . . . . . . . . 288
1.2.1.25 UC0025 Endpoint Multiple devices in 48 hours in the same site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
1.2.1.26 UC0026 Endpoint Multiple devices in 48 hours in the same subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
1.2.1.27 UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit . . . . . . . . 291
1.2.1.28 UC0028 Endpoint Multiple infections over short time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
1.2.1.29 UC0029 Endpoint new malware detected by signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
1.2.1.30 UC0030 Endpoint uncleaned malware detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
1.2.1.31 UC0031 Non human account starting processes not associated with the purpose of the account . . . . . . . 297
1.2.1.32 UC0032 Brute force authentication attempt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
1.2.1.33 UC0033 Brute force authentication attempt distributed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
1.2.1.34 UC0034 Brute force successful authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
1.2.1.35 UC0035 Compromised account access testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
1.2.1.36 UC0036 Compromised account access testing (Critical/Sensitive Resource) . . . . . . . . . . . . . . . . . . . . . . . 302
1.2.1.37 UC0037 Network Intrusion External - New Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
1.2.1.38 UC0038 Excessive use of Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
1.2.1.39 UC0039 Use of Shared Secret for access to critical or sensitive system . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
1.2.1.40 UC0040 Use of Shared Secret for or by automated process with risky attributes . . . . . . . . . . . . . . . . . . . . 306
1.2.1.41 UC0041 SSH v1 detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
1.2.1.42 UC0042 SSH Authentication using unknown key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
1.2.1.43 UC0043 Direct Authentication to NHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
1.2.1.44 UC0044 Network authentication using password auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
1.2.1.45 UC0045 Local authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
1.2.1.46 UC0046 Endpoint failure to sync time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
1.2.1.47 UC0047 Communication with newly seen domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
1.2.1.48 UC0049 Detection of DNS Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
1.2.1.49 UC0051 Excessive physical access failures to CIP assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
1.2.1.50 UC0052 Non-CIP user attempts to access CIP asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
1.2.1.51 UC0065 Malware detected compliance asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
1.2.1.52 UC0071 Improbably short time between Remote Authentications with IP change . . . . . . . . . . . . . . . . . . . . 322
1.2.1.53 UC0072 Detection of unauthorized using DNS resolution for WPAD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
1.2.1.54 UC0073 Endpoint detected malware infection from url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
1.2.1.55 UC0074 Network Intrusion Internal Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
1.2.1.56 UC0075 Network Malware Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
1.2.1.57 UC0076 Excessive DNS Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
1.2.1.58 UC0077 Detection Risky Referral Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
1.2.1.59 UC0079 Use of accountable privileged identity to access new or rare sensitive resource . . . . . . . . . . . . . . 331
1.2.1.60 UC0080 Trusted Individual exceeds authorization in observation of other users . . . . . . . . . . . . . . . . . . . . . 333
1.2.1.61 UC0081 Communication with unestablished domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
1.2.1.62 UC0082 Communication with enclave by default rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
1.2.1.63 UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule . . . . . . 336
1.2.1.64 UC0084 Monitor Execution of Triage Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
1.2.1.65 UC0085 Alert per host where web application logs indicate a source IP not classified as WAF . . . . . . . . . 338
1.2.1.66 UC0086 Detect Multiple Primary Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
1.2.1.67 UC0087 Malware signature not updated by SLA for compliance asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
1.2.1.68 UC0088 User account sharing detection by source device ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
1.2.1.69 UC0089 Detection of Communication with Algorithmically Generated Domain . . . . . . . . . . . . . . . . . . . . . . 342
1.2.1.70 UC0090 User account cross enclave access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
1.2.1.71 UC0091 Validate Execution of Vulnerability Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
1.2.1.72 UC0092 Exception to Approved Flow for Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
1.2.1.73 UC0093 Previously active account has not accessed enclave/lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
1.2.1.74 UC0094 Insecure authentication method detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
1.2.2 Adoptable IT Operations Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
1.2.2.1 Enterprise Service Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
1.2.2.1.1 ITOAUC-0001 Enterprise Service Availability Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
1.2.2.1.2 ITOAUC-0002 Enterprise Service Availability Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
1.2.3 Product Enterprise Security Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
1.2.3.1 UCESS002 Abnormally High Number of Endpoint Changes By User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
1.2.3.2 UCESS003 Abnormally High Number of HTTP Method Events By Src . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
1.2.3.3 UCESS004 Account Deleted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
1.2.3.4 UCESS005 Activity from Expired User Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
1.2.3.5 UCESS006 Anomalous Audit Trail Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
1.2.3.6 UCESS007 Anomalous New Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
1.2.3.7 UCESS008 Anomalous New Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
1.2.3.8 UCESS009 Asset Ownership Unspecified . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
1.2.3.9 UCESS010 Anomalous New Listening Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
1.2.3.10 UCESS011 Brute Force Access Behavior Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
1.2.3.11 UCESS012 Brute Force Access Behavior Detected Over One Day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
1.2.3.12 UCESS013 Cleartext Password At Rest Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
1.2.3.13 UCESS014 Completely Inactive Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
1.2.3.14 UCESS015 Concurrent Login Attempts Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
1.2.3.15 UCESS016 Default Account Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
1.2.3.16 UCESS017 Default Account At Rest Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
1.2.3.17 UCESS018 Excessive DNS Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
1.2.3.18 UCESS019 Excessive DNS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
1.2.3.19 UCESS020 Excessive Failed Logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
1.2.3.20 UCESS021 Excessive HTTP Failure Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
1.2.3.21 UCESS022 Expected Host Not Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
1.2.3.22 UCESS023 Alerts on access attempts that are improbable based on time and geography . . . . . . . . . . . . . 374
1.2.3.23 UCESS024 High Number of Hosts Not Updating Malware Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
1.2.3.24 UCESS025 High Number Of Infected Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
1.2.3.25 UCESS026 High Or Critical Priority Host With Malware Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
1.2.3.26 UCESS027 High or Critical Priority Individual Logging into Infected Machine . . . . . . . . . . . . . . . . . . . . . . . 378
1.2.3.27 UCESS028 High Process Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
1.2.3.28 UCESS030 High Volume of Traffic from High or Critical Host Observed . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
1.2.3.29 UCESS031 Host Sending Excessive Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
1.2.3.30 UCESS032 Host With A Recurring Malware Infection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
1.2.3.31 UCESS033 Host With High Number Of Listening ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
1.2.3.32 UCESS034 Host With High Number Of Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
1.2.3.33 UCESS035 Host With Multiple Infections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
1.2.3.34 UCESS036 Host With Old Infection Or Potential Re-Infection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
1.2.3.35 UCESS037 Inactive Account Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
1.2.3.36 UCESS038 Insecure Or Cleartext Authentication Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
1.2.3.37 UCESS039 Multiple Primary Functions Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
1.2.3.38 UCESS040 Network Change Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
1.2.3.39 UCESS041 Network Device Rebooted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
1.2.3.40 UCESS042 New User Account Created On Multiple Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
1.2.3.41 UCESS043 Outbreak Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
1.2.3.42 UCESS044 Personally Identifiable Information Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
1.2.3.43 UCESS045 Potential Gap in Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
1.2.3.44 UCESS046 Prohibited Process Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
1.2.3.45 UCESS047 Prohibited Service Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
1.2.3.46 UCESS048 Same Error On Many Servers Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
1.2.3.47 UCESS049 Short-lived Account Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
1.2.3.48 UCESS050 Should Timesync Host Not Syncing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
1.2.3.49 UCESS051 Substantial Increase In Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
1.2.3.50 UCESS052 Substantial Increase In Port Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
1.2.3.51 UCESS053 Threat Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
1.2.3.52 UCESS056 Unapproved Port Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
1.2.3.53 UCESS057 Unroutable Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
1.2.3.54 UCESS058 Untriaged Notable Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
1.2.3.55 UCESS059 Unusual Volume of Network Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
1.2.3.56 UCESS060 Vulnerability Scanner Detected (by events) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
1.2.3.57 UCESS061 Vulnerability Scanner Detected (by targets) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
1.2.3.58 UCESS062 Watchlisted Event Observed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
1.2.3.59 UCESS063 Web Uploads to Non-corporate Sites by Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
1.2.4 Product Splunk PCI App Security Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Value Narrative and Use Case Repository


Purpose
A narrative defining a business-impacting problem and a logical solution are the essential elements of each use case in the repository. Each
narrative is cataloged using a number of fields that make it searchable within the repository. These fields allow the consuming user to
define a rubric for the problem type being addressed and arrive at a number of valid narratives which can be proposed to address the problem at
hand.

Introduction

Target Audience
The repository has a number of well-defined target audiences; as the repository evolves, each group should be better served.
Account Team - Utilizing key terms from customer dialog, identify the value proposition based on customer experiences
Sales Engineering - Cross-reference Core, Premium, third-party, and services solutions to support customer objectives
Professional Services Managers - Better estimate project scope utilizing objective-based planning, with the ability to plan schedule based
on prior experiences
Professional Services Consultant - Better understand what was agreed to and the implementation requirements

Scope
Presently the scope of the repository is focused on addressing motivating problems experienced by leaders in the Information Security and
Compliance markets.

How to Navigate
Reactive
Use of the repository allows the user to work alongside the customer, typically analysts, managers, and architects, to demonstrate value which is
currently being realized or can be realized based on available data sources. Careful consideration should be given to how the narratives are presented;
the amount of information can be overwhelming.
Using the left-hand navigation menu or a shortcut below, begin with one of the following "views":
Supporting Data View - Supporting data represents the types of data utilized to support a solution that eventually achieves a business objective.
These data types can be consumed equally by use case narratives regardless of the underlying technology. In some cases we recognize
that not all technology sources are equal and further define specific "events" and critical fields that must be provided to successfully
implement a narrative. This approach allows the user to head off failure on implementation when a given combination cannot achieve
success.
Technology Provider View - Technology Providers roughly equate to Splunk Technology Add-ons. When working with preexisting
technology implementations, the user can utilize this view to determine what use cases may be possible in a customer environment.

Proactive
Use of the repository allows the user to work alongside the customer, typically executive leaders and senior leaders, to identify the opportunities
within the organization where the greatest value gains can be realized for the smallest opportunity costs. When used in this way the Account team
can begin documenting the motivating problems, ideal solution narratives (use cases), and perceived value early in the relationship. These
artifacts can easily be used by the account team, customer success, and professional services to assist the customer in staying on track to value
delivery and recognition of product value. This approach is summarized as objective-led solution development.
Using the left-hand navigation menu or a shortcut below, begin with one of the following "views":
Motivating Problem Type View - Motivating problems are broad business needs; generally these are targeted at the level of conversation
expected with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the
problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural
missions or objectives with charter and support from all involved.

Copyright 2016, Splunk Inc.


Motivating Risk View Perspective - Risk mitigation is tangential to the traditional view of business value. To address this motivation and
realize value, the customer will place an artificial cost on the occurrence of an event; narratives and solutions will then provide support for the
decision makers to show the broader business leadership that risks are being addressed proactively through the development of
detection and monitoring processes.

How to read the use case narrative


The use case narrative is designed using the Rosetta Stone metaphor: users may approach it from a number of perspectives and
engage in dialog with users of another perspective.

Motivation and Data


The Motivation, Data Source, and Enrichment requirements connect the narrative to the customer's motivation and to the supporting data requirements for
success.

Motivating Problem Type View


Motivating problems are broad business needs; generally these are targeted at the level of conversation
expected with executive leaders and senior leaders in a given organization. Our goal
is to assist in defining the problem to be addressed in such a way as to be clearly understood by all
parties involved. These defined problems can become natural missions or objectives with charter and
support from all involved.
Motivating Risk View Perspective
Risk mitigation is tangential to the traditional view of business value. To address this motivation and
realize value, the customer will place an artificial cost on the occurrence of an event; narratives and
solutions will then provide support for the decision makers to show the broader business leadership that risks
are being addressed proactively through the development of detection and monitoring processes.
Supporting Data View
Supporting data represents the types of data utilized to support a solution that eventually achieves a business
objective. These data types can be consumed equally by use case narratives regardless of the underlying
technology. In some cases we recognize that not all technology sources are equal and further define
specific "events" and critical fields that must be provided to successfully implement a narrative. This
approach allows the user to head off failure on implementation when a given combination cannot achieve
success.
Data Definition - Tracker
Data Definitions for tracking are dynamic lists created by search processes and used to enrich later searches
as search-time lookups.
Data Definition - Enrichment
Dynamic external or static content utilized at search time to provide critical contextual information for
events.

Adoption
The first section of each use case contains a brief descriptive narrative element, followed by adoption phase descriptors. Three types of adoption
phase descriptors are used:


Adoption Phase SME


Adoption Phase SME represents the current status of the narrative in the development life cycle. This
attribute will assist the user and customer in determining the timing of use case implementation.
APS-Accepted The third stage of development, "Accepted", indicates the RFC period has completed and the
narrative is awaiting implementation or pilot.
APS-Obsolete Used when a narrative concept is replaced by one or more new narratives delivering higher
value, or when for external reasons the narrative is no longer relevant to a meaningful number of customers.
APS-Pilot The fifth stage of development indicates one or more customers is testing the narrative concept.
Additional knowledge gained in the pilot may prompt a return to RFC or permit advancement to the next
stage.
APS-POC The fourth stage, "Proof of Concept", allows for testing a narrative using demonstration data or
partial implementation in a live environment before adoption as a pilot.
APS-Productized The third stage of development, "Productized", indicates the RFC period has completed and
the narrative is awaiting implementation or pilot.
APS-Proposed Proposed narrative not yet tested in the field.
APS-ProposedField A proposed narrative based on solutions developed in the field. Reserved for "live"
narratives.
APS-Rejected At any point in the development life cycle a narrative may be rejected. Future developments
in data sources, enrichment, technology, or the concept may permit a rejected narrative to return to the
accepted phase.
APS-Release The final stage of adoption is release; in this phase the narrative is considered complete.
Revisions may occur in the narrative or implementation within the boundaries of the original stated objective.
APS-RFC The second phase in narrative development, Request for Comments, allows interested parties to
provide feedback to enhance the clarity of the narrative, including goals, data sources, enrichment and
addressed problems.

Adoption Phase Customer


The adoption phase of the customer describes the appropriate timing for this narrative in the continuum
of the customer journey.
APC-Edge An edge use case is adopted by a customer for reasons which may be described in the
narrative. These reasons typically motivate customers in specific circumstances to adopt a use case narrative,
though we may not expect adoption by other customers in similar verticals or maturity stages.
APC-Essential An essential use case narrative, when filtered by a Motivating problem, describes a solution
implemented almost by default. These use cases have qualities such as easy implementation, immediate
high value return, or compliance satisfaction as justification for early adoption.
APC-Mature A Mature use case narrative, when filtered by a Motivating problem, describes a solution used to
expand value from existing data sources or to justify the addition of data sources.
APC-Maturing A Maturing use case narrative, when filtered by a Motivating problem, describes a solution
which will present a high value to the customer; however, customer maturity, implementation requirements,
data sources, or complexity would likely cause delays.
APC-Superceded A Superceded use case narrative has been replaced with one or more improved
narratives. The excerpt of the Superceded narrative should be updated to include a direct link to the targets.
APC-Undetermined Adoption phase has yet to be assigned.


Adoption Phase Industry


The adoption phase based on the industry perspective allows the user to estimate how widely known the narrative is, or
how well it could be expected to be received by an audience reasonably well versed in industry trends.
This attribute does not speak to deployment of solutions similar to the narrative and is not scientific.
API-Accepted Narratives described as accepted generally have recognized merit and value within the
industry. These narratives have not yet been widely adopted and represent an opportunity to provide value
not presently obtained from current solutions within the organization.
API-Dated Narratives described as dated will have little emotional appeal and may no longer provide
value when implemented. For customers with legacy needs it may be appropriate to recommend some use
cases from this category.
API-Distinctive Narratives described as distinctive represent utilization of unique capabilities of the Splunk
platform. While it may be possible to implement these narratives without Splunk, factors such
as specialized skill or complexity make implementation impractical.
API-Expected Narratives described as expected could also be described as "must do" and "should do". Adequate
adoption in the industry allows the narrative to justify its own implementation with little convincing of stakeholders
required.
API-Known Narratives described as known would have recognition in the industry. These narratives may still
be controversial but have been presented adequately so as not to be considered foreign concepts.
API-Socializing Narratives described as socializing in the industry are currently being presented at
conferences, spoken about in blogs or other venues, and have not yet made an impression of value with the
industry community.

Qualification
The second section of each use case contains attributes intended to assist the user and customer in evaluating the use case in consideration of
the customer environment, skill sets available and work load generated.

Severity
Severity of any notable event generated (automatically or manually) as a result of discoveries made
utilizing this use case.
SV1 - Low Low severity issues will frequently be trumped by higher priority issues and external workload. In
most organizations low priority issues are frequently aged out without review.
SV2 - Medium Medium severity items must be addressed within the organization's service level agreement;
however, such events may not be an organizational priority. For example, "it will get dealt with, but I may go to
lunch or an unrelated meeting before I actually address it."
SV3 - High High severity notable events will interrupt work for immediate attention. Evaluation of a high
severity event may result in a formal incident and/or escalation. For example, "I will skip meetings and lunch and other
interruptions during the workday to deal with this; however, while I will stay late, I will not come in during the
night or skip my child's recital because of it."
SV4 - Critical Critical severity items require immediate and constant attention until resolved. For example: "I
will work nights and weekends and Christmas morning if necessary to resolve this."

Rate of Detection
Rate of Detection is a non-scientific estimate of the number of occurrences of a specified event.
RATED0-Rare Rare events will occur less than once per day on average.
RATED1-Common Common events may occur a few times per day in a typical environment. It is generally
expected that common events will not overwhelm the operations team.
RATED2-Frequent Frequent events are expected to occur often in a typical environment; this type of event may
overwhelm an operations team without careful tuning and mitigations.
RATED9-Undetermined Adequate information has not yet been presented to determine this value


FIDELITY
The fidelity of a narrative describes the ratio of signal (valid/positive) to noise (invalid/false positive)
anticipated based on field experience.
FIDELITY-High This indicates a relatively high signal to noise ratio, and therefore a lower likelihood of false
positives; it should not require additional searches to validate it.
FIDELITY-Low This indicates a relatively low signal to noise ratio, and therefore a higher likelihood of false
positives. Confidence in the output can be increased through other means (e.g. cross-correlation and/or
subsequent searches).
FIDELITY-Moderate This indicates an unpredictable signal to noise ratio with a bias towards signal, and
therefore a higher likelihood of false positives than High. Confidence in the output can be increased through
other means (e.g. cross-correlation and/or subsequent searches).
FIDELITY-Undetermined Adequate information has not yet been presented to determine this value

System Load
System load estimates the noticeable impact of the narrative on system performance.
LOAD-Excessive Excessive impact to system performance. Careful consideration should be given before
adoption of this use case, such as limiting the scope to essential systems or users.
LOAD-High High impact to system performance. Narratives are expected to require a noticeable amount
of time to execute.
LOAD-Low Low estimated impact to system performance.
LOAD-Moderate Moderate estimated impact to system performance; unlikely to create a perceptible
impact for interactive users, but may contribute to the latency of scheduled searches.
LOAD-Undetermined Adequate information has not yet been presented to determine this value

Analyst Load
Relative level of load or work effort involved in resolution of the notable event.
AnalystLoad-Automation Requires no outside information for triage and can be automated to resolution in
many environments. Where automation is not available these narratives are considered low.
AnalystLoad-High Requires a large amount of time/effort to triage the notable event.
AnalystLoad-Low Requires a small amount of time/effort to triage the notable event.
AnalystLoad-Moderate Requires a moderate amount of time/effort to triage the notable event; triage is
seldom expected to extend beyond the current shift.
AnalystLoad-Undetermined Adequate information has not yet been presented to determine this value.

Implementation Skill
Relative level of skill necessary to implement the use case.
SKILLI-Customer
SKILLI-PS-General
SKILLI-PS-SecurityEnabled
SKILLI-PS-SecuritySpecialist
SKILLI-Undetermined Adequate information has not yet been presented to determine this value.


Use Case Domains
Use case domains reflect the data domain used to support a specific use case. Subject matter expertise
will align closely with each individual domain or sub domain.
The repository will be segmented into domains aligning with those defined within Splunk Enterprise Security.
Use Case Domain - Access Use cases related to the use of access, authorized or unauthorized activity which
may identify a threat to the organization.
Use Case Domain - Endpoint Use cases related to the use or modification of an endpoint device in such a way
that may be a threat to the organization.
Use Case Domain - Identity Use cases using information about an asset or identity to assign the priority, risk
level, impact, and categorization for the object to better inform analysts with context when reviewing notable
events.
Use Case Domain - Network Use cases utilizing data from network communications to identify a threat to the
organization.

Measurement
Each narrative describes appropriate key performance indicators and recommends an appropriate review cadence. Each implementing customer
should utilize the metrics to monitor the effectiveness of each narrative in light of the organization's operational objectives.

Artifacts
Each narrative describes the components of an implemented solution or provides details on the content packages for implementation.


Adoption Motivations
Adoption motivations are an attempt to group together the impetus which drives a potential customer to seek out and/or be open to considering
our solution. Here are a few example motivations:
New functionality required by mandate (compliance requirement, executive directive, etc.)
New functionality requested because one or more pain points have been identified that need to be alleviated
Existing functionality parity required due to a forced replacement (i.e. the existing system is EOL and its functionality must be replaced)


Motivating Problem Type View
Motivating problems are broad business needs; generally these are targeted at the level of conversation expected with executive
leaders and senior leaders in a given organization. Our goal is to assist in defining the problem to be addressed in such a way as to be clearly
understood by all parties involved. These defined problems can become natural missions or objectives with charter and support from all
involved.


PRT03-PeerAdoption-Phase2-Maturing (Narrative and Use Case Center)
Use case narratives adopted during the second deployment phase of a security operations, monitoring, and
response program. Supporting Use Cases
Sep 23, 2016

PRT03-PeerAdoption-Phase1-Essentials (Narrative and Use Case Center)
Use case narratives adopted during the initial deployment phase of a security operations, monitoring, and
response program. Supporting Use Cases
Sep 23, 2016

PRT04-ProcessEffectivness-HuntPaths (Narrative and Use Case Center)
Utilizing searches and automated prompts, the analyst investigates selected low fidelity events using an
analytic process to identify potential security weaknesses or previously unknown threats.
Jul 20, 2016

PRT08-ProductAdoption (Narrative and Use Case Center)
Use cases provided by the Splunk Enterprise Security Application are mapped to the Adoption Phase and
grouped by Supporting Data Source to assist the customer and consultant in the selection of use cases for
implementation based on the likely readiness of the customer.
Aug 14, 2016

PRT08-ProductAdoption-ES (Narrative and Use Case Center)
Aug 14, 2016

PRT08-ProductAdoption-ES-Maturing (Narrative and Use Case Center)
DS010NetworkCommunication Network communication data is often the last chance available to identify the
movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the
DMZ, Public internet, segmenting private network from the public internet and segmenting the private network
...
Aug 14, 2016

PRT08-ProductAdoption-ES-Mature (Narrative and Use Case Center)
DS010NetworkCommunication Network communication data is often the last chance available to identify the
movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the
DMZ, Public internet, segmenting private network from the public internet and segmenting the private network
...
Aug 14, 2016

PRT08-ProductAdoption-ES-Essentials (Narrative and Use Case Center)
DS010NetworkCommunication Network communication data is often the last chance available to identify the
movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the
DMZ, Public internet, segmenting private network from the public internet and segmenting the private network
...
Aug 14, 2016

PRT04-ProcessEffectivness (Narrative and Use Case Center)
High level security visibility problems speak to a need for a unified system for the collection and analysis of
event data from many types of systems in the enterprise and in the cloud. Supporting Use Cases Essentials
Maturing
Apr 07, 2016

PRT03-PeerAdoption (Narrative and Use Case Center)
Pressure to emulate similar peers based on the objective of security via minimum accepted industry norms.
This view will assist the user in determining which use cases should be considered during the adoption phase.
Apr 07, 2016


PRT01-Compliance
High level compliance problems, regardless of the specific regulation or standard applied, tend to be addressable with very similar use case
narratives. Within the compliance problem type, individual common regulations will be addressed.

Supporting Use Cases


Essentials

UCESS045 Potential Gap in Data (Narrative and Use Case Center)
Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be
gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that
were successful where the app context ...
Aug 16, 2016

UC0006 Windows security event log purged (Narrative and Use Case Center)
Manually clearing the security event log on a windows system is a violation of policy and could indicate an
attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear
DE001AssetInformation Adoption ...
Apr 08, 2016

UC0046 Endpoint failure to sync time (Narrative and Use Case Center)
Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially
prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host.
Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016

UC0043 Direct Authentication to NHA (Narrative and Use Case Center)
Direct authentication via SSH or console session to a non human account indicates a violation of security policy
by recording the password of a non human account for later use or by association of an SSH key to a non
human account. Problem Types Addressed Risk ...
Apr 11, 2016

UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center)
... Contributing Events Search datamodel Malware MalwareAttacks search search
MalwareAttacks.dest="$dest$" Compliance YES Container App DAESSSecKitEndpointProtection Related
articles Related articles appear here ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case
Center)

Any attempted communication through the firewall not previously granted by ingress/egress policies could
indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions
(bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0074 Network Intrusion Internal Network (Narrative and Use Case Center)
... IDSAttacks.category,IDSAttacks.signature `dropdmobjectname("IDSAttacks")` Note alternative
implementation with XS should be considered Compliance YES Container
App SecKitDAESSNetworkProtection
https://securitykit.atlassian.net/wiki/display/GD/SecKitDAESSNetworkProtection Windows 65m@m to 5m@m
...
May 09, 2016
Labels: prt05-tacticalthreat-ransomeware


UC0075 Network Malware Detection (Narrative and Use Case Center)
... src dvcip dest product signature severity impact extref `getasset(src)` Compliance YES Container
App SecKitDAESSNetworkProtection
https://securitykit.atlassian.net/wiki/display/GD/SecKitDAESSNetworkProtection Windows 65m@m to now Cron
...
Apr 25, 2016

Maturing

UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default
passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a
realtime window of /5 minutes, return lastTime, tag ...
Aug 14, 2016

UCESS028 High Process Count (Narrative and Use Case Center)
Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For
the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the
max time by destination and compare ...
Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category
verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability
scanners, Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center)
Alerts when there are assets that define a specific priority and category but do not have an assigned owner.
Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the
category is not null and the length of the value in category is greater than ...
Aug 14, 2016

UCESS058 Untriaged Notable Events (Narrative and Use Case Center)
Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return
notable events that have a status group of New or the owner is unassigned. Return the values time, owner,
status, rule ...
Aug 14, 2016

UC0094 Insecure authentication method detected (Narrative and Use Case Center)
each authentication technology in the network identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs
without the required indicators Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016


UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non production environment. If an account (not
user) has logged into more than one account access management controls have failed and must be
remediated Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016

UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case
Center)

Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016


PRT01Compliance-PCI
Guidance for implementation of logging and monitoring for business as usual compliance with PCI 3.2

Requirement 1: Install and maintain a firewall configuration to protect cardholder data


Requirement

Guidance

1.1.1

In support of testing procedure 1.1.1b maintain online and searchable logs and records for all change activity.

1.1.4

In support of testing procedure 1.1.4.c maintain online and searchable logs for all DS010NetworkCommunication-ET01Traffic
from any dvc designated as cardholder, border, or internet.

1.1.6

In support of 1.1.6.a build upon the work effort invested in 1.1.4 and implement the following monitoring controls:
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule
In support of 1.1.6.c build upon the work effort invested in 1.1.4 and implement the following monitoring controls:
UC0082 Communication with enclave by default rule

1.2.1

In support of 1.2.1.c implement the following monitoring controls to ensure continual compliance
UC0084 Monitor Execution of Triage Activity

1.2.3

In support of 1.2.3b build upon the work effort of 1.1.6 and ensure the existing process treats the wifi network
as an enclave.

1.3.1

In support of 1.3.1 build upon the work effort of 1.1.5
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF

1.4

In support of 1.4.b Ensure data collection for DS010NetworkCommunication-ET02State from all devices in scope

2.1

In support of 2.1.a Ensure data collection for DS003Authentication-ET01Success from all in scope systems. Ensure all PIM
systems are correctly identified in DE001AssetInformation and ensure all default accounts have been correctly listed in
DE002IdentityInformation prior to implementation of
UC0007 Account logon successful method outside of policy

2.2.1

In support of 2.2.1.a Ensure data collection for dynamic primary function identification is in place to support the complete
definition of DE001AssetInformation
UC0086 Detect Multiple Primary Functions

2.2.5

In support of 2.2.4.c Ensure data collection for DS010NetworkCommunication-ET01TrafficAppAware is in place prior to
implementation of
RP001 New web application or network protocol detected

2.4

Implement a reliable dynamic asset identification solution DE001AssetInformation with the following attributes
Appropriate Values for pci_domain by cidr
All hosts within the CDE are identified with static IP address
All firewalls and interfaces containing the CDE are identified
Collect data from the following sources
DS010NetworkCommunication-ET01Traffic
DS003Authentication-ET01Success (Machine account)
DS015ConfigurationManagement-ET01General

3.1

Implement clear logging and collection for each application component responsible for deletion of online CHD. Generate a
customer specific use case for the absence of successful reports in the job execution window

3.2

Implement data collection for customer specific data identification system
Implement custom use case for new location for PCI information
Respond by verification that authentication data is not recorded


3.4.1

If disk/share encryption is used implement data collection for the specific provider supporting the following data types
DS003Authentication-ET01Success
DS006UserActivity-ET02Read
DS006UserActivity-ET06Search

3.5.1

Implement customer specific use case alerting when a key is read, imported or assigned to a specific encrypted resource,
for review by the key administrator

3.5.2

Implement customer specific use case alerting when a key is accessed by a human; manually review the access with the
key administrator

4.1

In support of 4.1.c ensure data collection for DS010NetworkCommunication-ET01TrafficAppAware is in place for all CDE
network segments and implement
RP001 New web application or network protocol detected

4.2

In support of 4.2.a ensure data collection for DS016DataLossPrevention-ET01Violation is in place and implement customer
specific use case for alerting on actual or attempted transmission of CHD via email chat FTP or removable media

5.1

In support of 5.1 ensure data collection for DS004EndPointAntiMalware-ET02UpdatedSig is in place, ensure
requires_antivirus is set for all applicable records in DE001AssetInformation, and implement the following use cases.

5.2

In support of 5.2.b 5.2.c and 5.2.d implement the following use cases
UCESS024 High Number of Hosts Not Updating Malware Signatures
UC0087 Malware signature not updated by SLA for compliance asset

6.4.1

In support of 6.4.1.b define an enclave for each CDE/lifecycle such that production and non production systems can be
identified
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule

6.4.2

In support of 6.4.2 define an enclave for each CDE/lifecycle such that production and non production systems can be
identified
UC0090 User account cross enclave access

6.4.3

In support of 6.4.3 identify ranges or fixed sets of PAN ranges that may be utilized in the non production life cycle and
create a set of periodic scripts to assess that no data exists outside of the fixed range. Log the results for compliance
reporting.

6.4.4

While not conclusive for all environments the implementation of control 6.4.3 may assist in ongoing evidence of compliance.

6.4.5.x

Not applicable to the logging and monitoring processes

6.4.6

Not applicable to the logging and monitoring processes

6.5.x

6.6

Capture and retain logs from automated software installation and testing processes to provide evidence of
compliance through the execution of testing against common weaknesses.
Capture and retain applicable logs from defect tracking systems to evidence that issues were reported and reviewed
without modification prior to release of software to production
Using an external vulnerability scanner not granted unfiltered access scan the public facing networks
UCESS010 Anomalous New Listening Port
UC0091 Validate Execution of Vulnerability Scan
Periodically validate the implementation of the load balancer and web application firewall.
UC0092 Exception to Approved Flow for Web Applications

6.7

Not applicable to the logging and monitoring processes

7.x

Not applicable to the logging and monitoring processes

8.1

In support of this section all authentication success and failure events must be captured for all components of the
application infrastructure.

8.1.1

In support of continued monitoring of compliance with 8.1.1 implement the following use cases:
UC0039 Use of Shared Secret for access to critical or sensitive system
UC0088 User account sharing detection by source device ownership

8.1.2

Not applicable to the logging and monitoring processes


8.1.3

Support continued compliance and verification through implementation of the following use case
UCESS005 Activity from Expired User Identity

8.1.4

Support continued compliance and verification through implementation of the following use case
UC0008 Activity on previously inactive account
UC0093 Previously active account has not accessed enclave/lifecycle

8.1.5

Not applicable to the logging and monitoring processes

8.1.6

Not applicable to the logging and monitoring processes

8.1.7

Not applicable to the logging and monitoring processes

8.1.8

Not applicable to the logging and monitoring processes

8.2

Implement an appropriate site specific compliance report to identify that all successful logins to a production enclave use
one of the approved authentication factors for that enclave/component.

8.2.1

Support continued compliance and verification through implementation of the following use case
UC0094 Insecure authentication method detected

8.2.2

Not applicable to the logging and monitoring processes

8.2.3

Not applicable to the logging and monitoring processes

8.2.4

Not applicable to the logging and monitoring processes

8.2.5

Not applicable to the logging and monitoring processes

8.2.6

Not applicable to the logging and monitoring processes

8.3.x

Support continued compliance and verification through implementation of the following use case
UC0007 Account logon successful method outside of policy

8.4

Support continued compliance and verification through implementation of the following use case

8.5

Support continued compliance and verification through implementation of the following use case
UC0039 Use of Shared Secret for access to critical or sensitive system
UC0040 Use of Shared Secret for or by automated process with risky attributes

8.6

Not applicable to the logging and monitoring processes

8.7

Not applicable to the logging and monitoring processes

8.8

Not applicable to the logging and monitoring processes

9.1

Support continued compliance and verification through implementation of the following use case
UC0045 Local authentication server
Review resulting events in consideration of approved physical access activity, change, incident, problem and virtual remote
console logs such as virtual infrastructure and KVM.

9.1.1

See 9.1

9.1.2

Not applicable to the logging and monitoring processes

9.1.3

Not applicable to the logging and monitoring processes

9.2

Not applicable to the logging and monitoring processes

9.3

Not applicable to the logging and monitoring processes

9.4

Not applicable to the logging and monitoring processes

9.5

Not applicable to the logging and monitoring processes

9.6

Not applicable to the logging and monitoring processes

9.7

Not applicable to the logging and monitoring processes

9.8

Not applicable to the logging and monitoring processes


9.9

Not applicable to the logging and monitoring processes

10.1

Implement collection and retention of the following log sources
DS003Authentication
DS003Authentication-ET01Success
DS003Authentication-ET02Failure

10.2

See below

10.2.1

Implement collection and retention of the following log sources
DS006UserActivity-ET02Read

10.2.2

Implement collection and retention of the following log sources
DS006UserActivity-ET04Update
DS007AuditTrail
DS009EndPointIntel
DS009EndPointIntel-ET01ProcessLaunch
DS009EndPointIntel-ET01ObjectChange
DS020HostIntrustionDetection-ET01SigDetected

10.2.3

Implement collection and retention of the following log sources
DS007AuditTrail-ET01Clear

10.2.4

Implement collection and retention of the following log sources
DS003Authentication-ET02Failure

10.2.5

Implement collection and retention of the following log sources as applied to authentication mechanisms such as directory
servers, two factor authentication systems, single sign on systems, and local authentication controls
DS006UserActivity-ET03Create
DS006UserActivity-ET04Update
DS006UserActivity-ET05Delete

10.2.6

Implement collection and retention of the following log sources as applied to the service and configuration utilized in
auditing
DS006UserActivity-ET04Update
Note: include service start, stop, and alter for configuration controlling the audit process such as syslog, group
policy, Windows registry, and database triggers
DS007AuditTrail-ET01Clear
DS007AuditTrail-ET02Alter

10.2.7

Implement collection and retention of the following log sources as applied to the service and configuration utilized in
auditing

10.3

Verify compliance of data sources identified with minimum requirements of the objective

10.4

Implement collection and retention of the following log sources
DS007AuditTrail-ET03TimeSync
Implement the following use case
UC0046 Endpoint failure to sync time

10.5
10.5.1

Implement streaming collection of all log sources. Avoid batch collection activities and build adequate defensive and
detective controls to ensure audit processes are not tampered with when batch collection is in use.
Implement access controls as is appropriate to limit access to audit trail data in Splunk
Implement routine trim of original audit trails such that no audit data is retained on source systems beyond a
reasonable amount allowing recovery in the event of streaming collection failure

10.5.2

Implement index integrity features in Splunk

10.5.3

Implement Splunk Archiver function with a write only external service such as Amazon S3 to ensure data is archived to a
system under separate control.


10.5.4

Implementation of log collection for all web application server infrastructure logs especially the following:
DS002DNS-ET01QueryResponse
DS003Authentication-ET01Success
DS003Authentication-ET02Failure
DS004EndPointAntiMalware-ET01SigDetected
DS004EndPointAntiMalware-ET03UpdatedEng
DS005WebProxyRequest-ET01Requested
DS006UserActivity
DS007AuditTrail
DS009EndPointIntel-ET01ProcessLaunch
DS010NetworkCommunication-ET01Traffic
DS014WebServer-ET01Access
DS015ConfigurationManagement-ET01General
DS018VulnerabilityDetection
DS019PatchManagement
DS020HostIntrustionDetection-ET01SigDetected

10.5.5

Implementation of log collection for all web application server infrastructure logs especially the following:
DS020HostIntrustionDetection-ET01SigDetected

10.6.1

Implementation of a robust set of correlation searches to monitor each security technology in the enterprise.
Management should review the PCI dashboards daily to ensure that notable events have been triaged and are being
resolved in accordance with company policy.

10.6.2

Expansion of monitoring beyond the immediate PCI scope to ensure attackers are kept more than one degree away from all
PCI systems.
Management should review critical dashboards daily, such as the following, and act on the trends highlighted:
Enterprise Security Security Posture
Incident Review

10.6.3

Notable events determined to indicate suspicious activities should be identified as a formal incident and handled according
to industry accepted practices.

10.7

Ensure all in scope event data is retained online and searchable for a minimum of 3 months.
Ensure adequate search hardware is available or can be provisioned (cloud) to recall and search data up to 1 full year, OR
ensure at least 1 full year for all data sources is available.
Ensure that log infrastructure cannot be subject to denial of service attack by external actors: identify points
where external actors can generate sufficient log traffic to cause early purge or failure of logging infrastructure, and identify
methods of mitigating this risk.

10.8

Identify methods of detecting and alerting failure of critical control systems to produce events

10.9

Not applicable to the logging and monitoring processes

11.1

Not applicable to the logging and monitoring processes

11.2

Collect and retain vulnerability scan data
DS018VulnerabilityDetection-ET01SigDetected

11.3

Not applicable to the logging and monitoring processes

11.4

Implement the following use cases
UC0074 Network Intrusion Internal Network

11.5

Implement collection of the following data sources, identify appropriate technology specific use cases for the environment.
DS009EndPointIntel
DS020HostIntrustionDetection-ET01SigDetected

11.6

Not applicable to the logging and monitoring processes

12

Not applicable to the logging and monitoring processes except as noted

12.5

Adopt a formal methodology, aligned with enterprise risk assessment, to identify risks and the detective controls to be implemented
and monitored by appropriate sensor/detection technology, with correlation in a single security event and information
management system.


Supporting Documentation
PCI Data Security Standard (PCI-DSS)

Version 3.2 Apr 2016 - PCI_DSS_v3-2.pdf


PRT02Compliance-NercCIP
Currently, there are 16 critical infrastructure sectors that compose the assets, systems, and networks, whether physical or virtual, so vital to the
United States that their incapacitation or destruction would have significant implications nationwide, with potential impacts to national economic
security, public health or safety, etc.

NERC CIP Requirements


Standard: CIP-002-3 (Cyber Security: Critical Cyber Asset Identification)
Requirement: R2
Details: Critical Asset Identification: The responsible entity shall develop a list of its identified critical assets
determined through an annual application of the risk-based assessment methodology as required by this standard.
The list shall be reviewed and updated annually, at minimum. Assets to be considered should include the following:
Control centers and backup control centers performing critical functions as described within CIP standards
Transmission substations that support the reliable operation of the BES (Bulk Electric System)
Generation resources that support the reliable operation of the BES
Systems and facilities critical to system restoration, including blackstart generators and substations in the
electrical path of transmission lines used for initial system restoration
Systems and facilities critical to automatic load shedding under a common control system capable of
shedding 300MW or more
Special protection systems that support reliable operation of the BES
Any additional assets that support reliable operation of the BES
Guidance: Enrichment: DDE001 Asset Information. Note: pci_domain field not applicable to CIP assets.
Use Cases: UC0010 Asset Ownership Unspecified

Standard: CIP-003-3 (Cyber Security: Security Management Controls)
Requirement: R5.1
Details: Access Control: The responsible entity shall maintain a list of designated personnel who are responsible
for authorizing logical or physical access to protected information.
Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access
The list of personnel responsible for authorizing access to protected information shall be verified at least annually
Guidance: Enrichment: DDE002 Identity Information. In addition to CIP authorized individuals, CIP authorizing
personnel should be identified in the identity list. Information they are responsible for can be specified in the
bunit field.
Use Cases: UC0052 Non-CIP user attempted to access CIP asset; UC0013 Monitor change for high value groups

Standard: CIP005-3a (Cyber Security: Electronic Security Perimeter)
Requirement: R2
Details: Electronic Access Controls: The Responsible Entity shall implement and document the organizational
processes and technical and procedural mechanisms for control of electronic access at all electronic access points
to the Electronic Security Perimeter(s).
Guidance: Enrichment: DDE002 Asset Information. All assets that define the Electronic Security Perimeter (ESP)
are to be defined in the asset list.
Use Cases: Prohibited Service Detected; Unapproved Port Activity Detected; UC0007 Anomalous New Process;
UC0008 Anomalous New Listening Port
Copyright 2016, Splunk Inc.

CIP005-3a

R3

Cyber Security:
Electronic
Security
Perimeter

Monitoring Electronic Access:

Use Cases:

The Responsible Entity shall implement and document an electronic or


manual process(es) for monitoring and logging access at access points
to the Electronic Security Perimeter(s) twenty-four hours a day, seven
days a week.

Default Account Activity Detected


UC0010 Detect unauthorized use of remote
access technologies
UC0032 Brute force authentication attempt
UC0033 Brute force authentication attempt
distributed
UC0034 Brute force successful
authentication

CIP006-3c

R.1.3

Physical Security
of Critical Cyber
Assets

Physical Security Perimeter:

Enrichment:

Process, tools, procedures to monitor access to physical security


perimeter.

Physical Security access logs (lenel, etc)


Use Cases:
See ESP access control use cases above

CIP007-3a

R2

Cyber Security:
System Security
Management

Ports and Services:

Enrichment:

The Responsible Entity shall establish, document and implement a


process to ensure that only those ports and services required for normal
and emergency operations are enabled.

Interesting Ports Lookup


Interesting Services Lookup
Interesting Processes Lookup
Use Cases:
UC0007 Anomalous New Listening Port
UC0008 Anomalous New Process
UCXXXX Unapproved Port Activity
Detected
UCXXXX Anomalous New Service

CIP007-3a

R3

Cyber Security:
System Security
Management

Copyright 2016, Splunk Inc.

Security Patch Management:

Enrichment:

The Responsible Entity, either separately or as a component of the


documented configuration management process specified in CIP-003-3
Requirement R6, shall establish, document and implement a security
patch management program for tracking, evaluating, testing, and
installing applicable cyber security software patches for all Cyber Assets
within the Electronic Security Perimeter(s).

DDE001 Asset Information


Use Cases:
ES Vulnerability Center
UCXXXX CIP asset with unpatched RCE
(remote code execution) or critical
vulnerability

CIP007-3a

R4

Cyber Security:
System Security
Management

Malicious Software Prevention:

Enrichment:

The Responsible Entity shall use anti-virus software and other malicious
software (malware) prevention tools, where technically feasible, to
detect, prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).

DDE001 Asset Information


Use Cases:
ES Malware Center
UCESS024 High Number of Hosts Not
Updating Malware Signatures
UCESS053 Threat Activity Detected
UCESS025 High Number Of Infected
Hosts
UCESS026 High Or Critical Priority Host
With Malware Detected
UCESS027 High or Critical Priority
Individual Logging into Infected Machine
UCESS032 Host With A Recurring
Malware Infection
UCESS035 Host With Multiple Infections
UCESS036 Host With Old Infection Or
Potential Re-Infection
UCESS043 Outbreak Detected

CIP007-3a

R5

Cyber Security:
System Security
Management

Account Management:

Enrichment:

The Responsible Entity shall establish, implement, and document


technical and procedural controls that enforce access authentication of,
and accountability for, all user activity, and that minimize the risk of
unauthorized system access.

DDE001 Asset Information


DDE002 Identity Information
Use Cases:
ES Access Center

UC0053 Successful access to CIP asset outside of baseline activity


UC0054 Successful authentication to CIP
asset by non-CIP user
UC0034 Brute force successful
authentication
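The CIP-007-3a R2 and CIP-005-3a R2 use cases above (Anomalous New Listening Port, Unapproved Port Activity Detected, Prohibited Service Detected) all reduce to one comparison: an observed listening-port inventory evaluated against the interesting ports lookup and a prior baseline. The Python below is an added example written for this page; it is not Splunk ES code or an SPL search. The lookup rows, host names, ports and inventory events are constructed, and the is_required/is_prohibited columns are assumed, modelled on the lookup the page names.

```python
"""Ports-and-services check in the spirit of CIP-007-3a R2 (added example, not Splunk ES code)."""
from collections import defaultdict

# Constructed stand-in for the "interesting ports" lookup the page refers to.
# dest "*" rows apply to every host; is_required and is_prohibited are assumed
# column names modelled on the lookup fields named on this page.
INTERESTING_PORTS = [
    {"dest": "rtu-01", "port": 502,  "transport": "tcp", "is_required": True,  "is_prohibited": False},
    {"dest": "rtu-01", "port": 22,   "transport": "tcp", "is_required": True,  "is_prohibited": False},
    {"dest": "hmi-01", "port": 443,  "transport": "tcp", "is_required": True,  "is_prohibited": False},
    {"dest": "*",      "port": 23,   "transport": "tcp", "is_required": False, "is_prohibited": True},
    {"dest": "*",      "port": 5900, "transport": "tcp", "is_required": False, "is_prohibited": True},
]

# Constructed listening-port inventory events, as a host inventory input would report them.
BASELINE = [
    {"host": "rtu-01", "port": 502, "transport": "tcp", "process": "modbusd"},
    {"host": "rtu-01", "port": 22,  "transport": "tcp", "process": "sshd"},
    {"host": "hmi-01", "port": 443, "transport": "tcp", "process": "httpd"},
]
CURRENT = [
    {"host": "rtu-01", "port": 502,  "transport": "tcp", "process": "modbusd"},
    {"host": "rtu-01", "port": 23,   "transport": "tcp", "process": "telnetd"},  # prohibited everywhere
    {"host": "hmi-01", "port": 443,  "transport": "tcp", "process": "httpd"},
    {"host": "hmi-01", "port": 8080, "transport": "tcp", "process": "java"},     # not in baseline
    # rtu-01 22/tcp (sshd) is required but no longer listening
]


def listening_by_host(events):
    """Collapse inventory events to {host: {(port, transport), ...}}."""
    by_host = defaultdict(set)
    for e in events:
        by_host[e["host"]].add((e["port"], e["transport"]))
    return by_host


def lookup_port(host, port, transport, table=INTERESTING_PORTS):
    """Return the lookup row for this host/port; a host-specific row beats a '*' row."""
    wildcard = None
    for row in table:
        if row["port"] == port and row["transport"] == transport:
            if row["dest"] == host:
                return row
            if row["dest"] == "*":
                wildcard = row
    return wildcard


def evaluate_ports(baseline, current, table=INTERESTING_PORTS):
    """Return sorted (severity, host, port/transport, reason) findings."""
    before, now = listening_by_host(baseline), listening_by_host(current)
    findings = []
    for host, ports in now.items():
        for port, transport in ports:
            row = lookup_port(host, port, transport, table)
            key = f"{port}/{transport}"
            if row is not None and row["is_prohibited"]:
                findings.append(("critical", host, key, "prohibited port listening"))
            elif (port, transport) not in before.get(host, set()) and not (row is not None and row["is_required"]):
                findings.append(("high", host, key, "new listening port not in baseline or lookup"))
    # Required ports that went away matter too: a missing service can be an availability
    # event or a sign that something replaced it.
    for row in table:
        if row["is_required"] and row["dest"] != "*":
            if (row["port"], row["transport"]) not in now.get(row["dest"], set()):
                findings.append(("medium", row["dest"], f"{row['port']}/{row['transport']}", "required port not listening"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in evaluate_ports(BASELINE, CURRENT):
        print(*finding)
```

Run against the constructed inventories it raises the Telnet listener on rtu-01 as prohibited, the unexplained 8080/tcp on hmi-01 as a new listening port, and the missing sshd on rtu-01 as a required port that is no longer present; the host-specific row taking precedence over the wildcard row is what lets a port be required on one asset and prohibited everywhere else.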


Supporting Documents CIP


PRT03Compliance-NIST Cyber Security Framework


Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the
President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work
with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices - for reducing cyber risks to critical
infrastructure.

Risk Management Strategy (ID.RM)


Data Security (PR.DS)
Access Control (PR.AC)
Protective Technology (PR.PT)
Security Continuous Monitoring (DE.CM)
Anomalies and Events (DE.AE)


Access Control (PR.AC)


NIST Cybersecurity Framework
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized
activities and transactions.
PR.AC-1: Identities and credentials are managed for authorized devices and users
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
Supporting security use cases
1. UC0051 Excessive physical access failures to CIP assets
2. UC0052 Non-CIP user attempts to access CIP asset
3. Abnormal successful access to CIP asset (time of day, volume of activity, remote, etc)
4. User with non-CIP job function successfully accessed CIP asset (transferred, access not properly removed)

Required data sources - some or all of the following:


Firewall allows and blocks
Intrusion events
Malware detections
Change logs
Authentication events


Anomalies and Events (DE.AE)


Data Security (PR.DS)


NIST Cybersecurity Framework
Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality,
integrity, and availability of information.
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
Supporting security use cases
1. UCXXXX Abnormal volume of access to CIP data (unstructured and structured data stores)
2. UCXXXX ARP poisoning detected
3. UCXXXX Abnormal volume of email from internal user (by bytes)
4. UCXXXX Abnormal amount of email from internal user (by volume)

Required data sources - some or all of the following:


Protective Technology (PR.PT)


Risk Management Strategy (ID.RM)


NIST Cybersecurity Framework - Risk Management Strategy
Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to
support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis
Supporting security use cases
1. UCXXXX CIP asset exceeds risk threshold (based on vulnerabilities, scanning attempts, etc.); the risk factors and threshold are
determined by the system owner

Required data sources - some or all of the following:


Firewall allows and blocks
Intrusion events
Malware detections
Change logs
Authentication events


Security Continuous Monitoring (DE.CM)


PRT04-FFIEC
Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of
information technology (IT) related risks to the organization, business and trading partners, technology service providers, and customers.
Organizations meet this goal by striving to accomplish the following objectives (Underlying Models for IT Security, NIST SP 800-33, p. 2).

Availability: The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have
prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to
information or systems. The scope of monitoring must include all infrastructure involved in banking services in the modern environment:
    Network infrastructure operational and change events for routers, switches, firewalls and active protection devices
    Network communication
    Network intrusion detection
    Network load balancers and global load balancers
    Application firewalls
    Operating system authentication and change audit for server and client operating systems
    Network authentication (local and virtual)
    Database servers
    Middleware application servers
    Central authentication and authorization
    Use of distributed authentication (web SSO, SAML, Kerberos)
    Two-factor authentication
    DNS request logs
    Honeypots
    Null routes and sinkholes
    Email communication logs

Integrity of Data or Systems: System and data integrity relate to the processes, policies, and controls used to ensure information has not
been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy,
completeness, and reliability.
    Host intrusion detection
    Anti-malware
    Vulnerability detection (active and passive)
    IOC detection (scan and result)
    Entitlement and access management
    Infrastructure management activity and change

Confidentiality of Data or Systems: Confidentiality covers the processes, policies, and controls employed to protect information of
customers and the institution against unauthorized access or use.
    Entitlement and access management
    Data loss prevention

Accountability: Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability
directly supports nonrepudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records.
    Logs must be centralized in a secure and reliable manner, including such features as log integrity checking, real-time collection,
    and long-term storage

Assurance: Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security
measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and
accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.
    Operating system hardening and system compliance scan and result
    Application system hardening and system compliance scan and result
    Automated application penetration testing scan and result
    Vulnerability scan and result


PRT02-SecurityVisibility
High-level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of
systems in the enterprise and in the cloud.
PRT02-IdentifyPatientZero
PRT02-SecurityVisibilityEndpointMalware
PRT02-SecurityVisibilityExfiltration
PRT02-SecurityVisibilityLateralMovement
PRT02-SecurityVisibilityPhishingAttack
PRT02-SecurityVisibilityPriviledgeUserMonitoring
PRT02-SecurityVisibilityUserActivity
PRT02-SecurityVisibilityZeroDayAttacks
PRT02-SecurityVisiblityWebbait

Supporting Use Cases


Essentials
Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibility".

UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large
number of unique targets. Vulnerability scanners generally trigger events against a high number of unique
hosts when they are scanning a network for vulnerable hosts.For the past ...
Aug 14, 2016

UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique
events. Vulnerability scanners generally trigger a high number unique events when scanning a host since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibility".

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016


PRT02-IdentifyPatientZero
In response to an incursion, identification of patient zero is a critical step. Information gathered in this identification activity can inform the
organization as to the methods of the attackers and assist in the preparation of improved defenses.

Supporting Data Types


DS002DNS
DS003Authentication
DS004EndPointAntiMalware
DS005WebProxyRequest
DS006UserActivity
DS008HRMasterData
DS009EndPointIntel
DS010NetworkCommunication
DS011MalwareDetonation-ET01Detection
DS017PhysicalSecurity-ET01Access

Supporting Use Cases


Essentials



Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityPriviledge".

Maturing



Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityPriviledge".


PRT02-SecurityVisibilityEndpointMalware
High-level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of
systems in the enterprise and in the cloud.

Supporting Data Sources


DS002DNS
DS004EndPointAntiMalware
DS005WebProxyRequest
DS009EndPointIntel
DS010NetworkCommunication

Supporting Use Cases


Essentials



Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityEndpoint".

Maturing



Found 8 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityEndpoint".

UCESS028 High Process Count (Narrative and Use Case Center)


Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For
the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the
max time by destination and compare ...
Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016

UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log
files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking
across a realtime window of /5 minutes, search for action ...
Aug 14, 2016

UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center)
Discovers previously inactive accounts that are now being used. This may be due to an attacker that
successfully gained access to an account that was no longer being used. Execute the inactiveaccountusage
macro and look across the time range of less than 90 days ago and greater ...
Aug 14, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center)


Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count
grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and
the command that initiated the change. Problem Types ...
Aug 14, 2016

UCESS046 Prohibited Process Detected (Narrative and Use Case Center)
Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes
where is_prohibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields
to the output: origeventid (macro creates hash of indexer, time and raw event ...
Aug 14, 2016

UCESS047 Prohibited Service Detected (Narrative and Use Case Center)


Looking across a realtime window of /5 minutes, run the macro service and return services where is_prohibited
is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output:
origeventid (macro creates hash of indexer, time and raw ...
Aug 14, 2016


PRT02-SecurityVisibilityExfiltration
High-level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of
systems in the enterprise and in the cloud.

Supporting Data Sources


DS001MAIL
DS003Authentication
DS004EndPointAntiMalware
DS005WebProxyRequest
DS006UserActivity
DS007AuditTrail
DS008HRMasterData
DS009EndPointIntel
DS010NetworkCommunication
DS014WebServer-ET01Access

Supporting Use Cases


Essentials



Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityExfiltration".

Maturing



Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityExfiltration".


PRT02-SecurityVisibilityLateralMovement
Indication of movement within an organizations network following the compromise of an initial endpoint.

Supporting Data Types


DS003Authentication
DS006UserActivity
DS009EndPointIntel
DS010NetworkCommunication
DS012NetworkIntrusionDetection-ET01SigDetection

Supporting Use Cases


Essentials



Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityLateralMovement".

Maturing



Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityLateralMovement".

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016


PRT02-SecurityVisibilityPhishingAttack
High-level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of
systems in the enterprise and in the cloud.

Supporting Data Sources


DS001MAIL
DS004EndPointAntiMalware
DS005WebProxyRequest
DS009EndPointIntel
DS010NetworkCommunication

Supporting Use Cases


Essentials



Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityExfiltration".

Maturing



Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityExfiltration".


PRT02-SecurityVisibilityPriviledgeUserMonitoring
Users with privileged access to systems or information critical to the business should be monitored with greater scrutiny than users not similarly
entrusted.

Supporting Data Types


DS003Authentication
DS006UserActivity
DS008HRMasterData
DS009EndPointIntel
DS017PhysicalSecurity-ET01Access

Supporting Use Cases


Essentials



Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityPriviledge".

Maturing



Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityPriviledge".


PRT02-SecurityVisibilityUserActivity
High-level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of
systems in the enterprise and in the cloud.

Supporting Use Cases


Essentials



Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityUserActivity".

UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate
and browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016

UC0043 Direct Authentication to NHA (Narrative and Use Case Center)


Direct authentication via SSH or console session to a non human account indicates a violation of security policy
by recording the password of a non human account for later use or by association of a SSH key to a non
human account. Problem Types Addressed Risk ...
Apr 11, 2016

Maturing



Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityUserActivity".

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category
verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability
scanners, Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non-production environment. If an account (not a
user) has logged into more than one enclave, access management controls have failed and must be
remediated. Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016

UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case
Center)

Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016

UC0012 Increase risk score of employees once adverse seperation is identified or anticipated (Narrative and
Use Case Center)

Increase the risk score of users who have indication of adverse separation. Examples of users with an
indication of adverse separation, include but are not limited to the following: User has entered a remediation
program with human resources User has been identified as included in a reduction ...
Apr 08, 2016

UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when the logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets
identified as loaner ...
May 16, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB
devices, ensure the first "x_forwarded_for" entry ...
Jun 24, 2016

UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur for a single account from more
than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account
and is attempting ...
Jun 08, 2016

UC0045 Local authentication server (Narrative and Use Case Center)


Following provisioning, Unix-like (*nix) servers seldom require local administration. Investigate any use of local
authentication, as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 11, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious
activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access
RV3MaliciousCode RV6Misconfiguration ...
Apr 08, 2016

UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case
Center)

Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior
of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016
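UC0032, UC0033 and UC0034 (listed above, and again under CIP-005-3a R3) are three views of one failed-authentication stream. The Python below is an added example written for this page, not code from Splunk or from the use-case pages. It implements the UC0033 threshold the page states (more than 10 failures for one account from more than 2 source addresses within 60 minutes) over a trailing window, adds an assumed single-source threshold for UC0032 (the page gives none), and raises UC0034 when a success arrives while the account is under either condition. The log line format and the sample events are constructed.

```python
"""Brute-force authentication detection for UC0032/UC0033/UC0034 (added example, not Splunk code)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)
DISTRIBUTED_FAILURES = 10    # page: more than 10 failures for a single account ...
DISTRIBUTED_SOURCES = 2      # ... from more than 2 IP addresses in 60 minutes (UC0033)
SINGLE_SOURCE_FAILURES = 20  # assumed threshold for UC0032; the page states none


def parse_auth(line):
    """Parse a constructed line: '<ISO-8601 time> action=<failure|success> user=<name> src=<ip>'."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {"time": datetime.fromisoformat(ts), "action": kv["action"],
            "user": kv["user"], "src": kv["src"]}


def brute_force_rule(failures):
    """Classify one user's failures inside the trailing window; None when below threshold."""
    if not failures:
        return None
    per_src = Counter(f["src"] for f in failures)
    if len(failures) > DISTRIBUTED_FAILURES and len(per_src) > DISTRIBUTED_SOURCES:
        return "UC0033"
    if max(per_src.values()) >= SINGLE_SOURCE_FAILURES:
        return "UC0032"
    return None


def detect_brute_force(lines):
    """Return (rule, user, time) alerts, at most one per user and rule, in event order."""
    events = sorted((parse_auth(line) for line in lines), key=lambda e: e["time"])
    window = defaultdict(deque)  # user -> failures seen within the last WINDOW
    raised = set()
    alerts = []
    for e in events:
        q = window[e["user"]]
        while q and e["time"] - q[0]["time"] > WINDOW:
            q.popleft()          # age out failures older than the window
        if e["action"] == "failure":
            q.append(e)
            rule = brute_force_rule(q)
        else:
            # UC0034: a success while the account is under a brute-force condition
            rule = "UC0034" if brute_force_rule(q) else None
        if rule and (e["user"], rule) not in raised:
            raised.add((e["user"], rule))
            alerts.append((rule, e["user"], e["time"].isoformat()))
    return alerts


def _line(minute, action, user, src):
    t = datetime(2016, 8, 14, 10, 0) + timedelta(minutes=minute)
    return f"{t.isoformat()} action={action} user={user} src={src}"


# Constructed sample stream.
SAMPLE = []
for i in range(12):   # svc_hmi: 12 failures rotating across three sources, then a success
    SAMPLE.append(_line(2 * i, "failure", "svc_hmi", f"198.51.100.{10 + i % 3}"))
SAMPLE.append(_line(25, "success", "svc_hmi", "198.51.100.11"))
for i in range(20):   # admin: 20 failures from one source
    SAMPLE.append(_line(30 + i, "failure", "admin", "203.0.113.7"))
for i in range(3):    # jdoe: a few typos then a success, below every threshold
    SAMPLE.append(_line(40 + i, "failure", "jdoe", "10.1.2.3"))
SAMPLE.append(_line(44, "success", "jdoe", "10.1.2.3"))

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE):
        print(*alert)
```

The per-user deque is the trailing window: the distributed rule fires on the eleventh svc_hmi failure, the later success on that account becomes a UC0034, the single-source run against admin fires only on the twentieth attempt, and jdoe's three typos followed by a success produce nothing. Deduplicating on (user, rule) is what keeps the twelfth failure from raising a second notable for the same condition.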

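UC0092 above checks that requests reaching a high-value web application arrived through the approved NLB or WAF devices. The example below is added for this page and is not from the use-case page; the network ranges, topology flag and access-log lines are constructed. One point the truncated description leaves open matters for the check: each proxy appends the address of the peer that connected to it, so with a WAF in front of an NLB the entry the NLB appended is the last element of X-Forwarded-For, and that last entry is the only one the web server can trust; everything before it is client-controlled.

```python
"""Approved-flow check for web application access logs (added example for UC0092, not Splunk code)."""
import ipaddress
import re

# Constructed approved device ranges; the page names no addresses.
APPROVED_NLB = [ipaddress.ip_network("10.10.0.0/24")]
APPROVED_WAF = [ipaddress.ip_network("10.20.0.0/24")]
WAF_IN_FRONT_OF_NLB = True   # topology assumption: client -> WAF -> NLB -> web server

# Constructed access-log format: combined log with the X-Forwarded-For header as the last quoted field.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<xff>[^"]*)"$'
)

SAMPLE_LOG = [
    # approved: peer is the NLB, and the NLB appended the WAF address as the last XFF hop
    '10.10.0.5 - - [14/Aug/2016:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "203.0.113.9, 10.20.0.3"',
    # violation: direct connection from an address that is neither NLB nor WAF
    '192.0.2.44 - - [14/Aug/2016:10:00:02 +0000] "GET /admin HTTP/1.1" 200 88 "-"',
    # violation: NLB reached without a WAF hop (the only XFF entry is the client itself)
    '10.10.0.5 - - [14/Aug/2016:10:00:03 +0000] "GET /admin HTTP/1.1" 200 88 "203.0.113.9"',
    # violation: client forged a WAF address into XFF, but the NLB appended the real client last
    '10.10.0.5 - - [14/Aug/2016:10:00:04 +0000] "GET /admin HTTP/1.1" 200 88 "10.20.0.3, 203.0.113.9"',
]


def in_any(ip, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-", hostnames, garbage in a forged header
        return False
    return any(addr in net for net in networks)


def parse_access(line):
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable access log line: {line!r}")
    rec = m.groupdict()
    rec["hops"] = [h.strip() for h in rec["xff"].split(",") if h.strip() and h.strip() != "-"]
    return rec


def client_ip(peer, hops):
    """Walk the chain from the web server outward, dropping our own proxies; the first
    address that is not ours is the best available client address."""
    chain = hops + [peer]
    while chain and (in_any(chain[-1], APPROVED_NLB) or in_any(chain[-1], APPROVED_WAF)):
        chain.pop()
    return chain[-1] if chain else None


def check_flow(line):
    """Return (verdict, reason, client_ip) for one access-log line."""
    rec = parse_access(line)
    peer, hops = rec["peer"], rec["hops"]
    client = client_ip(peer, hops)
    if not (in_any(peer, APPROVED_NLB) or in_any(peer, APPROVED_WAF)):
        return ("violation", "peer is not an approved NLB or WAF", client)
    if WAF_IN_FRONT_OF_NLB and in_any(peer, APPROVED_NLB):
        # The NLB appends the address that connected to it, so the LAST XFF entry must be a WAF.
        # Earlier entries arrived from the client and prove nothing.
        if not hops or not in_any(hops[-1], APPROVED_WAF):
            return ("violation", "NLB reached without passing through a WAF", client)
    return ("ok", "approved flow", client)


def audit(lines):
    return [(n, *check_flow(line)) for n, line in enumerate(lines, 1)]


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row)
```

The fourth sample line is the reason the check reads the header from the right: the client placed a WAF address first, and a detection keyed on the first entry would have accepted it, while the NLB's own appended entry exposes the real client and the missing WAF hop.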

PRT02-SecurityVisibilityZeroDayAttacks
High-level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of
systems in the enterprise and in the cloud.

Supporting Data Sources


DS001MAIL
DS002DNS
DS003Authentication
DS004EndPointAntiMalware
DS005WebProxyRequest
DS009EndPointIntel
DS010NetworkCommunication
DS011MalwareDetonation-ET01Detection
DS012NetworkIntrusionDetection-ET01SigDetection
DS014WebServer-ET01Access

Supporting Use Cases


Essentials



Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityZeroDayAttacks".

Maturing



Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityZeroDayAttacks".


PRT02-SecurityVisiblityWebbait
Similar to phishing attacks, but using baited web content such as compromised advertising systems and watering-hole web sites.

Supporting Data Sources


DS004EndPointAntiMalware
DS005WebProxyRequest
DS009EndPointIntel
DS010NetworkCommunication
DS016DataLossPrevention-ET01Violation

Supporting Use Cases


Essentials



Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityExfiltration".

Maturing



Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityExfiltration".


PRT03-PeerAdoption
Pressure to emulate similar peers, based on the objective of security via minimum accepted industry norms. This view will assist the user in
determining which use cases should be considered during each adoption phase.
PRT03-PeerAdoption-Phase1-Essentials
PRT03-PeerAdoption-Phase2-Maturing
PRT03-PeerAdoption-Phase3-Mature
PRT03-PeerAdoption-Phase4-Edge


PRT03-PeerAdoption-Phase1-Essentials

Use case narratives adopted during the initial deployment phase of , monitoring, and response program.

Supporting Use Cases


Found 12 search result(s) for title:UC0* contentBody:"APC-Essentials".

UC0006 Windows security event log purged (Narrative and Use Case Center)
Manually clearing the security event log on a Windows system is a violation of policy and could indicate an attempt
to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear
DE001AssetInformation Adoption ...
Apr 08, 2016

UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and
browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016

UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
A prohibited protocol such as IRC, FTP, or Gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intra-network communication as well as accepted communications from the
internet. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016

UC0037 Network Intrusion External - New Signatures (Narrative and Use Case Center)
External IDS devices reporting an attack using a signature not previously encountered are more likely to be
successful, as new signatures are prompted by newly known attacks in the wild. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware OR is this something ...
Apr 08, 2016

UC0046 Endpoint failure to sync time (Narrative and Use Case Center)
Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially
prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host.
Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016

UC0003 Server generating email outside of approved usage (Narrative and Use Case Center)
Server operating systems often generate email for routine purposes. Configuration management can be used to
identify which server may generate email and what recipients are permitted. Identify servers receiving email from
the internet without approval Identify ...
Apr 19, 2016

UC0043 Direct Authentication to NHA (Narrative and Use Case Center)
Direct authentication via SSH or console session to a non human account indicates a violation of security policy by
recording the password of a non human account for later use or by association of an SSH key to a non human
account. Problem Types Addressed Risk ...
Apr 11, 2016

UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center)
Endpoint with a malware detection where the anti-malware product attempted to clean, remove, or quarantine and
was unable to. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DDE007 Signature Special Processing List ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

Copyright 2016, Splunk Inc.

UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate
either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing
the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0074 Network Intrusion Internal Network (Narrative and Use Case Center)
IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption
Phase SME Adoption Phase ...
May 09, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0075 Network Malware Detection (Narrative and Use Case Center)
Internal malware detection systems, such as FireEye devices, reporting an attack. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware
RV3MaliciousCode DS011MalwareDetonationET01Detection DE001AssetInformation Adoption Phase Customer
Adoption Phase SME Adoption ...
Apr 25, 2016

UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center)
When a new malware variant is detected by endpoint antivirus technology, it is possible the configuration or capability
of other controls is deficient. Review the sequence of events leading to the infection to determine if additional
preventive measures can be put in place. Problem Types Addressed Risk ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

PRT03-PeerAdoption-Phase2-Maturing
Use case narratives adopted during the second deployment phase of a security operations, monitoring, and response program.

Supporting Use Cases


Found 57 search result(s) for title:UC0* contentBody:"APC-Maturing".

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category, verify
communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0094 Insecure authentication method detected (Narrative and Use Case Center)
For each authentication technology in the network, identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs without
the required indicators. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016

UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non production environment. If an account (not
user) has logged into more than one, access management controls have failed and must be remediated.
Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016

UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center)
Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016

UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use
Case Center)
Increase the risk score of users who have indication of adverse separation. Examples of users with an indication of
adverse separation include but are not limited to the following: User has entered a remediation program with
human resources User has been identified as included in a reduction ...
Apr 08, 2016

UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP, and DNS by
destination asset. Alert if more than one primary function, excluding administrative protocols (RDP, SSH, iDRAC).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016

UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and
Use Case Center)
Accounts designated for use by services and batch processes should start a limited set of child processes. Creation
of new child processes other than the process name defined in the service or batch definition may indicate
compromise. Problem Types Addressed ...
Apr 08, 2016

UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified
as loaner ...
May 16, 2016

UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)
Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no
longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier,
maintain the last accessed time and alert when the last ...
Jun 24, 2016

UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when
a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequences occurs: New domain in http referrer field; First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative

UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use
Case Center)
Communication to any web application server without filtering by a network web application firewall indicates a
security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset
Information ...
Apr 27, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices,
ensure the first "xforwardedfor" entry ...
Jun 24, 2016

UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center)
Define and maintain eventtypes for unsuppressed notable events, separately identifying the review workflow and
the triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption
Phase ...
Apr 27, 2016

UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2
IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is
attempting ...
Jun 08, 2016

UC0045 Local authentication server (Narrative and Use Case Center)
Following provisioning, *nix servers seldom require local administration. Investigate any use of local authentication,
as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk
Addressed Event Data Sources ...
Apr 11, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner. Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)
Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an
indication of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate
system probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than
5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with
the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ...
Apr 08, 2016

UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm.
Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts
are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of
other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016

UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)
The public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be
investigated to determine the owner of the key and validate authorization to access the resource. Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ...
Apr 11, 2016

UC0044 Network authentication using password auth (Narrative and Use Case Center)
Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases
the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of
network authentication utilizing a password. Problem Types Addressed ...
Apr 11, 2016

UC0032 Brute force authentication attempt (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur from a single endpoint. Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET02Failure DE001AssetInformation DE002IdentityInformation Adoption Phase Customer ...
Apr 08, 2016

UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center)
Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of
the normal usage of such an account. Login where the interactive indicator is set Login where the caller computer
is a workstation or terminal server Problem Types Addressed Risk ...
Apr 08, 2016

UC0013 Monitor change for high value groups (Narrative and Use Case Center)
Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems.
Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity
RV2Access DS006UserActivityET04Update DE002IdentityInformation Identity category terminated Identity
category reductioninforce ...
Apr 08, 2016

UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and
Use Case Center)

Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor
for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data
Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a
computer, excluding known cloud hosting domains, Alexa Top 1M domains, and domains with long-established
communication with the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative

UC0001 Detection of new/prohibited web application (Narrative and Use Case Center)
A prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by
modern web proxy solutions and next generation firewalls. Allowed prohibited applications or new application
instances should be reviewed to ensure proper use. Problem Types ...
Apr 08, 2016

UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted (Narrative
and Use Case Center)
A human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted,
we should expect no further activity from any other account owned by the user. Problem Types Addressed Risk
Addressed Event ...
Apr 08, 2016

UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case
Center)
A user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could
indicate malicious activity by the employee or a compromised account. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET01Success ...
Apr 08, 2016

UC0038 Excessive use of Shared Secrets (Narrative and Use Case Center)
Usage of greater than X number of unique shared/secret credentials, or more than 1 standard deviation from peers.
Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ...
Apr 11, 2016

UC0008 Activity on previously inactive account (Narrative and Use Case Center)
Excluding computer accounts in Active Directory, an account with new activity that has not been active in the
previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success
DE002IdentityInformation Adoption ...
Apr 08, 2016

UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center)
Use of a secret/shared secret account for access to such a system rather than accountable credentials could
indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access
DS006UserActivityET07ExecuteAs ...
Apr 11, 2016

UC0047 Communication with newly seen domain (Narrative and Use Case Center)
Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via
web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially
identify weaknesses or risky ...
Jul 20, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0018 Unauthorized access SSO brute force (Narrative and Use Case Center)
Single IP address attempting authentication of more than two valid users within ten minutes where one or more
unique accounts is successful, and one or more accounts is not successful against an approved SSO System.
Problem Types Addressed ...
Apr 08, 2016

UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center)
Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search
for NXDOMAIN replies for A/AAAA queries for wpad (bare host) and wpad. where the domain portion is not a
company-owned domain. Problem Types Addressed Risk Addressed Event ...
Apr 25, 2016

UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the
presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0009 Authenticated communication from a risky source network (Narrative and Use Case Center)
Internet facing authentication system has allowed authenticated access from a risky source network. Always
Anonymizing services such as VPN providers, Proxy systems Threat list identification of IP B2B communications
consider the following sources risky Dial ...
Apr 08, 2016

UC0007 Account logon successful method outside of policy (Narrative and Use Case Center)
Logon event properties could indicate account misuse in violation of policy OR an indication of compromise: by
comparing the identified purpose of the account to the context of the logon, determine if the account is
authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a
network or batch ...
Jun 24, 2016
Labels: creative

UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center)
Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an
undetected loader malware component (APT). Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0005 System modification to insecure state (Narrative and Use Case Center)
Authorized or unauthorized users may attempt to modify the system such that hardened configuration policies are
removed or security monitoring tools are disabled. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess
RV6Misconfiguration DS TBD ...
Apr 08, 2016

UC0021 Communication outbound to regions without business relationship (Narrative and Use Case Center)
Outbound communication with servers hosted in regions where the organization does not expect to have
employees, customers, or suppliers. Exclude authorized DNS servers communicating on a standard DNS port.
Exclude destination DNS servers on the ICANN root list. Exclude authorized ...
Apr 08, 2016

UC0079 Use of accountable privileged identity to access new or rare sensitive resource (Narrative and Use Case
Center)

Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger
a notable event for review of access reason. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT01Compliance PRT02SecurityVisibilityPriviledgeUserMonitoring RV1AbuseofAccess ...
Apr 08, 2016

UC0015 Privileged user accessing more than expected number of machines in period (Narrative and Use Case
Center)

Privileged user authenticates to more than X number of new targets successfully or is denied access to more than
Y targets in the prior Z hours. For example: More than 5 new targets More than 3 failures In the last ...
Apr 08, 2016

UC0034 Brute force successful authentication (Narrative and Use Case Center)
A source IP identified by a brute force use case authenticates successfully, OR an account identified by a brute
force use case successfully logs in after failing once from the same source address. Problem Types Addressed Risk
Addressed Event Data ...
Apr 27, 2016

UC0071 Improbably short time between Remote Authentications with IP change (Narrative and Use Case Center)
For employers that allow remote external connectivity, the detection of two or more distinct values of external source
IP address for successful authentications to a remote access solution in a short period of time indicates a likely
compromise of credentials. The short period of time value ...
Apr 25, 2016

UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center)
Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam
sending, abusing company resources, or attempting to solve a business problem using a technique not approved
by policy. For this use case, email generated from endpoint networks ...
Apr 08, 2016

UC0016 Successfully authenticated computer accounts accessing network resources (Narrative and Use Case
Center)

Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A
small number of technical solutions will require this type of behavior, however, after excluding a white list of hosts
or shares (such as sysvol or netlogon), such access ...
Apr 08, 2016

UC0011 Improbable distance between logins (Narrative and Use Case Center)
Utilizing source IP address, geolocation data, and, where available for company-owned mobile devices, GPS for
mobile devices. Using the Haversine algorithm, calculate the distance between the authenticated successful
connections. Detect where: Total distance is greater than ...
Apr 08, 2016

UC0035 Compromised account access testing (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and
browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016

UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)
Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL.
Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use
the information available for the event and determine how existing ...
Apr 11, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0076 Excessive DNS Failures (Narrative and Use Case Center)
An endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security
controls can be detected by either a large volume or a high number of unique DNS queries. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0049 Detection of DNS Tunnel (Narrative and Use Case Center)


Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of
security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

PRT03-PeerAdoption-Phase3-Mature
Use case narratives adopted during the third deployment phase of a security operations, monitoring, and response program.

Supporting Use Cases


Found 10 search result(s) for title:UC* contentBody:"APC-Mature".

UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default
passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a
realtime window of /5 minutes, return lastTime, tag ...
Aug 14, 2016

UCESS028 High Process Count (Narrative and Use Case Center)


Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For
the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the
max time by destination and compare ...
Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category,
verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability
scanners. Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center)


Alerts when there are assets that define a specific priority and category but do not have an assigned owner.
Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the
category is not null and the length of the value in category is greater than ...
Aug 14, 2016

UCESS058 Untriaged Notable Events (Narrative and Use Case Center)


Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return
notable events that have a status group of New or the owner is unassigned. Return the values time, owner,
status, rule ...
Aug 14, 2016

UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...

UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center)
Alerts on high volume web uploads by a user to non-corporate domains. For the past 60 minutes starting 5
minutes after realtime, sum the total number of bytes transferred where the HTTP method is POST or PUT and
the domain is not in the corporate web domain lookup ...
Aug 14, 2016

PRT03-PeerAdoption-Phase4-Edge
Use case narratives adopted based on specific circumstances in the organization. Specific capabilities and complexities will dictate the
appropriate time for adoption of these narratives.

Supporting Use Cases


Found 10 search result(s) for title:UC* contentBody:"APC-Edge".

UC0065 Malware detected compliance asset (Narrative and Use Case Center)
Malware detection on an asset designated as compliance, such as PCI, CIP or HIPAA, requires review even
when automatic clean has occurred. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DDE001 ...
Aug 29, 2016

UCESS013 Cleartext Password At Rest Detected (Narrative and Use Case Center)
Detects cleartext passwords being stored at rest (such as in the Unix password file). Looking across a realtime
window of /5 minutes, search for Last Time, Original Raw Event Data, tag and count grouped by
destination(host, IP, name), user ...
Aug 14, 2016

UCESS041 Network Device Rebooted (Narrative and Use Case Center)
For the past 1 hour, using all summary data even if the model has changed, provide a count of device restarts grouped
by the device that reported the change dvc (host, IP, name) and time where the time span is 1 second.
Problem ...
Aug 14, 2016

UCESS044 Personally Identifiable Information Detected (Narrative and Use Case Center)
Looking across a realtime window of /5 minutes, find integer sequences and lookup against luhnlikelookup and
output fields pii and piiclean. Lookup iinissuer in the iinlookup table based on the piiclean string and length of
the string. Output event id (macro that creates ...
Aug 14, 2016

UCESS052 Substantial Increase In Port Activity (Narrative and Use Case Center)
Alerts when a statistically significant increase in events on a given port is observed. For the past hour, using all
summary data even if the model has changed, generate a count by destination port and compare that count
against the previous hour and trigger if the destination ...
Aug 14, 2016

UCESS002 Abnormally High Number of Endpoint Changes By User (Narrative and Use Case Center)
Detects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits,
filesystem, user, and registry modifications. For the past 24 hours starting on the hour, using all summary data
even if the model has changed, generate a count ...
Aug 14, 2016

UC0087 Malware signature not updated by SLA for compliance asset (Narrative and Use Case Center)
Malware signature last updated on an asset designated as compliance such as PCI, CIP or HIPAA beyond SLA
limits Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET02UpdatedSig
DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation ...
Apr 28, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0051 Excessive physical access failures to CIP assets (Narrative and Use Case Center)
user with continuous physical access failures could be someone searching for a physical vulnerability within the
organization. When this occurs in an area that is protecting CIP assets, it is something that should be followed
up on immediately. Problem Types Addressed Risk Addressed Event Data ...
Apr 27, 2016


UCESS003 Abnormally High Number of HTTP Method Events By Src (Narrative and Use Case Center)
Alerts when a host has an abnormally high number of HTTP requests by http method. For the past 24 hours
starting on the hour, using all summary data even if the model has changed, generate a count of the source of
the network traffic and the HTTP ...
Jul 22, 2016

UCESS010 Anomalous New Listening Port (Narrative and Use Case Center)
Alerts when a series of hosts begin listening on a new port within 24 hours. This may be an indication that the
devices have been compromised or have had new (and potentially vulnerable) software installed. Listening
ports tracker contains destination IP and port ...
Aug 14, 2016


PRT04-ProcessEffectivness
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
PRT04-ProcessEffectivness-HuntPaths

Supporting Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT04-ProcessEffectivness".

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT04-ProcessEffectivness".

UC0047 Communication with newly seen domain (Narrative and Use Case Center)
Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains
via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and
potentially identify weaknesses or risky ...
Jul 20, 2016
Labels: prt05-tacticalthreat-ransomeware


PRT04-ProcessEffectivness-HuntPaths
Using searches and automated prompts, the analyst investigates selected events that are considered low fidelity and applies an analytic
process to identify potential security weaknesses or previously unknown threats.


PRT05-Tactical Threat
In the constantly evolving threat landscape, organizations often must set aside strategic plans and react to specific threats. Tactical threat
motivations support the urgent onboarding of missing critical data sources.
PRT05-TacticalThreat-InsiderThreat
PRT05-TacticalThreat-Ransomeware
PRT05-TacticalThreat-SpearphishingCampaign


PRT05-TacticalThreat-InsiderThreat
Insiders, defined as employees, contractors, partners, or anyone else with AUTHORIZED internal access, often have the knowledge and access
necessary to bypass security measures on critical systems through legitimate means. The nature of the insider threat is different
from external threats, and therefore requires a different strategy for preventing and addressing it. The following use cases and data sources
are helpful in detecting and mitigating potential insider threat activity.

Domain: Data Exfiltration
Supporting Use Case: UCESS031 Host Sending Excessive Email
Description: Detects where a host that is not categorized as an email server is sending an excessive amount of email. Tune or create a variant of this CS to search only for excessive email to non-corporate domains by user.
Enrichment: DDE001 Asset Information; DDE023 CIM Corporate Email Domains
Data Sources: DS001Mail-ET03Send
Status: Adoptable: ES Product UC

Domain: Data Exfiltration
Supporting Use Case: UC0090 High Volume of Email to Non-Corporate Email Address
Description: Notable event is triggered when a single internal user sends more than 20 emails to a single non-corporate email address over a 60 minute period. Extreme Search should be used to set a dynamic threshold when available.
Enrichment: DDE001 Asset Information; DDE002 Identity Information; DDE023 CIM Corporate Email Domains
Data Sources: DS001Mail-ET03Send
Status: Draft Narrative

Domain: Data Exfiltration
Supporting Use Case: UC0091 Excessive Unique File Object Access
Description: Detects when a user attempts to access an excessive number of unique file or directory objects.
Enrichment: DDE002 Identity Information
Data Sources: Windows Security Logs; Auditing: File/Directory Object Access (EventCodes 4656, 4663)
Status: Draft Narrative

Domain: Malicious Insider
Supporting Use Case: UCESS060 Vulnerability Scanner Detected (by events)
Description: Detects IDS/IPS signatures from a single source to a destination where the distinct signature count is greater than 25. Tune or create a variant of this CS to search only for internally sourced events.
Enrichment: DDE001 Asset Information
Data Sources: IDS/IPS
Status: Adoptable: ES Product UC

Domain: Malicious Insider
Supporting Use Case: UCESS061 Vulnerability Scanner Detected (by targets)
Description: Detects IDS/IPS signatures from a single source to 25 or more distinct destinations. Tune or create a variant of this CS to search only for internally sourced events.
Enrichment: DDE001 Asset Information
Data Sources: IDS/IPS
Status: Adoptable: ES Product UC

Domain: Unauthorized Access
Supporting Use Case: UCESS011 Brute Force Access Behavior Detected
Description: Excessive failed access attempts followed by successful authentication. Datamodel acceleration should be used for this UC whenever possible.
Enrichment: DDE001 Asset Information; DDE002 Identity Information
Data Sources: Authentication
Status: Adoptable: ES Product UC

Domain: Unauthorized Access
Supporting Use Case: UCXXXX Excessive Logins Outside of Company Work Hours (by user)
Description: Detects successful login activity outside of normal work hours. Thresholds and work hours should be defined within the CS as per customer requirements.
Enrichment: DDE001 Asset Information; DDE002 Identity Information
Data Sources: Authentication
Status: In Development

Domain: Unauthorized Access
Supporting Use Case: UC0015 Privileged user accessing more than expected number of machines in period
Description: Privileged user authenticates to more than X number of new targets successfully or is denied access to more than Y targets in the prior Z hours. For example: more than 5 new targets, or more than 3 failures, in the last 4 hours.
Enrichment: DDE001 Asset Information; DDE002 Identity Information
Data Sources: Authentication
Status: Adoptable Narrative Custom

Domain: Potential Threat (various categories)
Supporting Use Case: UCXXXX Excessive Watchlisted Website Activity by User
Description: Searches for users visiting an excessive number of watchlisted sites. Threshold and site categories should be defined as per customer requirements. Designed to highlight possible job seekers, employees prone to violence, radicalists, etc.
Enrichment: DDE002 Identity Information; Watchlisted Sites
Data Sources: Web
Status: In Development

Domain: Potential Threat (various categories)
Supporting Use Case: UCXXXX Insider Threat Detected - High Probability
Description: Takes into account all "insider threat content pack" rules. Flags on a single user triggering multiple events (threshold to be defined) within a predefined time period, as defined by the customer.
Enrichment: DDE002 Identity Information; Insider Threat "Content Pack"
Data Sources: Insider Threat Content Pack Correlation Rules
Status: In Development
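As an added illustration of the UC0090 rule above (example code written for this page, not part of the repository and not Splunk's implementation, which would be a correlation search over the mail data), a sliding-window check in Python over constructed mail events: the corporate domain set stands in for the DDE023 lookup, the log format and field names are assumed, and the threshold is a parameter so a tuned or dynamic value can be substituted.

```python
"""UC0090-style check: a single internal user sending more than 20 emails to one
non-corporate recipient address within any 60 minute window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for the DDE023 CIM Corporate Email Domains lookup.
CORPORATE_DOMAINS = {"example.com", "corp.example.com"}

THRESHOLD = 20               # emails to one recipient (static default; tune or set dynamically)
WINDOW = timedelta(minutes=60)


def parse_mail_log(line):
    """Parse a constructed key=value mail event into (time, sender, recipient)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return (datetime.strptime(fields["_time"], "%Y-%m-%dT%H:%M:%S"),
            fields["src_user"].lower(), fields["recipient"].lower())


def is_corporate(address):
    """True when the address's domain is a corporate domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1]
    return domain in CORPORATE_DOMAINS or domain.endswith(
        tuple("." + d for d in CORPORATE_DOMAINS))


def find_excessive_external_email(lines, threshold=THRESHOLD, window=WINDOW):
    """Return notable events, one per burst of more than `threshold` emails from an
    internal sender to a single non-corporate recipient inside `window`."""
    windows = defaultdict(deque)      # (sender, recipient) -> timestamps in the window
    notables = []
    for ts, sender, recipient in sorted(parse_mail_log(l) for l in lines):
        if not is_corporate(sender) or is_corporate(recipient):
            continue                  # scope: internal user -> external address only
        q = windows[(sender, recipient)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()               # drop events older than the window
        if len(q) > threshold:
            notables.append({"src_user": sender, "recipient": recipient,
                             "end": ts, "count": len(q)})
            q.clear()                 # fire once per burst, then start counting again
    return notables


def make_sample_lines():
    """Constructed sample events (not real data) covering the three interesting cases."""
    base = datetime(2016, 8, 1, 9, 0, 0)
    lines = []

    def add(t, src, rcpt):
        lines.append(f"_time={t:%Y-%m-%dT%H:%M:%S} src_user={src} recipient={rcpt}")

    for i in range(25):   # alice: 25 mails in 48 minutes to one external address -> notable
        add(base + timedelta(minutes=2 * i), "alice@example.com", "partner@mail.example.net")
    for i in range(25):   # bob: heavy but corporate-internal traffic -> out of scope
        add(base + timedelta(minutes=i), "bob@example.com", "helpdesk@corp.example.com")
    for i in range(21):   # carol: 21 mails spread over 200 minutes, never 21 in one hour
        add(base + timedelta(minutes=60 + 10 * i), "carol@example.com", "friend@mail.example.net")
    return lines


if __name__ == "__main__":
    for n in find_excessive_external_email(make_sample_lines()):
        print(n)
```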

PRT05-TacticalThreat-Ransomeware
Ransomware includes multiple broad categories, including denial of service by encryption and extortion by data exfiltration. The following
collection of data sources and use cases highlights strategies found useful in mitigating this threat.

DS001MAIL

Found 1 search result(s) for contentBody:DS001* title:UC* PRT05-TacticalThreat-Ransomeware.

UCESS053 Threat Activity Detected (Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate
the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields.
Depending on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

DS002DNS

Found 5 search result(s) for contentBody:DS002* title:UC* PRT05-TacticalThreat-Ransomeware.

UCESS053 Threat Activity Detected (Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate
the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields.
Depending on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registration domain is likely to be generated by a computer,
excluding known cloud hosting domains, Alexa TOP 1 M domains and domains with long established
communication with the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative

UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may
indicate the presence of malicious code. Assets communicating with external services excluding Alexa
TOP 1M whose reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0076 Excessive DNS Failures (Narrative and Use Case Center)
endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of
security controls can be detected by either a large volume or high number of unique DNS queries.
Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0049 Detection of DNS Tunnel (Narrative and Use Case Center)
Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or
evasion of security controls. Detected by large total size of DNS traffic OR large number of unique
queries. Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

DS004EndPointAntiMalware


Found 8 search result(s) for contentBody:DS004* title:UC* PRT05-TacticalThreat-Ransomeware.

UC0087 Malware signature not updated by SLA for compliance asset (Narrative and Use Case Center)
Malware signature last updated on an asset designated as compliance such as PCI, CIP or HIPAA beyond SLA
limits Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET02UpdatedSig
DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation ...
Apr 28, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than
5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm.
Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts
are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and Use Case Center)
Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor
for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data
Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center)
Endpoint with malware detection where the anti-malware product attempted to and was unable to clean, remove or
quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DDE007 Signature Special Processing List ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center)
Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an
undetected loader malware component (apt). Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center)
When a new malware variant is detected by endpoint antivirus technology it is possible the configuration or capability
of other controls is deficient. Review the sequence of events leading to the infection to determine if additional
preventive measures can be put in place. Problem Types Addressed Risk ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)
Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL.
Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use
the information available for the event and determine how existing ...
Apr 11, 2016
Labels: prt05-tacticalthreat-ransomeware

DS005WebProxyRequest

Found 3 search result(s) for contentBody:DS005* title:UC* PRT05-TacticalThreat-Ransomeware.

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0047 Communication with newly seen domain (Narrative and Use Case Center)
Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via
web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially
identify weaknesses or risky ...
Jul 20, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the
presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

DS010NetworkCommunication

Found 2 search result(s) for contentBody:DS010* title:UC* PRT05-TacticalThreat-Ransomeware.

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate
either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing
the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

DS012NetworkIntrusionDetection-ET01SigDetection

Found 1 search result(s) for contentBody:DS012* title:UC* PRT05-TacticalThreat-Ransomeware.

UC0074 Network Intrusion Internal Network (Narrative and Use Case Center)
IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption
Phase SME Adoption Phase ...
May 09, 2016
Labels: prt05-tacticalthreat-ransomeware


PRT05-TacticalThreat-SpearphishingCampaign


PRT06-SecureConfigurationMgmt
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
PRT06-SecureConfigurationMgmtUpdateManagement
PRT06-SecureConfigurationMgmtVulnerability

Supporting Use Cases


Essentials
Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibility".

UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large
number of unique targets. Vulnerability scanners generally trigger events against a high number of unique
hosts when they are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016

UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique
events. Vulnerability scanners generally trigger a high number of unique events when scanning a host since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibility".

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016


PRT06-SecureConfigurationMgmtUpdateManagement
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.

Supporting Data Sources


DS019PatchManagement

Supporting Use Cases


Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".

Maturing

Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".


PRT06-SecureConfigurationMgmtVulnerability
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.

Supporting Data Sources


DS018VulnerabilityDetection

Supporting Use Cases


Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".

Maturing

Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".


PRT07-SpecialRequests
A set of curated use case collections based on specific field requests
PRT07-SpecialRequests-Creative

Supporting Use Cases


Essentials
Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibility".

UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large
number of unique targets. Vulnerability scanners generally trigger events against a high number of unique
hosts when they are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016

UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique
events. Vulnerability scanners generally trigger a high number of unique events when scanning a host since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibility".

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016


PRT07-SpecialRequests-Creative
A set of curated use case collections based on specific field requests

Supporting Use Cases


Found 3 search result(s) for title:UC0* labelText:creative.

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequences occurs: New domain in http referrer field; First occurrence of domain as sender domain is
less than 48 ...
Jun 24, 2016
Labels: creative

UC0007 Account logon successful method outside of policy (Narrative and Use Case Center)
logon event properties could indicate account misuse in violation of policy OR as an indication of compromise
by comparing the identified purpose of the account to the context of the logon to determine if the account is
authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as
a network or batch ...
Jun 24, 2016
Labels: creative

UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registration domain is likely to be generated by a computer, excluding
known cloud hosting domains, Alexa TOP 1 M domains and domains with long established communication with
the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative


PRT08-ProductAdoption
Use cases provided by the Splunk Enterprise Security Application are mapped to the Adoption Phase and grouped by Supporting Data Source to
assist the customer and consultant in the selection of use cases for implementation based on the likely readiness of the customer.
PRT08-ProductAdoption-ES
PRT08-ProductAdoption-ES-Essentials
PRT08-ProductAdoption-ES-Mature
PRT08-ProductAdoption-ES-Maturing


PRT08-ProductAdoption-ES


PRT08-ProductAdoption-ES-Essentials

DS010NetworkCommunication

Network communication data is often the last chance available to identify the movement of an attacker in, into or out of the organization's network.
All firewalls protecting systems in the DMZ, Public internet, segmenting private network from the public internet and segmenting the private
network from third party network peers that are not part of the public internet should be included.

Found 2 search result(s) for title:UCESS* contentBody:"DS010NetworkCommunication*" contentBody:"APC-Essential".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that
the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data
even ...
Apr 26, 2016

DS004EndPointAntiMalware

Endpoint anti-malware logs such as McAfee Antivirus, Symantec Endpoint Protection, or Microsoft Forefront, collected from the central reporting
database. Events including detection, definition update and scheduled scan execution should be indexed.

Found 8 search result(s) for title:UCESS* contentBody:"DS004EndPointAntiMalware*" contentBody:"APC-Essential".

UCESS035 Host With Multiple Infections (Narrative and Use Case Center)
Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if the
model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the
count is greater ...
Aug 14, 2016

UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)
Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data even
if the model has changed, return an estimated distinct count of destination (host, IP, name) where nodename is
MalwareAttacks ...
Aug 14, 2016

UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)
Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5
minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen
time, original raw log, destination ...
Aug 14, 2016

UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)
Detects users with a high or critical priority logging into a malware infected machine. Using all summary data even if
the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user
priority ...
Aug 14, 2016

UCESS043 Outbreak Detected (Narrative and Use Case Center)
Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infection. For
the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the system
that was affected by the malware ...
Apr 26, 2016

UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center)
Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should
be evaluated to determine why they are not updating their malware signatures. Execute the malware operations
tracker macro and calculate the timesignatureversion and return results that the day difference between ...
Apr 26, 2016

UCESS036 Host With Old Infection Or Potential Re-Infection (Narrative and Use Case Center)
Alerts when a host with an old infection is discovered (likely a reinfection). For the past 60 minutes starting 5
minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup against
the malwaretracker and match on destination and signature. If a match ...
Apr 26, 2016

UCESS032 Host With A Recurring Malware Infection (Narrative and Use Case Center)
Alerts when a host has an infection that has been removed and reinfected multiple times over multiple days. For the past
10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model ...
Apr 26, 2016

DS005WebProxyRequest

Web client requests from internal endpoints processed by a proxy server. The scope should include all endpoints, including end-user devices and servers;
guest wifi should not be included unless the guest network is able to access the organization's internal trusted zone.

Found 0 search result(s) for title:UCESS* contentBody:"DS005WebClientRequest*" contentBody:"APC-Essential".

DS002DNS

Domain name resolution logs covering all internal clients querying for hosts outside of the organization's network should contain in a single event
the source IP, query and response. The scope should be confirmed using the firewall communication logs where destination port is 23.

Found 1 search result(s) for title:UCESS* contentBody:"DS002DNS*" contentBody:"APC-Essential".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

DS003Authentication

Authentication logs covering all central authentication systems such as Active Directory, ADFS, Cyber Ark, WebSeal, and Siteminder as well as
all local authentication logs from host operating systems identified as compliance targeted, or priority High/Critical.

Found 4 search result(s) for title:UCESS* contentBody:"DS003Authentication*" contentBody:"APC-Essential".

UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago, search for
application ...
Aug 14, 2016

UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful
brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications,
count of failures ...
Aug 14, 2016

UCESS053 Threat Activity Detected (Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)
Alerts when an event is discovered from a user associated with an identity that is now expired (that is, the end date of
the identity has passed). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw
Event Data, user ...
Aug 14, 2016

DS001MAIL

Email logs covering all inbound and outbound mail systems, permitting identification of the internal authenticated user (or the host, where
authentication is not used) that caused an email to be sent or that received a specific email. The scope should be confirmed using firewall
communication logs where the destination port is 25.

Found 2 search result(s) for title:UCESS* contentBody:"DS001MAIL*" contentBody:"APC-Essential".


UCESS053 Threat Activity Detected (Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS031 Host Sending Excessive Email (Narrative and Use Case Center)
Alerts when a host not designated as an email server sends excessive email to one or more target hosts. For the
past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate
...
May 02, 2016

DS007AuditTrail

Audit trail information from internal endpoints providing logs supporting use cases in this adoption phase should be included in the initial scope.

Found 1 search result(s) for title:UCESS* contentBody:"DS007AuditTrail*" contentBody:"APC-Essential".


UCESS022 Expected Host Not Reporting (Narrative and Use Case Center)
... Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware
RV6Misconfiguration DS007AuditTrail DE001AssetInformation Adoption Phase Customer Adoption Phase SME
Adoption Phase Industry ...
Aug 14, 2016

DS012NetworkIntrusionDetection-ET01SigDetection

Network intrusion detection logs often must be indexed for compliance purposes. All IDS/IPS sensors should be included except those that
monitor unfiltered inbound public internet communications ("unfiltered" meaning the sensor may detect attacks that the border firewall would
block based on destination port).

Found 2 search result(s) for title:UCESS* contentBody:"DS012NetworkIntrusionDetection*" contentBody:"APC-Essential".

UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of
unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they
are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016

UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events.
Vulnerability scanners generally trigger a high number of unique events when scanning a host since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016

DS014WebServer-ET01Access

Web server logs from all web servers serving authenticated organization users from the public internet; events should contain the authenticated user
account, the (actual) source IP, the reverse proxy IP, site, URL, and port.

Found 0 search result(s) for title:UCESS* contentBody:"DS014WebServer*" contentBody:"APC-Essential".

DS006UserActivity

User activity related to the creation, modification or deletion of users, groups, access controls and policies should be indexed for all systems
in scope for logging and monitoring within this phase.

Found 1 search result(s) for title:UCESS* contentBody:"DS006UserActivity*" contentBody:"APC-Essential".


UCESS045 Potential Gap in Data (Narrative and Use Case Center)
Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps
in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were
successful where the app context ...
Aug 16, 2016

PRT08-ProductAdoption-ES-Maturing

DS010NetworkCommunication

Network communication data is often the last chance available to identify the movement of an attacker within, into or out of the organization's network.
All firewalls protecting systems in the DMZ or on the public internet, segmenting the private network from the public internet, or segmenting the private
network from third-party network peers that are not part of the public internet should be included.

Found 3 search result(s) for title:UCESS* contentBody:"DS010NetworkCommunication*" contentBody:"APC-Maturing".

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016

DS004EndPointAntiMalware

Endpoint antimalware logs such as McAfee Antivirus, Symantec Endpoint Protection, or Microsoft Forefront collected from the central reporting
database. Events including detections, definition updates and scheduled scan executions should be indexed.

Found 0 search result(s) for title:UCESS* contentBody:"DS004EndPointAntiMalware*" contentBody:"APC-Maturing".

DS005WebProxyRequest

Web client requests from internal endpoints processed by a proxy server. Scope should include all endpoints, including end-user devices and servers;
however, guest wifi should not be included unless the guest network is able to access the organization's internal trusted zone.

Found 0 search result(s) for title:UCESS* contentBody:"DS005WebClientRequest*" contentBody:"APC-Maturing".

DS002DNS

Domain name resolution logs covering all internal clients querying for hosts outside of the organization's network should contain in a single event
the source IP, query and response. The scope should be confirmed using the firewall communication logs where destination port is 23.

Found 2 search result(s) for title:UCESS* contentBody:"DS002DNS*" contentBody:"APC-Maturing".


UCESS019 Excessive DNS Queries (Narrative and Use Case Center)
Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5
minutes ago, using all summary data even if the model has changed, provide a count where the message ...
Aug 14, 2016

UCESS018 Excessive DNS Failures (Narrative and Use Case Center)
Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting
5 minutes ago, using all summary data even if the model has changed, provide a count where ...
Aug 14, 2016

DS003Authentication

Authentication logs covering all central authentication systems such as Active Directory, ADFS, CyberArk, WebSEAL, and SiteMinder, as well as
all local authentication logs from host operating systems identified as compliance targets or as priority High/Critical.

Found 7 search result(s) for title:UCESS* contentBody:"DS003Authentication*" contentBody:"APC-Maturing".


UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016

UCESS020 Excessive Failed Logins (Narrative and Use Case Center)
Detects an excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting 5
minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user
...
Aug 14, 2016

UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords
and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window
of /5 minutes, return lastTime, tag ...
Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking
across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count
grouped by the application and destination (host, IP, name ...
Aug 14, 2016

UCESS014 Completely Inactive Account (Narrative and Use Case Center)
Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by
attackers to gain unauthorized access. Access tracker contains destination (host, IP, name), first and last time
seen, 2nd to last time seen and user ...
Aug 14, 2016

UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center)
Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully
gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look
across the time range of less than 90 days ago and greater ...
Aug 14, 2016

UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use
Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the
application, user ...
Aug 14, 2016

DS001MAIL

Email logs covering all inbound and outbound mail systems, permitting identification of the internal authenticated user (or the host, where
authentication is not used) that caused an email to be sent or that received a specific email. The scope should be confirmed using firewall
communication logs where the destination port is 25.

Found 0 search result(s) for title:UCESS* contentBody:"DS001MAIL*" contentBody:"APC-Maturing".

DS007AuditTrail

Audit trail information from internal endpoints providing logs supporting use cases in this adoption phase should be included in the initial scope.

Found 2 search result(s) for title:UCESS* contentBody:"DS007AuditTrail*" contentBody:"APC-Maturing".


UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion or clearing of log files. Attackers oftentimes clear the log files
in order to hide their actions; therefore, this may indicate that the system has been compromised. Looking across a
realtime window of /5 minutes, search for action ...
Aug 14, 2016

UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center)
Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is
important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by
some regulatory compliance standards (such as PCI). For the past 30 days ...
Aug 14, 2016

DS012NetworkIntrusionDetection-ET01SigDetection

Network intrusion detection logs often must be indexed for compliance purposes. All IDS/IPS sensors should be included except those that
monitor unfiltered inbound public internet communications ("unfiltered" meaning the sensor may detect attacks that the border firewall would
block based on destination port).

Found 0 search result(s) for title:UCESS* contentBody:"DS012NetworkIntrusionDetection*" contentBody:"APC-Maturing".

DS014WebServer-ET01Access

Web server logs from all web servers serving authenticated organization users from the public internet; events should contain the authenticated user
account, the (actual) source IP, the reverse proxy IP, site, URL, and port.

Found 1 search result(s) for title:UCESS* contentBody:"DS014WebServer*" contentBody:"APC-Maturing".


UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

DS006UserActivity

User activity related to the creation, modification or deletion of users, groups, access controls and policies should be indexed for all systems
in scope for logging and monitoring within this phase.

Found 4 search result(s) for title:UCESS* contentBody:"DS006UserActivity*" contentBody:"APC-Maturing".


UCESS049 Short-lived Account Detected (Narrative and Use Case Center)
past 4 hours, find all events where the action is equal to created or deleted. Look at the time range across user and
destination and use only two events and only return events where the count is greater than 1 and the time range ...
Aug 14, 2016

UCESS004 Account Deleted (Narrative and Use Case Center)
Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the value
delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the
count is greater than 0: Last ...
Aug 14, 2016

UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)
Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create
earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values
where firstTime is greater than or equal to earliestQual ...
Aug 14, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center)
Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count
grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and
the command that initiated the change. Problem Types ...
Aug 14, 2016

DS013TicketManagement-ET01

Notable event ticket data is indexed with no administrator action required.

Found 2 search result(s) for title:UCESS* contentBody:"DS013TicketManagement*" contentBody:"APC-Maturing".

UCESS058 Untriaged Notable Events (Narrative and Use Case Center)
Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return
notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status,
rule ...
Aug 14, 2016

UCESS051 Substantial Increase In Events (Narrative and Use Case Center)
Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all
summary data even if the model has changed, generate a count by signature and compare that count against the
previous hour and trigger if the signature is above medium ...
Aug 14, 2016

PRT08-ProductAdoption-ES-Mature

DS010NetworkCommunication

Network communication data is often the last chance available to identify the movement of an attacker within, into or out of the organization's network.
All firewalls protecting systems in the DMZ or on the public internet, segmenting the private network from the public internet, or segmenting the private
network from third-party network peers that are not part of the public internet should be included.

Found 3 search result(s) for title:UCESS* contentBody:"DS010NetworkCommunication*" contentBody:"APC-Mature".

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016

DS004EndPointAntiMalware

Endpoint antimalware logs such as McAfee Antivirus, Symantec Endpoint Protection, or Microsoft Forefront collected from the central reporting
database. Events including detections, definition updates and scheduled scan executions should be indexed.

Found 0 search result(s) for title:UCESS* contentBody:"DS004EndPointAntiMalware*" contentBody:"APC-Mature".

DS005WebProxyRequest

Web client requests from internal endpoints processed by a proxy server. Scope should include all endpoints, including end-user devices and servers;
however, guest wifi should not be included unless the guest network is able to access the organization's internal trusted zone.

Found 0 search result(s) for title:UCESS* contentBody:"DS005WebClientRequest*" contentBody:"APC-Mature".

DS002DNS

Domain name resolution logs covering all internal clients querying for hosts outside of the organization's network should contain in a single event
the source IP, query and response. The scope should be confirmed using the firewall communication logs where destination port is 23.

Found 2 search result(s) for title:UCESS* contentBody:"DS002DNS*" contentBody:"APC-Mature".


UCESS019 Excessive DNS Queries (Narrative and Use Case Center)
Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5
minutes ago, using all summary data even if the model has changed, provide a count where the message ...
Aug 14, 2016

UCESS018 Excessive DNS Failures (Narrative and Use Case Center)
Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting
5 minutes ago, using all summary data even if the model has changed, provide a count where ...
Aug 14, 2016

DS003Authentication

Authentication logs covering all central authentication systems such as Active Directory, ADFS, CyberArk, WebSEAL, and SiteMinder, as well as
all local authentication logs from host operating systems identified as compliance targets or as priority High/Critical.

Found 7 search result(s) for title:UCESS* contentBody:"DS003Authentication*" contentBody:"APC-Mature".


UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016

UCESS020 Excessive Failed Logins (Narrative and Use Case Center)
Detects an excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting 5
minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user
...
Aug 14, 2016

UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords
and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window
of /5 minutes, return lastTime, tag ...
Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking
across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count
grouped by the application and destination (host, IP, name ...
Aug 14, 2016

UCESS014 Completely Inactive Account (Narrative and Use Case Center)
Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by
attackers to gain unauthorized access. Access tracker contains destination (host, IP, name), first and last time
seen, 2nd to last time seen and user ...
Aug 14, 2016

UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center)
Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully
gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look
across the time range of less than 90 days ago and greater ...
Aug 14, 2016

UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use
Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the
application, user ...
Aug 14, 2016

DS001MAIL

Email logs covering all inbound and outbound mail systems, permitting identification of the internal authenticated user (or the host, where
authentication is not used) that caused an email to be sent or that received a specific email. The scope should be confirmed using firewall
communication logs where the destination port is 25.

Found 0 search result(s) for title:UCESS* contentBody:"DS001MAIL*" contentBody:"APC-Mature".

DS007AuditTrail

Audit trail information from internal endpoints providing logs supporting use cases in this adoption phase should be included in the initial scope.

Found 2 search result(s) for title:UCESS* contentBody:"DS007AuditTrail*" contentBody:"APC-Mature".


UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion or clearing of log files. Attackers oftentimes clear the log files
in order to hide their actions; therefore, this may indicate that the system has been compromised. Looking across a
realtime window of /5 minutes, search for action ...
Aug 14, 2016

UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center)
Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is
important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by
some regulatory compliance standards (such as PCI). For the past 30 days ...
Aug 14, 2016

DS012NetworkIntrusionDetection-ET01SigDetection

Network intrusion detection logs often must be indexed for compliance purposes. All IDS/IPS sensors should be included except those that
monitor unfiltered inbound public internet communications ("unfiltered" meaning the sensor may detect attacks that the border firewall would
block based on destination port).

Found 0 search result(s) for title:UCESS* contentBody:"DS012NetworkIntrusionDetection*" contentBody:"APC-Mature".

DS014WebServer-ET01Access

Web server logs from all web servers serving authenticated organization users from the public internet; events should contain the authenticated user
account, the (actual) source IP, the reverse proxy IP, site, URL, and port.

Found 1 search result(s) for title:UCESS* contentBody:"DS014WebServer*" contentBody:"APC-Mature".


UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

DS006UserActivity

User activity related to the creation, modification or deletion of users, groups, access controls and policies should be indexed for all systems
in scope for logging and monitoring within this phase.

Found 4 search result(s) for title:UCESS* contentBody:"DS006UserActivity*" contentBody:"APC-Mature".


UCESS049 Short-lived Account Detected (Narrative and Use Case Center)
past 4 hours, find all events where the action is equal to created or deleted. Look at the time range across user and
destination and use only two events and only return events where the count is greater than 1 and the time range ...
Aug 14, 2016

UCESS004 Account Deleted (Narrative and Use Case Center)
Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the value
delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the
count is greater than 0: Last ...
Aug 14, 2016

UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)
Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create
earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values
where firstTime is greater than or equal to earliestQual ...
Aug 14, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center)
Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count
grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and
the command that initiated the change. Problem Types ...
Aug 14, 2016

DS013TicketManagement-ET01

Notable event ticket data is indexed with no administrator action required.

Found 2 search result(s) for title:UCESS* contentBody:"DS013TicketManagement*" contentBody:"APC-Mature".

UCESS058 Untriaged Notable Events (Narrative and Use Case Center)
Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return
notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status,
rule ...
Aug 14, 2016

UCESS051 Substantial Increase In Events (Narrative and Use Case Center)
Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all
summary data even if the model has changed, generate a count by signature and compare that count against the
previous hour and trigger if the signature is above medium ...
Aug 14, 2016

Motivating Risk View Perspective

Risk mitigation is tangential to the traditional view of business value. To address this motivation and realize value, the customer will place an
artificial cost on the occurrence of an event; narratives and solutions will then provide support for decision makers to show the broader business
leadership that risks are being addressed proactively through the development of detection and monitoring processes.
Each use case will be further labeled to collect the use cases into a risk-based paradigm.
RV1-AbuseofAccess Abuse of access addresses the risk of authorized or entitled access used in such a way as to cause harm
to the organization.
RV2-Access Access addresses the risk of unauthorized access used in such a way as to cause harm to the organization.
RV3-MaliciousCode Malicious code addresses the risk of processes used against the organization; these risks include
"malware" as well as authorized software used for malicious intent.
RV4-ScanProbe Risk of activities that could discover a weakness in the organization's systems, controls, or configuration
that could later be used to harm the organization.
RV5-DenialofService Risk of denial of service includes such concerns as load-based and destructive change to the
infrastructure.
RV6-Misconfiguration Modification of a system that results in a misconfiguration, defined as insecure or unreliable,
impacting the compliance, security, or availability of the system. Such a configuration may increase the likelihood or impact
of other adverse events.

RV1-AbuseofAccess
Abuse of access addresses the risk of authorized or entitled access used in such a way as to cause harm to the organization.

Supporting Use Cases


Essentials
Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV1-AbuseofAccess".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending
on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS035 Host With Multiple Infections (Narrative and Use Case Center)
Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if
the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert
when the count is greater ...
Aug 14, 2016

UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)
Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data
even if the model has changed, return an estimated distinct count of destination (host, IP, name) where
nodename is MalwareAttacks ...
Aug 14, 2016

UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)
Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5
minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen
time, original raw log, destination ...
Aug 14, 2016

UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)
Detects users with a high or critical priority logging into a malware infected machine. Using all summary data
even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime
where user priority ...
Aug 14, 2016

UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)
Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end
date of the identity has been passed). Looking across a realtime window of /5 minutes, search for Last Time,
Original Raw Event Data, user ...
Aug 14, 2016

UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period
(this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago,
search for application ...
Aug 14, 2016

UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a
successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags,
applications, count of failures ...
Aug 14, 2016

UC0006 Windows security event log purged (Narrative and Use Case Center)

Copyright 2016, Splunk Inc.

Manually clearing the security event log on a Windows system is a violation of policy and could indicate an
attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear
DE001AssetInformation Adoption ...
Apr 08, 2016

UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate
that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all
summary data even ...
Apr 26, 2016

Maturing
Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV1-AbuseofAccess".

UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default
passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a
realtime window of /5 minutes, return lastTime, tag ...
Aug 14, 2016

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016

UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center)
Alerts on high volume web uploads by a user to noncorporate domains. For the past 60 minutes starting 5
minutes after realtime, sum the total number of bytes transferred where the HTTPmethod is POST or PUT and
the domain is not in the corporate web domain lookup ...
Aug 14, 2016

UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case
Center)

Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016

UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and
Use Case Center)

Increase the risk score of users who have indication of adverse separation. Examples of users with an
indication of adverse separation, include but are not limited to the following: User has entered a remediation
program with human resources User has been identified as included in a reduction ...
Apr 08, 2016


UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security
posture of the organization or actual/attempted compromise. Communication filtered by the default rule implies
no explicit permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016

UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets
identified as loaner ...
May 16, 2016
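The two account-sharing signals listed above (UCESS015, concurrent logins to one application from different hosts, and UC0088, logons to devices owned by someone else) are easy to get wrong around host resolution, so here is an added worked example in plain Python. It is not Splunk's correlation search or the narrative's implementation; the asset table, the IP-to-asset lookup, the window sizes and every logon event are constructed for the example.

```python
"""Account sharing signals over constructed logon events.

Added example, not Splunk's own correlation search or the UC0088 narrative's
implementation. UCESS015: one user reaching the same application from more than
one host inside a short window. UC0088: one user logging on to more than two
devices owned by someone else within 24 hours, ignoring loaner devices. The
asset table, IP to asset resolution and all events are constructed (assumed).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset table (assumed shape: owner and category per device name).
ASSETS = {
    "LT-ALICE-01": {"owner": "alice", "category": "laptop"},
    "LT-BOB-01":   {"owner": "bob",   "category": "laptop"},
    "LT-CAROL-01": {"owner": "carol", "category": "laptop"},
    "LT-POOL-07":  {"owner": "helpdesk", "category": "loaner"},
}
# Constructed IP to asset resolution, since logon events often carry only an address.
ASSET_BY_IP = {"10.2.0.12": "LT-BOB-01"}

# Constructed logon events: (timestamp, app, user, src host or IP). Not real data.
SAMPLE_LOGONS = [
    ("2016-08-14T08:00:00", "vpn",     "alice", "203.0.113.9"),
    ("2016-08-14T08:07:00", "vpn",     "alice", "198.51.100.4"),  # second host 7 minutes later
    ("2016-08-14T09:00:00", "windows", "eve",   "LT-ALICE-01"),
    ("2016-08-14T09:05:00", "windows", "alice", "LT-ALICE-01"),   # her own device
    ("2016-08-14T11:30:00", "windows", "alice", "LT-POOL-07"),    # loaner: excluded by UC0088
    ("2016-08-14T11:30:00", "windows", "eve",   "10.2.0.12"),     # resolves to LT-BOB-01
    ("2016-08-14T12:00:00", "windows", "bob",   "LT-BOB-01"),
    ("2016-08-14T13:00:00", "windows", "bob",   "10.2.0.12"),     # same device by IP, not a second host
    ("2016-08-14T14:15:00", "windows", "eve",   "LT-CAROL-01"),   # third device owned by others
    ("2016-08-14T16:00:00", "windows", "dave",  "LT-ALICE-01"),
    ("2016-08-14T16:30:00", "windows", "dave",  "LT-BOB-01"),     # two foreign devices: under UC0088's limit
]


def parse_logons(rows):
    """Turn the sample tuples into dicts with a real datetime (a log parser would do this)."""
    return [{"time": datetime.fromisoformat(t), "app": a, "user": u, "src": s} for t, a, u, s in rows]


def resolve_asset(src):
    """Map a hostname or IP to an asset name; unknown values pass through unchanged."""
    if src in ASSETS:
        return src
    return ASSET_BY_IP.get(src, src)


def concurrent_logins(events, window_minutes=65):
    """UCESS015: (user, app) pairs seen from more than one distinct host within the window."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["app"])].append(e)
    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, cur in enumerate(evs):
            # Hosts seen for this user/app in the window ending at the current event.
            hosts = {resolve_asset(e["src"]) for e in evs[: i + 1] if cur["time"] - e["time"] <= window}
            if len(hosts) > 1:
                findings[key] = sorted(hosts)
    return findings


def shared_account_by_ownership(events, now, lookback_hours=24, max_foreign_devices=2):
    """UC0088: users who logged on to more than max_foreign_devices devices owned by others."""
    end = datetime.fromisoformat(now)
    start = end - timedelta(hours=lookback_hours)
    foreign = defaultdict(set)
    for e in events:
        if not start <= e["time"] <= end:
            continue
        name = resolve_asset(e["src"])
        asset = ASSETS.get(name)
        if asset is None or asset["category"] == "loaner":
            continue  # unknown device or loaner pool: no ownership to compare against
        if asset["owner"] != e["user"]:
            foreign[e["user"]].add(name)
    return {user: sorted(devs) for user, devs in foreign.items() if len(devs) > max_foreign_devices}


if __name__ == "__main__":
    evs = parse_logons(SAMPLE_LOGONS)
    print("concurrent:", concurrent_logins(evs))
    print("ownership:", shared_account_by_ownership(evs, now="2016-08-14T23:59:59"))
```

Resolving the source to an asset name before counting is what keeps bob (one laptop seen once by name and once by address) out of the concurrent-login result, while alice's VPN sessions from two public addresses and dave's two foreign laptops within half an hour are reported; only eve, on three devices she does not own, trips the ownership rule.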


RV2-Access
Access addresses the risk of unauthorized access that causes harm to the organization.

Supporting Use Cases


Essentials
Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV2-Access".

UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center)
... Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker ...
Apr 08, 2016

UC0043 Direct Authentication to NHA (Narrative and Use Case Center)


Direct authentication via SSH or console session to a non human account indicates a violation of security policy
by recording the password of a non human account for later use or by association of a SSH key to a non
human account. Problem Types Addressed Risk ...
Apr 11, 2016

Maturing
Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV2-Access".

UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default
passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a
realtime window of /5 minutes, return lastTime, tag ...
Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016

UC0094 Insecure authentication method detected (Narrative and Use Case Center)
each authentication technology in the network identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs
without the required indicators Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016

UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case
Center)

Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016

UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and
Use Case Center)

Increase the risk score of users who have indication of adverse separation. Examples of users with an
indication of adverse separation, include but are not limited to the following: User has entered a remediation
program with human resources User has been identified as included in a reduction ...
Apr 08, 2016


UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)
... Identify accounts no longer in use with access to high/critical or enclave systems and remove access when
no longer required. Implement a tracking list of accounts and the accessed enclave or business service
identifier, maintain the last accessed time and alert when the last access ...
Jun 24, 2016

UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center)
... indicate an adversary has identified a specific high value account and is attempting to gain access. Problem
Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity ...
Jun 08, 2016

UC0045 Local authentication server (Narrative and Use Case Center)


Following provisioning, Unix-like (*nix) servers seldom require local administration. Investigate any use of local
authentication as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 11, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
... RV6Misconfiguration DS003AuthenticationET01Success
DS010NetworkCommunicationET01TrafficAppAware DE001AssetInformation Categorization providing
information to identify authorized remote access systems DE002IdentityInformation Categorization providing
information on which users may access an individual remote access technology Adoption Phase Customer
Adoption Phase SME Adoption ...
Apr 08, 2016

UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)
... Detection of a new key should be investigated to determine the owner of the key and validate authorization
to access the resource. Problem Types Addressed Risk Addressed Event Data Sources Enrichment ...
Apr 11, 2016


RV3-MaliciousCode
Malicious code addresses the risk of processes used against the organization; this includes "malware" as well as authorized software used
for malicious intent.

Supporting Use Cases


Essentials
Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV3-MaliciousCode".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending
on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS035 Host With Multiple Infections (Narrative and Use Case Center)
Alerts when a host with multiple infections is discovered.For the past 24 hours, using all summary data even if
the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert
when the count is greater ...
Aug 14, 2016

UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)
Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data
even if the model has changed, return an estimated distinct count of destination (host, IP, name) where
nodename is MalwareAttacks ...
Aug 14, 2016

UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)
Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5
minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen
time, original raw log, destination ...
Aug 14, 2016

UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)
Detects users with a high or critical priority logging into a malware infected machine. Using all summary data
even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime
where user priority ...
Aug 14, 2016

UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)
Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end
date of the identity has been passed). Looking across a realtime window of /5 minutes, search for Last Time,
Original Raw Event Data, user ...
Aug 14, 2016

UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period
(this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago,
search for application ...
Aug 14, 2016

UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a
successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags,
applications, count of failures ...
Aug 14, 2016
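The brute-force narratives (UCESS011 over 60 minutes, UCESS012 over one day) both reduce to "many failures plus a success for the same user and application inside a window". The following is an added worked example of that logic in plain Python, not Splunk's correlation search; the field names, the failure threshold and every event are constructed for the example. It also tightens the narrative in one respect: the failures must come before the success, which is what a successful guess actually looks like.

```python
"""Brute-force access behaviour over constructed authentication events.

Added example, not Splunk's own correlation search: it re-implements the logic
described by UCESS011 (60 minute window) and UCESS012 (one day window) so the
detection can be exercised offline. Field names, window sizes, the failure
threshold and all events below are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, app, user, src, action). Not real log data.
SAMPLE_EVENTS = [
    ("2016-08-14T08:00:00", "vpn",  "svc_backup", "10.1.1.50",   "success"),  # no failures before it
    ("2016-08-14T09:58:00", "vpn",  "alice",      "203.0.113.9", "failure"),
    ("2016-08-14T09:58:20", "vpn",  "alice",      "203.0.113.9", "failure"),
    ("2016-08-14T09:58:45", "vpn",  "alice",      "203.0.113.9", "success"),  # 2 failures: a typo, not an attack
    ("2016-08-14T10:00:01", "sshd", "svc_backup", "10.1.1.50",   "failure"),
    ("2016-08-14T10:00:07", "sshd", "svc_backup", "10.1.1.50",   "failure"),
    ("2016-08-14T10:00:13", "sshd", "svc_backup", "10.1.1.50",   "failure"),
    ("2016-08-14T10:01:02", "sshd", "svc_backup", "10.1.1.51",   "failure"),
    ("2016-08-14T10:02:44", "sshd", "svc_backup", "10.1.1.51",   "failure"),
    ("2016-08-14T10:04:10", "sshd", "svc_backup", "10.1.1.51",   "failure"),
    ("2016-08-14T10:05:30", "sshd", "svc_backup", "10.1.1.51",   "success"),  # 6 failures, then success
] + [
    # 10 failures for bob with no success: noisy, but not this rule's pattern
    (f"2016-08-14T10:1{i}:00", "sshd", "bob", "10.1.1.77", "failure") for i in range(10)
]


def parse_events(rows):
    """Turn the sample tuples into dicts with a real datetime (a log parser would do this)."""
    return [
        {"time": datetime.fromisoformat(ts), "app": app, "user": user, "src": src, "action": action}
        for ts, app, user, src, action in rows
    ]


def detect_brute_force(events, window_minutes=60, failure_threshold=5):
    """Flag (app, user) pairs with >= failure_threshold failures followed by a success.

    The narrative counts failures and successes in the same window; this version
    additionally requires the failures to precede the success, so a user who logs
    in and then fat-fingers a second session is not reported.
    """
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["app"], e["user"])].append(e)

    findings = []
    for (app, user), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for success in evs:
            if success["action"] != "success":
                continue
            start = success["time"] - window
            failures = [
                e for e in evs
                if e["action"] == "failure" and start <= e["time"] <= success["time"]
            ]
            if len(failures) >= failure_threshold:
                findings.append({
                    "app": app,
                    "user": user,
                    "failures": len(failures),
                    "failure_sources": sorted({e["src"] for e in failures}),
                    "success_time": success["time"].isoformat(),
                    "success_src": success["src"],
                })
                break  # one finding per (app, user) is enough for a notable event
    return findings


def run_sample():
    """Hourly rule (UCESS011 shape) over the constructed events."""
    return detect_brute_force(parse_events(SAMPLE_EVENTS), window_minutes=60, failure_threshold=5)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['app']}/{f['user']}: {f['failures']} failures from {f['failure_sources']} "
              f"then success from {f['success_src']} at {f['success_time']}")
```

Only svc_backup on sshd is reported: alice's two failures are under the threshold and bob never succeeds (a failures-only rule is a separate detection). The daily variant is the same function with window_minutes=1440 and a higher threshold; keeping the source addresses of the failures in the finding matters because the successful login here comes from a different address than the first failures, which is worth showing an analyst.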


UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate
that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all
summary data even ...
Apr 26, 2016

UCESS043 Outbreak Detected (Narrative and Use Case Center)


Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same
infection. For the past 24 hours, using all summary data even if the model has changed, generate a distinct
count of the system that was affected by the malware ...
Apr 26, 2016

Maturing
Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV3-MaliciousCode".

UCESS028 High Process Count (Narrative and Use Case Center)


Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For
the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the
max time by destination and compare ...
Aug 14, 2016

UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016

UC0031 Non human account starting processes not associated with the purpose of the account (Narrative
and Use Case Center)

Accounts designated for use by services and batch processes should start a limited set of child processes.
Creation of new child processes other than the process name defined in the service or batch definition may
indicate compromise. Problem Types Addressed ...
Apr 08, 2016

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffixes and data sources "seen" by first epoch. Identify where one of the
following sequences occurs: new domain in the HTTP referrer field; first occurrence of the domain as a sender domain is
less than 48 ...
Jun 24, 2016
Labels: creative

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious
activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access
RV3MaliciousCode RV6Misconfiguration ...
Apr 08, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe
...
Apr 08, 2016

UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more
than 5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port
with the client, such as FTP in passive mode and RPC on Windows servers. Utilize category ...
Apr 08, 2016

UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible
worm. Monitor for more than 5% of the host addresses on a subnet, as it is not readily possible to know how
many hosts are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
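UC0025 and UC0026 above share one computation (distinct infected hosts per grouping over 48 hours against a 5% threshold) but differ in the denominator: the address capacity of the subnet for UC0026, the inventoried host count of the site for UC0025. The following is an added worked example of both in plain Python, not Splunk's or the narratives' implementation; the subnet table, the per-site host counts and the anti-malware detections are constructed for the example, and the "usable host addresses = network size minus two" rule is an assumption that matches the narrative's intent.

```python
"""Clustered infections by subnet and by site, from constructed anti-malware events.

Added example, not Splunk's or the UC0025 / UC0026 narratives' implementation:
distinct infected hosts per subnet and per site over a 48 hour window, alerting
when more than 5% of a subnet's usable host addresses (UC0026) or more than 5%
of a site's inventoried hosts (UC0025) are infected. Subnet and site tables,
host counts and detections are constructed (assumed) for the example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset data: subnet -> site, and inventoried host count per site.
SUBNETS = {"10.10.1.0/24": "site-nyc", "10.10.2.0/24": "site-nyc", "10.20.1.0/26": "site-lab"}
SITE_HOST_COUNTS = {"site-nyc": 400, "site-lab": 40}
NETWORKS = [(ipaddress.ip_network(cidr), site) for cidr, site in SUBNETS.items()]

NOW = "2016-08-14T12:00:00"
# Constructed anti-malware detections: (timestamp, destination IP, signature). Not real data.
SAMPLE_DETECTIONS = (
    [(f"2016-08-13T{8 + i % 10:02d}:15:00", f"10.10.1.{10 + i}", "sample-sig-a") for i in range(14)]
    + [("2016-08-13T09:00:00", "10.10.1.10", "sample-sig-b")]     # second signature, same host
    + [("2016-08-14T03:00:00", f"10.10.2.{50 + i}", "sample-sig-a") for i in range(3)]
    + [("2016-08-09T10:00:00", "10.10.2.99", "sample-sig-a")]     # older than the 48 h window
    + [("2016-08-14T07:30:00", f"10.20.1.{5 + i}", "sample-sig-c") for i in range(4)]
)


def locate(ip):
    """Return (network, site) for an address, or (None, None) if it is not in the asset table."""
    addr = ipaddress.ip_address(ip)
    for net, site in NETWORKS:
        if addr in net:
            return net, site
    return None, None


def infected_hosts(detections, now=NOW, hours=48):
    """Distinct infected hosts per subnet and per site inside the window."""
    end = datetime.fromisoformat(now)
    start = end - timedelta(hours=hours)
    by_subnet, by_site = defaultdict(set), defaultdict(set)
    for ts, ip, _sig in detections:
        if not start <= datetime.fromisoformat(ts) <= end:
            continue
        net, site = locate(ip)
        if net is None:
            continue
        by_subnet[net].add(ip)  # a set, so a host with two signatures counts once
        by_site[site].add(ip)
    return by_subnet, by_site


def infected_subnets(detections, now=NOW, hours=48, pct=5.0):
    """UC0026: subnets where infected hosts exceed pct percent of usable host addresses."""
    by_subnet, _ = infected_hosts(detections, now, hours)
    alerts = {}
    for net, hosts in by_subnet.items():
        capacity = max(net.num_addresses - 2, 1)  # exclude network and broadcast addresses
        if len(hosts) > capacity * pct / 100:
            alerts[str(net)] = len(hosts)
    return alerts


def infected_sites(detections, now=NOW, hours=48, pct=5.0):
    """UC0025: sites where infected hosts exceed pct percent of the inventoried host count."""
    _, by_site = infected_hosts(detections, now, hours)
    return {site: len(hosts) for site, hosts in by_site.items()
            if len(hosts) > SITE_HOST_COUNTS[site] * pct / 100}


if __name__ == "__main__":
    print("subnets over threshold:", infected_subnets(SAMPLE_DETECTIONS))
    print("sites over threshold:", infected_sites(SAMPLE_DETECTIONS))
```

The two views deliberately disagree on the sample data: 14 hosts in 10.10.1.0/24 exceed the 12.7-host subnet threshold, but the same 14 plus the 3 in the neighbouring /24 are only 17 of the 400 hosts at site-nyc, so the site rule stays quiet, while the small lab site trips both. A /24 needs 13 distinct infected hosts before UC0026 fires, which is the price of not knowing how many hosts are really active; where an inventory exists, the site-level denominator is the more sensitive one.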


RV4-ScanProbe
Risk of activities that could discover a weakness in the organization's systems, controls, or configuration that could later be used to harm the
organization

Supporting Use Cases


Essentials
Found 6 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV4-ScanProbe".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending
on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large
number of unique targets. Vulnerability scanners generally trigger events against a high number of unique
hosts when they are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016

UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique
events. Vulnerability scanners generally trigger a high number unique events when scanning a host since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016

UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intranetwork communication and accepted communications from the
internet Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016

UC0037 Network Intrusion External - New Signatures (Narrative and Use Case Center)
External IDS devices reporting an attack using a signature not previously encountered are more likely to be
successful, as new signatures are prompted by newly known attacks in the wild. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware OR is this something ...
Apr 08, 2016

UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case
Center)

Any attempted communication through the firewall not previously granted by ingress/egress policies could
indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions
(bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

Maturing
Found 9 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV4-ScanProbe".

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016

UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe
...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)


Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure;
accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions
indicate system probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port
with the client, such as FTP in passive mode and RPC on Windows servers. Utilize category ...
Apr 08, 2016

UC0001 Detection of new/prohibited web application (Narrative and Use Case Center)
prohibited web applications such as Box or a game on the Facebook platform can be detected and filtered by
modern web proxy solutions and next generation firewalls. Allowed prohibited applications or new application
instances should be reviewed to ensure proper use. Problem Types ...
Apr 08, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center)


Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count
grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and
the command that initiated the change. Problem Types ...
Aug 14, 2016

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation
of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a
backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return
values ...
Aug 14, 2016


RV5-DenialofService
Risk of denial of service includes such concerns as load-based attacks and destructive changes to the infrastructure.

Supporting Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV5-DenialofService".

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV5-DenialofService".

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016


RV6-Misconfiguration
Modification of a system that results in a configuration defined as insecure or unreliable, impacting the compliance, security, or availability of
the system. Such a configuration may increase the likelihood or impact of other adverse events.

Supporting Use Cases


Essentials
Found 5 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV6-Misconfiguration".

UCESS045 Potential Gap in Data (Narrative and Use Case Center)


Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be
gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that
were successful where the app context ...
Aug 16, 2016

UC0046 Endpoint failure to sync time (Narrative and Use Case Center)
Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially
prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host.
Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016

UC0003 Server generating email outside of approved usage (Narrative and Use Case Center)
Server operating systems often generate email for routine purposes. Configuration management can be used
to identify which server may generate email and what recipients are permitted. Identify servers receiving email
from the internet without approval Identify ...
Apr 19, 2016

UC0043 Direct Authentication to NHA (Narrative and Use Case Center)


Direct authentication via SSH or console session to a non human account indicates a violation of security policy
by recording the password of a non human account for later use or by association of a SSH key to a non
human account. Problem Types Addressed Risk ...
Apr 11, 2016

UCESS022 Expected Host Not Reporting (Narrative and Use Case Center)
Discovers hosts that are no longer reporting events but should be submitting log events. This rule is used to
monitor hosts that you know should be providing a constant stream of logs in order to determine why the host
has failed to provide log data. Every 15 ...
Aug 14, 2016

Maturing
Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV6-Misconfiguration".

UCESS028 High Process Count (Narrative and Use Case Center)


Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For
the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the
max time by destination and compare ...
Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016


UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection, for each asset with a governance category
verify that communication (accept or reject) originating from one or more authorized vulnerability
scanners has occurred. Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center)


Alerts when there are assets that define a specific priority and category but do not have an assigned owner.
Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the
category is not null and the length of the value in category is greater than ...
Aug 14, 2016

UCESS058 Untriaged Notable Events (Narrative and Use Case Center)


Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return
notable events that have a status group of New or the owner is unassigned. Return the values time, owner,
status, rule ...
Aug 14, 2016

UC0094 Insecure authentication method detected (Narrative and Use Case Center)
each authentication technology in the network identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs
without the required indicators Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016

UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non production environment. If an account (not
a user) has logged into more than one environment, access management controls have failed and must be
remediated. Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016

UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
... Communication from an enclave network may indicate a misconfiguration that could weaken the security
posture of the organization or actual/attempted compromise. Communication filtered ...
Apr 27, 2016

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016
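UCESS039 and UC0086 above both reduce to "classify what each destination serves, ignore administrative protocols, alert when more than one primary function remains". The following is an added worked example of that classification in plain Python, not Splunk's primary_functions_tracker macro or the narrative's implementation; the port-to-function map, the minimum flow count per function and the flow records are assumptions for the example.

```python
"""Multiple primary functions per destination, from constructed flow records.

Added example, not Splunk's primary_functions_tracker macro or the UC0086
narrative's implementation: it maps each destination's observed service ports
to primary functions (SQL, HTTP, DNS, ...), drops administrative protocols
(SSH, RDP) as UC0086 says, and reports destinations serving more than one
function. The port map, the minimum flow count and the flows are assumptions.
"""
from collections import Counter, defaultdict

# Assumed port to primary-function map. Real deployments should take this from an
# app-aware firewall, proxy or listening-port tracker rather than port numbers alone.
FUNCTION_BY_PORT = {
    80: "HTTP", 443: "HTTP", 8080: "HTTP",
    53: "DNS",
    1433: "SQL", 3306: "SQL", 5432: "SQL",
    25: "SMTP",
    445: "SMB",
}
# Administrative protocols excluded from the count. UC0086 also lists iDRAC, but its
# web console shares 443 with HTTP and cannot be told apart by port alone; that needs
# an asset category (management interface) rather than a port rule.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed flow records: (destination, destination port). Not real data.
SAMPLE_FLOWS = (
    [("db01", 1433)] * 10 + [("db01", 22)] * 2 + [("db01", 80)]          # one stray HTTP probe
    + [("web01", 443)] * 20 + [("web01", 80)] * 5 + [("web01", 3389)] * 3
    + [("app07", 8080)] * 8 + [("app07", 3306)] * 6                        # web tier with a database on it
    + [("dns01", 53)] * 30
)


def primary_functions(flows, min_flows=3):
    """Per destination, the sorted primary functions seen at least min_flows times.

    min_flows filters single probes or scans, so a lone connection to port 80 on a
    database server does not turn it into a web server.
    """
    per_dest = defaultdict(Counter)
    for dest, port in flows:
        if port in ADMIN_PORTS:
            continue
        function = FUNCTION_BY_PORT.get(port)
        if function is not None:
            per_dest[dest][function] += 1
    return {
        dest: sorted(f for f, n in counts.items() if n >= min_flows)
        for dest, counts in per_dest.items()
    }


def multiple_primary_functions(flows, min_flows=3):
    """UC0086 / UCESS039 condition: destinations serving more than one primary function."""
    return {dest: funcs for dest, funcs in primary_functions(flows, min_flows).items() if len(funcs) > 1}


if __name__ == "__main__":
    for dest, funcs in sorted(multiple_primary_functions(SAMPLE_FLOWS).items()):
        print(f"{dest}: {', '.join(funcs)}")
```

Only app07 is reported: db01's single port-80 connection falls under the flow floor, web01's 80 and 443 are one function, and the SSH and RDP flows are ignored throughout. Setting min_flows to 1 shows why the floor exists, since db01 then acquires HTTP from one probe.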


Supporting Data View


Supporting data represents types of data utilized to support a solution eventually achieving a business objective. These data types can be
consumed equally by use case narratives regardless of the underlying technology. In some cases we recognize that all technology sources are not
equal and further define specific "events" and critical fields that must be provided to successfully implement a narrative. This approach allows the
user to head off failure on implementation when a given combination cannot achieve success.
DS001MAIL Email remains the primary form of formal communication in most organizations. As such, mail server
databases and logs are some of the most important business records. Email messages and activity logs can be required
to maintain compliance with an organization's information security, retention, and regulatory compliance processes, and
may be subpoenaed or legally held as part of civil or criminal investigations.
DS002DNS The domain name system (DNS) is the Internet's phone book, providing a mapping between system or
network resource names and IP addresses. DNS has a hierarchical name space that typically includes three levels: a
top-level domain (TLD) such as .com, .edu or .gov; a second-level domain such as "google" or "Whitehouse;" and a
system level such as "www" or "mail." DNS nameservers operate in this hierarchy either by acting as authoritative sources
for particular domains, such as a company or governme
DS003Authentication Authentication systems establish the identity of an actor using one or more secret values, e.g. a
password and a one-time PIN. The authentication system typically issues a new secret, e.g. a Kerberos token or web
cookie, which can be presented to applications to permit access to a secured resource.
DS004EndPointAntiMalware The weakest link in corporate security is individuals, and antivirus is one way to protect
them from performing inadvertently harmful actions. Whether it is clicking on an untrustworthy web link, downloading
malicious software or opening a booby-trapped document (often one sent to them by an unsuspecting colleague),
antivirus can often prevent, mitigate or reverse the damage.
DS005WebProxyRequest Web proxies and some next generation firewalls may act in transparent or explicit mode,
communicating with web servers on behalf of a client. Using a number of related technologies, the request and response
can be permitted or blocked based on the user's role, the site or resource category, or an attack indicator. Data logged in the
events can potentially be used in detective correlation.
DS006UserActivity User activity within the organization's environment, such as create, read (display), update, delete and
search events, must include critical data such as action, result, app, and a locator URI allowing normalized search on the
targets of activity.
DS007AuditTrail Audit trail events represent a special class of events which can be triggered based on automated or
user interaction with systems and indicate a condition has occurred where the integrity of the source is suspect at a point
in time.
DS008HRMasterData Master Data system for Human Resources may publish an event indicating critical changes
impacting people in an organization. Human Resources records include the entire employee lifecycle including
recruitment, selection, hiring, job position and classification, promotion, salary, and bonuses, performance and ratings,
disciplinary actions, training and certifications, and separation or retirement. For hourly employees, HR data often
includes time and attendance records. HR systems often feed payr
DS009EndPointIntel In this context, endpoint refers to the security client software or agent installed on a client device that
logs security-related activity not otherwise generated by the host operating system from the client OS, login, logout,
shutdown events and various applications such as the browser (Explorer, Edge), mail client (Outlook) and Office
applications. Endpoints also log their configuration and various security parameters (certificates, local anti-malware
signatures, etc.), all of which is useful
DS010NetworkCommunication Network communication data is a record of communication between two systems, commonly
using TCP over IP version 4 or IP version 6. Network communication can be recorded by a number of technologies including
host operating systems, firewalls, switches, routers, deep packet inspection, and intrusion detection systems.
DS011MalwareDetonation Malware detonation systems, also known as sandboxing systems, execute potentially
malicious code in a clean environment for the purpose of collecting events related to its actions. Using automated and
manual analysis, indicators can be determined which can inform additional breach detection and prevention capability.
DS012NetworkIntrusionDetection What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel
security systems that supplement firewalls: IDS by exposing successful network and server attacks that penetrate a
firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at the
network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to
provide greater intelligence about all attacks. Likewise, IPS is typic
DS013TicketManagement Ticket management data from tracking systems responsible for the security and operational health
of the environment(s) provides a rich resource for evaluating the effectiveness of the security program, as well as the
detective and preventive controls in place.
DS014WebServer Web server logs allow attribution of activity to a specific source ip and user when authenticated. The
logs are detailed records of every transaction: every time a browser requests a web page, Apache logs details include
items such as the time, remote IP address, browser type and page requested. Web Servers also log various error
conditions such as a request for a missing file, attempts to access a file without appropriate permissions or problems with
extension modules. Web Server logs are criti
DS015ConfigurationManagement Configuration management solutions such as VMware vCenter, MAAS, Puppet, Chef,
System Center Configuration Manager, and System Center Virtual Machine Manager. Events generated by these systems
can support security investigations by providing information about who applied which changes to which
systems. Additional information such as the base image utilized and birth and death timestamps provides data useful to
identify windows of vulnerability.
DS016DataLossPrevention Data loss prevention solutions can identify human and automated activities as they interact
with restricted information, creating an audit trail of attempted actions and the system's response, such as allow or block.
DS017PhysicalSecurity Most organizations use automated systems to secure physical access to facilities. Historically,
these have been simple magnetic strips affixed to employee badges; however, locations with stringent security
requirements may use some form of a biometric reader or digital key. Regardless of the technology, the systems compare
an individual's identity with a database and activate doors when the user is authorized to enter a particular location. As
digital systems, badge readers record information su
DS018VulnerabilityDetection An effective way to find security holes is to examine one's infrastructure from the attacker's
point of view. Vulnerability scans probe an organization's network for known software defects that provide entry points for
external agents. The scans yield data about open ports and IP addresses that can be used by malicious agents to gain
entry to a particular system or entire network. Systems often keep network services running by default, even when they
aren't required for a particular server. The
DS019PatchManagement Keeping operating systems and applications updated with the latest bug fixes and security
patches is an essential task that can prevent unplanned downtime, random application crashes and security breaches.
Although commercial apps and OSs often have embedded patching software, some organizations use independent patch
management software to consolidate patch management and ensure the consistent application of patches across their
software fleet and to build patch jobs for custom, internal applic
DS020HostIntrustionDetection Host-based intrusion detection events provide signature-based detection of changes that
could weaken the security posture of the host, based on changes to entire files or to specific configuration. Such data can be
very valuable in identifying when critical changes have occurred in the environment.
DS021Telephony Real-time business communications no longer are limited to voice calls provided by Plain Old
Telephone Service (POTS); instead, voice, video, text messaging and web conferences are IP applications delivered over
existing enterprise networks. Unlike traditional client-server or web applications, telephony and other communications
applications have strict requirements on network quality of service, latency and packet loss, making service quality and
reliability much more sensitive to network condi
DS022Performance Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT
equivalent of EKGs to a doctor: the vital signs that show system health. Recording these measures provides a record of
system activity over time that shows normal, baseline levels and unusual events. By registering myriad system
parameters, performance logs also can highlight mismatches between system capacity and application requirements,
such as a database using all available system memory and frequ
DS023CrashReporting Crash reports, including summaries of dumps, exceptions, and hangs, can indicate attempts at
exploitation of processes by malicious code, or significant programming errors allowing possible future exploitation or failure
of business services.
DS024ApplicationServer Application server logs, covering the actual business application, middleware such as Tomcat,
and runtime logs such as those of the Java runtime, contain a wealth of information created when users and systems interact.
Anomalies in the logs can indicate potential failures or compromise attempts.

How to read the Supporting Data View


Each data source represents a parent type of event and can contain zero or more specific event types for use by use case narratives and
providing technologies.

Consuming use cases


Consuming use cases are listed based on a dynamic search grouped by Adoption Phase Customer listing filtered for APC-Essential and APC-Maturing

Provider Types
Provider types are linkages to vendor and customer technologies which are believed or have been field validated to support the use cases
identified.

DS001MAIL
Introduction
Email remains the primary form of formal communication in most organizations. As such, mail server databases and logs are some of the most
important business records. Email messages and activity logs can be required to maintain compliance with an organization's information security,
retention, and regulatory compliance processes, and may be subpoenaed or legally held as part of civil or criminal investigations.

Security Value
Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare and extreme values over fields including sender,
recipient, IP and domain increasingly identifies actors and potential victims of email based attacks
Forensic Investigation
Utilize email log events in contribution of other events to identify potential actors involved in targeted activity
Utilize email log events to identify additional possible victims of email based attacks
Utilize email log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize email logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Available Continuous Monitoring Use Cases


Essentials
Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS031 Host Sending Excessive Email (Narrative and Use Case Center)
Alerts when a host not designated as an email server sends excessive email to one or more target hosts. For the
past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate
...
May 02, 2016

UC0003 Server generating email outside of approved usage (Narrative and Use Case Center)
Server operating systems often generate email for routine purposes. Configuration management can be used to
identify which server may generate email and what recipients are permitted. Identify servers receiving email from
the internet without approval Identify ...
Apr 19, 2016
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-*".

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative

UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center)
Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam
sending, abusing company resources, or attempting to solve a business problem using a technique not approved
by policy. For this use case, email generated from endpoint networks ...
Apr 08, 2016
Mature
Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-*".

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative

UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center)
Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam
sending, abusing company resources, or attempting to solve a business problem using a technique not approved
by policy. For this use case, email generated from endpoint networks ...
Apr 08, 2016

Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS001MAIL".

PT001-Microsoft-Exchange (Narrative and Use Case Center)


... solution and channel of communication useful in various attacks access monitoring is imperative. Provides
DS001MAIL DS001MailET01Access DS001MAILET02Receive DS001MailET03Send DS003Authentication
Authentication occurs for Administrative action Active Sync ...
Apr 01, 2016
Labels: provider-type

PT003-ExtraHop-SMTP (Narrative and Use Case Center)


... Provides DS001MAIL providertype
Feb 05, 2016
Labels: provider-type

PT002-Splunk-Stream-SMTP (Narrative and Use Case Center)


... Provides DS001MAIL providertype
Feb 05, 2016
Labels: provider-type

DS002DNS
The domain name system (DNS) is the Internet's phone book, providing a mapping between system or network resource names and IP
addresses. DNS has a hierarchical name space that typically includes three levels: a top-level domain (TLD) such as .com, .edu or .gov; a
second-level domain such as "google" or "Whitehouse;" and a system level such as "www" or "mail." DNS nameservers operate in this hierarchy
either by acting as authoritative sources for particular domains, such as a company or government agency or by acting as caching servers that
store DNS query results for subsequent lookup by users in a specific location or organization; for example, a broadband provider caching
addresses for its customers.

Security Value
Continuous Monitoring
Monitoring using analytic concepts such as new, rare and extreme values over the IP, port and protocol fields increasingly identifies potential
command and control systems
Forensic Investigation
Utilize communication log events in contribution of other events to identify potential actors involved in targeted activity
Utilize communication log events to identify additional ingress and egress points
Utilize communication log events to identify pivot points utilized by attackers to move into controlled network segments
Utilize communication log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize communication logs to support discovery and defense of legal claims.
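The "new, rare" monitoring concept above amounts to keeping a tracking list of registration domains with the epoch each was first and last seen, then reporting domains that either have no history or very little of it. The following is an added example of that logic run over constructed DNS query events; it is not code from the Splunk Use Case Repository, and the event layout, the 2-query "rare" threshold and the two-label registration-domain rule are assumptions made for the illustration.

```python
"""New and rare registration-domain detection over DNS query events.

Added example for the DS002DNS "new, rare" monitoring concept; it is not code
from the Splunk Use Case Repository. Event layout, thresholds and sample data
are constructed for illustration.
"""
from datetime import datetime

# Constructed sample events: (ISO timestamp, source IP, queried name, response code).
# August events form the baseline; the detection window starts 2016-09-01.
SAMPLE_EVENTS = [
    ("2016-08-01T09:00:00", "10.1.1.5", "www.example.com", "NOERROR"),
    ("2016-08-02T09:30:00", "10.1.1.6", "mail.example.com", "NOERROR"),
    ("2016-08-03T10:00:00", "10.1.1.5", "cdn.example.net", "NOERROR"),
    ("2016-08-15T11:00:00", "10.1.1.7", "updates.vendor-cdn.net", "NOERROR"),
    ("2016-09-01T08:00:00", "10.1.1.5", "www.example.com", "NOERROR"),
    ("2016-09-01T08:01:00", "10.1.1.9", "updates.vendor-cdn.net", "NOERROR"),
    ("2016-09-01T08:02:00", "10.1.1.9", "x7q2k.first-seen-sample.net", "NOERROR"),
    ("2016-09-01T08:03:00", "10.1.1.9", "api.first-seen-sample.net", "NXDOMAIN"),
]
WINDOW_START = datetime(2016, 9, 1)


def registration_domain(fqdn):
    """Return the last two labels of a name ('example.com' for 'www.example.com').

    Assumption: single-label public suffixes only. Names under multi-label
    suffixes such as 'co.uk' would need a public suffix list to split correctly.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def build_seen_table(events):
    """Tracking list keyed by registration domain: first/last seen, count, sources."""
    seen = {}
    for ts, src, name, _rcode in events:
        dom = registration_domain(name)
        t = datetime.fromisoformat(ts)
        rec = seen.setdefault(dom, {"first_seen": t, "last_seen": t, "count": 0, "sources": set()})
        rec["first_seen"] = min(rec["first_seen"], t)
        rec["last_seen"] = max(rec["last_seen"], t)
        rec["count"] += 1
        rec["sources"].add(src)
    return seen


def new_and_rare(events, window_start, rare_max=2):
    """Classify registration domains active in the detection window.

    new  : first seen at or after window_start, so the baseline has no history of it
    rare : has baseline history but rare_max or fewer queries in total
    Domains with no activity in the window are ignored, and an established,
    frequently queried domain such as example.com is never reported.
    """
    seen = build_seen_table(events)
    new, rare = [], []
    for dom, rec in sorted(seen.items()):
        if rec["last_seen"] < window_start:
            continue
        if rec["first_seen"] >= window_start:
            new.append(dom)
        elif rec["count"] <= rare_max:
            rare.append(dom)
    return new, rare


if __name__ == "__main__":
    new, rare = new_and_rare(SAMPLE_EVENTS, WINDOW_START)
    print("new domains :", new)    # ['first-seen-sample.net']
    print("rare domains:", rare)   # ['vendor-cdn.net']
```

The allow-list exclusions the use cases mention (known cloud hosting domains, Alexa Top 1M, long-established domains) would be applied to the output of `new_and_rare` before alerting; the established-domain case is already handled here because such domains have a first-seen epoch before the window and a count above the threshold.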

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 7 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS".

UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a computer, excluding
known cloud hosting domains, Alexa Top 1M domains and domains with long established communication with
the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative

UCESS019 Excessive DNS Queries (Narrative and Use Case Center)


Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5
minutes ago, using all summary data even if the model has changed, provide a count where the message ...
Aug 14, 2016

UCESS018 Excessive DNS Failures (Narrative and Use Case Center)


Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting
5 minutes ago, using all summary data even if the model has changed, provide a count where ...
Aug 14, 2016

UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center)

Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search
for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad.<registration domain> where the domain portion is not a
company owned domain. Problem Types Addressed Risk Addressed Event ...
Apr 25, 2016

UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the
presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0076 Excessive DNS Failures (Narrative and Use Case Center)


endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security
controls can be detected by either a large volume or high number of unique DNS queries. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0049 Detection of DNS Tunnel (Narrative and Use Case Center)


Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of
security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 7 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS002DNS".

UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a computer, excluding
known cloud hosting domains, Alexa Top 1M domains and domains with long established communication with
the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative

UCESS019 Excessive DNS Queries (Narrative and Use Case Center)


Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5
minutes ago, using all summary data even if the model has changed, provide a count where the message ...
Aug 14, 2016

UCESS018 Excessive DNS Failures (Narrative and Use Case Center)


Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting
5 minutes ago, using all summary data even if the model has changed, provide a count where ...
Aug 14, 2016

UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center)
Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search
for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad.<registration domain> where the domain portion is not a
company owned domain. Problem Types Addressed Risk Addressed Event ...
Apr 25, 2016

UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the
presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0076 Excessive DNS Failures (Narrative and Use Case Center)

endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security
controls can be detected by either a large volume or high number of unique DNS queries. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0049 Detection of DNS Tunnel (Narrative and Use Case Center)


Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of
security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS002DNS".

PT002-Splunk-Stream-DNS (Narrative and Use Case Center)


Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype
Apr 25, 2016
Labels: provider-type

PT003-ExtraHop-DNS (Narrative and Use Case Center)


Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype
Apr 25, 2016
Labels: provider-type

PT013-ISCBIND-DNS (Narrative and Use Case Center)


Provides DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype
Apr 25, 2016
Labels: provider-type

DS003Authentication
Authentication systems establish the identity of an actor using one or more secret values, e.g. a password and a one-time PIN. The authentication
system typically issues a new secret, e.g. a Kerberos token or web cookie, which can be presented to applications to permit access to a secured
resource.
Enterprise Directory is a central system containing information about accounts such as name, phone, public certificates, email addresses,
and group membership. Common enterprise directories such as Microsoft Active Directory, Tivoli Directory Server or Oracle Directory
Server are widely distributed systems across multiple geographies and may involve thousands of servers.
Application Authentication logs are a subset of application telemetry focused on user identity and login attempts.
Network access (or admission, if you are a Cisco customer) control is a form of client/endpoint security that uses a locally installed
software agent to pre-authorize connections to a protected network. NAC screens client devices for contamination by known malware and
adherence to security policies such as running an approved OS with the most recent patches. Clients failing NAC screens are rerouted to
an isolated quarantine network until any detected problems are corrected.
Network appliances, including switches, routers, firewalls, proxies and performance monitoring tools have access to read and modify
significant amounts of enterprise data and their modification could weaken the security posture of the organization.
Switches are network intersections, places where packets move from one network segment to another. In their purest form, switches
work within a particular IP subnet and can't route Layer 3 packets on to another network. Modern data center designs typically use a
two-tier switch hierarchy: top-of-rack (ToR) switches connecting servers and storage arrays at the edge and aggregation or spine
switches connecting to the network core. Although Ethernet switches are far more widespread, some organizations also use Fiber
Channel or Infiniband for storage area networks or HPC interconnects, each of which has its own type of switch.
Network proxies are used in several ways in IT infrastructure: as Web application accelerators and intelligent traffic direction,
application-level firewalls and content filters. By acting as a transparent, 'bump-in-the-wire' intermediary, proxies see the entire Layer 7
network protocol stack, which allows them to implement application-specific traffic management and security policies.
Hosting platforms, including on-prem physical systems such as Cisco UCS and HP Insight, virtual systems such as VMware, and cloud
providers such as AWS, Azure, and DigitalOcean, contain significant critical infrastructure.
Online and backup storage systems contain all enterprise raw data. While logical access is otherwise monitored, the ability
of an actor to clone and read data directly from storage frequently is unmonitored.
Midrange and mainframe systems such as IBM System z, HP NonStop Server (Tandem), IBM System i, VAX, and Stratus are often
overlooked.

Security Value
Continuous Monitoring
Monitoring using analytic concepts such as new, rare and extreme values over the IP and source host fields increasingly identifies actors and
potential victims of account takeover based attacks
Monitoring for evidence of password guessing in single factor authentication schemes.
Forensic Investigation
Utilize authentication log events in contribution of other events to identify potential actors involved in targeted activity
Utilize authentication log events to identify additional ingress and egress points
Utilize authentication log events to identify pivot points utilized by attackers to move into controlled network segments
Utilize authentication log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize communication logs to support discovery and defense of legal claims.
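The password-guessing evidence this data source is meant to surface, in the form the essentials use cases below describe (an excessive number of failed logins followed by a success from the same source within an hour), can be expressed as a small correlation over authentication events. The following is an added example run over constructed authentication events; it is not code from the Splunk Use Case Repository, and the event layout, the 60-minute window and the threshold of five failures are assumptions made for the illustration.

```python
"""Password-guessing detection: many failures followed by a success from one source.

Added example for the DS003Authentication monitoring concept (evidence of
password guessing in single-factor schemes); it is not code from the Splunk
Use Case Repository. Event layout, window and threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, user, action).
SAMPLE_AUTH_EVENTS = [
    # 10.2.0.15: six failures across three accounts, then a success -> alert
    ("2016-09-01T09:00:00", "10.2.0.15", "jsmith", "failure"),
    ("2016-09-01T09:00:20", "10.2.0.15", "admin", "failure"),
    ("2016-09-01T09:00:40", "10.2.0.15", "root", "failure"),
    ("2016-09-01T09:01:00", "10.2.0.15", "jsmith", "failure"),
    ("2016-09-01T09:01:20", "10.2.0.15", "jsmith", "failure"),
    ("2016-09-01T09:01:40", "10.2.0.15", "jsmith", "failure"),
    ("2016-09-01T09:10:00", "10.2.0.15", "jsmith", "success"),
    # 10.2.0.40: two mistyped passwords, then a success -> below threshold, no alert
    ("2016-09-01T09:05:00", "10.2.0.40", "amiller", "failure"),
    ("2016-09-01T09:05:30", "10.2.0.40", "amiller", "failure"),
    ("2016-09-01T09:06:00", "10.2.0.40", "amiller", "success"),
    # 10.2.0.77: five failures hours before the success -> outside the window, no alert
    ("2016-09-01T07:00:00", "10.2.0.77", "svc_backup", "failure"),
    ("2016-09-01T07:01:00", "10.2.0.77", "svc_backup", "failure"),
    ("2016-09-01T07:02:00", "10.2.0.77", "svc_backup", "failure"),
    ("2016-09-01T07:03:00", "10.2.0.77", "svc_backup", "failure"),
    ("2016-09-01T07:04:00", "10.2.0.77", "svc_backup", "failure"),
    ("2016-09-01T09:30:00", "10.2.0.77", "svc_backup", "success"),
]


def detect_failed_then_success(events, window=timedelta(minutes=60), min_failures=5):
    """Return one alert per success that was preceded, within `window`, by at
    least `min_failures` failed attempts from the same source IP.

    Failures are counted per source rather than per user so that guessing
    spread across several accounts from one host is still caught; the set of
    accounts tried is reported to help the analyst judge the alert.
    """
    by_src = defaultdict(list)
    for ts, src, user, action in events:
        by_src[src].append((datetime.fromisoformat(ts), user, action))

    alerts = []
    for src, evs in by_src.items():
        evs.sort()  # chronological per source
        for i, (t, user, action) in enumerate(evs):
            if action != "success":
                continue
            recent_failures = [u for t2, u, a in evs[:i] if a == "failure" and t - t2 <= window]
            if len(recent_failures) >= min_failures:
                alerts.append({
                    "src": src,
                    "user": user,
                    "success_time": t.isoformat(),
                    "failure_count": len(recent_failures),
                    "users_tried": sorted(set(recent_failures)),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_then_success(SAMPLE_AUTH_EVENTS):
        print(alert)  # one alert, for 10.2.0.15 / jsmith with 6 prior failures
```

In a production deployment the same grouping and counting is done by the correlation search, and the user-facing decision is the threshold: too low and ordinary mistyped passwords (the 10.2.0.40 case) page the on-call analyst, too high and a slow guess spread over several accounts is missed.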

Adoption Phase
APC-Essential
All central authentication solutions
All authentication points for systems of elevated risk such as those with confidential information or identified as critical
All border authentication points such as:
Webmail
VPN
Single sign on
Employee external portal
APC-Maturing
All servers
All network devices
All network authentication
APC-Mature
All endpoint local authentication

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Problem Types Addressable


Found 9 search result(s) for title:PRT* contentBody:"DS003Authentication".

PRT02-SecurityVisibilityLateralMovement (Narrative and Use Case Center)


... within an organizations network following the compromise of an initial endpoint. Supporting Data Types
DS003Authentication DS006UserActivity DS009EndPointIntel DS010NetworkCommunication
DS012NetworkIntrusionDetectionET01SigDetection Supporting Use Cases Essentials Maturing
May 16, 2016

PRT01Compliance-PCI (Narrative and Use Case Center)


... logging and monitoring processes 10.1 Implement collection and retention of the following log sources
DS003Authentication DS003AuthenticationET01Success DS003AuthenticationET02Failure 10.2 See below 10.2.1
Implement collection and retention of the following ...
Jun 24, 2016

PRT02-SecurityVisibilityExfiltration (Narrative and Use Case Center)


... from many types of systems in the enterprise and in the cloud. Supporting Data Sources DS001MAIL
DS003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS006UserActivity DS007AuditTrail
DS008HRMasterData DS009EndPointIntel DS010NetworkCommunication DS014WebServerET01Access
Supporting Use ...
May 16, 2016

PRT02-SecurityVisibilityZeroDayAttacks (Narrative and Use Case Center)


... many types of systems in the enterprise and in the cloud. Supporting Data Sources DS001MAIL DS002DNS
DS003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS009EndPointIntel
DS010NetworkCommunication DS011MalwareDetonationET01Detection
DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Supporting Use Cases ...
May 16, 2016

PRT02-SecurityVisibilityPriviledgeUserMonitoring (Narrative and Use Case Center)


... monitored with greater scrutiny than users not similarly entrusted. Supporting Data Types
DS003Authentication DS006UserActivity DS008HRMasterData DS009EndPointIntel DS017PhysicalSecurityET01Access Supporting
Use Cases Essentials Maturing
May 05, 2016

PRT02-IdentifyPatientZero (Narrative and Use Case Center)


... methods of the attackers and assist in the preparation of improved defenses. Supporting Data Types
DS002DNS DS003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS006UserActivity
DS008HRMasterData DS009EndPointIntel DS010NetworkCommunication
DS011MalwareDetonationET01Detection DS017PhysicalSecurityET01Access Supporting Use ...
May 05, 2016

PRT08-ProductAdoption-ES-Maturing (Narrative and Use Case Center)


... should be confirmed using the firewall communication logs where destination port is 23. DS003Authentication
Authentication logs covering all central authentication systems such as Active Directory, ADFS ...
Aug 14, 2016

PRT08-ProductAdoption-ES-Mature (Narrative and Use Case Center)


... should be confirmed using the firewall communication logs where destination port is 23. DS003Authentication
Authentication logs covering all central authentication systems such as Active Directory, ADFS ...
Aug 14, 2016

PRT08-ProductAdoption-ES-Essentials (Narrative and Use Case Center)


... should be confirmed using the firewall communication logs where destination port is 23. DS003Authentication
Authentication logs covering all central authentication systems such as Active Directory, ADFS ...
Aug 14, 2016

Consuming Use Cases

Essentials
Found 6 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication".

UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago, search for
application ...
Aug 14, 2016

UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful
brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications,
count of failures ...
Aug 14, 2016

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)
Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end date of
the identity has been passed). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw
Event Data, user ...
Aug 14, 2016

UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and
browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016

UC0043 Direct Authentication to NHA (Narrative and Use Case Center)


Direct authentication via SSH or console session to a non human account indicates a violation of security policy by
recording the password of a non human account for later use or by association of a SSH key to a non human
account. Problem Types Addressed Risk ...
Apr 11, 2016
Maturing
Found 31 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication".

UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016

UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted (Narrative and Use Case Center)

human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted,
we should expect no further activity from any other account owned by the user. Problem Types Addressed Risk
Addressed Event ...
Apr 08, 2016

UCESS020 Excessive Failed Logins (Narrative and Use Case Center)


Detects an excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting 5
minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user
...
Aug 14, 2016

UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords
and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window
of /5 minutes, return lastTime, tag ...
Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking
across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count
grouped by the application and destination (host, IP, name ...
Aug 14, 2016

UC0094 Insecure authentication method detected (Narrative and Use Case Center)
each authentication technology in the network identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs without
the required indicators Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016

UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non production environment. If an account (not
user) has logged into more than one, account access management controls have failed and must be remediated.
Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016

UC0018 Unauthorized access SSO brute force (Narrative and Use Case Center)
Single IP address attempting authentication of more than two valid users within ten minutes where one or more
unique accounts is successful, and one or more accounts is not successful against an approved SSO System.
Problem Types Addressed ...
Apr 08, 2016

UC0034 Brute force successful authentication (Narrative and Use Case Center)
source IP identified by a brute force use case authenticates successfully OR an account identified by a brute force
use case successfully logs in after failing once from the same source address. Problem Types Addressed Risk
Addressed Event Data ...
Apr 27, 2016

UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)
Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no
longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier,
maintain the last accessed time and alert when the last ...
Jun 24, 2016

UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2
IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is
attempting ...
Jun 08, 2016

UC0045 Local authentication server (Narrative and Use Case Center)


Following provisioning, nix servers seldom require local administration. Investigate any use of local authentication
as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk
Addressed Event Data Sources ...
Apr 11, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)


Authentication using insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; indication
of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system
probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)
public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be
investigated to determine the owner of the key and validate authorization to access the resource. Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ...
Apr 11, 2016

UC0044 Network authentication using password auth (Narrative and Use Case Center)
Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases
the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of
network authentication utilizing password. Problem Types Addressed ...
Apr 11, 2016

UC0032 Brute force authentication attempt (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur from a single endpoint. Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET02Failure DE001AssetInformation DE002IdentityInformation Adoption Phase Customer ...
Apr 08, 2016

UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center)
Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of
the normal usage of such an account. Login where the interactive indicator is set Login where the caller computer
is a workstation or terminal server Problem Types Addressed Risk ...
Apr 08, 2016

UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case
Center)

user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could
indicate malicious activity by the employee or a compromised account. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET01Success ...
Apr 08, 2016

UC0008 Activity on previously inactive account (Narrative and Use Case Center)
Excluding computer accounts in active directory, an account with new activity that has not been active in the
previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success
DE002IdentityInformation Adoption ...
Apr 08, 2016

UCESS014 Completely Inactive Account (Narrative and Use Case Center)


Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by
attackers to gain unauthorized access. Access tracker contains destination (host, IP, name), first and last time
seen, 2nd to last time seen and user ...
Aug 14, 2016

UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center)
Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully
gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look
across the time range of less than 90 days ago and greater ...
Aug 14, 2016

UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use Case Center)

Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the
application, user ...
Aug 14, 2016

UC0009 Authenticated communication from a risky source network (Narrative and Use Case Center)
Internet facing authentication system has allowed authenticated access from a risky source network. Always
consider the following sources risky: Anonymizing services such as VPN providers, Proxy systems; Threat list
identification of IP; B2B communications; Dial ...
Apr 08, 2016

UC0007 Account logon successful method outside of policy (Narrative and Use Case Center)
logon event properties could indicate account misuse in violation of policy OR as an indication of compromise by
comparing the identified purpose of the account to the context of the logon to determine if the account is
authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a
network or batch ...
Jun 24, 2016
Labels: creative

UC0079 Use of accountable privileged identity to access new or rare sensitive resource (Narrative and Use Case
Center)

Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger
a notable event for review of access reason. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT01Compliance PRT02SecurityVisibilityPriviledgeUserMonitoring RV1AbuseofAccess ...
Apr 08, 2016

UC0015 Privileged user accessing more than expected number of machines in period (Narrative and Use Case
Center)

Privileged user authenticates to more than X number of new targets successfully or is denied access to more than
Y targets in the prior Z hours. For example: More than 5 new targets More than 3 failures In the last ...
Apr 08, 2016

UC0071 Improbably short time between Remote Authentications with IP change (Narrative and Use Case Center)
employers that allow remote external connectivity the detection of two or more distinct values of external source IP
address for successful authentications to a remote access solution in a short period of time indicates a likely
compromise of credentials. The short period of time value ...
Apr 25, 2016

UC0016 Successfully authenticated computer accounts accessing network resources (Narrative and Use Case
Center)

Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A
small number of technical solutions will require this type of behavior, however, after excluding a white list of hosts
or shares (such as sysvol or netlogon), such access ...
Apr 08, 2016

UC0011 Improbable distance between logins (Narrative and Use Case Center)
Utilizing source IP address, geolocation data, and where available for company owned mobile devices, GPS for
mobile devices. Using the Haversine algorithm, calculate the distance between the authenticated successful
connections. Detect where: Total distance is greater than ...
Apr 08, 2016

UC0035 Compromised account access testing (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and
browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016
Mature
Found 31 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS003Authentication".

UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016

UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted (Narrative and Use Case Center)

human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted,
we should expect no further activity from any other account owned by the user. Problem Types Addressed Risk
Addressed Event ...
Apr 08, 2016

UCESS020 Excessive Failed Logins (Narrative and Use Case Center)


Detects an excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting 5
minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user
...
Aug 14, 2016

UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords
and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window
of /5 minutes, return lastTime, tag ...
Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking
across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count
grouped by the application and destination (host, IP, name ...
Aug 14, 2016

UC0094 Insecure authentication method detected (Narrative and Use Case Center)
each authentication technology in the network identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs without
the required indicators Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016

UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non production environment. If an account (not
user) has logged into more than one, account access management controls have failed and must be remediated.
Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016

UC0018 Unauthorized access SSO brute force (Narrative and Use Case Center)
Single IP address attempting authentication of more than two valid users within ten minutes where one or more
unique accounts is successful, and one or more accounts is not successful against an approved SSO System.
Problem Types Addressed ...
Apr 08, 2016

UC0034 Brute force successful authentication (Narrative and Use Case Center)
source IP identified by a brute force use case authenticates successfully OR an account identified by a brute force
use case successfully logs in after failing once from the same source address. Problem Types Addressed Risk
Addressed Event Data ...
Apr 27, 2016

UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)
Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no
longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier,
maintain the last accessed time and alert when the last ...
Jun 24, 2016

UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2
IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is
attempting ...
Jun 08, 2016

UC0045 Local authentication server (Narrative and Use Case Center)


Following provisioning, nix servers seldom require local administration. Investigate any use of local authentication
as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk
Addressed Event Data Sources ...
Apr 11, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)


Authentication using insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; indication
of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system
probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)
public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be
investigated to determine the owner of the key and validate authorization to access the resource. Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ...
Apr 11, 2016

UC0044 Network authentication using password auth (Narrative and Use Case Center)
Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases
the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of
network authentication utilizing password. Problem Types Addressed ...
Apr 11, 2016

UC0032 Brute force authentication attempt (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur from a single endpoint. Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET02Failure DE001AssetInformation DE002IdentityInformation Adoption Phase Customer ...
Apr 08, 2016

UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center)
Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of
the normal usage of such an account. Login where the interactive indicator is set Login where the caller computer
is a workstation or terminal server Problem Types Addressed Risk ...
Apr 08, 2016

UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case
Center)

user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could
indicate malicious activity by the employee or a compromised account. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET01Success ...
Apr 08, 2016

UC0008 Activity on previously inactive account (Narrative and Use Case Center)
Excluding computer accounts in active directory, an account with new activity that has not been active in the
previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success
DE002IdentityInformation Adoption ...
Apr 08, 2016

UCESS014 Completely Inactive Account (Narrative and Use Case Center)


Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by
attackers to gain unauthorized access. Access tracker contains destination (host, IP, name), first and last time
seen, 2nd to last time seen and user ...
Aug 14, 2016

UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center)
Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully
gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look
across the time range of less than 90 days ago and greater ...
Aug 14, 2016

UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use Case Center)

Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the
application, user ...
Aug 14, 2016

UC0009 Authenticated communication from a risky source network (Narrative and Use Case Center)
Internet facing authentication system has allowed authenticated access from a risky source network. Always
consider the following sources risky: Anonymizing services such as VPN providers, Proxy systems; Threat list
identification of IP; B2B communications; Dial ...
Apr 08, 2016

UC0007 Account logon successful method outside of policy (Narrative and Use Case Center)
logon event properties could indicate account misuse in violation of policy OR as an indication of compromise by
comparing the identified purpose of the account to the context of the logon to determine if the account is
authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a
network or batch ...
Jun 24, 2016
Labels: creative

UC0079 Use of accountable privileged identity to access new or rare sensitive resource (Narrative and Use Case
Center)

Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger
a notable event for review of access reason. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT01Compliance PRT02SecurityVisibilityPriviledgeUserMonitoring RV1AbuseofAccess ...
Apr 08, 2016

UC0015 Privileged user accessing more than expected number of machines in period (Narrative and Use Case
Center)

Privileged user authenticates to more than X number of new targets successfully or is denied access to more than
Y targets in the prior Z hours. For example: More than 5 new targets More than 3 failures In the last ...
Apr 08, 2016

UC0071 Improbably short time between Remote Authentications with IP change (Narrative and Use Case Center)
employers that allow remote external connectivity the detection of two or more distinct values of external source IP
address for successful authentications to a remote access solution in a short period of time indicates a likely
compromise of credentials. The short period of time value ...
Apr 25, 2016

UC0016 Successfully authenticated computer accounts accessing network resources (Narrative and Use Case
Center)

Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A
small number of technical solutions will require this type of behavior, however, after excluding a white list of hosts
or shares (such as sysvol or netlogon), such access ...
Apr 08, 2016

UC0011 Improbable distance between logins (Narrative and Use Case Center)
Utilizing source IP address, geolocation data, and where available for company owned mobile devices, GPS for
mobile devices. Using the Haversine algorithm, calculate the distance between the authenticated successful
connections. Detect where: Total distance is greater than ...
Apr 08, 2016

UC0035 Compromised account access testing (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and
browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS003Authentication" NOT contentBody:"DS003Authentication-*".

DS004EndPointAntiMalware
The weakest link in corporate security is the individual, and antivirus is one way to protect individuals from performing inadvertently harmful actions.
Whether it is clicking on an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one sent to them
by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage.

Security Value
Continuous Monitoring
Monitoring for detection of malicious code using signatures to maintain a clean environment and react to newly identified
weaknesses as exploited by attackers
Forensic Investigation
Identification of point of origin and potentially involved hosts in targeted and untargeted attacks
Legal compliance
Utilize communication logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware".

UCESS035 Host With Multiple Infections (Narrative and Use Case Center)
Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if the
model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the
count is greater ...
Aug 14, 2016

UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)
Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data even
if the model has changed, return an estimated distinct count of destination (host, IP, name) where nodename is
MalwareAttacks ...
Aug 14, 2016

UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)
Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5
minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen
time, original raw log, destination ...
Aug 14, 2016

UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)
Detects users with a high or critical priority logging into a malware infected machine. Using all summary data even if
the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user
priority ...
Aug 14, 2016

UCESS043 Outbreak Detected (Narrative and Use Case Center)


Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infection. For
the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the system
that was affected by the malware ...
Apr 26, 2016

UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center)
Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should
be evaluated to determine why they are not updating their malware signatures. Execute the malware operations
tracker macro and calculate the timesignatureversion and return results that the day difference between ...
Apr 26, 2016

UCESS036 Host With Old Infection Or Potential Re-Infection (Narrative and Use Case Center)
Alerts when a host with an old infection is discovered (likely a reinfection). For the past 60 minutes starting 5
minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup against
the malwaretracker and match on destination and signature. If a match ...
Apr 26, 2016

UCESS032 Host With A Recurring Malware Infection (Narrative and Use Case Center)
Alerts when a host has an infection that has been removed and reinfected multiple times over multiple days. For the past
10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model ...
Apr 26, 2016

UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center)
Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or
quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DDE007 Signature Special Processing List ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center)
When a new malware variant is detected by endpoint antivirus technology it is possible the configuration or capability
of other controls is deficient. Review the sequence of events leading to the infection to determine if additional
preventive measures can be put in place. Problem Types Addressed Risk ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 6 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware".

UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified
as loaner ...
May 16, 2016

UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than
5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm.
Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts
are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and
Use Case Center)

Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor
for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data
Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ...


Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center)
Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an
undetected loader malware component (APT). Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)
Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL.
Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use
the information available for the event and determine how existing ...
Apr 11, 2016
Labels: prt05-tacticalthreat-ransomeware
Mature
Found 6 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS004EndPointAntiMalware".

UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified
as loaner ...
May 16, 2016

UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than
5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm.
Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts
are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and
Use Case Center)

Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor
for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data
Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center)
Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an
undetected loader malware component (APT). Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)
Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL.
Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use
the information available for the event and determine how existing ...
Apr 11, 2016
Labels: prt05-tacticalthreat-ransomeware

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware".


DS005WebProxyRequest
Web proxies and some next generation firewalls may act in transparent or explicit mode, communicating with HTTP(S) servers on behalf of a client.
Using a number of related technologies, the request and response can be permitted or blocked based on the user's role, the site or resource category, or
an attack indicator. Data logged in these events can potentially be used in detective correlation.

Security Value
Continuous Monitoring
Monitoring logs using analytic concepts such as new, rare, and extreme values over fields including sender, recipient, IP, and domain
to increasingly identify actors and potential victims of web-based attacks
Monitor user agent strings in relation to websites and categories for potential indication of malware command and control.
Monitor user agent strings and change in requests for a resource for potential indication of data exfiltration
Forensic Investigation
Utilize log events in combination with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of related attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
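The "new", "rare" and upload-volume monitoring ideas listed above, worked through in Python as an added example (this is not code from the repository or from any of the use case center searches). The proxy log lines are constructed for illustration; their key=value layout, the field names (dest_host, http_user_agent, bytes_out, http_method, user) and the corporate-domain lookup are assumptions, not any vendor's export format.

```python
"""New, rare and upload-volume analysis over web proxy request logs (added example).

The log lines below are constructed for illustration and use a key=value layout;
the field names are assumptions and are not taken from any particular proxy product.
"""
import shlex
from collections import Counter, defaultdict

# Constructed baseline window (earlier days) that defines what is "already seen".
BASELINE_LOG = """\
ts=2016-09-01T08:00:01 src=10.1.1.10 user=alice dest_host=www.example.com http_method=GET bytes_out=512 http_user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
ts=2016-09-01T08:02:11 src=10.1.1.11 user=bob dest_host=www.example.com http_method=GET bytes_out=498 http_user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
ts=2016-09-01T08:05:40 src=10.1.1.10 user=alice dest_host=cdn.example.net http_method=GET bytes_out=300 http_user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
ts=2016-09-01T09:12:03 src=10.1.1.11 user=bob dest_host=mail.corp.example http_method=POST bytes_out=204800 http_user_agent="Mozilla/5.0 (Windows NT 10.0) Firefox/48.0"
ts=2016-09-01T09:30:15 src=10.1.1.12 user=carol dest_host=www.example.com http_method=GET bytes_out=510 http_user_agent="Mozilla/5.0 (Windows NT 10.0) Firefox/48.0"
ts=2016-09-01T10:00:00 src=10.1.1.12 user=carol dest_host=update.vendor.example http_method=GET bytes_out=120 http_user_agent="VendorUpdater/2.1"
"""

# Constructed current window (the hour under review).
CURRENT_LOG = """\
ts=2016-09-04T14:00:05 src=10.1.1.10 user=alice dest_host=www.example.com http_method=GET bytes_out=511 http_user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
ts=2016-09-04T14:01:17 src=10.1.1.11 user=bob dest_host=www.example.com http_method=GET bytes_out=497 http_user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
ts=2016-09-04T14:03:42 src=10.1.1.10 user=alice dest_host=xk3j9.badexample.net http_method=GET bytes_out=640 http_user_agent="Mozilla/4.0 (compatible; MSIE 6.0)"
ts=2016-09-04T14:10:09 src=10.1.1.11 user=bob dest_host=upload.fileshare.example http_method=POST bytes_out=52428800 http_user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
ts=2016-09-04T14:18:33 src=10.1.1.11 user=bob dest_host=upload.fileshare.example http_method=PUT bytes_out=31457280 http_user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
ts=2016-09-04T14:20:01 src=10.1.1.12 user=carol dest_host=mail.corp.example http_method=POST bytes_out=10485760 http_user_agent="Mozilla/5.0 (Windows NT 10.0) Firefox/48.0"
ts=2016-09-04T14:25:50 src=10.1.1.13 user=dave dest_host=www.example.com http_method=GET bytes_out=90 http_user_agent="python-requests/2.11"
"""

# Constructed lookup of domains operated by the organisation; uploads there are expected.
CORPORATE_DOMAINS = {"mail.corp.example", "intranet.corp.example"}


def parse_proxy_line(line):
    """Turn one key=value line into a dict; shlex keeps quoted values (user agents) intact."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_log(text):
    return [parse_proxy_line(line) for line in text.splitlines() if line.strip()]


def newly_seen(baseline, current, field="dest_host"):
    """Values of `field` present in the current window but never seen in the baseline."""
    known = {e[field] for e in baseline}
    return sorted({e[field] for e in current} - known)


def rare_in_current(all_events, current, field="http_user_agent", max_count=1):
    """Values of `field` seen in the current window whose count over the whole history
    is at most max_count, mapped to the users that produced them."""
    totals = Counter(e[field] for e in all_events)
    rare = defaultdict(set)
    for e in current:
        if totals[e[field]] <= max_count:
            rare[e[field]].add(e["user"])
    return {value: sorted(users) for value, users in rare.items()}


def noncorporate_upload_volume(events, corporate_domains, threshold_bytes):
    """Bytes sent via POST/PUT per user to domains outside the corporate lookup;
    only users at or above the threshold are returned."""
    totals = defaultdict(int)
    for e in events:
        if e["http_method"] in ("POST", "PUT") and e["dest_host"] not in corporate_domains:
            totals[e["user"]] += int(e["bytes_out"])
    return {user: total for user, total in totals.items() if total >= threshold_bytes}


def run_review():
    """Run all three checks over the constructed windows and return the findings."""
    baseline = parse_log(BASELINE_LOG)
    current = parse_log(CURRENT_LOG)
    return {
        "new_domains": newly_seen(baseline, current),
        "rare_user_agents": rare_in_current(baseline + current, current),
        "large_uploads": noncorporate_upload_volume(current, CORPORATE_DOMAINS, 50 * 1024 * 1024),
    }


if __name__ == "__main__":
    for name, finding in run_review().items():
        print(name, finding)
```

Each check is deliberately relative to a baseline rather than an absolute rule: a domain or user agent is only "new" or "rare" with respect to what the organisation has already seen, and upload volume is only interesting outside the corporate lookup, which is what keeps this kind of monitoring from drowning in routine traffic.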

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS005WebProxyRequest".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 4 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebProxyRequest".

UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center)
Alerts on high volume web uploads by a user to noncorporate domains. For the past 60 minutes starting 5 minutes
after realtime, sum the total number of bytes transferred where the HTTPmethod is POST or PUT and the domain
is not in the corporate web domain lookup ...
Aug 14, 2016

UC0001 Detection of new/prohibited web application (Narrative and Use Case Center)
A prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by
modern web proxy solutions and next generation firewalls. Allowed prohibited applications or new application
instances should be reviewed to ensure proper use. Problem Types ...
Apr 08, 2016

UC0047 Communication with newly seen domain (Narrative and Use Case Center)
Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via
web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially
identify weaknesses or risky ...
Jul 20, 2016
Labels: prt05-tacticalthreat-ransomeware


UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the
presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
Mature
Found 4 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS005WebProxyRequest".

UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center)
Alerts on high volume web uploads by a user to noncorporate domains. For the past 60 minutes starting 5 minutes
after realtime, sum the total number of bytes transferred where the HTTPmethod is POST or PUT and the domain
is not in the corporate web domain lookup ...
Aug 14, 2016

UC0001 Detection of new/prohibited web application (Narrative and Use Case Center)
A prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by
modern web proxy solutions and next generation firewalls. Allowed prohibited applications or new application
instances should be reviewed to ensure proper use. Problem Types ...
Apr 08, 2016

UC0047 Communication with newly seen domain (Narrative and Use Case Center)
Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via
web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially
identify weaknesses or risky ...
Jul 20, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the
presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

Providing Technologies
Found 6 search result(s) for title:PT* contentBody:"DS005WebProxyRequest".

PT004-McAfee Web Gateway (Narrative and Use Case Center)


Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware providertype
Apr 06, 2016
Labels: provider-type

PT009-SourceFire (Narrative and Use Case Center)


Provides DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT008-Snort (Narrative and Use Case Center)


Provides DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT006-PaloAlto Firewall (Narrative and Use Case Center)


Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT011-Bluecoat (Narrative and Use Case Center)


... Provides DS003Authentication DS005WebProxyRequest providertype
Feb 05, 2016
Labels: provider-type

PT010-Websense (Narrative and Use Case Center)


... Provides DS003Authentication DS005WebProxyRequest providertype
Feb 05, 2016
Labels: provider-type


DS006UserActivity
User activity within the organization environment, such as create, read (display), update, delete, and search events, must include critical data such as
action, result, app, and a locator URI allowing normalized search on the targets of activity.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity".

UCESS045 Potential Gap in Data (Narrative and Use Case Center)


Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps
in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were
successful where the app context ...
Aug 16, 2016
Maturing
Found 9 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-*".

UCESS049 Short-lived Account Detected (Narrative and Use Case Center)


past 4 hours, find all events where action is equal to created or deleted. Look at the time range across user and
destination, use only two events, and only return events where the count is greater than 1 and the time range ...
Aug 14, 2016

UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center)
Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016

UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of
other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016

UC0013 Monitor change for high value groups (Narrative and Use Case Center)
Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems.
Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity
RV2Access DS006UserActivityET04Update DE002IdentityInformation Identity category terminated Identity
category reductioninforce ...
Apr 08, 2016

UC0038 Excessive use of Shared Secrets (Narrative and Use Case Center)
Usage of greater than X number of unique shared/secret credentials or more than 1 standard deviation from peers
Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ...
Apr 11, 2016

UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center)
Use of a secret/shared secret account for access to such a system rather than accountable credentials could
indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access
DS006UserActivityET07ExecuteAs ...
Apr 11, 2016

UCESS004 Account Deleted (Narrative and Use Case Center)


Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the value
delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the
count is greater than 0: Last ...
Aug 14, 2016

UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)
Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create
earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values
where firstTime is greater than or equal to earliestQual ...
Aug 14, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center)


Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count
grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and
the command that initiated the change. Problem Types ...
Aug 14, 2016
Mature
Found 9 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS006UserActivity-*".

UCESS049 Short-lived Account Detected (Narrative and Use Case Center)


past 4 hours, find all events where action is equal to created or deleted. Look at the time range across user and
destination, use only two events, and only return events where the count is greater than 1 and the time range ...
Aug 14, 2016

UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center)
Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016

UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of
other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016

UC0013 Monitor change for high value groups (Narrative and Use Case Center)
Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems.
Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity
RV2Access DS006UserActivityET04Update DE002IdentityInformation Identity category terminated Identity
category reductioninforce ...
Apr 08, 2016

UC0038 Excessive use of Shared Secrets (Narrative and Use Case Center)
Usage of greater than X number of unique shared/secret credentials or more than 1 standard deviation from peers
Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ...
Apr 11, 2016


UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center)
Use of a secret/shared secret account for access to such a system rather than accountable credentials could
indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access
DS006UserActivityET07ExecuteAs ...
Apr 11, 2016

UCESS004 Account Deleted (Narrative and Use Case Center)


Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the value
delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the
count is greater than 0: Last ...
Aug 14, 2016

UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)
Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create
earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values
where firstTime is greater than or equal to earliestQual ...
Aug 14, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center)


Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count
grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and
the command that initiated the change. Problem Types ...
Aug 14, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS006UserActivity".

PT012-Splunk-InternalLogging (Narrative and Use Case Center)


... extensive internal logging covering performance and usage. Provides DS003Authentication
DS003AuthenticationET01Success DS003AuthenticationET02Failure DS006UserActivity Key Facts Impact to
index/license None LOADLow Work Estimates None ...
Apr 01, 2016
Labels: provider-type


DS007AuditTrail
Audit trail events represent a special class of events which can be triggered based on automated or user interaction with systems and indicate a
condition has occurred where the integrity of the source is suspect at a point in time.

Security Value
Continuous Monitoring - Identification of conditions which may impact the trustworthiness of a log source
Forensic Investigation - Identification of point in time where trust in the log source may be suspect
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Utilize logs to establish a time sequence

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail".

UC0006 Windows security event log purged (Narrative and Use Case Center)
Manually clearing the security event log on a Windows system is a violation of policy and could indicate an attempt
to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear
DE001AssetInformation Adoption ...
Apr 08, 2016

UC0046 Endpoint failure to sync time (Narrative and Use Case Center)
Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially
prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host.
Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016

UCESS022 Expected Host Not Reporting (Narrative and Use Case Center)
... Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware
RV6Misconfiguration DS007AuditTrail DE001AssetInformation Adoption Phase Customer Adoption Phase SME
Adoption Phase Industry ...
Aug 14, 2016
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-*".

UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files
in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a
realtime window of /5 minutes, search for action ...
Aug 14, 2016

UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center)
Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is
important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by
some regulatory compliance standards (such as PCI). For the past 30 days ...
Aug 14, 2016
Mature

Copyright 2016, Splunk Inc.

Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS007AuditTrail-*".

UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files
in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a
realtime window of /5 minutes, search for action ...
Aug 14, 2016

UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center)
Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is
important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by
some regulatory compliance standards (such as PCI). For the past 30 days ...
Aug 14, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail".

PT005-Microsoft-Windows (Narrative and Use Case Center)


... Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication
DS007AuditTrail DS007AuditTrailET01Clear DS007AuditTrailET02Alter Key Facts Impact to index/license Based on log
files ...
Aug 09, 2016
Labels: provider-type


DS008HRMasterData
Master Data system for Human Resources may publish an event indicating critical changes impacting people in an organization. Human
Resources records include the entire employee lifecycle including recruitment, selection, hiring, job position and classification, promotion, salary,
and bonuses, performance and ratings, disciplinary actions, training and certifications, and separation or retirement. For hourly employees, HR
data often includes time and attendance records. HR systems often feed payroll and finance systems for processing salary and benefits. HR
records provide the definitive source of employee information for identity management systems and enterprise directories, making them an
important source for authentication and authorization data. Although HR data traditionally has been textual, it increasingly includes images and
biometric information such as an employee's portrait, fingerprints, and iris scans.

Security Value
Continuous Monitoring - Identification of events which could increase the risk of a user

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData".

Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-*".

UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use
Case Center)

Increase the risk score of users who have indication of adverse separation. Examples of users with an indication of
adverse separation, include but are not limited to the following: User has entered a remediation program with
human resources User has been identified as included in a reduction ...
Apr 08, 2016

UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case
Center)

... Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET01Success DS008HRMasterData DE001AssetInformation DE002IdentityInformation
Adoption Phase Customer Adoption Phase SME Adoption Phase ...
Apr 08, 2016
Mature
Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS008HRMasterData-*".

UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use
Case Center)

Increase the risk score of users who have indication of adverse separation. Examples of users with an indication of
adverse separation, include but are not limited to the following: User has entered a remediation program with
human resources User has been identified as included in a reduction ...
Apr 08, 2016

UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case
Center)

... Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET01Success DS008HRMasterData DE001AssetInformation DE002IdentityInformation
Adoption Phase Customer Adoption Phase SME Adoption Phase ...
Apr 08, 2016


Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData".


DS009EndPointIntel
In this context, endpoint refers to the security client software or agent installed on a client device that logs security-related activity not otherwise
generated by the host operating system: client OS login, logout, and shutdown events and various applications such as the browser
(Explorer, Edge), mail client (Outlook), and Office applications. Endpoints also log their configuration and various security parameters (certificates,
local anti-malware signatures, etc.), all of which is useful in post hoc forensic security incident analysis. Sources of endpoint data vary in their
coverage; consider Microsoft EMET, Microsoft Sysmon, Tripwire, Bit9, SolidCore, or McAfee HIDS as examples.

Security Value
Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare, and extreme values over fields including sender, recipient, IP
and domain to increasingly identify actors and potential victims of email based attacks
Forensic Investigation
Utilize email log events in contribution of other events to identify potential actors involved in targeted activity
Utilize email log events to identify additional possible victims of email based attacks
Utilize email log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize email logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS009EndPointIntel".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 5 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel".

UCESS008 Anomalous New Service (Narrative and Use Case Center)


... Data Sources Enrichment Select PRT Values RV3MaliciousCode
https://securitykit.atlassian.net/wiki/display/GD/RV3MaliciousCode?src=contextnavpagetreemode
RV6Misconfiguration
https://securitykit.atlassian.net/wiki/display/GD/RV6Misconfiguration?src=contextnavpagetreemode
DS009EndPointIntel https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode
DS009EndPointIntelET01ServiceChange
https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode DDE001
Asset Information
https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation?src=contextnavpagetreemode DDE004
Threat List ...
Aug 14, 2016

UCESS028 High Process Count (Narrative and Use Case Center)


Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the
past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time
by destination and compare ...
Aug 14, 2016

UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and
Use Case Center)

Accounts designated for use by services and batch processes should start a limited set of child processes. Creation
of new child processes other than the process name defined in the service or batch definition may indicate
compromise. Problem Types Addressed ...
Apr 08, 2016

UCESS046 Prohibited Process Detected (Narrative and Use Case Center)


Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes that
isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the
output: origeventid (macro creates hash of indexer, time and raw event ...
Aug 14, 2016

UCESS047 Prohibited Service Detected (Narrative and Use Case Center)


Looking across a realtime window of /5 minutes, run the macro service and return services where isprobhibited is
set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid
(macro creates hash of indexer, time and raw ...
Aug 14, 2016
Mature
Found 5 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS009EndPointIntel".

UCESS008 Anomalous New Service (Narrative and Use Case Center)


... Data Sources Enrichment Select PRT Values RV3MaliciousCode
https://securitykit.atlassian.net/wiki/display/GD/RV3MaliciousCode?src=contextnavpagetreemode
RV6Misconfiguration
https://securitykit.atlassian.net/wiki/display/GD/RV6Misconfiguration?src=contextnavpagetreemode
DS009EndPointIntel https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode
DS009EndPointIntelET01ServiceChange
https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode DDE001
Asset Information
https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation?src=contextnavpagetreemode DDE004
Threat List ...
Aug 14, 2016

UCESS028 High Process Count (Narrative and Use Case Center)


Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the
past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time
by destination and compare ...
Aug 14, 2016

UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and
Use Case Center)

Accounts designated for use by services and batch process should start a limited set of child processes. Creation
of new child processes other than the process name defined in the service or batch definition may indicate
compromise. Problem Types Addressed ...
Apr 08, 2016

UCESS046 Prohibited Process Detected (Narrative and Use Case Center)


Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes where
isprohibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the
output: origeventid (macro creates hash of indexer, time and raw event ...
Aug 14, 2016

UCESS047 Prohibited Service Detected (Narrative and Use Case Center)


Looking across a realtime window of /5 minutes, run the macro service and return services where isprohibited is
set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid
(macro creates hash of indexer, time and raw ...
Aug 14, 2016


Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS009EndPointIntel".


DS010NetworkCommunication
Network communication data is a record of communication between two systems, commonly using IP version 4 or IP version 6. Network
communication can be recorded by a number of technologies including host operating systems, firewalls, switches, routers, deep packet
inspection, and intrusion detection systems.
Firewalls demarcate zones of different security policy. By controlling the flow of network traffic, firewalls act as gatekeepers, collecting
valuable data that might not be captured in other locations because of the firewall's unique position as the gatekeeper to network traffic.
Firewalls also enforce security policy and thus may break applications using unusual or unauthorized network protocols.
Deep Packet Inspection (DPI) is a fundamental technique used by firewalls to inspect the headers and the payload of network packets
before passing them on to the network, subject to security rules. DPI provides information about the source and destination of the packet,
the protocol, other IP and TCP/UDP header information and the actual data.
Virtual private networks (VPNs) are a way of building a secure extension of a private network over an insecure, public one. VPNs can be
established either between networks, routing all traffic between two sites, or between a client device and a network. Network-to-network
VPNs are typically created using strong credentials such as certificates on each end of the connection. Client-to-network VPNs rely on
user authentication, which can be as simple as a username and password. VPNs use network tunneling.
IDS and IPS are complementary, parallel security systems that supplement firewalls: IDS by exposing successful network and server
attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at
the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater
intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at other
points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting
specific IP addresses or ranges. Though this type of source can provide this data, it is rarely implemented at scale due to performance and
placement constraints in the enterprise network.
Switches are network intersections, places where packets move from one network segment to another. In their purest form, switches
work within a particular IP subnet and can't route Layer 3 packets on to another network. Modern data center designs typically use a
two-tier switch hierarchy: top-of-rack (ToR) switches connecting servers and storage arrays at the edge, and aggregation or spine
switches connecting to the network core. Although Ethernet switches are far more widespread, some organizations also use Fibre
Channel or InfiniBand for storage area networks or HPC interconnects, each of which has its own type of switch.
Routers are devices responsible for ensuring that traffic goes to the right network segment. Unlike switches, which operate at Layer 2,
routers work at Layer 3, directing traffic based on IP address and protocol (port number). Routers are responsible for particular
Layer 3 address spaces and manage traffic using information in routing tables and configured policies. Routers exchange information and
update their forwarding tables using dynamic routing protocols.
NetFlow is a network monitoring protocol, originally developed by Cisco but now supported by most equipment vendors, that provides a
detailed record of network traffic organized by packet flow. A flow is defined as a set of IP packets sharing a set of five to seven
attributes, namely IP source and destination address, source and destination port, Layer 3 protocol type, class of service (CoS) and
router or switch interface (physical port). Flow records can be exported and aggregated to show traffic movement, statistics, and historical
trends.

Security Value
Continuous Monitoring
Monitoring using analytic concepts such as new, rare and extreme values over fields such as IP, port and protocol increasingly identifies actors and
potential victims of network-based attacks
Monitoring for blocked communication activity by intermediate defensive systems such as firewalls and intrusion detection
systems
Forensic Investigation
Utilize communication log events in combination with other events to identify potential actors involved in targeted activity
Utilize communication log events to identify additional ingress and egress points
Utilize communication log events to identify pivot points utilized by attackers to move into controlled network segments
Utilize communication log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize communication logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 4 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that
the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data
even ...
Apr 26, 2016

UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intranetwork communication and accepted communications from the
internet Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016

UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate
either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing
the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 12 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-*".

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify
that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016

UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when
a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)

Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices,
ensure the first "xforwardedfor" entry ...
Jun 24, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)


Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an indication
of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system
probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with
the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ...
Apr 08, 2016

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016
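The UC0022, UC0023 and UC0086 checks listed above, as an added example that is not part of the original repository: the Splunk content is SPL over the Network Traffic data model, while this Python reproduces the same logic over constructed flow records. The thresholds, the port-to-function map, the administrative port set and the asset category table are assumptions made for the example.

```python
"""Added example (not Splunk's own content): the detection logic summarised by
use cases UC0022 (excessive unique hosts), UC0023 (excessive unique ports) and
UC0086 (multiple primary functions), applied to constructed network
communication records. Thresholds, port mappings and categories are assumed."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed asset category table (the asset lookup in Splunk ES). UC0022 excludes the
# svcnetworkscanner category; UC0023 says to use category to skip servers that
# negotiate high ports (passive FTP, Windows RPC), modelled here as svcpassiveftp.
ASSET_CATEGORY = {
    "10.0.0.5": "svcnetworkscanner",
    "10.0.1.50": "svcpassiveftp",
}
DYNAMIC_PORT_CATEGORIES = {"svcpassiveftp"}

# UC0086 excludes administrative protocols (RDP, SSH, iDRAC); port choices are assumed.
ADMIN_PORTS = {22, 3389, 623}
PRIMARY_FUNCTION_BY_PORT = {80: "HTTP", 443: "HTTP", 53: "DNS", 445: "SMB",
                            1433: "SQL", 3306: "SQL"}


@dataclass(frozen=True)
class Flow:
    """One network communication record as a firewall or NetFlow source would log it."""
    src: str
    dest: str
    dest_port: int
    transport: str
    action: str  # "allowed" or "blocked"


def excessive_unique_hosts(flows, threshold):
    """UC0022: sources that reached (or tried to reach) more than `threshold`
    distinct destinations, excluding authorised scanners by asset category."""
    dests = defaultdict(set)
    for f in flows:
        if ASSET_CATEGORY.get(f.src) == "svcnetworkscanner":
            continue
        dests[f.src].add(f.dest)
    return {src: len(d) for src, d in dests.items() if len(d) > threshold}


def excessive_unique_ports(flows, threshold):
    """UC0023: sources hitting more than `threshold` distinct destination ports.
    Flows to destinations that legitimately negotiate many ports (by category)
    are ignored so passive FTP / RPC traffic does not raise false positives."""
    ports = defaultdict(set)
    for f in flows:
        if ASSET_CATEGORY.get(f.src) == "svcnetworkscanner":
            continue
        if ASSET_CATEGORY.get(f.dest) in DYNAMIC_PORT_CATEGORIES:
            continue
        ports[f.src].add(f.dest_port)
    return {src: len(p) for src, p in ports.items() if len(p) > threshold}


def multiple_primary_functions(flows):
    """UC0086: destinations serving more than one primary function (SQL, HTTP, DNS, ...)
    inferred from accepted traffic, ignoring administrative protocols."""
    functions = defaultdict(set)
    for f in flows:
        # Blocked probes say nothing about what the destination actually serves.
        if f.action != "allowed" or f.dest_port in ADMIN_PORTS:
            continue
        fn = PRIMARY_FUNCTION_BY_PORT.get(f.dest_port)
        if fn:
            functions[f.dest].add(fn)
    return {dest: sorted(fns) for dest, fns in functions.items() if len(fns) > 1}


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    # workstation sweeping six file servers over SMB plus one web request: 7 distinct hosts
    *[Flow("10.0.0.20", f"10.0.1.{n}", 445, "tcp", "allowed") for n in range(100, 106)],
    Flow("10.0.0.20", "10.0.1.10", 80, "tcp", "allowed"),
    # authorised scanner touching thirty hosts: excluded from UC0022 by category
    *[Flow("10.0.0.5", f"10.0.1.{n}", 22, "tcp", "allowed") for n in range(10, 40)],
    # unknown source probing ten ports on one server, all blocked: UC0023 candidate
    *[Flow("10.0.0.30", "10.0.1.10", p, "tcp", "blocked")
      for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445)],
    # passive FTP client using twelve high ports on a svcpassiveftp server: not UC0023
    *[Flow("10.0.0.40", "10.0.1.50", p, "tcp", "allowed") for p in range(50000, 50012)],
    # 10.0.1.10 serves HTTP and SQL (RDP is administrative): UC0086 candidate
    Flow("10.0.0.21", "10.0.1.10", 1433, "tcp", "allowed"),
    Flow("10.0.0.22", "10.0.1.10", 3389, "tcp", "allowed"),
    # 10.0.1.11 serves only HTTPS (SSH is administrative): no UC0086 alert
    Flow("10.0.0.21", "10.0.1.11", 443, "tcp", "allowed"),
    Flow("10.0.0.22", "10.0.1.11", 22, "tcp", "allowed"),
]

if __name__ == "__main__":
    print("UC0022", excessive_unique_hosts(SAMPLE_FLOWS, threshold=5))
    print("UC0023", excessive_unique_ports(SAMPLE_FLOWS, threshold=8))
    print("UC0086", multiple_primary_functions(SAMPLE_FLOWS))
```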
Mature
Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify
that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016

UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when
a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices,
ensure the first "xforwardedfor" entry ...
Jun 24, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)


Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an indication
of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system
probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with
the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ...
Apr 08, 2016

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016

Providing Technologies


Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".

PT009-SourceFire (Narrative and Use Case Center)


Provides DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT008-Snort (Narrative and Use Case Center)


Provides DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT006-PaloAlto Firewall (Narrative and Use Case Center)


Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi-function firewall, VPN and reverse proxy device. Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average
...
Jul 25, 2016
Labels: provider-type


DS011MalwareDetonation
Malware detonation systems, also known as sandboxing systems, execute potentially malicious code in a clean environment for the purpose of
collecting events related to its actions. Using automated and manual analysis, indicators can be determined which can inform additional breach
detection and prevention capability.

Security Value
Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare and extreme values over fields including sender,
recipient, IP and domain increasingly identifies actors and potential victims of email-based attacks
Forensic Investigation - Logs can be utilized to determine if actions from a user/host may indicate control by a third party

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 4 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that
the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data
even ...
Apr 26, 2016

UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intranetwork communication and accepted communications from the
internet Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016

UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate
either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing
the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 12 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-*".

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify
that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016

UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when
a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices,
ensure the first "xforwardedfor" entry ...
Jun 24, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)


Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an indication
of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system
probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with
the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ...
Apr 08, 2016

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016
Mature
Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify
that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016

UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when
a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices,
ensure the first "xforwardedfor" entry ...
Jun 24, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)


Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an indication
of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system
probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with
the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ...
Apr 08, 2016

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016

Providing Technologies
Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".

PT009-SourceFire (Narrative and Use Case Center)


Provides DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT008-Snort (Narrative and Use Case Center)


Provides DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT006-PaloAlto Firewall (Narrative and Use Case Center)


Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi-function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day
(average ...
Jul 25, 2016
Labels: provider-type

Copyright 2016, Splunk Inc.


DS012NetworkIntrusionDetection
What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls: IDS by exposing
successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS
is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to
provide greater intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at
other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting
specific IP addresses or ranges.

Security Value
Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare and extreme values over fields including IP and signature
to identify actors and potential victims of network vulnerability-based attacks
Forensic Investigation
Identify compromised or potentially compromised hosts based on exploitation data
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS012NetworkIntrusionDetection".

UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of
unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they
are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016

UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events.
Vulnerability scanners generally trigger a high number of unique events when scanning a host since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016

UC0074 Network Intrusion Internal Network (Narrative and Use Case Center)
IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption
Phase SME Adoption Phase ...
May 09, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS012NetworkIntrusionDetection-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS012NetworkIntrusionDetection-*".

Providing Technologies


Found 2 search result(s) for title:PT* contentBody:"DS012NetworkIntrusionDetection".

PT017-Trend-TippingPoint (Narrative and Use Case Center)


Trend Micro TippingPoint IPS product Provides DS012NetworkIntrusionDetectionET01SigDetection Key Facts
Impact to index/license Based on log files total size of message tracking log file over 7 days from devices where
local log collection ...
Jul 25, 2016
Labels: provider-type

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi-function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average
...
Jul 25, 2016
Labels: provider-type


DS013TicketManagement
Ticket management data from tracking systems responsible for the security and operational health of the environment(s) provides a rich resource
for evaluating the effectiveness of the security program, as well as of the detective and preventive controls in place.

Security Value
Continuous Monitoring - Monitoring the effective execution of triage and remediation activities.
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Establish a timeline of what was known, when and by whom

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essentials" contentBody:"DS013TicketManagement-*".

Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS013TicketManagement-*".

UCESS058 Untriaged Notable Events (Narrative and Use Case Center)


Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return
notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status,
rule ...
Aug 14, 2016

UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center)
Define and maintain eventtypes for unsuppressed notable events, separately identifying review workflow and
triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption
Phase ...
Apr 27, 2016

UCESS051 Substantial Increase In Events (Narrative and Use Case Center)


Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all
summary data even if the model has changed, generate a count by signature and compare that count against the
previous hour and trigger if the signature is above medium ...
Aug 14, 2016
Mature
Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS013TicketManagement-*".

UCESS058 Untriaged Notable Events (Narrative and Use Case Center)


Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return
notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status,
rule ...
Aug 14, 2016

UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center)
Define and maintain eventtypes for unsuppressed notable events, separately identifying review workflow and
triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption
Phase ...
Apr 27, 2016

UCESS051 Substantial Increase In Events (Narrative and Use Case Center)


Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all
summary data even if the model has changed, generate a count by signature and compare that count against the
previous hour and trigger if the signature is above medium ...
Aug 14, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS013TicketManagement".


DS014WebServer
Web server logs allow attribution of activity to a specific source IP and, when authenticated, to a user. The logs are detailed records of every
transaction: every time a browser requests a web page, Apache logs details such as the time, remote IP address, browser type and
page requested. Web servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate
permissions or problems with extension modules. Web server logs are critical in debugging both web application and server problems but are
also used to generate traffic statistics, track user behavior and flag security attacks such as attempted unauthorized entry or DDoS.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Security Value
Continuous Monitoring
Monitoring server logs using analytic concepts such as new, rare and extreme values over fields including site, resource and IP
to identify actors and potential victims of attacks
Monitoring server logs using analytic concepts to identify potential DoS attacks by an increasing number of requests for sites or
specific resources
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify scope of exploitation
Utilize log events to identify scope of time for an incident
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS014WebServer".

Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS014WebServer-*".

UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequences occurs: New domain in http referrer field; First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative

UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use
Case Center)

Communication to any web application server without filtering by a network web application firewall indicates a
security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset
Information ...
Apr 27, 2016
Mature
Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS014WebServer-*".


UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequences occurs: New domain in http referrer field; First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative

UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use
Case Center)

Communication to any web application server without filtering by a network web application firewall indicates a
security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset
Information ...
Apr 27, 2016
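As an added example for this data source (not the repository's own content; the repository expresses its use cases as Splunk searches), the two checks listed above, UC0085/UC0092's approved-flow test and UCESS021's excessive-failure count, run over constructed Apache access-log lines in Python. The log layout, the NLB/WAF inventory and the rule that traffic arriving from an NLB must show an approved WAF as the last X-Forwarded-For hop are assumptions of this example; the use case text is truncated at that point.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log layout for this example: Apache LogFormat
# "%v %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"".
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical asset inventory: the only devices allowed to reach the web servers.
APPROVED_NLB = {"10.0.1.10"}
APPROVED_WAF = {"10.0.2.20"}

# Constructed sample: line 3 reached the NLB without a WAF hop, line 4 came straight from
# an unknown address, and 198.51.100.9 produces five failures in five minutes (plus one
# more 85 minutes later, outside the 60-minute window). Lines are deliberately unsorted.
SAMPLE_LOG = """\
app1.example.net 10.0.2.20 - - [24/Jun/2016:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.5"
app1.example.net 10.0.1.10 - - [24/Jun/2016:10:00:02 +0000] "GET /home HTTP/1.1" 200 812 "-" "Mozilla/5.0" "203.0.113.5, 10.0.2.20"
app1.example.net 10.0.1.10 - - [24/Jun/2016:10:00:03 +0000] "GET /home HTTP/1.1" 200 812 "-" "Mozilla/5.0" "203.0.113.5"
app2.example.net 192.0.2.77 - - [24/Jun/2016:10:00:04 +0000] "GET /admin HTTP/1.1" 403 - "-" "curl/7.47.0" "-"
app1.example.net 10.0.2.20 - - [24/Jun/2016:10:01:00 +0000] "GET /a HTTP/1.1" 404 - "-" "python-requests/2.9" "198.51.100.9"
app1.example.net 10.0.2.20 - - [24/Jun/2016:10:02:00 +0000] "GET /b HTTP/1.1" 404 - "-" "python-requests/2.9" "198.51.100.9"
app1.example.net 10.0.2.20 - - [24/Jun/2016:10:03:00 +0000] "GET /c HTTP/1.1" 403 - "-" "python-requests/2.9" "198.51.100.9"
app1.example.net 10.0.2.20 - - [24/Jun/2016:10:04:00 +0000] "GET /d HTTP/1.1" 500 - "-" "python-requests/2.9" "198.51.100.9"
app1.example.net 10.0.2.20 - - [24/Jun/2016:10:05:00 +0000] "GET /e HTTP/1.1" 404 - "-" "python-requests/2.9" "198.51.100.9"
app1.example.net 10.0.2.20 - - [24/Jun/2016:11:30:00 +0000] "GET /f HTTP/1.1" 404 - "-" "python-requests/2.9" "198.51.100.9"
app1.example.net 10.0.2.20 - - [24/Jun/2016:10:09:00 +0000] "GET /x HTTP/1.1" 404 - "-" "Mozilla/5.0" "203.0.113.5"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    # X-Forwarded-For is a comma-separated chain, oldest hop first; "-" means absent.
    ev["xff"] = [h.strip() for h in ev["xff"].split(",") if h.strip() and h.strip() != "-"]
    return ev

def client_ip(ev):
    """Originating client: the first X-Forwarded-For hop, else the TCP source."""
    return ev["xff"][0] if ev["xff"] else ev["src"]

def flow_exceptions(events, nlb=APPROVED_NLB, waf=APPROVED_WAF):
    """UC0085/UC0092-style check: per web host, sources that did not arrive through
    an approved NLB or WAF. Returns {host: {src_ip: reason}}."""
    out = defaultdict(dict)
    for ev in events:
        src = ev["src"]
        if src in waf:
            continue  # delivered directly by an approved WAF
        if src not in nlb:
            out[ev["host"]][src] = "source is not an approved NLB or WAF"
        # Assumption of this example: with a WAF in front of the NLB, the NLB appends
        # the WAF address to X-Forwarded-For, so the most recent hop must be a WAF.
        elif not ev["xff"] or ev["xff"][-1] not in waf:
            out[ev["host"]][src] = "NLB traffic did not pass through an approved WAF"
    return dict(out)

def excessive_failures(events, threshold=5, window=timedelta(minutes=60)):
    """UCESS021-style check: clients with >= threshold HTTP 4xx/5xx responses inside
    any sliding window of the given length. Returns {client_ip: peak_failure_count}."""
    fails = defaultdict(list)
    for ev in events:
        if ev["status"] >= 400:
            fails[client_ip(ev)].append(ev["ts"])
    peaks = {}
    for client, stamps in fails.items():
        stamps.sort()
        lo, best = 0, 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:  # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            peaks[client] = best
    return peaks

def run_checks(log_text, **kw):
    """Parse the log text and run both checks; unparseable lines are skipped."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return flow_exceptions(events), excessive_failures(events, **kw)

if __name__ == "__main__":
    flows, fails = run_checks(SAMPLE_LOG)
    for host, bad in sorted(flows.items()):
        for src, why in sorted(bad.items()):
            print(f"{host}: {src}: {why}")
    for client, n in sorted(fails.items()):
        print(f"{client}: {n} HTTP failures within 60 minutes")
```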

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS014WebServer".

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi-function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average
...
Jul 25, 2016
Labels: provider-type


DS015ConfigurationManagement
Configuration management solutions such as VMware vCenter, MAAS, Puppet, Chef, System Center Configuration Manager, and System Center
Virtualization Manager. Events generated by these systems can provide valuable input to security investigations by recording who applied
which changes to systems. Additional information such as the base image utilized and birth and death timestamps provides data
useful for identifying windows of vulnerability.

Security Value
Continuous Monitoring - Monitoring of privileged user activity such as change outside of windows, access to sensitive configuration
values or modification to critical controls
Forensic Investigation
Establish a time line of activities of a privileged user
Establish when controls were placed or removed on a specific host
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS015ConfigurationManagement*".

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS015ConfigurationManagement*".

UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center)


Alerts when there are assets that define a specific priority and category but do not have an assigned owner.
Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the
category is not null and the length of the value in category is greater than ...
Aug 14, 2016
Mature
Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS015ConfigurationManagement*".

UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center)


Alerts when there are assets that define a specific priority and category but do not have an assigned owner.
Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the
category is not null and the length of the value in category is greater than ...
Aug 14, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS014WebServer" NOT contentBody:"DS015ConfigurationManagement-*".

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi-function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average
...
Jul 25, 2016
Labels: provider-type


DS016DataLossPrevention
Data loss prevention solutions can identify human and automated activities as they interact with restricted information, creating an audit trail of
attempted actions and the system's response such as allow or block.

Security Value
Continuous Monitoring
Monitoring alerts indicating policy violation or attempted policy violation to prompt immediate action by security monitoring.
Monitoring alerts indicating excessive interaction with restricted information as possible indication of compromise
Forensic Investigation
Utilize events in contribution of other events to identify potential actors involved in targeted activity
Utilize events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Utilize logs to support documentation of compliance

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS016DataLossPrevention".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS016DataLossPrevention-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS016DataLossPrevention-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS016DataLossPrevention".


DS017PhysicalSecurity
Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic strips affixed to
employee badges; however, locations with stringent security requirements may use some form of a biometric reader or digital key. Regardless of
the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular
location. As digital systems, badge readers record information such as user ID, date and time of entry and perhaps a photo for each access
attempt. Motion and sensor indicators may also be useful in extreme situations where physical access is limited tightly.

Security Value
Forensic Investigation
Utilize log events to place a badge (single factor) or person (two-factor bio/pin) in a specific location
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS017PhysicalSecurity".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS017PhysicalSecurity-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS017PhysicalSecurity-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS017PhysicalSecurity".


DS018VulnerabilityDetection
An effective way to find security holes is to examine one's infrastructure from the attacker's point of view. Vulnerability scans probe an
organization's network for known software defects that provide entry points for external agents. The scans yield data about open ports and IP
addresses that can be used by malicious agents to gain entry to a particular system or entire network. Systems often keep network services
running by default, even when they aren't required for a particular server. These running, yet orphaned, i.e. unmonitored services are a common
means of external attack since they may not be patched with the latest OS security updates. Broadscale vulnerability scans can reveal security
holes that could be leveraged to access an entire enterprise network.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS018VulnerabilityDetection".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS018VulnerabilityDetection-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS018VulnerabilityDetection-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS018VulnerabilityDetection".


DS019PatchManagement
Keeping operating systems and applications updated with the latest bug fixes and security patches is an essential task that can prevent
unplanned downtime, random application crashes and security breaches. Although commercial apps and OSs often have embedded patching
software, some organizations use independent patch management software to consolidate patch management and ensure the consistent
application of patches across their software fleet and to build patch jobs for custom, internal applications. Patch management software keeps a
patch inventory using a database of available updates and can match these against an organization's installed software. Other features include
patch scheduling, post-install testing and validation and documentation of required system configurations and patching procedures.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS019PatchManagement*".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS019PatchManagement-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS019PatchManagement-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS019PatchManagement".


DS020HostIntrustionDetection
Host based Intrusion Detection events provide signature based detection of changes that could weaken the security posture of the host based on
changes to entire files or specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the
environment.

Security Value
Continuous Monitoring - Monitoring of alerts generated to ensure the SOC triages events in a timely manner
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of email based attacks
Utilize log events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS020HostIntrustionDetection".

Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS020HostIntrustionDetection-*".

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify
that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices,
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
Mature
Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS020HostIntrustionDetection-*".

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify
that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices,
ensure the first "xforwardedfor" entry ...
Jun 24, 2016


Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS020HostIntrustionDetection".


DS021Telephony
Real-time business communications no longer are limited to voice calls provided by Plain Old Telephone Service (POTS); instead, voice, video,
text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web
applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss,
making service quality and reliability much more sensitive to network conditions and server responsiveness. Traditional POTS has conditioned
people to expect immediate dial tone when picking up the phone and be intolerant of noise, echo or other problems that can plague IP telephony;
as such, the systems and supporting infrastructure require careful monitoring and management to assure quality and reliability. Voice over IP
protocol refers to several methods for transmitting real-time audio (and now video) information over an IP-based data network. Unlike traditional
phone systems using dedicated, point-to-point circuits, VoIP applications use packet-based networks to carry real-time audio streams that are
interspersed with other Ethernet data traffic. Since TCP packets may be delivered out of order due to data loss and retransmission, VoIP includes
features to buffer and reassemble a stream. Similarly, VoIP packets are usually tagged with quality of service (QoS) headers to prioritize their
delivery through the network.

Security Value
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS021Telephony".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS021Telephony-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS021Telephony-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS021Telephony".


DS022Performance
Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs
that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and
unusual events. By registering myriad system parameters, performance logs also can highlight mismatches between system capacity and
application requirements, such as a database using all available system memory and frequently swapping to disk. Application performance
management (APM) software provides end-to-end measurement of complex, multitier applications to provide performance metrics from an end
user's perspective. APM logs also provide event traces and diagnostic data that can assist developers in identifying performance bottlenecks or
error conditions. The data from APM software provides both a baseline of typical application performance and record of anomalous behavior or
performance degradation. Carefully monitoring APM logs can provide early warning to application problems and allow IT and developers to
remediate issues before users experience significant degradation or disruption. APM logs also are required to perform post-hoc forensic analysis
of complex application problems that may involve subtle interactions between multiple machines and/or network devices.

Security Value
Continuous Monitoring
Monitor system resources for increased utilization or exhaustion as possible indication of denial of service attack
Monitor system resources for increased utilization or exhaustion as possible indication of brute force attack.
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS022Performance".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS022Performance-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS022Performance-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS022Performance".


DS023CrashReporting
Crash reports, including summaries of dumps, exceptions and hangs, can indicate attempts at exploitation of processes by malicious code or
significant programming errors allowing possible future exploitation or failure of business services.

Security Value
Continuous Monitoring
Monitor and triage occurrences as possible indication of attack
Forensic Investigation
Utilize log events, in combination with other events, to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS023CrashReporting".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS023CrashReporting-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS023CrashReporting-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS023CrashReporting".

DS024ApplicationServer
Application server logs, covering the business application itself, middleware such as Tomcat, and runtime logs such as those of the Java runtime,
contain a wealth of information created when users and systems interact. Anomalies in the logs can indicate potential failures or compromise attempts.

Security Value
Continuous Monitoring
Develop implementation-specific monitoring to alert security operations to potential issues created by external interaction
Forensic Investigation
Utilize log events, in combination with other events, to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS024ApplicationServer".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS024ApplicationServer-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS024ApplicationServer-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS024ApplicationServer".

Supporting Event Type View

DS001Mail-ET01Access
Event indicates a specific message has been accessed by a user from a specific source system

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET01Send".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET01Send".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-ET01Send".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS001MAIL-ET01Send".

DS001Mail-ET02Receive
An event indicates a message has been received by one or more users.

Consuming Use Cases


Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET02Receive".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET02Receive".

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative
Mature
Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-ET02Receive".

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS001MAIL-ET02Receive".

PT001-Microsoft-Exchange (Narrative and Use Case Center)


... solution and channel of communication useful in various attacks access monitoring is imperative. Provides DS001MAIL DS001MailET01Access DS001MAILET02Receive DS001MailET03Send DS003Authentication Authentication occurs for Administrative action Active Sync ...
Apr 01, 2016
Labels: provider-type

DS001Mail-ET03Send
Indicates an authorized user or system has sent a message to one or more recipients.

Consuming Use Cases


Essentials
Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001Mail-ET03Send".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending
on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS031 Host Sending Excessive Email (Narrative and Use Case Center)
Alerts when a host not designated as an email server sends excessive email to one or more target hosts. For
the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed,
calculate ...
May 02, 2016

UC0003 Server generating email outside of approved usage (Narrative and Use Case Center)
Server operating systems often generate email for routine purposes. Configuration management can be used
to identify which server may generate email and what recipients are permitted. Identify servers receiving email
from the internet without approval Identify ...
Apr 19, 2016

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET03Send".

UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center)
Excessive email generation by an authorized user could indicate the presence of malware for the purpose of
spam sending, abusing company resources, or attempting to solve a business problem using a technique not
approved by policy. For this use case, email generated from endpoint networks ...
Apr 08, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS001MAIL-ET03Send".

PT001-Microsoft-Exchange (Narrative and Use Case Center)


... solution and channel of communication useful in various attacks access monitoring is imperative. Provides DS001MAIL DS001MailET01Access DS001MAILET02Receive DS001MailET03Send DS003Authentication Authentication occurs for Administrative action Active Sync ...
Apr 01, 2016
Labels: provider-type

DS002DNS-ET01Query
DNS request and response reassembled into a single event

DS002DNS-ET01QueryRequest DNS Request from a client, response reassembly is not required
DS002DNS-ET01QueryResponse Reassembled request response as a single event containing the original client ip

Consuming Use Cases


Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01Query".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending
on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01Query".

UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a computer, excluding
known cloud hosting domains, Alexa TOP 1M domains and domains with long established communication with
the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative

UC0076 Excessive DNS Failures (Narrative and Use Case Center)


endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of
security controls can be detected by either a large volume or high number of unique DNS queries. Problem
Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0049 Detection of DNS Tunnel (Narrative and Use Case Center)


Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of
security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

Providing Technologies
Found 2 search result(s) for title:PT* contentBody:"DS002DNS-ET01Query".

PT002-Splunk-Stream-DNS (Narrative and Use Case Center)


Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest
providertype
Apr 25, 2016
Labels: provider-type

PT003-ExtraHop-DNS (Narrative and Use Case Center)


Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest
providertype
Apr 25, 2016
Labels: provider-type

DS002DNS-ET01QueryRequest
DNS Request from a client, response reassembly is not required

Consuming Use Cases


Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01QueryRequest".

Maturing

Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01QueryRequest".

UCESS019 Excessive DNS Queries (Narrative and Use Case Center)


Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5
minutes ago, using all summary data even if the model has changed, provide a count where the message ...
Aug 14, 2016

UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center)
Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain.
Search for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad.registrationdomain where the domain
portion is not a company owned domain. Problem Types Addressed Risk Addressed Event ...
Apr 25, 2016

UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate
the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware

Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS002DNS-ET01QueryRequest".

PT013-ISCBIND-DNS (Narrative and Use Case Center)


Provides DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype
Apr 25, 2016
Labels: provider-type

PT002-Splunk-Stream-DNS (Narrative and Use Case Center)


Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest
providertype
Apr 25, 2016
Labels: provider-type

PT003-ExtraHop-DNS (Narrative and Use Case Center)


Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest
providertype
Apr 25, 2016
Labels: provider-type

DS002DNS-ET01QueryResponse
Reassembled request response as a single event containing the original client ip

Consuming Use Cases


Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01QueryResponse".

Maturing

Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01QueryResponse".

UCESS018 Excessive DNS Failures (Narrative and Use Case Center)


Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period
starting 5 minutes ago, using all summary data even if the model has changed, provide a count where ...
Aug 14, 2016

Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS002DNS-ET01QueryResponse".

PT013-ISCBIND-DNS (Narrative and Use Case Center)


Provides DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype
Apr 25, 2016
Labels: provider-type

PT002-Splunk-Stream-DNS (Narrative and Use Case Center)


Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest
providertype
Apr 25, 2016
Labels: provider-type

PT003-ExtraHop-DNS (Narrative and Use Case Center)


Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest
providertype
Apr 25, 2016
Labels: provider-type

DS003Authentication-ET01Success
Indicates the authentication system validated the factors provided

Consuming Use Cases


Essentials
Found 5 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET01Success".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)


past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending
on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)
Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end
date of the identity has been passed). Looking across a realtime window of /5 minutes, search for Last Time,
Original Raw Event Data, user ...
Aug 14, 2016

UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period
(this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago,
search for application ...
Aug 14, 2016

UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects excessive number of failed login attempts along with a successful attempt (this could indicate a
successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags,
applications, count of failures ...
Aug 14, 2016

UC0043 Direct Authentication to NHA (Narrative and Use Case Center)


Direct authentication via SSH or console session to a non human account indicates a violation of security policy
by recording the password of a non human account for later use or by association of a SSH key to a non
human account. Problem Types Addressed Risk ...
Apr 11, 2016

Maturing
Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET01Success".

UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default
passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a
realtime window of /5 minutes, return lastTime, tag ...
Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016

UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016

UC0094 Insecure authentication method detected (Narrative and Use Case Center)
each authentication technology in the network identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs
without the required indicators Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016

UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non production environment. If an account (not
user) has logged into more than one, account access management controls have failed and must be
remediated. Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016

UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)
Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no
longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier,
maintain the last accessed time and alert when the last ...
Jun 24, 2016

UC0045 Local authentication server (Narrative and Use Case Center)


Following provisioning, *nix servers seldom require local administration. Investigate any use of local
authentication as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 11, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious
activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access
RV3MaliciousCode RV6Misconfiguration ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)


Authentication using insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure;
accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions
indicate system probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)
public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should
be investigated to determine the owner of the key and validate authorization to access the resource. Problem
Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ...
Apr 11, 2016

Providing Technologies
Found 2 search result(s) for title:PT* contentBody:"DS003Authentication-ET01Success".

PT012-Splunk-InternalLogging (Narrative and Use Case Center)


... Enterprise Application includes extensive internal logging covering performance and usage. Provides DS003Authentication DS003AuthenticationET01Success DS003AuthenticationET02Failure DS006UserActivity Key Facts Impact to index/license None LOADLow ...


Apr 01, 2016
Labels: provider-type

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day
(average ...
Jul 25, 2016
Labels: provider-type

DS003Authentication-ET02Failure
The authentication system did not approve the attempt based on invalid factors

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".

DS003Authentication-ET02FailureBadFactor
Indicates the authentication system determined the factors provided were invalid

Consuming Use Cases


Essentials

Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureBadFactor".

UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period
(this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago,
search for application ...
Aug 14, 2016

UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects excessive number of failed login attempts along with a successful attempt (this could indicate a
successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags,
applications, count of failures ...
Aug 14, 2016

Maturing

Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureBadFactor".

UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016

UCESS020 Excessive Failed Logins (Narrative and Use Case Center)


Detects excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting
5 minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct
user ...
Aug 14, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureBadFactor".

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day
(average ...
Jul 25, 2016
Labels: provider-type

DS003Authentication-ET02FailureError
Indicates the authentication system encountered an error and was unable to authenticate the user.

Consuming Use Cases


Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureError".

Maturing

Click here to expand...


Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureError".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureError".

DS003Authentication-ET02FailureUnknownAccount
Indicates the authentication system was unable to locate the account, factors were not evaluated

Consuming Use Cases


Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureUnknownAccount".

Maturing

Click here to expand...


Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureUnknownAccount".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureUnknownAccount".

DS004EndPointAntiMalware-ET01SigDetected
Endpoint product detected malware based on a signature or a specified heuristics class

Consuming Use Cases


Essentials
Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware-ET01SigDetected".

UCESS035 Host With Multiple Infections (Narrative and Use Case Center)
Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if
the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert
when the count is greater ...
Aug 14, 2016

UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)
Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data
even if the model has changed, return an estimated distinct count of destination (host, IP, name) where
nodename is MalwareAttacks ...
Aug 14, 2016

UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)
Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5
minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen
time, original raw log, destination ...
Aug 14, 2016

UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)
Detects users with a high or critical priority logging into a malware infected machine. Using all summary data
even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime
where user priority ...
Aug 14, 2016

UCESS043 Outbreak Detected (Narrative and Use Case Center)


Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same
infection. For the past 24 hours, using all summary data even if the model has changed, generate a distinct
count of the system that was affected by the malware ...
Apr 26, 2016

UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center)
Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts
should be evaluated to determine why they are not updating their malware signatures. Execute the malware
operations tracker macro and calculate the timesignatureversion and return results that the day difference
between ...
Apr 26, 2016

UCESS036 Host With Old Infection Or Potential Re-Infection (Narrative and Use Case Center)
Alerts when a host with an old infection is discovered (likely a reinfection). For the past 60 minutes starting 5
minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup
against the malwaretracker and match on destination and signature. If a match ...
Apr 26, 2016

UCESS032 Host With A Recurring Malware Infection (Narrative and Use Case Center)
Alerts when a host has an infection that has been removed and reinfected multiple times over multiple days. For the
past 10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model ...
Apr 26, 2016

UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center)
Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or
quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DDE007 Signature Special Processing List ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center)
When a new malware variant is detected by endpoint antivirus technology it is possible the configuration or
capability of other controls are deficient. Review the sequence of events leading to the infection to determine if
additional preventive measures can be put in place. Problem Types Addressed Risk ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

Maturing
Found 5 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET01SigDetected".

UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more
than 5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible
worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how
many hosts are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and Use Case Center)
Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack.
Monitor for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center)
Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an
undetected loader malware component (apt). Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)
Endpoint antimalware detection event occurred where the malicious content was retrieved from an external
URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat
prevention. Use the information available for the event and determine how existing ...
Apr 11, 2016
Labels: prt05-tacticalthreat-ransomeware

Providing Technologies

Copyright 2016, Splunk Inc.

Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET01SigDetected".

DS004EndPointAntiMalware-ET02UpdatedSig
Update occurrence for the signature data used by the anti-malware engine; in a multiple engine/database relationship, the database updated
should be specified.

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware-ET02UpdatedSig".

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET02UpdatedSig".

UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets
identified as loaner ...
May 16, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006EndPointAntiMalware-ET02UpdatedSig".

DS004EndPointAntiMalware-ET03UpdatedEng
Update occurrence for the engine used by the anti-malware product; in a multiple engine/database relationship, the engine updated should be
specified.

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".

DS005WebProxyRequest-ET01Requested
Traditional HTTP request from a client

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS005WebClientRequest-ET01Requested".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebClientRequest-ET01Requested".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS005WebClientRequest-ET01Requested".

DS005WebProxyRequest-ET01RequestedWebAppAware
Indicates a traditional web application request with additional context provided by the generating system, which detects the "application" implied by
the request, such as Facebook/Farmville or TeamViewer

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET01RequestedWebAppAware".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET01RequestedWebAppAware".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS001MAIL-ET01RequestedWebAppAware".

DS005WebProxyRequest-ET02Connect
CONNECT (tunnel) request from an HTTP client

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS005WebClientRequest-ET02Connect".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebClientRequest-ET02Connect".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS005WebClientRequest-ET02Connect".

DS006UserActivity-ET01List
User activity listing the contents of a container

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET01List".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET01List".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET01List".

DS006UserActivity-ET02Read
User activity reading the contents of an object

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET02Read".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET02Read".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET02Read".

DS006UserActivity-ET03Create
User activity creating a new object

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET03Create".

Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET03Create".

UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)
Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create
earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return
values where firstTime is greater than or equal to earliestQual ...
Aug 14, 2016

UCESS049 Short-lived Account Detected (Narrative and Use Case Center)
past 4 hours, find all events where action is equal to created or deleted. Look at the time range across user and
destination, use only two events, and only return events where the count is greater than 1 and the time
range ...
Aug 14, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET03Create".

DS006UserActivity-ET04Update
User activity updating an object

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET04Update".

Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET04Update".

UC0013 Monitor change for high value groups (Narrative and Use Case Center)
Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems.
Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityUserActivity RV2Access DS006UserActivityET04Update DE002IdentityInformation
Identity category terminated Identity category reductioninforce ...
Apr 08, 2016

UCESS040 Network Change Detected (Narrative and Use Case Center)
Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count
grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and
the command that initiated the change. Problem Types ...
Aug 14, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET04Update".

DS006UserActivity-ET05Delete
User activity deleting an object

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET05Delete".

Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET05Delete".

UCESS004 Account Deleted (Narrative and Use Case Center)
Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the
value delete within the tag field (autogenerated field in datamodels) and show the following aggregated values
when the count is greater than 0: Last ...
Aug 14, 2016

UCESS049 Short-lived Account Detected (Narrative and Use Case Center)
past 4 hours, find all events where action is equal to created or deleted. Look at the time range across user and
destination, use only two events, and only return events where the count is greater than 1 and the time
range ...
Aug 14, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET05Delete".

DS006UserActivity-ET06Search
User activity searching for additional content

Consuming Use Cases

Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET06Search".

UCESS045 Potential Gap in Data (Narrative and Use Case Center)
Detects gaps caused by the failure of the search head. If saved searches do not execute, then there may be
gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that
were successful where the app context ...
Aug 16, 2016

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET06Search".

UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior
of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET06Search".

DS006UserActivity-ET07ExecuteAs
User activity searching for additional content

Consuming Use Cases

Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET06Search".

UCESS045 Potential Gap in Data (Narrative and Use Case Center)
Detects gaps caused by the failure of the search head. If saved searches do not execute, then there may be
gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that
were successful where the app context ...
Aug 16, 2016

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET06Search".

UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior
of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET06Search".

DS007AuditTrail-ET01Clear
Events such as Clear, Delete, Purge or Rotate should record the controlling user, target of the action and result

Consuming Use Cases

Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail-ET01Clear".

UC0006 Windows security event log purged (Narrative and Use Case Center)
Manually clearing the security event log on a Windows system is a violation of policy and could indicate an
attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear
DE001AssetInformation Adoption ...
Apr 08, 2016

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET01Clear".

UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion or clearing of log files. Attackers oftentimes clear the log
files in order to hide their actions; therefore, this may indicate that the system has been compromised. Looking
across a realtime window of /5 minutes, search for action ...
Aug 14, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET01Clear".

PT005-Microsoft-Windows (Narrative and Use Case Center)
... Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication
DS007AuditTrail DS007AuditTrailET01Clear DS007AuditTrailET02Alter Key Facts Impact to index/license Based on
log files ...
Aug 09, 2016
Labels: provider-type

DS007AuditTrail-ET02Alter
Where possible, identify the acting user and the current and new log retention parameters

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail-ET02Alter".

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET02Alter".

UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion or clearing of log files. Attackers oftentimes clear the log
files in order to hide their actions; therefore, this may indicate that the system has been compromised. Looking
across a realtime window of /5 minutes, search for action ...
Aug 14, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET02Alter".

PT005-Microsoft-Windows (Narrative and Use Case Center)
... Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication
DS007AuditTrail DS007AuditTrailET01Clear DS007AuditTrailET02Alter Key Facts Impact to index/license Based on
log files ...
Aug 09, 2016
Labels: provider-type

DS007AuditTrail-ET03TimeSync
Where possible, identify the acting user; where no result is included, success must be assumed due to limitations of common time sync software

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail-ET02Alter".

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET02Alter".

UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion or clearing of log files. Attackers oftentimes clear the log
files in order to hide their actions; therefore, this may indicate that the system has been compromised. Looking
across a realtime window of /5 minutes, search for action ...
Aug 14, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET02Alter".

PT005-Microsoft-Windows (Narrative and Use Case Center)
... Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication
DS007AuditTrail DS007AuditTrailET01Clear DS007AuditTrailET02Alter Key Facts Impact to index/license Based on
log files ...
Aug 09, 2016
Labels: provider-type

DS008HRMasterData-ET01Joined
Information regarding a new person in the organization

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData-ET01Joined".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET01Joined".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET01Joined".

DS008HRMasterData-ET02SeperationNotice
Advance notice of separation for a human in the organization

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData-ET02SeperationNotice".

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET02SeperationNotice".

UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use Case Center)
Increase the risk score of users who have indication of adverse separation. Examples of users with an
indication of adverse separation include but are not limited to the following: User has entered a remediation
program with human resources User has been identified as included in a reduction ...
Apr 08, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET02SeperationNotice".

DS008HRMasterData-ET03SeperationImmediate
Final notice of separation for a human in the organization

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData-ET03SeperationImmediate".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET03SeperationImmediate".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET03SeperationImmediate".

DS009EndPointIntel-ET01ObjectChange
Change to an object such as file, registry, service or configuration

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS009EndPointIntel-ET01ObjectChange".

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel-ET01ObjectChange".

UCESS047 Prohibited Service Detected (Narrative and Use Case Center)
Looking across a realtime window of /5 minutes, run the macro service and return services where isprobhibited
is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output:
origeventid (macro creates hash of indexer, time and raw ...
Aug 14, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS009EndPointIntel-ET01ObjectChange".

DS009EndPointIntel-ET01ProcessLaunch
Endpoint product record of process launch

Consuming Use Cases

Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS009EndPointIntel-ET01ProcessLaunch".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending
on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel-ET01ProcessLaunch".

UCESS028 High Process Count (Narrative and Use Case Center)
Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For
the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the
max time by destination and compare ...
Aug 14, 2016

UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and Use Case Center)
Accounts designated for use by services and batch process should start a limited set of child processes.
Creation of new child processes other than the process name defined in the service or batch definition may
indicate compromise. Problem Types Addressed ...
Apr 08, 2016

UCESS046 Prohibited Process Detected (Narrative and Use Case Center)
Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes
where isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields
to the output: origeventid (macro creates hash of indexer, time and raw event ...
Aug 14, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET01SigDetected".

DS010NetworkCommunication-ET01Traffic
Communication event including a result (allowed/denied) logged at the time the connection is created

Consuming Use Cases

Essentials
Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication-ET01Traffic".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending
on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate
that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all
summary data even ...
Apr 26, 2016

UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could
indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions
(bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware

Maturing
Found 9 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET01Traffic".

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category
verify that communication (accept or reject) has occurred with origination from one or more authorized vulnerability
scanners. Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security
posture of the organization or actual/attempted compromise. Communication filtered by the default rule implies
no explicit permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016

UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security
posture of the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by
dvc; alert when a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB
devices, ensure the first "xforwardedfor" entry ...
Jun 24, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe
...
Apr 08, 2016

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port
with the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ...
Apr 08, 2016

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation
of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a
backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return
values ...
Aug 14, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET01Traffic".

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)
Cisco ASA is a multi-function firewall, VPN, and reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day
(average ...
Jul 25, 2016
Labels: provider-type

DS010NetworkCommunication-ET01TrafficAppAware
Communication event including a result (allowed/denied) logged at the time the connection is created

Consuming Use Cases

Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication-ET01TrafficAppAware".

UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intranetwork communication and accepted communications from the
internet Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016

Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET01TrafficAppAware".

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious
activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access
RV3MaliciousCode RV6Misconfiguration ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)
Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure;
indication of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions
indicate system probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET01TrafficAppAware".

PT009-SourceFire (Narrative and Use Case Center)
Provides DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT008-Snort (Narrative and Use Case Center)
Provides DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT006-PaloAlto Firewall (Narrative and Use Case Center)
Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

DS010NetworkCommunication-ET02State
Event indicating the state of the firewall has changed (start/stop block/noblock)

Consuming Use Cases

Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication-ET02State".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET02State".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET02State".

DS011MalwareDetonation-ET01Detection
Malware detonation systems, also known as sandboxing systems, execute potentially malicious code in a clean environment for the purpose of
collecting events related to its actions. Using automated and manual analysis, indicators can be determined which can inform additional breach
detection and prevention capability

Security Value
Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare and extreme over fields including sender,
recipient, IP and domain increasingly identifies actors and potential victims of email-based attacks
Forensic Investigation - Logs can be utilized to determine if actions from a user/host may indicate control by a third party

Event Types

Consuming Use Cases

Essentials
Found 4 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the
eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on
the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware

UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that
the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data
even ...
Apr 26, 2016

UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intranetwork communication and accepted communications from the
internet Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016

UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate
either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing
the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 12 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-*".

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify
communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners,
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016

UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc alert when
a rule is named in a allowed communication where the reviewed ...
Apr 27, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices
ensure the first "xforwardedfor" entry ...
Jun 24, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)


Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; indication
of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system
probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high number port with
the client such as ftp in passive mode and RPC on windows server. Utilize category ...
Apr 08, 2016

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016
Mature
Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".

UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify
communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners,
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016

UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016

UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc alert when
a rule is named in a allowed communication where the reviewed ...
Apr 27, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices
ensure the first "xforwardedfor" entry ...
Jun 24, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016

UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)


Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; indication
of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system
probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016

UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high number port with
the client such as ftp in passive mode and RPC on windows server. Utilize category ...
Apr 08, 2016

UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016

UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016

Providing Technologies
Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".

PT009-SourceFire (Narrative and Use Case Center)


Provides DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT008-Snort (Narrative and Use Case Center)


Provides DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT006-PaloAlto Firewall (Narrative and Use Case Center)


Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day
(average ...
Jul 25, 2016
Labels: provider-type

DS012NetworkIntrusionDetection-ET01SigDetection
What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls: IDS by exposing
successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS
is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to
provide greater intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it may also be used in layers at
other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting
specific IP addresses or ranges.

Security Value
Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare and extreme values over fields including IP and signature
to identify actors and potential victims of network vulnerability-based attacks
Forensic Investigation
Identify compromised or potentially compromised hosts based on exploitation data
Legal compliance
Utilize email logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases


Essentials
Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS012NetworkIntrusionDetection".

UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of
unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they
are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016

UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events.
Vulnerability scanners generally trigger a high number unique events when scanning a host since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016

UC0074 Network Intrusion Internal Network (Narrative and Use Case Center)
IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption
Phase SME Adoption Phase ...
May 09, 2016
Labels: prt05-tacticalthreat-ransomeware
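The two scanner detections listed above (UCESS061 by targets, UCESS060 by events) reduce to counting distinct values per source over a time window. The following Python routine is an added example and is not code from the use case repository or from any Splunk search it catalogs: the event line format, the addresses and signature names, and the thresholds of five distinct targets or five distinct signatures within a one-hour window are constructed assumptions. The authorized-scanner exclusion mirrors the svcnetworkscanner category exclusion this repository applies to similar use cases.

```python
"""Added example, not code from the Splunk use case repository: detect a
potential vulnerability scanner from IDS signature events, by distinct
targets (as in UCESS061) and by distinct signatures (as in UCESS060).
The event line format, addresses and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <src> <dest> <signature text>".
# 10.0.0.5 touches six hosts with six different signatures within seconds;
# 10.0.0.9 triggers one signature twice; its 09:05 event falls outside the window.
SAMPLE_IDS_LOG = """\
2016-09-17T09:05:00Z 10.0.0.9 10.0.1.20 SQL injection attempt
2016-09-17T10:00:01Z 10.0.0.5 10.0.1.10 WEB-MISC directory traversal
2016-09-17T10:00:02Z 10.0.0.5 10.0.1.11 WEB-MISC directory traversal
2016-09-17T10:00:03Z 10.0.0.5 10.0.1.12 WEB-PHP remote file include
2016-09-17T10:00:04Z 10.0.0.5 10.0.1.13 SQL injection attempt
2016-09-17T10:00:05Z 10.0.0.5 10.0.1.14 SMB share enumeration
2016-09-17T10:00:06Z 10.0.0.5 10.0.1.15 SNMP default community
2016-09-17T10:00:07Z 10.0.0.5 10.0.1.10 SSH version probe
2016-09-17T10:01:00Z 10.0.0.9 10.0.1.20 SQL injection attempt
2016-09-17T10:05:30Z 10.0.0.9 10.0.1.20 SQL injection attempt
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_ids_log(text):
    """Parse the constructed line format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dest, signature = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dest": dest,
            "signature": signature,
        })
    return events


def detect_scanners(events, field, threshold, window=timedelta(hours=1),
                    authorized=frozenset()):
    """Return sorted (src, distinct_count) pairs for sources that reached at least
    `threshold` distinct values of `field` in the window ending at the newest event.
    Sources in `authorized` (known scanners) are skipped, the way the repository
    excludes the svcnetworkscanner asset category."""
    if not events:
        return []
    end = max(e["time"] for e in events)
    start = end - window
    distinct = defaultdict(set)
    for e in events:
        if e["src"] in authorized or not (start < e["time"] <= end):
            continue
        distinct[e["src"]].add(e[field])
    return sorted((src, len(v)) for src, v in distinct.items() if len(v) >= threshold)


def scanners_by_targets(events, threshold=5, **kw):
    """UCESS061 analogue: many distinct destinations from one source."""
    return detect_scanners(events, "dest", threshold, **kw)


def scanners_by_events(events, threshold=5, **kw):
    """UCESS060 analogue: many distinct signatures from one source."""
    return detect_scanners(events, "signature", threshold, **kw)


if __name__ == "__main__":
    evs = parse_ids_log(SAMPLE_IDS_LOG)
    print("by targets:", scanners_by_targets(evs))
    print("by events: ", scanners_by_events(evs))
    print("10.0.0.5 authorized:", scanners_by_targets(evs, authorized={"10.0.0.5"}))
```

The window is anchored to the newest event rather than to wall-clock time so the routine behaves the same on replayed historical data; in a scheduled search the equivalent is the "past N minutes starting M minutes after realtime" phrasing used throughout this repository, which leaves room for late-arriving events.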
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS012NetworkIntrusionDetection-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS012NetworkIntrusionDetection-*".

Providing Technologies
Found 2 search result(s) for title:PT* contentBody:"DS012NetworkIntrusionDetection".

PT017-Trend-TippingPoint (Narrative and Use Case Center)
Trend Micro tippingpoint IPS product Provides DS012NetworkIntrusionDetectionET01SigDetection Key Facts


Impact to index/license Based on log files total size of message tracking log file over 7 days from devices where
local log collection ...
Jul 25, 2016
Labels: provider-type

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average
...
Jul 25, 2016
Labels: provider-type

DS013TicketManagement-ET01
Ticket management from tracking systems responsible for the security and operational health of the environment(s) provides a rich resource for
evaluating the effectiveness of the security program, as well as the detective and preventive controls in place.

Security Value

Continuous Monitoring - Monitoring the effective execution of triage and remediation activities.
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Establish a timeline of what was known, when and by whom

Event Types

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essentials" contentBody:"DS013TicketManagement-*".

Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS013TicketManagement-*".

UCESS058 Untriaged Notable Events (Narrative and Use Case Center)


Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return
notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status,
rule ...
Aug 14, 2016

UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center)
Define and maintain eventtypes for unsuppressed notable events separately identifying review work flow, and
triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption
Phase ...
Apr 27, 2016

UCESS051 Substantial Increase In Events (Narrative and Use Case Center)


Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all
summary data even if the model has changed, generate a count by signature and compare that count against the
previous hour and trigger if the signature is above medium ...
Aug 14, 2016
Mature
Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS013TicketManagement-*".

UCESS058 Untriaged Notable Events (Narrative and Use Case Center)


Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return
notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status,
rule ...
Aug 14, 2016

UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center)
Define and maintain eventtypes for unsuppressed notable events separately identifying review work flow, and
triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption
Phase ...
Apr 27, 2016

UCESS051 Substantial Increase In Events (Narrative and Use Case Center)


Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all
summary data even if the model has changed, generate a count by signature and compare that count against the
previous hour and trigger if the signature is above medium ...
Aug 14, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS013TicketManagement".

DS014WebServer-ET01Access
Web server logs allow attribution of activity to a specific source IP and, when authenticated, to a user. The logs are detailed records of every
transaction: every time a browser requests a web page, Apache logs details including the time, remote IP address, browser type and
page requested. Web servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate
permissions or problems with extension modules. Web server logs are critical in debugging both web application and server problems but are
also used to generate traffic statistics, track user behavior and flag security attacks such as attempted unauthorized entry or DDoS.

Event Types

Security Value
Continuous Monitoring
Monitoring server logs using analytic concepts such as new, rare and extreme values over fields including site, resource and IP to
identify actors and potential victims of attacks
Monitoring server logs using analytic concepts to identify potential DoS attacks by an increasing number of requests for sites or a
specific resource
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify scope of exploitation
Utilize log events to identify scope of time for an incident
Legal compliance
Utilize logs to support discovery and defense of legal claims.
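The monitoring bullets above, and UCESS021 (Excessive HTTP Failure Responses) listed under Maturing below, both start from parsed access log lines. As an added example that is not code from the use case repository or from Apache, the Python below parses the Apache combined log format, counts 4xx/5xx responses per source over a 60-minute window and counts requests per resource so a rising number for one resource can be trended. The sample lines, the RFC 5737 test addresses and the failure threshold of five are constructed assumptions.

```python
"""Added example, not code from the Splunk use case repository: parse Apache
combined-format access log lines and apply two of the detections described in
the text, excessive 4xx/5xx responses per source (as in UCESS021) and the
request count per resource that a DoS detection would trend.
Sample lines, addresses and thresholds are constructed assumptions."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" log format (RFC 5737 test addresses).
# 192.0.2.10 produces six 4xx/5xx responses within seconds; 192.0.2.20 browses
# normally; 192.0.2.30's 404 is old enough to fall outside the 60-minute window.
SAMPLE_ACCESS_LOG = """\
192.0.2.30 - - [17/Sep/2016:08:30:00 +0000] "GET /old HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Sep/2016:10:00:01 +0000] "GET /admin HTTP/1.1" 404 512 "-" "curl/7.47.0"
192.0.2.10 - - [17/Sep/2016:10:00:02 +0000] "GET /reports HTTP/1.1" 403 312 "-" "curl/7.47.0"
192.0.2.10 - - [17/Sep/2016:10:00:03 +0000] "POST /login HTTP/1.1" 401 244 "-" "curl/7.47.0"
192.0.2.10 - - [17/Sep/2016:10:00:04 +0000] "POST /login HTTP/1.1" 401 244 "-" "curl/7.47.0"
192.0.2.10 - - [17/Sep/2016:10:00:05 +0000] "POST /login HTTP/1.1" 500 198 "-" "curl/7.47.0"
192.0.2.10 - - [17/Sep/2016:10:00:06 +0000] "GET /missing HTTP/1.1" 404 512 "-" "curl/7.47.0"
192.0.2.20 - alice [17/Sep/2016:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.20 - alice [17/Sep/2016:10:00:11 +0000] "GET /style.css HTTP/1.1" 200 1024 "http://www.example.com/index.html" "Mozilla/5.0"
"""

# Apache combined format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; a malformed line is dropped, not fatal."""
    events = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        d["user"] = None if d["user"] == "-" else d["user"]  # "-" means unauthenticated
        events.append(d)
    return events


def in_window(events, window):
    """Keep events inside the window that ends at the newest event seen."""
    if not events:
        return []
    end = max(e["time"] for e in events)
    return [e for e in events if end - window < e["time"] <= end]


def excessive_failures(events, threshold=5, window=timedelta(minutes=60)):
    """Sources with at least `threshold` 4xx/5xx responses in the window (UCESS021 analogue)."""
    failures = Counter(e["src"] for e in in_window(events, window) if e["status"] >= 400)
    return sorted((src, n) for src, n in failures.items() if n >= threshold)


def requests_per_resource(events, window=timedelta(minutes=60)):
    """Request count per URI in the window; a jump for one resource is the DoS signal."""
    return Counter(e["uri"] for e in in_window(events, window))


if __name__ == "__main__":
    evs = parse_access_log(SAMPLE_ACCESS_LOG)
    print("excessive failures:", excessive_failures(evs))
    print("busiest resource:", requests_per_resource(evs).most_common(1))
```

Counting failures per source rather than per URI is what separates a misbehaving client from a broken page: a single deleted file produces many 404s from many sources, while one source producing many failures across several resources is the pattern UCESS021 is after.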

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS014WebServer".

Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS014WebServer-*".

UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative

UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use
Case Center)

Communication to any web application server without filtering by a network web application firewall indicates a
security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset
Information ...
Apr 27, 2016
Mature
Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS014WebServer-*".

UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative

UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use
Case Center)

Communication to any web application server without filtering by a network web application firewall indicates a
security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset
Information ...
Apr 27, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS014WebServer".

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average
...
Jul 25, 2016
Labels: provider-type

DS015ConfigurationManagement-ET01General
Configuration management solutions such as VMware vCenter, MAAS, Puppet, Chef, System Center Configuration Manager and System Center
Virtualization Manager. Events generated by these systems can provide valuable input to security investigations by providing information about
who applied which changes to systems. Additional information such as the base image utilized and birth and death timestamps provides data
useful to identify windows of vulnerability.

Security Value
Continuous Monitoring - Monitoring of privileged user activity such as change outside of windows, access to sensitive configuration
values or modification to critical controls
Forensic Investigation
Establish a time line of activities of a privileged user
Establish when controls were placed or removed on a specific host
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS015ConfigurationManagement*".

Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS015ConfigurationManagement*".

UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center)


Alerts when there are assets that define a specific priority and category but do not have an assigned owner.
Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the
category is not null and the length of the value in category is greater than ...
Aug 14, 2016
Mature
Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS015ConfigurationManagement*".

UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center)


Alerts when there are assets that define a specific priority and category but do not have an assigned owner.
Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the
category is not null and the length of the value in category is greater than ...
Aug 14, 2016

Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS014WebServer" NOT contentBody:"DS015ConfigurationManagement-*".

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)


Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success
DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor
DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection
DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average
...
Jul 25, 2016
Labels: provider-type

DS016DataLossPrevention-ET01Violation
Data loss prevention solutions can identify human and automated activities as they interact with restricted information creating an audit trail of
attempted actions and the systems response such as allow or block.

Security Value
Continuous Monitoring
Monitoring alerts indicating policy violation or attempted policy violation to prompt immediate action by security monitoring.
Monitoring alerts indicating excessive interaction with restricted information as possible indication of compromise
Forensic Investigation
Utilize events in contribution of other events to identify potential actors involved in targeted activity
Utilize events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Utilize logs to support documentation of compliance

Event Types

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS016DataLossPrevention".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS016DataLossPrevention-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS016DataLossPrevention-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS016DataLossPrevention".

DS017PhysicalSecurity-ET01Access
Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic strips affixed to
employee badges; however, locations with stringent security requirements may use some form of biometric reader or digital key. Regardless of
the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular
location. As digital systems, badge readers record information such as user ID, date and time of entry and perhaps a photo for each access
attempt. Motion and sensor indicators may also be useful in extreme situations where physical access is limited tightly.

Security Value
Forensic Investigation
Utilize log events to place a badge (single factor) or person (two factor bio/pin) in a specific location
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS017PhysicalSecurity".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS017PhysicalSecurity-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS017PhysicalSecurity-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS017PhysicalSecurity".

DS018VulnerabilityDetection-ET01SigDetected
Vulnerability by signature detected based on a signature or specified heuristics class

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS018VulnerabilityDetection-ET01SigDetected".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS018VulnerabilityDetection-ET01SigDetected".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS018VulnerabilityDetection-ET01SigDetected".

DS019PatchManagement-Applied

DS019PatchManagement-Eligable

DS019PatchManagement-Failed

DS020HostIntrustionDetection-ET01SigDetected
Host-based Intrusion Detection events provide signature based detection of changes that could weaken the security posture of the host based on
changes to entire files or specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the
environment.

Security Value
Continuous Monitoring - Monitoring of alerts generated to ensure the SOC triages events in a timely manner
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of email based attacks
Utilize log events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS020HostIntrustionDetection".

Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS020HostIntrustionDetection-*".

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify
communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners,
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
Mature
Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS020HostIntrustionDetection-*".

UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection for each asset with a governance category verify
communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners,
Problem Types Addressed Risk Addressed ...
Jul 12, 2016

UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices
ensure the first "xforwardedfor" entry ...
Jun 24, 2016

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS020HostIntrustionDetection".

DS021Telephony-ET01CDR
Real-time business communications no longer are limited to voice calls provided by Plain Old Telephone Service (POTS); instead, voice, video,
text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web
applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss,
making service quality and reliability much more sensitive to network conditions and server responsiveness. Traditional POTS has conditioned
people to expect immediate dial tone when picking up the phone and be intolerant of noise, echo or other problems that can plague IP telephony;
as such, the systems and supporting infrastructure require careful monitoring and management to assure quality and reliability. Voice over IP
protocol refers to several methods for transmitting real-time audio (and now video) information over an IP-based data network. Unlike traditional
phone systems using dedicated, point-to-point circuits, VoIP applications use packet-based networks to carry real-time audio streams that are
interspersed with other Ethernet data traffic. Since TCP packets may be delivered out of order due to data loss and retransmission, VoIP includes
features to buffer and reassemble a stream. Similarly, VoIP packets are usually tagged with quality of service (QoS) headers to prioritize their
delivery through the network.

Security Value
Forensic Investigation
Utilize log events in combination with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS021Telephony".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS021Telephony-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS021Telephony-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS021Telephony".

DS022Performance-ET01General
Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs
that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and
unusual events. By registering myriad system parameters, performance logs also can highlight mismatches between system capacity and
application requirements, such as a database using all available system memory and frequently swapping to disk. Application performance
management (APM) software provides end-to-end measurement of complex, multitier applications to provide performance metrics from an end
user's perspective. APM logs also provide event traces and diagnostic data that can assist developers in identifying performance bottlenecks or
error conditions. The data from APM software provides both a baseline of typical application performance and record of anomalous behavior or
performance degradation. Carefully monitoring APM logs can provide early warning to application problems and allow IT and developers to
remediate issues before users experience significant degradation or disruption. APM logs also are required to perform post-hoc forensic analysis
of complex application problems that may involve subtle interactions between multiple machines and/or network devices.

Security Value
Continuous Monitoring
Monitor system resources for increased utilization or exhaustion as a possible indication of a denial of service attack
Monitor system resources for increased utilization or exhaustion as a possible indication of a brute force attack
Forensic Investigation
Utilize log events in combination with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS022Performance".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS022Performance-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS022Performance-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS022Performance".

DS023CrashReporting-ET01General
Crash reports including summary of dumps, exceptions, and hangs can indicate attempts at exploitation of processes by malicious code or
significant programing errors allowing possible future exploitation or failure of business services.

Security Value
Continuous Monitoring
Monitor and triage occurrences as a possible indication of attack
Forensic Investigation
Utilize log events in combination with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS023CrashReporting".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS023CrashReporting-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS023CrashReporting-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS023CrashReporting".

DS024ApplicationServer-ET01General
Application server logs, covering the business application itself, middleware such as Tomcat, and runtime logs such as those of the Java
runtime, contain a wealth of information created as users and systems interact. Anomalies in the logs can indicate potential failures or
compromise attempts.

Security Value
Continuous Monitoring
Develop implementation-specific monitoring to alert security operations to potential issues created by external interaction
Forensic Investigation
Utilize log events in combination with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.

Event Types

Consuming Use Cases


Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS024ApplicationServer".

Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS024ApplicationServer-*".

Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS024ApplicationServer-*".

Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS024ApplicationServer".

Technology Provider View


Technology Providers roughly equate to Splunk Technology Add-ons. When working with pre-existing technology implementations, the user can
utilize this view to determine which use cases may be possible in a customer environment.

PT001-Microsoft-Exchange
The Microsoft Exchange collaboration platform is a significant information resource to many organizations. Representing both an information
storage solution and a channel of communication useful in various attacks, access monitoring is imperative.

Provides
DS001MAIL
DS001Mail-ET01Access
DS001MAIL-ET02Receive
DS001Mail-ET03Send
DS003Authentication Authentication occurs for
Administrative action
Active Sync
Exchange Web Services
Outlook Web Access
RPC (Deprecated)

Key Facts
Impact to index/license
Educated estimate: 3k * nm * nu = Total K per Day (average over at least 7 days dropping lowest 2)
nm = number of emails sent (recommend 40)
nu = weighted number of users
Educated estimate, option 2: 3k * actual message count = Total K per Day (average over at least 7 days dropping lowest 2)
Based on log files
total size of message tracking log file over 7 days from all exchange servers
total size of iis logs over 7 days from all exchange servers
Day 0 Impact: Customers frequently have no or a poor retention policy in place on the monitored files. This can result in a
large historical load impacting or exceeding the license utilization for that day. If implementing over multiple days, prepare
with a license reset key.
LOAD-Low: additional impact to the mail and web data models is in general minimal; inclusion will motivate additional search activity,
increasing utilization on IT Ops and Security search heads.
Work Estimates
Splunk Core Resource <2 hours
Change Control Process 3-4 hours
Meetings 1-2
Opposition: Low
Skills: SKILLI-Customer
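The sizing rules in the Key Facts above, carried into working code as an added example (not part of this repository or of any Splunk product): the educated estimate 3k * nm * nu, the 7-day trimmed average used for measured volumes, and the Day 0 backlog check that decides whether a staged rollout with a license reset key is needed. All volumes, user counts and license figures in it are constructed sample values.

```python
"""License-impact estimate for onboarding a new data source.

Added example (not from the Splunk use case repository): it implements the two
sizing rules stated under Key Facts, the educated estimate 3k * nm * nu and the
"average over at least 7 days dropping the lowest 2" rule for measured volumes,
plus the Day 0 backlog check for monitored files with no retention policy.
All sample volumes below are constructed.
"""
import math
from typing import Optional, Sequence

KB_PER_MESSAGE = 3               # the "3k" per message from the Key Facts
RECOMMENDED_MSGS_PER_USER = 40   # nm: the recommended starting value


def trimmed_daily_average(daily_values: Sequence[float]) -> float:
    """Average at least 7 daily samples after dropping the two lowest.

    Dropping the two lowest days removes weekend troughs so that the estimate
    tracks business-day volume instead of being pulled down by quiet days.
    """
    if len(daily_values) < 7:
        raise ValueError("need at least 7 daily samples, got %d" % len(daily_values))
    kept = sorted(daily_values)[2:]
    return sum(kept) / len(kept)


def educated_estimate_kb_per_day(weighted_users: int,
                                 msgs_per_user: int = RECOMMENDED_MSGS_PER_USER) -> int:
    """Option 1: 3k * nm * nu, used when no message counts are available yet."""
    return KB_PER_MESSAGE * msgs_per_user * weighted_users


def estimate_from_message_counts(daily_message_counts: Sequence[int]) -> float:
    """Option 2: 3k * actual message count, trimmed-averaged over the sample days."""
    return KB_PER_MESSAGE * trimmed_daily_average(daily_message_counts)


def day_zero_plan(existing_file_sizes_kb: Sequence[float],
                  steady_state_kb_per_day: float,
                  daily_license_kb: float) -> dict:
    """Day 0 impact: everything already on disk is indexed on the first day.

    Returns the backlog, the expected first-day total, whether that total
    would exceed the daily license, and how many days the backlog must be
    spread over so that no single day exceeds the license (None when the
    steady-state volume alone already breaks it).
    """
    backlog = float(sum(existing_file_sizes_kb))
    first_day = backlog + steady_state_kb_per_day
    headroom = daily_license_kb - steady_state_kb_per_day
    days_to_stage: Optional[int]
    if headroom <= 0:
        days_to_stage = None     # staging cannot help; the license itself is too small
    else:
        days_to_stage = max(1, math.ceil(backlog / headroom))
    return {
        "backlog_kb": backlog,
        "first_day_kb": first_day,
        "exceeds_license": first_day > daily_license_kb,
        "days_to_stage": days_to_stage,
    }


if __name__ == "__main__":
    # Constructed figures: 1000 weighted users, seven days of measured counts,
    # two large un-rotated tracking logs and a 100 MB/day license.
    print("option 1 KB/day:", educated_estimate_kb_per_day(1000))
    print("option 2 KB/day:", estimate_from_message_counts([100, 120, 1000, 1000, 1000, 1000, 1000]))
    print("day 0:", day_zero_plan([250000, 30000], 3000.0, 100000))
```

The trimmed average is the reason the procedure asks for at least seven days of samples: with fewer, dropping two days leaves too little to average. The `days_to_stage` value is what to agree with the customer before the first forwarder restart when `exceeds_license` is true.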

Data Acquisition Procedure Microsoft Exchange 2013


Deployment Servers
Stage the following apps to deployment-apps
TA-Exchange-2013-ClientAccess
TA-Exchange-2013-Mailbox
TA-Windows-2012-Exchange-IIS
Index app (one of)
SecKit_splunk_index_2_exchange_home
SecKit_splunk_index_2_exchange_vol
Review the inputs in the following apps with the Exchange SME, verify the monitor paths are correct for the customer
implementation and update in local as required
TA-Exchange-2013-ClientAccess_SecKit_0_inputs
TA-Exchange-2013-ClientAccess_SecKit_1_inputs
TA-Exchange-2013-Mailbox_SecKit_0_inputs
TA-Exchange-2013-Mailbox_SecKit_1_inputs
Update SecKit_all_deploymentserver_2_msexchange/local/serverclass.conf; define whitelist.0 to capture the host naming standard
for Exchange 2013 Client Access Servers

[serverClass:seckit_all_2_msexchange2013_cas_0]
whitelist.0 = ^-

Update SecKit_all_deploymentserver_2_msexchange/local/serverclass.conf; define whitelist.0 to capture the host naming standard
for Exchange 2013 Mailbox Servers

[serverClass:seckit_all_2_msexchange2013_1]
whitelist.0 = ^-

(Optional) Update SecKit_all_deploymentserver_2_msexchange/local/serverclass.conf; define whitelist.0 to capture the host naming
standard for Exchange 2013 Client Access Servers. This configuration group supports performance and specialized data collection
for Splunk App for Exchange

[serverClass:seckit_all_2_msexchange2013_cas_1]
whitelist.0 = ^-

(Optional) Update SecKit_all_deploymentserver_2_msexchange/local/serverclass.conf; define whitelist.0 to capture the host naming
standard for Exchange 2013 Mailbox Servers. This configuration group supports performance and specialized data collection for
Splunk App for Exchange

[serverClass:seckit_all_2_msexchange2013_mailbox_1]
whitelist.0 = ^-

PT002-Splunk-Stream
Splunk App for Stream is a scalable and easy-to-configure software solution that captures real-time streaming wire data from anywhere in your
datacenter or from any public Cloud infrastructure.

Provides
PT002-Splunk-Stream-DHCP
PT002-Splunk-Stream-DNS
PT002-Splunk-Stream-SMTP

Key Facts
Impact to index/license - Variable based on collection configuration see child pages
LOAD-Low - Variable based on collection configuration see child pages
Work Estimates
Splunk Core Resource <2 hours
Change Control Process 3-4 hours
Meetings 1-2
TAP
A dedicated deployment requires the addition of a capture server and the availability of a TAP on the desired network.
A coexistence deployment is possible with common open source IDS solutions such as Bro, Suricata, and Snort
HOST
Deployment on hosts such as common DNS and DHCP servers may only require deployment via the Splunk Deployment
Server
Opposition: Low
Skills: SKILLI-Customer

Data Acquisition Procedure Stream App 6.4


Decide where to install the Stream App. Typically this will be the Enterprise Security search head; however, if your ES search head is part
of a search head cluster you will need to use an ad-hoc search head, a dedicated search head or a deployment server.
Note: If using the deployment server (DS) you must configure the server to search the indexer or index cluster containing your stream data.
1. Install Splunk App for Stream using the standard procedures located here.
2. Configure Stream for collection per the protocol-specific instructions on the child pages.

PT002-Splunk-Stream-DHCP

PT002-Splunk-Stream-DNS
Provides
DS002DNS-ET01Query
DS002DNS-ET01QueryResponse
DS002DNS-ET01QueryRequest

PT002-Splunk-Stream-SMTP
Provides
DS001MAIL

PT003-ExtraHop

PT003-ExtraHop-DNS
Provides
DS002DNS-ET01Query
DS002DNS-ET01QueryResponse
DS002DNS-ET01QueryRequest

PT003-ExtraHop-SMTP
Provides
DS001MAIL

PT004-McAfee Web Gateway


Provides
DS003Authentication
DS005WebProxyRequest-ET01RequestedWebAppAware

PT005-Microsoft-Windows
Provides
DS003Authentication Authentication occurs for
User Authentication
Computer Authentication
DS007AuditTrail
DS007AuditTrail-ET01Clear
DS007AuditTrail-ET02Alter

Key Facts
Impact to index/license
Based on log files
total size of change in oswin* indexes over 7 days
Day 0 Impact: Customers frequently have no or a poor retention policy in place on the monitored files, and very large Windows
event logs to support problem resolution when no central solution exists. This can result in a large historical load impacting
or exceeding the license utilization for that day. If implementing over multiple days, prepare with a license reset key.
LOAD-Low: additional impact to the mail and web data models is in general minimal; inclusion will motivate additional search activity,
increasing utilization on IT Ops and Security search heads.
Work Estimates
Splunk Core Resource <4 hours
Change Control Process 3-4 hours (Possibly require multiple iterations)
Meetings 1-2
Opposition: Low
Skills: SKILLI-Customer

Data Acquisition Procedure Microsoft Windows XP/2008R2+


Data collection for security use cases today requires collection via the universal forwarder using the Windows event log classic format. Other
options such as WMI, Snare and Windows Event Log XML are known to produce search results that are not consistent with expected values.
Bitbucket Link https://bitbucket.org/rfaircloth-splunk/securitykit/src/8304061fc8c6f4a87f3a26adf51710f58b8fd375/base/ds/?at=master
Deployment Servers
Stage the following apps to deployment-apps
Splunk_TA_windows
Index app (one of)
SecKit_splunk_index_2_win_home
SecKit_splunk_index_2_win_vol
Splunk_TA_windows_SecKit_0_all_inputs
Splunk_TA_windows_SecKit_1_all_inputs
Splunk_TA_windows_SecKit_2_dcadmon_inputs
Splunk_TA_windows_SecKit_2_dcadmonsync_inputs
Splunk_TA_microsoft_ad
Splunk_TA_microsoft_ad_SecKit_0_all_inputs
Splunk_TA_microsoft_dns
Splunk_TA_microsoft_dns_SecKit_0_all_inputs
Update SecKit_all_deploymentserver_2_oswin/local/serverclass.conf; define whitelist.0 to capture the host naming standard
for Active Directory servers

[serverClass:seckit_all_2_os_windows_dc]
whitelist.0 = ^-

Update SecKit_all_deploymentserver_2_oswin/local/serverclass.conf; define whitelist.0 to include exactly one Active
Directory server per domain

[serverClass:seckit_all_2_os_windows_dc_admon_sync]
whitelist.0 = ^-

Wait until "sync" events are no longer streaming into index=appmsad; expect this to take 30-90 minutes
Replace the SecKit_all_deploymentserver_2_oswin/local/serverclass.conf entry above as follows, including 2-6 Active Directory
servers per domain

[serverClass:seckit_all_2_os_windows_dc_admon]
machineTypesFilter = windows-*
whitelist.0 = ^-
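A dry run of the serverclass whitelists before rollout, covering both the Exchange CAS/Mailbox classes above and the Active Directory dc_admon_sync and dc_admon classes in this section. This is an added example, not SecKit code: the whitelist.0 values and the host inventory are constructed stand-ins for the customer naming standard that the page leaves as a placeholder, and it assumes whitelist entries can be evaluated as regular expressions against the short hostname (Splunk's own matching also considers client name, IP and DNS name). The checks are the ones the procedure states: exactly one sync host per domain, 2-6 admon hosts per domain, and no host in both the CAS and Mailbox classes.

```python
"""Dry-run the serverclass.conf whitelists against the customer host list.

Added example, not part of the SecKit project or of this repository. It
assumes (a) the whitelist.0 values below, constructed stand-ins for the host
naming standard the page leaves as a placeholder, and (b) that whitelist
entries behave like Python regular expressions matched against the client's
short hostname, which is how the anchored patterns in the procedure read.
The host inventory is constructed as well.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed serverclass.conf fragment (hypothetical patterns). The Mailbox
# class is deliberately too loose to show what the overlap check catches.
SERVERCLASS_CONF = r"""
[serverClass:seckit_all_2_os_windows_dc_admon_sync]
whitelist.0 = ^corp-dc01$

[serverClass:seckit_all_2_os_windows_dc_admon]
machineTypesFilter = windows-*
whitelist.0 = ^corp-dc0[1-4]$

[serverClass:seckit_all_2_msexchange2013_cas_0]
whitelist.0 = ^corp-excas\d{2}$

[serverClass:seckit_all_2_msexchange2013_1]
whitelist.0 = ^corp-ex
"""

# Constructed host inventory: short hostname -> Active Directory domain.
HOSTS: Dict[str, str] = {
    "corp-dc01": "corp.example",
    "corp-dc02": "corp.example",
    "corp-dc03": "corp.example",
    "corp-excas01": "corp.example",
    "corp-exmbx01": "corp.example",
    "lab-dc01": "lab.example",
}


def parse_serverclass(conf: str) -> Dict[str, List[str]]:
    """Return {serverClass name: [whitelist patterns]} from serverclass.conf text."""
    classes: Dict[str, List[str]] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[serverClass:") and line.endswith("]"):
            current = line[len("[serverClass:"):-1]
            classes[current] = []
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.startswith("whitelist."):
                classes[current].append(value)
    return classes


def members(classes: Dict[str, List[str]], hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Hosts each class would enroll: any whitelist pattern matching the hostname."""
    result = {}
    for name, patterns in classes.items():
        regexes = [re.compile(p, re.IGNORECASE) for p in patterns]
        result[name] = sorted(h for h in hosts if any(r.search(h) for r in regexes))
    return result


def per_domain_violations(member_hosts: Iterable[str], domain_of: Dict[str, str],
                          low: int, high: int) -> Dict[str, int]:
    """Domains whose member count falls outside [low, high]; a domain with no member counts as 0."""
    counts = Counter(domain_of[h] for h in member_hosts)
    return {d: counts.get(d, 0) for d in sorted(set(domain_of.values()))
            if not low <= counts.get(d, 0) <= high}


def overlap(enrolled: Dict[str, List[str]], class_a: str, class_b: str) -> List[str]:
    """Hosts enrolled in both classes; CAS and Mailbox inputs should never both apply to one host."""
    return sorted(set(enrolled[class_a]) & set(enrolled[class_b]))


def audit(conf: str = SERVERCLASS_CONF, hosts: Dict[str, str] = HOSTS) -> dict:
    """Run every check from the procedure and return the findings."""
    enrolled = members(parse_serverclass(conf), hosts)
    return {
        "enrolled": enrolled,
        "sync_violations": per_domain_violations(
            enrolled["seckit_all_2_os_windows_dc_admon_sync"], hosts, 1, 1),
        "admon_violations": per_domain_violations(
            enrolled["seckit_all_2_os_windows_dc_admon"], hosts, 2, 6),
        "cas_mailbox_overlap": overlap(
            enrolled, "seckit_all_2_msexchange2013_cas_0", "seckit_all_2_msexchange2013_1"),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(finding, value)
```

With the constructed inventory the report shows two things worth fixing before the reload: the lab.example domain has no domain controller in either class, and the `^corp-ex` pattern enrolls the CAS host in the Mailbox class as well.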

PT006-PaloAlto Firewall
Provides
DS003Authentication
DS005WebProxyRequest-ET01RequestedWebAppAware
DS010NetworkCommunication-ET01TrafficAppAware

PT008-Snort
Provides
DS005WebProxyRequest-ET01RequestedWebAppAware
DS010NetworkCommunication-ET01TrafficAppAware

PT009-SourceFire
Provides
DS005WebProxyRequest-ET01RequestedWebAppAware
DS010NetworkCommunication-ET01TrafficAppAware

PT010-Websense
Provides
DS003Authentication
DS005WebProxyRequest

PT011-Bluecoat
Provides
DS003Authentication
DS005WebProxyRequest

PT012-Splunk-InternalLogging
The Splunk Enterprise Application includes extensive internal logging covering performance and usage.

Provides
DS003Authentication
DS003Authentication-ET01Success
DS003Authentication-ET02Failure
DS006UserActivity

Key Facts
Impact to index/license
None
LOAD-Low
Work Estimates
None
Meetings None
Opposition: Low
Skills: SKILLI-Customer

Data Acquisition Procedure


NA

PT013-ISCBIND-DNS
Provides
DS002DNS-ET01QueryResponse
DS002DNS-ET01QueryRequest

PT014-PhysicalAccessControl

PT015-Linux-Deb/RH
Provides
DS003Authentication Authentication occurs for
User Authentication

Key Facts
Impact to index/license
Based on log files
average size of change in osnix* indexes over 7 days
Day 0 Impact: Customers frequently have no or a poor retention policy in place on the monitored files, and very large Windows
event logs to support problem resolution when no central solution exists. This can result in a large historical load impacting
or exceeding the license utilization for that day. If implementing over multiple days, prepare with a license reset key.
LOAD-Low: additional impact to the authentication data models
Work Estimates (presumes no deviation from the OS default configuration of the syslog service)
Splunk Core Resource <4 hours
Change Control Process 3-4 hours (Possibly require multiple iterations)
Meetings 1-2
Opposition: Low
Skills: SKILLI-Customer

Data Acquisition Procedure Supported versions of RedHat and Debian based OSes
Bitbucket Link https://bitbucket.org/rfaircloth-splunk/securitykit/src/8304061fc8c6f4a87f3a26adf51710f58b8fd375/base/ds/?at=maste
Nix Deployment Servers and Cluster Masters
Deploy the following apps from base/ds/deployment-servers
Splunk_TA_nix
TA-linux_auditd
SA-LinuxAuditd
Index app (one of)
SecKit_splunk_index_1_splunk_vol
SecKit_splunk_index_1_splunk_home
Splunk_TA_nix_SecKit_0_all_inputs
Splunk_TA_nix_SecKit_1_all_inputs
Stage the following apps to deployment-apps
Splunk_TA_nix
TA-linux_auditd
SA-LinuxAuditd
Index app (one of)
SecKit_splunk_index_1_splunk_vol
SecKit_splunk_index_1_splunk_home
Splunk_TA_nix_SecKit_0_all_inputs
Splunk_TA_nix_SecKit_1_all_inputs

# allow the splunk user to list and traverse /var/log
sudo /usr/bin/setfacl -m "u:splunk:r-x" /var/log
# allow the splunk user to read the files already present directly under /var/log
sudo /usr/bin/setfacl -m "u:splunk:r--" /var/log/*
# default ACL so that files created later directly in /var/log are readable as well
sudo /usr/bin/setfacl -m d:user:splunk:r /var/log

PT016-Cisco-ASA/PIX/FWSM
The Cisco ASA is a multi-function firewall, VPN and reverse proxy device.

Provides
DS003Authentication-ET01Success
DS003Authentication-ET02Failure
DS003Authentication-ET02FailureBadFactor
DS010NetworkCommunication-ET01Traffic
DS012NetworkIntrusionDetection-ET01SigDetection
DS014WebServer-ET01Access

Key Facts
Impact to index/license
Educated estimate: 3k * nm * nu = Total K per Day (average over at least 7 days dropping lowest 2)
nm = number of emails sent (recommend 40)
nu = weighted number of users
Educated estimate, option 2: 3k * actual message count = Total K per Day (average over at least 7 days dropping lowest 2)
Based on log files
total size of message tracking log file over 7 days from devices where local log collection is enabled
Day 0 Impact: none, no prior logs can be collected
LOAD-Low: additional impact to the mail and web data models is in general minimal; inclusion will motivate additional search activity,
increasing utilization on IT Ops and Security search heads.
Work Estimates
Splunk Core Resource <2 hours
Change Control Process 3-4 hours
Meetings 1-2
Opposition: Low
Skills: SKILLI-Customer

Data Acquisition Procedure ASA


Prerequisites
Ensure the static or dynamic asset inventory contains ip, nt_host and dns entries for the management interface of each device
  PCI_DOMAIN per enterprise requirements
  category: vendor_Cisco
  category: product_ASA
  category (one or more): svc_firewall svc_ips svc_vpn
  is_expected true
ASA configured
  with current supported vendor firmware
  time sync enabled
  clock set to GMT
Ensure reverse and forward DNS entries exist for each device
Index: firewall

Step-by-step guide
1. Deploy TA
   a. Deployment Server
      i. Unzip Splunk_TA_cisco-asa.zip to $SPLUNK_HOME/etc/deployment-apps
      ii. Create Splunk_TA_cisco-asa/local/props.conf

         # Note: the following transforms are undesirable because they will not match,
         # so TRANSFORMS-force_sourcetype_for_cisco is set to an empty value in these stanzas
         [source::tcp:514]
         TRANSFORMS-force_sourcetype_for_cisco =
         [source::udp:514]
         TRANSFORMS-force_sourcetype_for_cisco =
         [syslog]
         TRANSFORMS-force_sourcetype_for_cisco =
         # Custom source type for initially routing data
         [syslog:cisco]
         TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

      iii. Update
   b. Cluster Master(s)
      i. Apply Cluster Bundle
2. Deploy Syslog inputs.conf
3. Deploy syslog-ng configuration
4. Deploy VIP
5. Configure the ASA
   a. Configure logging to the syslog collector:

      logging enable
      logging host interface_name ip_address tcp/514
      logging permit-hostdown
      logging trap 6
      logging buffered 6
      logging facility 20

PT017-Trend-TippingPoint
The Trend Micro TippingPoint IPS product

Provides
DS012NetworkIntrusionDetection-ET01SigDetection

Key Facts
Impact to index/license
Based on log files
total size of message tracking log file over 7 days from devices where local log collection is enabled
Day 0 Impact: none, no prior logs can be collected
LOAD-Low: additional impact to the mail and web data models is in general minimal; inclusion will motivate additional search activity,
increasing utilization on IT Ops and Security search heads.
Work Estimates
Splunk Core Resource <2 hours
Change Control Process 3-4 hours
Meetings 1-2
Opposition: Low
Skills: SKILLI-Customer

Data Acquisition Procedure


Prerequisites
a. Ensure the static or dynamic asset inventory contains ip, nt_host and dns entries for the management interface of each
   device
   PCI_DOMAIN per enterprise requirements
   category: vendor_TrendMicro
   category: product_Tippingpoint
   category (one or more): EPP
   is_expected true
b. Syslog Configuration
   i. SMS Configuration
      1. Open the SMS console
      2. Go to Admin, System Properties
      3. Click Add under Remote Syslog for Events
         a. Syslog Server: IP of syslog server
         b. Port: 514
         c. Log Type: SMS 2.0/2.1 Syslog format
         d. Facility: Local 7
         e. Severity: Severity in Event
         f. Delimiter: TAB
      4. Select "Use Original Event Timestamp"
      5. Select "Include SMS Hostname in Header"
      6. Click "OK"

Enrichment Data View


Enrichment data represents types of data utilized to provide color, context, or assessment when applied to events from a data source. Such feeds
allow more refined searches producing better, more useful results.
DE001AssetInformation Creating or having access to a robust asset inventory is a foundational activity because it is
critical for a security team to know what it is defending before there can be any hope of securing it. Indeed, many
attackers succeed because they have a deeper understanding of the target environment than the teams who are tasked
with defending them thus increasing their attack surface. The Assets and Identities framework in Splunk Enterprise
Security provides a simple yet very useful way to store asset data and correlate it with activity observed across the environment.
DE002IdentityInformation

Provider Types
Provider types are linkages to vendor and customer technologies which are believed or have been field validated to support the use cases
identified.

DE001AssetInformation

Creating or having access to a robust asset inventory is a foundational activity because it is critical for a security team to know what it is defending
before there can be any hope of securing it. Indeed, many attackers succeed because they have a deeper understanding of the target
environment than the teams who are tasked with defending them thus increasing their attack surface. The Assets and Identities framework in
Splunk Enterprise Security provides a simple yet very useful way to store asset data and correlate it with activity observed across the
environment. An asset for the purpose of security monitoring is an authorized presence on the internal network which may be identified as a
source or destination network address by IP address, MAC address, hostname, or fully qualified domain name.

Prioritization
The same type of events on two different systems may not deserve the same level of attention; a medium severity event against a desktop
machine is less urgent than the same issue against an externally facing web server that processes credit card information. Asset management
allows an urgency to be computed based on the priority of hosts and assign higher urgency to high priority assets.

Categorization
Asset management allows information about the assets to be added to events. For example, identity management can look up the source of an
event and find the location of the asset, indicate whether the source is subject to PCI compliance or identify the owner.

Normalization
Asset management allows hosts to be normalized and determine whether two events relate to the same host. For example, two events may use
different information to refer to the host; one event may use an IP address and another event may use a DNS name. Identity management can
determine that both of the events are for the same host by recognizing that the IP address and DNS name are for the same host.

The following table describes each field (Field, Description, Example):

ip
  Description: single value of IP address (can be a range).
  Example: 2.0.0.0/8, 1.2.3.4, 192.168.15.9-192.169.15.27
mac
  Description: single value of the MAC address of the host (can be a range).
  Example: 00:25:bc:42:f4:60, 00:25:bc:42:f4:60-00:25:bc:42:f4:6F
nt_host
  Description: single value of the Windows machine name of the host.
  Example: ACME-0005
dns
  Description: single value of the DNS name of the host.
  Example: acme-0005.corp1.acmetech.com
owner
  Description: the name of the user who owns or uses the host.
  Example: user principal name or email address of the asset owner, or primary contact
priority
  Description: the priority of the host.
  Example: must be one of the following: unknown, informational, low, medium, high or critical
lat
  Description: the latitude of the asset.
  Example: 41.040855
long
  Description: the longitude of the asset.
  Example: 28.986183
city
  Description: the city in which the asset is located.
  Example: Chicago
country
  Description: the country in which the asset is located.
  Example: USA
bunit
  Description: the business unit of the asset.
  Example: emea
category
  Description: one or more categories for the asset. To specify multiple categories for an asset, use a vertical bar. To use this field, you must set up the category list.
  Example: server
pci_domain
  Description: used to identify assets which should be included in reporting or alerting used to support PCI compliance.
  Example: trust, trust|wireless, trust|cardholder, trust|dmz, untrust (note: this value is the default when left blank)
is_expected
  Description: indicates whether events from this asset should always be expected; if set to true, then an alert will be triggered when this asset quits reporting events.
  Example: true (leave blank to indicate "false")
should_timesync
  Description: indicates whether this asset must be monitored for time-syncing events. If true, then an alert will be triggered if the host has not performed a time-sync event (such as an NTP request).
  Example: true (leave blank to indicate "false")
should_update
  Description: indicates whether this asset must be monitored for system update events.
  Example: true (leave blank to indicate "false")
requires_av
  Description: indicates whether this asset must have anti-virus software installed.
  Example: true (leave blank to indicate "false")
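How the asset fields above are consumed, as an added example that re-implements the table's semantics in Python rather than Splunk Enterprise Security's own lookup code: ip may be a single address, CIDR or range; priority is an enumerated value; the boolean columns are "true" or blank; category and pci_domain are pipe-delimited, with a blank pci_domain meaning untrust. It validates rows before they are loaded and shows the normalization case from the text, an IP address and a DNS name resolving to the same asset. The asset rows and event values are constructed.

```python
"""Resolve event sources to asset records and validate asset lookup rows.

Added example, not part of Splunk Enterprise Security or this repository: a
small re-implementation of the field semantics in the asset table (ip may be a
single address, CIDR or 'first-last' range; priority is an enumerated value;
boolean fields are "true" or blank; category and pci_domain are pipe-delimited).
All asset rows and event values below are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

PRIORITIES = ("unknown", "informational", "low", "medium", "high", "critical")
PCI_DOMAINS = ("trust", "untrust", "wireless", "cardholder", "dmz")
BOOL_FIELDS = ("is_expected", "should_timesync", "should_update", "requires_av")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample rows using the table's columns (a missing column means blank).
ASSETS: List[Dict[str, str]] = [
    {"ip": "10.20.0.0/16", "owner": "netops@acme.example", "priority": "low",
     "category": "workstation", "pci_domain": "", "bunit": "emea"},
    {"ip": "192.0.2.10-192.0.2.20", "mac": "00:25:bc:42:f4:60", "nt_host": "ACME-WEB01",
     "dns": "web01.acme.example", "owner": "webops@acme.example", "priority": "critical",
     "category": "server|web", "pci_domain": "trust|cardholder|dmz", "is_expected": "true"},
    {"ip": "203.0.113.7", "nt_host": "ACME-JUMP01", "priority": "high",
     "category": "server", "pci_domain": "trust", "should_timesync": "true"},
]


def _ip_in_spec(spec: str, ip: IPAddress) -> bool:
    """True if ip falls inside spec: a single address, a CIDR block or a 'first-last' range."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return first.version == ip.version and first <= ip <= last
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(spec) == ip


def validate_asset(row: Dict[str, str]) -> List[str]:
    """Problems a row would cause in the asset lookup (an empty list means the row is fine)."""
    problems = []
    try:  # parse the ip cell by probing it with a throwaway address
        _ip_in_spec(row.get("ip", ""), ipaddress.ip_address("0.0.0.0"))
    except ValueError:
        problems.append("ip: not an address, CIDR or range: %r" % row.get("ip"))
    mac = row.get("mac", "")
    if mac and not all(MAC_RE.match(p.strip()) for p in mac.split("-")):
        problems.append("mac: malformed: %r" % mac)
    if row.get("priority", "") not in PRIORITIES:
        problems.append("priority: must be one of %s" % ", ".join(PRIORITIES))
    for domain in filter(None, row.get("pci_domain", "").split("|")):
        if domain not in PCI_DOMAINS:
            problems.append("pci_domain: unknown value %r" % domain)
    for field in BOOL_FIELDS:
        if row.get(field, "") not in ("", "true"):
            problems.append("%s: must be 'true' or blank" % field)
    return problems


def lookup_asset(key: str, assets: List[Dict[str, str]] = ASSETS) -> Optional[Dict[str, str]]:
    """Asset an event's src/dest value refers to, by IP, MAC, nt_host or dns (names case-insensitive)."""
    needle = key.strip().lower()
    try:
        ip: Optional[IPAddress] = ipaddress.ip_address(needle)
    except ValueError:
        ip = None
    for row in assets:
        if ip is not None and row.get("ip") and _ip_in_spec(row["ip"], ip):
            return row
        names = {row.get(f, "").lower() for f in ("mac", "nt_host", "dns")} - {""}
        if ip is None and needle in names:
            return row
    return None


def pci_domains(row: Dict[str, str]) -> set:
    """pci_domain normalized to a set; blank means 'untrust' as the table states."""
    values = {v for v in row.get("pci_domain", "").split("|") if v}
    return values or {"untrust"}


def same_asset(a: str, b: str) -> bool:
    """Normalization check: do two event values (an IP and a DNS name, say) name one asset?"""
    row_a, row_b = lookup_asset(a), lookup_asset(b)
    return row_a is not None and row_a is row_b
```

Running `validate_asset` over every row before the lookup is loaded catches the two failures that surface later as silent misses: a malformed ip cell that never matches any event, and a priority outside the enumerated set, which leaves urgency undefined.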

DE002IdentityInformation
An identity (for the purpose of security monitoring) is an authorized or previously authorized presence on the network which may be identified as a
source or destination account. Multiple records are grouped together by account to identify one human identity or nonhuman application.

Prioritization
The same type of events on two different systems may not deserve the same level of attention; a medium severity event against a marketing user
is less urgent than the same issue against an assistant to the CEO. Identity management allows an urgency to be computed based on the priority
of identities.

Categorization
Identity management allows information about the assets to be added to events. For example, categories such as executive, legal, pci, or hr can
inform the analyst of the types of information at risk should the user's access be used maliciously.

Normalization
Identity management allows accounts to be normalized; regardless of the account name or format used in a specific log, the identity will be
available for evaluation in the rule or by the analyst.
The following table describes the fields:

Column          Description                                                 Examples
Identity (key)  Pipe-delimited list of usernames representing the identity  system | manager, admin | ESadmin, PS | BD
prefix          Prefix of the identity                                      Mr., Mrs., Ms., Dr.
nick            Nickname of the identity                                    Bobby, Spud, Dr. Z
first           First name of the identity                                  Gordon
last            Last name of the identity                                   Trisler
suffix          Suffix of the identity                                      Jr., Esq., M.D.
email           Email address of the identity                               accounting@acmetech.com, gntrisler@acmetech.com
phone           Telephone number of the identity                            +1 (800)555-8924
phone2          Secondary telephone number of the identity                  +1 (800)555-7152
managedBy       Username representing the manager of the identity           lietzow.tim, a.koski
priority        Priority of the identity                                    Value can be "low", "medium", "high", or "critical"; for instance, CEO would be "critical"
bunit           Business unit of the identity                               emea, americas
category        Category of the identity; can be a pipe-delimited list      intern, officer, pip, pci | secure, default | privileged
watchlist       Is the identity on a watchlist?                             Value can be "true" or "false"
startDate       Start/Hire date of the identity                             Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s
endDate         End/Termination date of the identity                        Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s
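As an added example (not part of the repository), the following Python resolves raw account names from events against a constructed identity lookup in the layout above and derives an urgency from the identity's priority and the event severity, illustrating the prioritization, categorization and normalization points. The normalization rules, the urgency formula and every sample row are assumptions for illustration, not the product's own logic.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample identity lookup using the column layout described above.
# All rows are invented for illustration; none describe a real organisation.
IDENTITY_CSV = """\
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate
gtrisler|ACME\\gtrisler,Mr.,Gordo,Gordon,Trisler,,gntrisler@acmetech.com,+1 (800)555-8924,,lietzow.tim,critical,americas,executive|pii,false,01/15/2010 09:00,
jdoe|ACME\\jdoe,Ms.,,Jane,Doe,,jdoe@acmetech.com,,,a.koski,low,emea,marketing,false,03/01/2015 09:00,
svc_backup,,,,,,,,,,medium,americas,nha|privileged,true,06/30/2014 00:00,
"""

# Ordinal scale shared by identity priority and event severity.
LEVELS = ["low", "medium", "high", "critical"]


@dataclass
class Identity:
    key: str
    priority: str
    bunit: str
    categories: list
    watchlist: bool
    managed_by: str


def normalize_account(raw):
    """Reduce the forms an account name takes in logs to one comparable token.

    Assumed conventions: case-insensitive; 'DOMAIN\\user' and 'user@realm'
    collapse to the bare user part. Deployments tune such rules per data source.
    """
    name = raw.strip().lower()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def load_identities(csv_text):
    """Build an alias -> Identity index; aliases are the pipe-delimited usernames
    of the identity column plus the email address, all normalized."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ident = Identity(
            key=row["identity"],
            priority=row["priority"] or "low",
            bunit=row["bunit"],
            categories=[c for c in row["category"].split("|") if c],
            watchlist=row["watchlist"].lower() == "true",
            managed_by=row["managedBy"],
        )
        aliases = row["identity"].split("|")
        if row["email"]:
            aliases.append(row["email"])
        for alias in aliases:
            index[normalize_account(alias)] = ident
    return index


def resolve_identity(index, raw_account):
    """Normalization: any logged form of the account maps to the same identity."""
    return index.get(normalize_account(raw_account))


def urgency(priority, severity):
    """Prioritization: combine identity priority with event severity.

    Assumed formula (rounded-up midpoint of the two ordinal levels), standing in
    for the product's own urgency table, which this page does not reproduce.
    """
    p = LEVELS.index(priority)
    s = LEVELS.index(severity)
    return LEVELS[(p + s + 1) // 2]


def triage(index, event):
    """Enrich one event ({'user': ..., 'severity': ...}) with identity context.
    An unknown identity is assumed to carry the default priority 'low'."""
    ident = resolve_identity(index, event["user"])
    if ident is None:
        return {"identity": None, "urgency": urgency("low", event["severity"]),
                "categories": [], "watchlist": False, "bunit": None}
    return {
        "identity": ident.key,
        "urgency": urgency(ident.priority, event["severity"]),
        "categories": ident.categories,   # categorization: what is at risk
        "watchlist": ident.watchlist,
        "bunit": ident.bunit,
    }


IDENTITIES = load_identities(IDENTITY_CSV)
```

The same medium-severity event yields urgency "medium" for the marketing user but "high" for the critical-priority executive, which is the distinction the prioritization paragraph describes.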

Copyright 2016, Splunk Inc.

Adoption Narratives


Adoptable Compliance and Security Narratives


Adoptable Compliance and Security Narratives are use cases developed by consultants or gathered from industry knowledge for implementation
on the Splunk Platform, typically utilizing the advanced capabilities of Enterprise Security to reduce time to value.

UC0001 Detection of new/prohibited web application A prohibited web application such as Box or a game on the Facebook
platform can be detected and filtered by modern web proxy solutions and next generation firewalls. Allowed prohibited
applications or New application instances should be reviewed to ensure proper use.
UC0002 Detection of prohibited protocol (application) A prohibited protocol such as IRC, FTP, or gopher could indicate
malicious activity or the implementation of an insecure system on the network. Consider intranetwork communication and
accepted communications from the internet
UC0003 Server generating email outside of approved usage Server operating systems often generate email for routine
purposes. Configuration management can be used to identify which server may generate email and what recipients are
permitted.
UC0004 Excessive number of emails sent from internal user Excessive email generation by an authorized user could indicate
the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business
problem using a technique not approved by policy. For this use case, email generated from endpoint networks and
operating systems should be considered. Servers often can impersonate users for the purpose of email transmission;
when this is allowed in an environment, these could generate false positives.
UC0005 System modification to insecure state Authorized or unauthorized users may attempt to modify the system such that
hardened configuration policies are removed or security monitoring tools are disabled.
UC0006 Windows security event log purged Manually clearing the security event log on a windows system is a violation of
policy and could indicate an attempt to cover malicious actions.
UC0007 Account logon successful method outside of policy The logon event properties could indicate account misuse in
violation of policy OR as an indication of compromise by comparing the identified purpose of the account to the context of
the logon to determine if the account is authorized for such usage.
UC0008 Activity on previously inactive account Excluding computer accounts in active directory, an account with new activity
that has not been active in the previous thirty days is suspicious.
UC0009 Authenticated communication from a risky source network An Internet facing authentication system has allowed
authenticated access from a risky source network.
UC0010 Detect unauthorized use of remote access technologies Identify users gaining access via an unapproved or unknown
access control. This could indicate malicious activity or an internal control failure.
UC0011 Improbable distance between logins Utilizing source IP address, geolocation data, and where available for
company owned mobile devices, GPS for mobile devices. Using the Haversine algorithm, calculate the distance between
the authenticated successful connections.
UC0012 Increase risk score of employees once adverse separation is identified or anticipated Increase the risk score of users
who have indication of adverse separation.
UC0013 Monitor change for high value groups Detection of change for groups used to control access for sensitive,
regulated, or critical infrastructure systems.
UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted A human user may own
multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no further
activity from any other account owned by the user.
UC0015 Privileged user accessing more than expected number of machines in period Privileged user authenticates to more than
X number of new targets successfully or is denied access to more than Y targets in the prior Z hours.
UC0016 Successfully authenticated computer accounts accessing network resources Batch, Windows Services, App Pools, and
specially constructed Windows shells can access network resources. A small number of technical solutions will require
this type of behavior, however, after excluding a white list of hosts or shares (such as sysvol or netlogon), such access
attempts (success or fail) could indicate the presence of malware or attempts to elevate access. Exclude infrastructure file
servers.
UC0017 Unauthorized access or risky use of NHA Detect the use of a Windows account designated by the organization as a
non human account (NHA) outside of the normal usage of such an account.
UC0018 Unauthorized access SSO brute force Single IP address attempting authentication of more than two valid users
within ten minutes where one or more unique accounts is successful, and one or more accounts is not successful against
an approved SSO System.
UC0019 User authenticated to routine business systems while on extended absence A user on leave, vacation, sabbatical, or
other types of leave should not access business systems. This could indicate malicious activity by the employee or a
compromised account.
UC0020 Attempted communication through external firewall not explicitly granted Any attempted communication through the
firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind
the firewall to be vulnerable) or malicious actions (bypassing the firewall).
UC0021 Communication outbound to regions without business relationship Outbound communication with servers hosted in
regions where the organization does not expect to have employees, customers, or suppliers.
UC0022 Endpoint communicating with an excessive number of unique hosts Endpoints attempting to communicate with an
excessive number of unique hosts over a given time period may indicate malicious code. Exclude category
svc_network_scanner
UC0023 Endpoint communicating with an excessive number of unique ports Endpoints communicating with an excessive
number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications
will arrange for communication on a high number port with the client such as ftp in passive mode and RPC on windows
server. Utilize category wl_hv_open_client_ports
UC0024 Endpoint communicating with external service identified on a threat list. Superseded by UCESS053 Threat Activity
Detected
UC0025 Endpoint Multiple devices in 48 hours in the same site Multiple infected devices in the same site could indicate a
successful watering hole attack. Monitor for more than 5% of the hosts in a site.
UC0026 Endpoint Multiple devices in 48 hours in the same subnet Multiple infected devices in the same subnet could indicate
lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is
not readily possible to know how many hosts are active on a subnet.
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit Multiple infected devices in the
same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an
organizational unit.
UC0028 Endpoint Multiple infections over short time Multiple infections detected on the same endpoint in a short period of
time could indicate the presence of an undetected loader malware component (apt).
UC0029 Endpoint new malware detected by signature When a new malware variant is detected by endpoint antivirus
technology, it is possible that the configuration or capability of other controls is deficient. Review the sequence of events
leading to the infection to determine if additional preventive measures can be put in place.
UC0030 Endpoint uncleaned malware detection Endpoint with malware detection where anti malware product attempted to
and was unable to clean, remove or quarantine.
UC0031 Non human account starting processes not associated with the purpose of the account Accounts designated for use by
services and batch process should start a limited set of child processes. Creation of new child processes other than the
process name defined in the service or batch definition may indicate compromise.
UC0032 Brute force authentication attempt When more than 10 failed authentication attempts for known accounts occur
from a single endpoint.
UC0033 Brute force authentication attempt distributed When more than 10 failed authentication attempts for known accounts
occur for a single account from more than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a
specific high value account and is attempting to gain access.
UC0034 Brute force successful authentication If a source IP identified by a brute force use case authenticates successfully
OR an account identified by a brute force use case successfully logs in after failing once from the same source address.
UC0035 Compromised account access testing Following a successful authentication, an attacker will attempt to determine
what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the
attacker will enumerate and browse to shares, access email, access web applications, or connect to databases yet
perform minimal or no activity.
UC0036 Compromised account access testing (Critical/Sensitive Resource) Following a successful authentication, an attacker
will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect
activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect
to databases yet not perform any or minimal activity. Critical and Sensitive systems during routine use should not log
access denied events.
UC0037 Network Intrusion External - New Signatures External IDS devices reporting an attack using a signature not
previously encountered are more likely to be successful, as new signatures are prompted by newly known attacks in the wild.
UC0038 Excessive use of Shared Secrets Usage of greater than X number of unique shared/secret credentials or more
than 1 standard deviation from peers
UC0039 Use of Shared Secret for access to critical or sensitive system Use of a secret/shared secret account for access to
such a system rather than accountable credentials could indicate an attempt to avoid detection.
UC0040 Use of Shared Secret for or by automated process with risky attributes Usage (checkout) by an automated process
such as software installation of a shared secret or service account where the source of the retrieval is new or outside of
the change window.
UC0041 SSH v1 detected Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently
insecure; accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions
indicate system probing or scanning.
UC0042 SSH Authentication using unknown key The public key utilized for authentication is recorded in the SSHD
authentication log. Detection of a new key should be investigated to determine the owner of the key and validate
authorization to access the resource.
UC0043 Direct Authentication to NHA Direct authentication via SSH or console session to a non human account indicates a
violation of security policy by recording the password of a non human account for later use or by association of a SSH key
to a non human account.
UC0044 Network authentication using password auth Even using SSH encryption, allowing password authentication to
Linux/Unix systems over the network increases the attack surface and the possible impact of a compromised account.
Investigate and resolve all instances of network authentication utilizing password.
UC0045 Local authentication server Following provisioning, nix servers seldom require local administration. Investigate any
use of local authentication as it may indicate an attempt to compromise the host via KVM or virtual console.
UC0046 Endpoint failure to sync time Failure to synchronize time will impact the usefulness of security log data from the
endpoint, and potentially prevent valid authentication.
UC0047 Communication with newly seen domain Newly seen domains may indicate interaction with risky or malicious
servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore
the relevant data and potentially identify weaknesses or risky behavior that would otherwise not be identified. The daily number of new
domains will be substantial in a typical organization; the search will select a subset of those for triage.
UC0049 Detection of DNS Tunnel Endpoint utilizing DNS as a method of transmission for data exfiltration, command and
control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries.
UC0051 Excessive physical access failures to CIP assets A user with continuous physical access failures could be someone
searching for a physical vulnerability within the organization. When this occurs in an area that is protecting CIP assets, it
is something that should be followed up on immediately.
UC0052 Non-CIP user attempts to access CIP asset CIP assets require special protections; therefore, users that have not
been vetted for CIP access, or should have had their access removed, should not have access. System owners should
be notified immediately should a non-CIP user attempt to access a CIP asset.
UC0065 Malware detected compliance asset Malware detection on an asset designated as compliance such as PCI, CIP or
HIPAA requires review even when automatic clean has occurred.
UC0071 Improbably short time between Remote Authentications with IP change For employers that allow remote external
connectivity the detection of two or more distinct values of external source IP address for successful authentications to a
remote access solution in a short period of time indicates a likely compromise of credentials.
UC0072 Detection of unauthorized use of DNS resolution for WPAD Detection of an endpoint utilizing DNS as a method of
proxy discovery by querying for wpad.registrationdomain. Search for NXDOMAIN replies to A/AAAA queries for wpad (bare
host) and wpad.* where the domain portion is not a company owned domain.
UC0073 Endpoint detected malware infection from url Endpoint antimalware detection event occurred where the malicious
content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention,
or advanced threat prevention. Use the information available for the event and determine how existing prevention controls
can be modified to prevent future infections.
UC0074 Network Intrusion Internal Network IDS/IPS detecting or blocking an attack based on a known signature.
UC0075 Network Malware Detection Internal malware detection system such as fire eye devices reporting an attack.
UC0076 Excessive DNS Failures An endpoint utilizing DNS as a transmission method for data exfiltration, command and
control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries.
UC0077 Detection Risky Referral Domains Maintain a tracking list of public domain suffix and data source "seen" by first
epoch. Identify where one of the following sequence occurs
UC0079 Use of accountable privileged identity to access new or rare sensitive resource Use of an identity identified as privileged
to access a system for the first time within a rolling time period will trigger a notable event for review of access reason.
UC0080 Trusted Individual exceeds authorization in observation of other users Evaluate queries executed by authorized trusted
individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's
job function.
UC0081 Communication with unestablished domain Egress communication with a newly seen, newly registered, or
registration date unknown domain may indicate the presence of malicious code. Assets communicating with external
services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged.
UC0082 Communication with enclave by default rule Communication from an enclave network may indicate a misconfiguration
that could weaken the security posture of the organization or actual/attempted compromise. Communication filtered by
the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider
ingress communication allowed by the default rule, and egress communication allowed or blocked.
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule Communication
from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization or
actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when a rule is named in an
allowed communication where the reviewed time is null or prior to the last known modification time.
UC0084 Monitor Execution of Triage Activity Define and maintain eventtypes for unsuppressed notable events separately
identifying review work flow, and triage SLA required.
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF Communication to any web
application server without filtering by a network web application firewall indicates a security misconfiguration.
UC0086 Detect Multiple Primary Functions Using network communication fingerprinting detect distinct primary functions
such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function excluding administrative protocols
(RDP,SSH, iDrac).
UC0087 Malware signature not updated by SLA for compliance asset Malware signature last updated on an asset designated as
compliance such as PCI, CIP or HIPAA beyond SLA limits.
UC0088 User account sharing detection by source device ownership Detection of logon device by asset name (may require
resolution from IP) when logon user does not match the owner and the number of unique owned devices is greater than
two in the prior 24 hours. Exclude assets identified as loaner, and public or shared.
UC0089 Detection of Communication with Algorithmically Generated Domain Using an algorithm, determine whether the text of the
registration domain is likely to be generated by a computer, excluding known cloud hosting domains, Alexa TOP 1M
domains and domains with long established communication with the organization.
UC0090 User account cross enclave access Detection of logon with the same account to a production and a non production
environment. If an account (not a user) has logged into more than one environment, access management controls have
failed and must be remediated.
UC0091 Validate Execution of Vulnerability Scan Using host based logs such as firewall or host intrusion detection for each
asset with a governance category, verify communication (accept or reject) has occurred with origination from one or more
authorized vulnerability scanners.
UC0092 Exception to Approved Flow for Web Applications Using web application access logs for assets deemed high/critical
or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF
devices are placed in front of NLB devices, ensure the first "X-Forwarded-For" entry is the address of the WAF.
UC0093 Previously active account has not accessed enclave/lifecycle Identify accounts no longer in use with access to
high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and
the accessed enclave or business service identifier, maintain the last accessed time and alert when the last access time is
more than 90 days from current date.
UC0094 Insecure authentication method detected For each authentication technology in the network, identify the values of
authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where
a successful event occurs without the required indicators.


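An added example, not from the repository, implementing the UC0011 check in Python over constructed, geolocated authentication events: the Haversine distance between consecutive successful logins of a user is divided by the elapsed time, and pairs that would require an implausible speed are flagged. The speed and minimum-distance thresholds, the users and the addresses are assumptions.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold, roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumed floor so geolocation jitter inside one metro area is ignored

# Constructed successful-authentication events, already enriched with the geolocation
# of the source IP (approximate city centroids). Users and addresses are invented.
SAMPLE_AUTHS = [
    {"time": "2016-07-20 08:00:00", "user": "jdoe",   "src_ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060},   # New York
    {"time": "2016-07-20 09:30:00", "user": "jdoe",   "src_ip": "203.0.113.20", "lat": 51.5074, "lon": -0.1278},    # London, 90 min later
    {"time": "2016-07-20 08:15:00", "user": "asmith", "src_ip": "198.51.100.9", "lat": 37.7749, "lon": -122.4194},  # San Francisco
    {"time": "2016-07-20 10:15:00", "user": "asmith", "src_ip": "198.51.100.9", "lat": 37.7749, "lon": -122.4194},  # same address again
    {"time": "2016-07-20 13:00:00", "user": "asmith", "src_ip": "192.0.2.44",   "lat": 34.0522, "lon": -118.2437},  # Los Angeles
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def improbable_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one finding per consecutive pair of logins by the same user whose
    implied travel speed exceeds max_kmh."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e["user"], _ts(e["time"]))):
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["src_ip"] == cur["src_ip"]:
                continue   # same address: no movement to evaluate
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue   # too close to distinguish from geolocation noise
            hours = (_ts(cur["time"]) - _ts(prev["time"])).total_seconds() / 3600.0
            # Two logins at the same instant from distant places imply infinite speed.
            speed = math.inf if hours <= 0 else km / hours
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev["src_ip"], "to_ip": cur["src_ip"],
                    "distance_km": round(km, 1), "hours": round(hours, 2),
                    "speed_kmh": round(speed, 1) if hours > 0 else speed,
                })
    return findings
```

With the sample data only the New York to London pair (about 5570 km in 1.5 hours) is flagged; the San Francisco to Los Angeles move is within plausible driving speed.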
UC0001 Detection of new/prohibited web application


A prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by modern web proxy solutions
and next generation firewalls. Allowed prohibited applications or New application instances should be reviewed to ensure proper use.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess, RV4-ScanProbe
Event Data Sources: DS005WebProxyRequest-ET01RequestedWebAppAware
Enrichment: DE001AssetInformation, DE002IdentityInformation, DDE005 Prohibited Network Protocol/Application List, DDE006 Acceptable Network Protocol/Application List
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-ProposedField
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP001 New web application or network protocol detected

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend positive versus false positive rate
Metrics Review
1. Review prohibited protocol list and determine if new protocols should be added
Artifacts
TBD

Related articles

UC0002 Detection of prohibited protocol (application)


A prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an insecure system on the
network. Consider intranetwork communication and accepted communications from the internet
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess, RV4-ScanProbe
Event Data Sources: DS010NetworkCommunication-ET01TrafficAppAware
Enrichment: DE001AssetInformation, DDE005 Prohibited Network Protocol/Application List
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-ProposedField
Adoption Phase Industry: API-Expected
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP002 Endpoint generating suspicious network activity

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. Review prohibited protocol list and determine if new protocols should be added
Artifacts
TBD

Related articles

UC0003 Server generating email outside of approved usage


Server operating systems often generate email for routine purposes. Configuration management can be used to identify which server may
generate email and what recipients are permitted.
Identify servers receiving email from the internet without approval
Identify servers sending email to the internet without approval
Identify servers relaying email to internal users without approval
Identify servers relaying email to external users without approval
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode, RV6-Misconfiguration
Event Data Sources: DS001Mail-ET03Send
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-ProposedField
Adoption Phase Industry: API-Accepted
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Response: RP008 Unauthorized service detected on an endpoint

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0004 Excessive number of emails sent from internal user


Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing
company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated
from endpoint networks and operating systems should be considered. Servers often can impersonate users for the purpose of email
transmission; when this is allowed in an environment, these could generate false positives.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware, PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV1-AbuseofAccess, RV3-MaliciousCode
Event Data Sources: DS001Mail-ET03Send
Enrichment: DE001AssetInformation (exclude CAT-svc:mailgw from detection), DE002IdentityInformation (exclude CAT-nha and CAT-svc:mail from detection)
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP005 Malicious Code detected on endpoint

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
Context Gen: email sent count by account in 10 min
Using the context, create a notable event when the number of emails sent increases sharply across two consecutive 10 min blocks

Related articles

UC0005 System modification to insecure state


Authorized or unauthorized users may attempt to modify the system such that hardened configuration policies are removed or security
monitoring tools are disabled.
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess, RV6-Misconfiguration
Event Data Sources:
  DS TBD - Host IDS/IPS
  DS TBD - System logs (Windows Event Log): group policy modification; local security policy modification; start configuration change or removal of critical service; add / change local user object
  DS TBD - System logs (Linux audit logs): modification of init level or removal of existing service; addition / modification of local user; modification of critical configuration file
Enrichment: DE001AssetInformation, DDE012 Service State by platform, DDE013 Critical Policy Objects
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-ProposedField
Adoption Phase Industry: API-Known
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: TBD
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD
Response: RP007 Potentially Unauthorized change detected on endpoint

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend Reporting by organizational unit
2. Trend Reporting by result of investigation
Metrics Review
1. Review after-action reports to identify control weaknesses enabling recurrence
Artifacts
TBD

Related articles

UC0006 Windows security event log purged


Manually clearing the security event log on a Windows system is a violation of policy and could indicate an attempt to cover malicious actions.
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess
Event Data Sources: DS007AuditTrail-ET01Clear
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-RFC
Adoption Phase Industry: API-Expected
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Response: RP007 Potentially Unauthorized change detected on endpoint

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0007 Account logon successful method outside of policy


The logon event properties could indicate account misuse in violation of policy OR an indication of compromise. Compare the identified
purpose of the account to the context of the logon to determine if the account is authorized for such usage.
  Accounts provisioned for human access should NOT be identified as logging on as a network or batch account in Windows or as a
  cron task or service on Linux/Unix.
  Accounts provisioned for NON-human access should NOT be identified as logging on to server operating systems interactively,
  except for those accounts identified as privileged.
  Accounts provisioned for service, batch or app pool usage should not logon interactively. Occurrences of this activity may indicate the
  account password has been compromised.
  Accounts provisioned for service, batch or app pool usage should not logon to non server operating systems.
  Accounts identified as default should only authenticate from an asset identified as a privileged credential management jump
  server.
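An added Python example, not part of the repository, encoding the UC0007 policy statements above as checks over constructed Windows logon events. The identity and asset category names (human, nha, svc, privileged, default, exception, server, workstation, jump_server) are assumptions standing in for a deployment's own lookups.

```python
# Windows logon types as recorded in the Logon Type field of event 4624.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service", 10: "remote_interactive"}

# Constructed identity and asset context. The category names are assumptions; a
# deployment would carry them in its identity and asset lookups. 'exception' plays
# the role of the exception-list category named under Enrichment.
IDENTITY_CATEGORIES = {
    "jdoe": {"human"},
    "svc_sql": {"nha", "svc"},
    "svc_deploy": {"nha", "svc", "exception"},
    "ops_admin_svc": {"nha", "privileged"},
    "administrator": {"default"},
}
ASSET_CATEGORIES = {
    "db01": {"server"},
    "dc01": {"server"},
    "jump01": {"server", "jump_server"},
    "wks-042": {"workstation"},
}

# Constructed successful logon events: {'user', 'logon_type', 'src', 'dest'}.
SAMPLE_LOGONS = [
    {"user": "jdoe", "logon_type": 2, "src": "wks-042", "dest": "wks-042"},          # normal desktop logon
    {"user": "jdoe", "logon_type": 4, "src": "db01", "dest": "db01"},                # human account used by a batch job
    {"user": "svc_sql", "logon_type": 5, "src": "db01", "dest": "db01"},             # service starting normally
    {"user": "svc_sql", "logon_type": 10, "src": "wks-042", "dest": "db01"},         # RDP session with a service account
    {"user": "svc_sql", "logon_type": 3, "src": "db01", "dest": "wks-042"},          # service account reaching a workstation
    {"user": "ops_admin_svc", "logon_type": 10, "src": "jump01", "dest": "dc01"},    # privileged NHA, permitted
    {"user": "administrator", "logon_type": 3, "src": "wks-042", "dest": "dc01"},    # default account not via jump server
    {"user": "administrator", "logon_type": 10, "src": "jump01", "dest": "dc01"},    # default account via jump server
    {"user": "svc_deploy", "logon_type": 2, "src": "db01", "dest": "db01"},          # on the exception list
]


def evaluate_logon(event):
    """Return the names of the UC0007 policy statements violated by one logon.

    Identities without context, or carrying the exception category, yield no findings.
    Rules are evaluated in a fixed order so the result is deterministic.
    """
    cats = IDENTITY_CATEGORIES.get(event["user"].lower())
    if cats is None or "exception" in cats:
        return []
    how = LOGON_TYPES.get(event["logon_type"], "other")
    dest = ASSET_CATEGORIES.get(event["dest"], set())
    src = ASSET_CATEGORIES.get(event["src"], set())
    interactive = how in ("interactive", "remote_interactive")
    findings = []

    # Human accounts should not appear as network or batch logons.
    if "human" in cats and how in ("network", "batch"):
        findings.append("human_account_noninteractive")
    # Non-human accounts should not log on interactively to servers, privileged ones excepted.
    if "nha" in cats and "privileged" not in cats and interactive and "server" in dest:
        findings.append("nha_interactive_on_server")
    # Service/batch/app pool accounts should never log on interactively
    # (the page reads this as a possible password compromise).
    if "svc" in cats and interactive:
        findings.append("service_account_interactive")
    # ... and should not log on to non-server operating systems (skipped when the
    # destination asset is unknown rather than guessing its platform).
    if "svc" in cats and dest and "server" not in dest:
        findings.append("service_account_on_non_server")
    # Default accounts may only be used from the privileged credential management jump server.
    if "default" in cats and "jump_server" not in src:
        findings.append("default_account_not_from_jump_server")
    return findings


def evaluate_all(events):
    """Evaluate a batch of logons; returns (user, logon_type, findings) per event."""
    return [(e["user"], e["logon_type"], evaluate_logon(e)) for e in events]
```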

Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV1-AbuseofAccess, RV2-Access, RV3-MaliciousCode
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DE001AssetInformation, DE002IdentityInformation, category indicating the exception list of accounts to exclude from this search
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-TBD
Adoption Phase Industry: API-TBD
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response:
1. RP010 Contain potentially compromised account
2. RP012 Contain potentially compromised non human account

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend time to resolve
Metrics Review
1. Review time to resolve trends
2. Review exception list to determine if entries may be invalid and remove as required.
Artifacts
TBD

Related articles

UC0008 Activity on previously inactive account


Excluding computer accounts in active directory, an account with new activity that has not been active in the previous thirty days is
suspicious.
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access, RV3-MaliciousCode
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DE002IdentityInformation
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-RFC
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Response: RP010 Contain potentially compromised account

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend Reporting by account type
2. Trend Reporting by result of investigation
Metrics Review
1. Quarterly, review thresholds and monitoring statistics to determine whether the tolerances should be modified relative to risk acceptance
Artifacts
TBD

Related articles

UC0009 Authenticated communication from a risky source network


An Internet facing authentication system has allowed authenticated access from a risky source network.
Always consider the following sources risky:
  Anonymizing services such as VPN providers and proxy systems
  Threat list identification of the source IP
For B2B communications, consider the following sources risky:
  Dial up
  DSL/cable/FiOS ISP
  Mobile broadband
  Satellite broadband
  Education networks
For B2E communications, consider the following sources risky:
  Hosting provider networks
  Education networks
For B2C communications, consider the following sources risky:
  Hosting provider networks
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV2-Access, RV3-MaliciousCode
Event Data Sources: DS003Authentication-ET01Success; web server logs; VPN logs; email server logs; instant messaging logs; file transfer servers
Enrichment: DE002IdentityInformation, DDE003 Public Network attributes, DDE004 Threat List
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-RFC
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Low
System Load: LOAD-High
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist

Response: RP003 Authentication on Internet facing system with potentially compromised account

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend Reporting by account type (employee vs customer vs business)
2. Trend Reporting by result of investigation
3. Trend Reporting of call center impact (customer)
Metrics Review
1. Quarterly, review thresholds and monitoring statistics to determine whether the tolerances should be modified relative to risk acceptance
Artifacts
TBD

UC0010 Detect unauthorized use of remote access technologies


Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control
failure.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware, PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access, RV3-MaliciousCode, RV6-Misconfiguration
Event Data Sources: DS003Authentication-ET01Success, DS010NetworkCommunication-ET01TrafficAppAware
Enrichment:
  DE001AssetInformation - categorization providing information to identify authorized remote access systems
  DE002IdentityInformation - categorization providing information on which users may access an individual remote access technology
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-RFC
Adoption Phase Industry: API-Known
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response: RP014 Unknown remote access observed

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend resolution and escalation types
Metrics Review
1. Review identity enrichment to determine if any access controls are no longer approved
Artifacts
TBD

UC0011 Improbable distance between logins


Using the source IP address, geolocation data and, where available for company owned mobile devices, the device GPS position, calculate
the distance between consecutive successful authenticated connections with the Haversine formula. Detect where:
  - The total distance is greater than 7000 mi
  - The distance between events is greater than 500 mi and the distance between points in mi divided by the time delta between events
    (T) in hours is greater than 600
  - The distance between events is less than 500 mi and the distance between points in mi divided by the time delta between events (T)
    in hours is greater than 100
Exclusions:
  - Do not consider special connection types: dial up, cellular, satellite
  - Do not consider cloud service providers
  - Do not consider anonymized connections
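The Haversine distance and the three thresholds above, as an added Python example that is not part of the use case repository, run over a constructed list of successful logins; the event field names, the connection type category names used for the exclusions and the treatment of two logins in the same second as an infinite speed are assumptions.

```python
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_MI = 3958.8  # mean Earth radius in statute miles

# Connection types the use case says not to consider. The category names are
# assumptions for this example; map your own enrichment categories onto them.
EXCLUDED_CONNECTION_TYPES = {"dialup", "cellular", "satellite",
                             "cloud_provider", "anonymized"}

# Thresholds from the use case text (miles and miles per hour).
MAX_TOTAL_DISTANCE_MI = 7000
LONG_HOP_MI = 500
LONG_HOP_MAX_MPH = 600
SHORT_HOP_MAX_MPH = 100


def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two points in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * asin(sqrt(a))


def improbable_reason(prev, cur):
    """Apply the UC0011 thresholds to two consecutive logins of one user.
    Returns a reason string when the pair is improbable, otherwise None."""
    dist = haversine_mi(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (cur["time"] - prev["time"]) / 3600.0
    if dist > MAX_TOTAL_DISTANCE_MI:
        return f"{dist:.0f} mi apart exceeds {MAX_TOTAL_DISTANCE_MI} mi"
    if dist == 0:
        return None  # same place: nothing to evaluate
    # Two logins in the same second from different places are treated as an
    # infinite speed rather than raising ZeroDivisionError (assumption).
    mph = float("inf") if hours == 0 else dist / hours
    limit = LONG_HOP_MAX_MPH if dist > LONG_HOP_MI else SHORT_HOP_MAX_MPH
    if mph > limit:
        return f"{dist:.0f} mi in {hours:.2f} h ({mph:.0f} mph) exceeds {limit} mph"
    return None


def detect_improbable_logins(events):
    """Group successful logins by user, order them by time, drop excluded
    connection types and compare each login with the previous kept one."""
    by_user = {}
    for ev in events:
        if ev["conn_type"] in EXCLUDED_CONNECTION_TYPES:
            continue
        by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            reason = improbable_reason(prev, cur)
            if reason:
                findings.append({"user": user, "src": cur["src"], "reason": reason})
    return findings


def _login(user, time, src, conn_type, lat, lon):
    return {"user": user, "time": time, "src": src, "conn_type": conn_type,
            "lat": lat, "lon": lon}


# Constructed sample: times are epoch seconds, sources are documentation-range
# addresses, coordinates are city centres (New York, London, Chicago,
# Milwaukee, Boston, Sydney).
NYC, LON = (40.7128, -74.0060), (51.5074, -0.1278)
CHI, MKE = (41.8781, -87.6298), (43.0389, -87.9065)
BOS, SYD = (42.3601, -71.0589), (-33.8688, 151.2093)
SAMPLE_LOGINS = [
    _login("alice", 0, "203.0.113.10", "isp", *NYC),
    _login("alice", 2 * 3600, "198.51.100.5", "isp", *LON),      # ~3460 mi in 2 h
    _login("bob", 0, "203.0.113.20", "isp", *CHI),
    _login("bob", 1800, "203.0.113.21", "isp", *MKE),            # ~81 mi in 30 min
    _login("carol", 0, "203.0.113.30", "isp", *NYC),
    _login("carol", 4 * 3600, "203.0.113.31", "isp", *BOS),      # ~190 mi in 4 h
    _login("dave", 0, "203.0.113.40", "isp", *NYC),
    _login("dave", 2 * 3600, "198.51.100.6", "cellular", *LON),  # excluded type
    _login("eve", 0, "203.0.113.50", "isp", *NYC),
    _login("eve", 20 * 3600, "198.51.100.7", "isp", *SYD),       # ~9900 mi total
]

if __name__ == "__main__":
    for finding in detect_improbable_logins(SAMPLE_LOGINS):
        print(finding["user"], finding["src"], finding["reason"])
```

Eve is caught only by the 7000 mi rule (9900 mi in 20 h is under 600 mph), while dave's London login is excluded because it arrived over a cellular connection.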
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: DS003Authentication-ET01Success (network authentication only)
Enrichment:
  DDE TBD (Customer) - can manage account, can admin users
  DE002IdentityInformation (Employee)
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-High
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist

Response: RP010 Contain potentially compromised account

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend Reporting by account type (employee vs customer)
2. Trend Reporting by result of investigation
3. Trend Reporting of call center impact (customer)
Metrics Review
1. Quarterly, review thresholds and monitoring statistics to determine whether the tolerances should be modified relative to risk acceptance
Artifacts
TBD

UC0012 Increase risk score of employees once adverse separation is identified or anticipated
Increase the risk score of users who have an indication of adverse separation. Examples of users with an indication of adverse separation
include, but are not limited to, the following:
  - User has entered a remediation program with human resources
  - User has been identified as included in a reduction in force
  - User has announced voluntary separation
  - User has been identified in a reorganization program
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV1-AbuseofAccess, RV2-Access
Event Data Sources: DS008HRMasterData-ET02SeperationNotice
Enrichment: N/A
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-TBD
Initial Severity: SV - TBD
Occurrence/Fidelity: RATED0-Rare
Fidelity: TBD
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD

Response: RP TBD

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

UC0013 Monitor change for high value groups


Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems.
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: DS006UserActivity-ET04Update
Enrichment:
  DE002IdentityInformation - identity category terminated; identity category reduction_in_force; identity category org_change; identity
  termination date (including future); identity category access_admin
  DDE0016 List of risky groups
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Known
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Low
System Load: LOAD-High
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist

Response: RP013 Change to critical access control detected

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Time to investigate
2. Time to close
3. Number of reportable incidents
Metrics Review
1. Quarterly, review the risky groups list for additions and removals
Artifacts
TBD

UC0014 Monitor use attempts of human accounts once the primary account is expired, disabled or deleted
A human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no
further activity from any other account owned by the user.
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: DS003Authentication-ET01Success, DS003AUTHENTICATION-ET02Failure
Enrichment: DE002IdentityInformation
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Known
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response: RP009 Unauthorized (actual or attempted) access by employees or contractors

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend time to resolve
Metrics Review
1. Review incidents to identify root cause failures permitting accounts to remain active.
Artifacts
TBD

UC0015 Privileged user accessing more than expected number of machines in period
A privileged user successfully authenticates to more than X new targets, or is denied access to more than Y targets, in the prior Z hours.
For example:
  - More than 5 new targets
  - More than 3 failures
  - In the last 4 hours
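The X/Y/Z thresholds above, with a set of previously seen (user, target) pairs standing in for the DDT002 Logon Tracker, as an added Python example that is not part of the use case repository; the event field names, the privileged user list and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Example thresholds from the use case text: X new targets, Y failed targets,
# within the last Z hours.
MAX_NEW_TARGETS = 5
MAX_FAILED_TARGETS = 3
WINDOW_HOURS = 4


def evaluate_privileged_logons(events, privileged_users, known_targets, now,
                               window_hours=WINDOW_HOURS,
                               max_new=MAX_NEW_TARGETS,
                               max_failed=MAX_FAILED_TARGETS):
    """For each privileged user, count within the window ending at `now` the
    distinct targets reached successfully for the first time (not present in
    known_targets) and the distinct targets that denied access. Returns one
    finding per user exceeding either threshold, ordered by user name."""
    start = now - window_hours * 3600
    new_targets = defaultdict(set)
    failed_targets = defaultdict(set)
    for ev in events:
        user = ev["user"]
        if user not in privileged_users or not (start <= ev["time"] <= now):
            continue
        if ev["action"] == "success" and (user, ev["dest"]) not in known_targets:
            new_targets[user].add(ev["dest"])
        elif ev["action"] == "failure":
            failed_targets[user].add(ev["dest"])
    findings = []
    for user in sorted(privileged_users):
        new, failed = sorted(new_targets[user]), sorted(failed_targets[user])
        if len(new) > max_new or len(failed) > max_failed:
            findings.append({"user": user, "new_targets": new,
                             "failed_targets": failed})
    return findings


# Constructed sample data; times are epoch seconds relative to NOW.
NOW = 1_700_000_000
PRIVILEGED_USERS = {"svc-admin1", "ops-root"}
# Stand-in for the DDT002 Logon Tracker: (user, dest) pairs seen before the window.
KNOWN_TARGETS = {("svc-admin1", "db01"), ("svc-admin1", "db02")}


def _auth(user, dest, action, seconds_ago):
    return {"user": user, "dest": dest, "action": action, "time": NOW - seconds_ago}


SAMPLE_EVENTS = (
    # svc-admin1: two known targets plus six first-time targets inside the window
    [_auth("svc-admin1", d, "success", 600) for d in ("db01", "db02")]
    + [_auth("svc-admin1", f"ws{n:02d}", "success", 900) for n in range(1, 7)]
    # a first-time target five hours ago falls outside the 4 hour window
    + [_auth("svc-admin1", "ws99", "success", 5 * 3600)]
    # ops-root: denied on four distinct file servers, one of them twice
    + [_auth("ops-root", f"fs{n:02d}", "failure", 300) for n in range(1, 5)]
    + [_auth("ops-root", "fs01", "failure", 200)]
    # jdoe is not privileged, so ten new targets are not evaluated by this rule
    + [_auth("jdoe", f"srv{n:02d}", "success", 100) for n in range(1, 11)]
)

if __name__ == "__main__":
    for f in evaluate_privileged_logons(SAMPLE_EVENTS, PRIVILEGED_USERS,
                                        KNOWN_TARGETS, NOW):
        print(f["user"], "new:", f["new_targets"], "failed:", f["failed_targets"])
```

Unlike the search logic in the Artifacts below, which counts every distinct workstation, this version only counts targets absent from the tracker, so a routine set of known systems does not trip the threshold.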
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DE002IdentityInformation, DDT002 Logon Tracker
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Known
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Low
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist

Response: RP009 Unauthorized (actual or attempted) access by employees or contractors

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend positive vs false positive rate
2. Trend time to resolve
Metrics Review
1. Review thresholds and adjust for risk tolerance
Artifacts
Detection Activities
1. Search Logic
   index=wineventlog user_priority=critical Source_Workstation=*
   | stats dc(Source_Workstation) as systemcount values(Source_Workstation) as systems by user
   | where systemcount>5
2. Drilldown
   | datamodel Authentication Authentication search | search Authentication.user=$user$

UC0016 Successfully authenticated computer accounts accessing network resources


Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A small number of technical
solutions will require this type of behavior, however, after excluding a white list of hosts or shares (such as sysvol or netlogon), such access
attempts (success or fail) could indicate the presence of malware or attempts to elevate access. Exclude infrastructure file servers.
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DE001AssetInformation, DE002IdentityInformation, DDE015 Share Access exclusion list
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-RFC
Adoption Phase Industry: API-Known
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-General

Response
Determine the appropriate response based on the information available in the event:
1. RP007 Potentially Unauthorized change detected on endpoint
2. RP009 Unauthorized (actual or attempted) access by employees or contractors
3. RP011 Unwanted/Unauthorized Code detected on endpoint

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend positive vs false positive rate
2. Trend time to resolve
Metrics Review
1. Review thresholds and adjust for risk tolerance
Artifacts
TBD

UC0017 Unauthorized access or risky use of NHA


Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of the normal usage of such an
account:
  - Login where the interactive indicator is set
  - Login where the caller computer is a workstation or terminal server
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: DS003Authentication-ET01Success; Windows Security Logs (Endpoint, Active Directory); endpoint security logs; physical access; CCTV
Enrichment: DE001AssetInformation, DE002IdentityInformation
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist

Response: RP012 Contain potentially compromised non human account

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Time to investigate
2. Time to close
3. Number of reportable incidents
Metrics Review
1. Review the 10 longest investigations per quarter to determine whether onboarding additional log sources could reduce time to close.
Artifacts
TBD

UC0018 Unauthorized access SSO brute force


Single IP address attempting authentication of more than two valid users within ten minutes where one or more unique accounts is
successful, and one or more accounts is not successful against an approved SSO System.
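The ten minute, more-than-two-valid-users, at-least-one-success-and-one-failure condition above, as an added Python example that is not part of the use case repository, evaluated per source IP over constructed authentication events; the event field names, the approved SSO list, the valid user list and the sample addresses are assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 10 * 60
MIN_DISTINCT_USERS = 3   # "more than two valid users"


def detect_sso_brute_force(events, approved_sso, valid_users,
                           window=WINDOW_SECONDS, min_users=MIN_DISTINCT_USERS):
    """Per source IP, slide a window over its authentication attempts against
    approved SSO systems (sorted by time) and report the first window holding
    at least min_users distinct valid accounts, at least one of which succeeded
    and at least one of which failed."""
    by_src = defaultdict(list)
    for ev in events:
        # Unknown account names are not "valid users", and systems outside the
        # approved SSO list are out of scope for this use case.
        if ev["dest"] in approved_sso and ev["user"] in valid_users:
            by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            succeeded = {e["user"] for e in in_window if e["action"] == "success"}
            failed = {e["user"] for e in in_window if e["action"] == "failure"}
            if len(succeeded | failed) >= min_users and succeeded and failed:
                findings.append({"src": src, "window_start": first["time"],
                                 "succeeded": sorted(succeeded),
                                 "failed": sorted(failed)})
                break  # one finding per source is enough for a notable event
    return findings


def _auth(src, user, action, t, dest="sso.example.test"):
    return {"src": src, "user": user, "action": action, "time": t, "dest": dest}


# Constructed sample. Times are seconds from an arbitrary origin, sources are
# documentation-range addresses and sso.example.test is the approved SSO system.
APPROVED_SSO = {"sso.example.test"}
VALID_USERS = {"alice", "bob", "carol", "dave"}
SAMPLE_AUTH_EVENTS = [
    # 203.0.113.7: four valid accounts in 5 minutes, one of them successful
    _auth("203.0.113.7", "alice", "failure", 0),
    _auth("203.0.113.7", "bob", "failure", 60),
    _auth("203.0.113.7", "carol", "success", 120),
    _auth("203.0.113.7", "dave", "failure", 300),
    # 198.51.100.9: three accounts but no success, so this rule does not fire
    _auth("198.51.100.9", "alice", "failure", 0),
    _auth("198.51.100.9", "bob", "failure", 30),
    _auth("198.51.100.9", "carol", "failure", 90),
    # 203.0.113.8: the third account arrives 700 s after the first, outside any 10 minute window
    _auth("203.0.113.8", "alice", "failure", 0),
    _auth("203.0.113.8", "bob", "failure", 100),
    _auth("203.0.113.8", "carol", "success", 700),
    # 192.0.2.99: names that are not valid accounts are not counted
    _auth("192.0.2.99", "nosuch1", "failure", 0),
    _auth("192.0.2.99", "nosuch2", "failure", 10),
    _auth("192.0.2.99", "alice", "success", 20),
    # 192.0.2.44: attempts against a system that is not an approved SSO system
    _auth("192.0.2.44", "alice", "failure", 0, dest="legacy.example.test"),
    _auth("192.0.2.44", "bob", "failure", 5, dest="legacy.example.test"),
    _auth("192.0.2.44", "carol", "success", 9, dest="legacy.example.test"),
]

if __name__ == "__main__":
    for f in detect_sso_brute_force(SAMPLE_AUTH_EVENTS, APPROVED_SSO, VALID_USERS):
        print(f["src"], "succeeded:", f["succeeded"], "failed:", f["failed"])
```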
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: DS003Authentication-ET01Success, DS003Authentication-ET02Failure (SSO Systems, Active Directory, Customer SSO)
Enrichment:
  Customer - can manipulate accounts, can admin users
  Employee - privileged
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled

Note on Urgency:
  Customer: no fraud = Low; fraud = High
  Employee: privileged user = High; all others = Low

Response: RP010 Contain potentially compromised account

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend Reporting by account type (employee vs customer)
2. Trend Reporting by result of investigation
3. Trend Reporting of call center impact (customer)
Metrics Review
1. Quarterly, review thresholds and monitoring statistics to determine whether the tolerances should be modified relative to risk acceptance
Artifacts
TBD

UC0019 User authenticated to routine business systems while on extended absence


A user on vacation, sabbatical, or another type of leave should not access business systems. Such access could indicate malicious activity
by the employee or a compromised account.
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: DS003Authentication-ET01Success, DS008HRMasterData
Enrichment: DE001AssetInformation, DE002IdentityInformation
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist

Response: RP009 Unauthorized (actual or attempted) access by employees or contractors

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend Reporting by account type
2. Trend Reporting by result of investigation
3. Trend Reporting of call center impact (customer)
Metrics Review
1. Quarterly, review thresholds and monitoring statistics to determine whether the tolerances should be modified relative to risk acceptance
Artifacts
TBD

UC0020 Attempted communication through external firewall not explicitly granted


Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration
(leaving systems behind the firewall vulnerable) or malicious action (bypassing the firewall).
Legacy Command and Control (a.k.a. C&C or C2) channels included protocols such as Domain Name Service (DNS), AOL Instant
Messenger (AIM), and Internet Relay Chat (IRC); the default ports for those protocols are 53, 5190, and 6667, respectively. C2 channels
commonly use these protocols on alternate ports, especially for egress. Additionally, modern malware will frequently attempt to use ingress
ports that are almost always allowed for legitimate traffic, such as http (80) and https (443). As a result, application/protocol detection is
required to implement this use case effectively.
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode, RV4-ScanProbe
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DE001AssetInformation, DDE005 Prohibited Network Protocol/Application List, DDE006 Acceptable Network Protocol/Application List
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED2-Frequent
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response: RP002 Endpoint generating suspicious network activity

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Assess the suspect application list; add/remove entries as required
2. Assess the allowed service category and asset list; remove old entries
3. Trend false positive vs positive to assess the continued value of the use case
Artifacts
TBD

UC0021 Communication outbound to regions without business relationship


Outbound communication with servers hosted in regions where the organization does not expect to have employees, customers, or
suppliers. Exclusions:
  - Authorized DNS servers communicating on a standard DNS port
  - Destination DNS servers on the ICANN root list
  - Authorized SMTP servers communicating on a standard SMTP port
  - HTTP traffic (requires a protocol aware firewall or web proxy) to domains on the Alexa Top 1 Million, via proxy or NG firewall
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS TBD - Firewall, Web Proxy, IDS/IPS, DNS logs
Enrichment: DE001AssetInformation, DDE010 Alexa TOP 1 million sites, DDE011 External Known systems list, DDE021 Commercially maintained Geo IP Database
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV1 - Low
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response: RP002 Endpoint generating suspicious network activity

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Quantity of events closed by tier 1 by intel source
2. Quantity of events investigated by intel source
   a. QTY false positive
   b. QTY true positive
Metrics Review
1. Monthly, review active threat source lists to determine if each list should continue to be included
2. Monthly, review industry news to identify potential new sources
Artifacts
TBD

UC0022 Endpoint communicating with an excessive number of unique hosts


Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code.
Exclude assets in category svc_network_scanner.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode, RV4-ScanProbe
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Response: RP002 Endpoint generating suspicious network activity

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Review false positive rate and adjust threshold based on organization risk tolerance
Artifacts
TBD

UC0023 Endpoint communicating with an excessive number of unique ports


Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities.
Certain server applications arrange for communication on a high numbered port with the client, such as FTP in passive mode and RPC on
Windows Server; use the category wl_hv_open_client_ports to exclude them.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode, RV4-ScanProbe
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Response: RP002 Endpoint generating suspicious network activity

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Review false positive rate and adjust threshold based on organization risk tolerance
Artifacts
TBD

UC0024 Endpoint communicating with external service identified on a threat list.


Superseded by UCESS053 Threat Activity Detected.
The endpoint has attempted (success or fail) to communicate with an external server identified on a threat list using any protocol. Such an
attempted communication could indicate activity generated by malicious code.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS001Mail-ET02Receive, DS002DNS-ET01Query, DS002DNS-ET01QueryResponse, DS002DNS-ET01QueryRequest, DS005WebProxyRequest, DS010NetworkCommunication-ET01Traffic
Enrichment: DE001AssetInformation, DDE010 Alexa TOP 1 million sites
Adoption Phase Customer: APC-Superceded
Adoption Phase SME: APS-Obsolete
Adoption Phase Industry: API-Known
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-High
Analyst Load: AnalystLoad-High
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response: RP002 Endpoint generating suspicious network activity

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive by threat list source
2. Trend time to close
Metrics Review
1. Review false positive vs positive results by threat list to determine whether the threat list should remain active
2. Review industry trends and white papers to identify potential new threat list sources
Artifacts
TBD

UC0025 Endpoint Multiple devices in 48 hours in the same site


Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than 5% of the hosts in a site.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation, DDE007 Signature Special Processing List, DDE008 Network CIDR Details
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist

Response: RP006 Potential outbreak or targeted attack

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD

UC0026 Endpoint Multiple devices in 48 hours in the same subnet


Multiple infected devices in the same subnet could indicate lateral movement by an adversary or a possible worm. Monitor for more than 5%
of the host addresses on the subnet, since it is not readily possible to know how many hosts are active on a subnet.
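The 5% of host addresses rule above, as an added Python example that is not part of the use case repository: the denominator is derived from the prefix length, the way DDE008 Network CIDR Details would supply it, and repeated detections on one host count once. The subnet list, event field names and sample detections are constructed; the same 48 hour window and share computation serve UC0025 and UC0027 with the site or organizational unit as the grouping key and its known host count as the denominator.

```python
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 48 * 3600
SHARE_THRESHOLD = 0.05   # more than 5% of the host addresses on the subnet


def subnet_for(ip, subnets):
    """Return the configured subnet containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in subnets:
        if addr in net:
            return net
    return None


def usable_hosts(net):
    """Host addresses on the prefix, excluding network and broadcast addresses
    for IPv4 prefixes shorter than /31 (/31 and /32 have no such reservation)."""
    if net.version == 4 and net.prefixlen < 31:
        return net.num_addresses - 2
    return net.num_addresses


def detect_subnet_outbreaks(detections, subnets, now,
                            window=WINDOW_SECONDS, threshold=SHARE_THRESHOLD):
    """Count distinct infected hosts per subnet within the window ending at
    `now` and report subnets where the share exceeds the threshold."""
    start = now - window
    infected = defaultdict(set)
    for d in detections:
        if not (start <= d["time"] <= now):
            continue
        net = subnet_for(d["dest_ip"], subnets)
        if net is None:
            continue  # no CIDR detail, so no denominator to compute a share
        infected[net].add(d["dest_ip"])
    findings = []
    for net, hosts in infected.items():
        share = len(hosts) / usable_hosts(net)
        if share > threshold:
            findings.append({"subnet": str(net), "infected_hosts": len(hosts),
                             "usable_hosts": usable_hosts(net),
                             "share": round(share, 4)})
    return findings


# Constructed sample. SUBNETS stands in for DDE008 Network CIDR Details and
# times are epoch seconds relative to NOW.
NOW = 1_700_000_000
SUBNETS = [ipaddress.ip_network(c)
           for c in ("10.1.0.0/26", "10.2.0.0/24", "10.3.0.0/22")]


def _det(dest_ip, seconds_ago, signature="Trojan.Constructed.A"):
    return {"dest_ip": dest_ip, "time": NOW - seconds_ago, "signature": signature}


SAMPLE_DETECTIONS = (
    # 10.1.0.0/26: 62 usable addresses, 4 distinct hosts (10.1.0.5 hit three times)
    [_det("10.1.0.5", 100), _det("10.1.0.5", 200, "Trojan.Constructed.B"),
     _det("10.1.0.5", 300)]
    + [_det(f"10.1.0.{n}", 3600) for n in (6, 7, 8)]
    # 10.2.0.0/24: 254 usable addresses, 5 hosts is under 2%
    + [_det(f"10.2.0.{n}", 3600) for n in range(10, 15)]
    # 10.3.0.0/22: 1022 usable addresses; 10 hosts inside the window, 50 more
    # three days ago that the 48 hour window must ignore
    + [_det(f"10.3.0.{n}", 3600) for n in range(1, 11)]
    + [_det(f"10.3.0.{n}", 3 * 24 * 3600) for n in range(11, 61)]
    # a host on a subnet with no CIDR detail is skipped
    + [_det("192.168.50.1", 60)]
)

if __name__ == "__main__":
    for f in detect_subnet_outbreaks(SAMPLE_DETECTIONS, SUBNETS, NOW):
        print(f["subnet"], f["infected_hosts"], "of", f["usable_hosts"], "=", f["share"])
```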
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation, DDE007 Signature Special Processing List, DDE008 Network CIDR Details
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Low
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response: RP006 Potential outbreak or targeted attack

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD

UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit
Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the
hosts in an organizational unit.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation, DDE007 Signature Special Processing List, DDE008 Network CIDR Details
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLo
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Response: RP006 Potential outbreak or targeted attack

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD

UC0028 Endpoint Multiple infections over short time


Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an undetected loader malware
component (APT).
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation, DDE007 Signature Special Processing List
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Socializing
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response: RP006 Potential outbreak or targeted attack

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
Detection Activities
Rule Name - UC0027-S01-V001 Multiple infections for host
Notable Title - UC0027-S01 $gov$ Multiple infections ($count$) occurred on $dest$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0027
Search Logic
   | tstats allow_old_summaries=true dc(Malware_Attacks.signature) as unique_signature values(Malware_Attacks.signature) as signatures
     earliest(Malware_Attacks.signature) as first_signature latest(Malware_Attacks.signature) as last_signature count
     from datamodel=Malware where nodename=Malware_Attacks NOT "Malware_Attacks.action"=Allowed by "Malware_Attacks.dest"
   | `drop_dm_object_name("Malware_Attacks")`
   | where count>3 OR unique_signature>2
Drilldown
Name - View Contributing Events
Search
   | datamodel Malware Malware_Attacks search | search Malware_Attacks.dest="$dest$"
Compliance - YES
Container App - DA-ESS-SecKit-EndpointProtection

UC0029 Endpoint new malware detected by signature


When a new malware variant is detected by endpoint antivirus technology, it is possible that the configuration or capability of other controls
is deficient. Review the sequence of events leading to the infection to determine whether additional preventive measures can be put in place.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DDE007 Signature Special Processing List, DDT001 Signature Tracker
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-General

Response: RP005 Malicious Code detected on endpoint
Open an investigation to determine the method of infection and possible preventive measures.

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
Rule Name - UC0029-S01-V001 New malware signature detected
Notable Title - UC0029-S01 $gov$ First detection for $signature$ occurred on $dest$ user $user$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0029
Search Logic
   | inputlookup append=T seckit_endpoint_malware_tracker
   | stats min(firstTime) as firstTime,dc(dest) as affected first(dest) as dest first(user) as user by signature
   | eval _time=firstTime
   | `daysago(1)`
   | sort 100 - firstTime
   | `uitime(firstTime)`
   | table signature dest user firstTime
Drilldown
Name - View Contributing Events
Search
   | datamodel Malware Malware_Attacks search | search Malware_Attacks.dest="$dest$"
Compliance - YES
Rabbit hole
  +/- 60 min web activity by fqdn
    Did this infection occur from materials accessed on the internet?
    Did this infection lead to additional activity based on a remote access tool?
  +/- 60 min emails accessed
    Did this infection occur from materials accessed via email?
    Did this infection lead to additional email activity (i.e. to spread the infection)?
  +/- 60 min new processes started
    If not of email/web origin, was this malware added by an automated process on the machine (lateral movement)?
    Did this malware (whatever this infection was) also unpack and install additional components?
Container App - DA-ESS-SecKit-EndpointProtection

UC0030 Endpoint uncleaned malware detection


Endpoint with a malware detection where the anti-malware product attempted to clean, remove or quarantine the file and was unable to.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV3-MaliciousCode

DS004EndPointAntiMalware-ET01SigDetected

PRT02-SecurityVisibilityEndpointMalware

Adoption Phase Customer

Adoption Phase SME

APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED2-Frequent

FIDELITY-High

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-High

SKILLI-PS-General

Enrichment
DDE007 Signature Special
Processing List
DDT001 Signature Tracker

Adoption Phase Industry

Response RP005 Malicious Code detected on endpoint


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
Rule Name - UC0030-S01-V002 Endpoint uncleaned malware detection
Notable Title - UC0030-S01 Endpoint uncleaned malware $signature$ detection occurred on $dest$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0030
Search Logic

| datamodel "Malware" "Malware_Attacks" search
| `drop_dm_object_name("Malware_Attacks")`
| fillnull value="unknown" file_hash file_path
| stats max(_time) as "lastTime", latest(_raw) as "orig_raw", latest(dest_priority) as "dest_priority", latest(action) as action, count by dest, signature, file_path, file_hash
| search NOT action=blocked
Drilldown
Name View Contributing Events
Search

| datamodel Malware Malware_Attacks search | search Malware_Attacks.dest="$dest$"


Compliance YES
Container App DA-ESS-SecKit-EndpointProtection

Related articles

UC0031 Non human account starting processes not associated with the purpose of the account
Accounts designated for use by services and batch processes should start a limited set of child processes. Creation of child processes
other than the process name defined in the service or batch definition may indicate compromise.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-SecurityVisibilityEndpointMalware

RV3-MaliciousCode

DS009EndPointIntel-ET01ProcessLaunch

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-High

AnalystLoad-Moderate

SKILLI-PS-SecurtitySpecialist

Response RP011 Unwanted/Unauthorized Code detected on endpoint


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Review enrichment lists for items no longer valid
Artifacts
TBD

Enrichment
DDE014 Service Account process name/hash

Related articles

UC0032 Brute force authentication attempt


When more than 10 failed authentication attempts for known accounts occur from a single endpoint.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-SecurityVisibilityUserActivity

RV2-Access

DS003Authentication-ET02Failure

Adoption Phase Customer

Adoption Phase SME

APC-Maturing

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV1 - Low

RATED1-Common

FIDELITY-Low

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Moderate

SKILLI-Customer

Enrichment
DE001AssetInformation
DE002IdentityInformation

Adoption Phase Industry

Response internal source IP RP009 Unauthorized (actual or attempted) access by employees or contractors
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend false positive vs positive
Metrics Review
1. Review trending determine if changes should be made to threshold
Artifacts

Automated Response external source IP


Add account to watchlist for successful authentication

Related articles

UC0033 Brute force authentication attempt distributed


When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2 IP addresses in 60
minutes. This could indicate an adversary has identified a specific high value account and is attempting to gain access.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-SecurityVisibilityUserActivity

RV2-Access

DS003Authentication-ET02Failure

Adoption Phase Customer

Adoption Phase SME

APC-Mature

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV1 - Low

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Moderate

SKILLI-Customer

Enrichment
DE001AssetInformation
DE002IdentityInformation

Adoption Phase Industry

Response internal source IP RP009 Unauthorized (actual or attempted) access by employees or contractors
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend false positive vs positive
Metrics Review
1. Review trending determine if changes should be made to threshold
Artifacts

Automated Response external source IP


Add account to watchlist for successful authentication

Related articles

UC0034 Brute force successful authentication


If a source IP identified by a brute force use case authenticates successfully, OR an account identified by a brute force use case logs in
successfully after failing once from the same source address.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-SecurityVisibilityUserActivity

RV2-Access

DS003Authentication-ET01Success
DS003Authentication-ET02Failure

Adoption Phase Customer

Adoption Phase SME

APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Moderate

SKILLI-Customer

Enrichment
DE001AssetInformation
DE002IdentityInformation
Assets
Identities
Brute force watchlist

Adoption Phase Industry

Response RP010 Contain potentially compromised account


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend false positive vs positive
Metrics Review
1. Review trending determine if changes should be made to threshold
Artifacts
Code:
| tstats `summariesonly` values(Authentication.tag) as tag values(Authentication.app) as app count from datamodel=Authentication by Authentication.src Authentication.action
| rename count as actioncount
| `drop_dm_object_name("Authentication")`
| eval successes=case(action=="success",actioncount)
| eval failures=case(action=="failure",actioncount)
| stats values(tag) as tag values(app) as app values(failures) as failures values(successes) as successes by src
| search successes>0
| xswhere failures from failures_by_src_count_1h in authentication is above medium
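The UC0032, UC0033 and UC0034 thresholds above, worked through in Python over constructed Authentication-model records (an added example, not the Security Kit's SPL); every address, account name and timestamp here is constructed, and the search window is taken to be the record set itself.

```python
"""UC0032/UC0033/UC0034 brute-force logic over constructed Authentication
records (added example, not Security Kit code).  Records mirror the CIM
Authentication fields src, user and action."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10              # UC0032/UC0033: more than 10 failures
MIN_DISTINCT_SRC = 2             # UC0033: from more than 2 IP addresses
WINDOW = timedelta(minutes=60)   # UC0033: within 60 minutes


def _t(minute):
    """Constructed timestamp: minutes after a fixed base time."""
    return datetime(2016, 9, 29, 8, 0) + timedelta(minutes=minute)


# Constructed events as (ts, src, user, action); nothing here is real data.
EVENTS = (
    # 12 failures for alice from one endpoint: UC0032 watch-lists 10.0.0.5
    [(_t(i), "10.0.0.5", "alice", "failure") for i in range(12)]
    # 11 failures for svc-backup spread over 3 addresses: UC0033 hit
    + [(_t(i), f"203.0.113.{i % 3 + 1}", "svc-backup", "failure") for i in range(11)]
    # later successes from a watch-listed source / for a watch-listed account: UC0034
    + [(_t(20), "10.0.0.5", "alice", "success"),
       (_t(30), "203.0.113.2", "svc-backup", "success")]
    # 3 failures then a success: below every threshold, must not alert
    + [(_t(i), "10.0.0.9", "bob", "failure") for i in range(3)]
    + [(_t(5), "10.0.0.9", "bob", "success")]
)


def failures_by_src(events):
    """UC0032: endpoints with more than FAIL_THRESHOLD failures in the search window."""
    counts = defaultdict(int)
    for _ts, src, _user, action in events:
        if action == "failure":
            counts[src] += 1
    return {src for src, n in counts.items() if n > FAIL_THRESHOLD}


def distributed_by_user(events):
    """UC0033: accounts with more than FAIL_THRESHOLD failures from more than
    MIN_DISTINCT_SRC sources inside any sliding WINDOW."""
    per_user = defaultdict(list)
    for ts, src, user, action in events:
        if action == "failure":
            per_user[user].append((ts, src))
    flagged = set()
    for user, fails in per_user.items():
        fails.sort()
        for i, (start, _src) in enumerate(fails):
            # fails is sorted, so this keeps exactly the failures inside [start, start+WINDOW]
            window = [s for ts, s in fails[i:] if ts - start <= WINDOW]
            if len(window) > FAIL_THRESHOLD and len(set(window)) > MIN_DISTINCT_SRC:
                flagged.add(user)
                break
    return flagged


def successful_brute_force(events):
    """UC0034: a success from a UC0032 source, or a UC0033 account succeeding
    after at least one earlier failure from the same source.  Returns
    (ts, src, user) triples in time order."""
    src_watch = failures_by_src(events)
    user_watch = distributed_by_user(events)
    failed_pairs = set()
    hits = []
    for ts, src, user, action in sorted(events):
        if action == "failure":
            failed_pairs.add((src, user))
        elif action == "success" and (
            src in src_watch or (user in user_watch and (src, user) in failed_pairs)
        ):
            hits.append((ts, src, user))
    return hits


if __name__ == "__main__":
    for hit in successful_brute_force(EVENTS):
        print("UC0034 notable:", hit)
```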

Related articles

UC0035 Compromised account access testing


Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion
or DLP technologies to detect the activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications,
or connect to databases, yet perform minimal or no activity. For example:
Consider where more than 10 distinct resources are accessed within 10 minutes.
Exclude common systems such as domain controllers from consideration.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-SecurityVisibilityUserActivity

RV2-Access

DS003Authentication-ET01Success

Enrichment
DE002IdentityInformation

Session Start,
Session End,
Share access

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-High

AnalystLoad-Moderate

SKILLI-PS-SecurtitySpecialist

Response RP009 Unauthorized (actual or attempted) access by employees or contractors


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend positive vs false positive
Metrics Review
1. Identify resources where access is frequently denied
Artifacts

Automated Response external source IP


Add account to watchlist for successful authentication

Related articles

UC0036 Compromised account access testing (Critical/Sensitive Resource)


Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion
or DLP technologies to detect the activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications,
or connect to databases, yet perform minimal or no activity. Critical and sensitive systems should not log access denied events during routine
use.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-SecurityVisibilityUserActivity

RV2-Access

DS003Authentication-ET02Failure

Enrichment

Adoption Phase Customer

Adoption Phase SME

APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-High

AnalystLoad-Moderate

SKILLI-PS-SecurtitySpecialist

DE001AssetInformation
DE002IdentityInformation

Adoption Phase Industry

Response RP009 Unauthorized (actual or attempted) access by employees or contractors


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend positive vs false positive
Metrics Review
1. Identify resources accessed leading to false positive events.
2. Determine if improvements to the architecture of the environment or suppression of events related to false positives are
appropriate.
Artifacts
TBD

Related articles

UC0037 Network Intrusion External - New Signatures


External IDS devices reporting an attack using a signature not previously encountered are more likely to be successful, as new signatures are
prompted by newly known attacks in the wild.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-SecurityVisibilityEndpointMalware

RV3-MaliciousCode

DS TBD - Network Intrusion Detection System (IDS or equivalent)
<note>
OR is this something new, like SecurityVisibilityNetwork?
</note>

RV4-ScanProbe

Enrichment
DE001AssetInformation

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc) observes attack without blocking
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0038 Excessive use of Shared Secrets


Usage of more than X unique shared/secret credentials, or usage more than 1 standard deviation from peers.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS006UserActivity-ET07ExecuteAs

PRT02-SecurityVisibilityUserActivity

RV2-Access

Adoption Phase Customer

Adoption Phase SME

APC-Mature

APS-Proposed

API-Socializing

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-Moderate

AnalystLoad-Moderate

SKILLI-PS-SecurtityEnabled

Enrichment
DE002IdentityInformation

Adoption Phase Industry

Response RP009 Unauthorized (actual or attempted) access by employees or contractors


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Time to investigate
2. Time to close
3. Number of reportable incidents
Metrics Review
1. Review thresholds determine if adjustments to reduce thresholds should be made
Artifacts
TBD

Related articles

UC0039 Use of Shared Secret for access to critical or sensitive system


Use of a secret/shared secret account for access to such a system rather than accountable credentials could indicate an attempt to avoid
detection.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS006UserActivity-ET07ExecuteAs

PRT02-SecurityVisibilityUserActivity

RV2-Access

Adoption Phase Customer

Adoption Phase SME

APC-Mature

APS-Proposed

API-Socializing

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-Moderate

LOAD-Moderate

SKILLI-PS-SecurtityEnabled

Enrichment
DE002IdentityInformation

Adoption Phase Industry

Response RP009 Unauthorized (actual or attempted) access by employees or contractors


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Time to investigate
2. Time to close
3. Number of reportable incidents
Metrics Review
1. Review thresholds determine if adjustments to reduce thresholds should be made
Artifacts
TBD

Related articles

UC0040 Use of Shared Secret for or by automated process with risky attributes
Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the
retrieval is new or outside of the change window.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS006UserActivity-ET07ExecuteAs

PRT02-SecurityVisibilityUserActivity

RV2-Access

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Mature

APS-Proposed

API-Socializing

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Moderate

SKILLI-PS-SecurtitySpecialist

Response RP012 Contain potentially compromised non human account


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Enrichment
DE002IdentityInformation

Related articles

UC0041 SSH v1 detected


Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; accepted SSHv1 sessions
indicate a misconfigured system. Attempted and denied sessions indicate system probing or scanning.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV4-ScanProbe

DS003Authentication-ET01Success

PRT02-SecurityVisibilityEndpointMalware

RV6-Misconfiguration

DS010NetworkCommunication-ET01TrafficAppAware

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Maturing

APS-Proposed

API-Dated

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Response:
RP008 Unauthorized service detected on an endpoint
RP002 Endpoint generating suspicious network activity

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD

Enrichment
DE001AssetInformation

Related articles

UC0042 SSH Authentication using unknown key


The public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be investigated to
determine the owner of the key and validate authorization to access the resource.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS003Authentication-ET01Success

PRT02-SecurityVisibilityUserActivity

RV2-Access

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Mature

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED1-Common

FIDELITY-High

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Low

SKILLI-PS-General

Response:
RP015 New SSH Private key

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD

Enrichment
DE002IdentityInformation

Related articles

UC0043 Direct Authentication to NHA


Direct authentication via SSH or console session to a non human account indicates a violation of security policy: either the password of the
non human account was recorded for later use, or an SSH key was associated with the non human account.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS003Authentication-ET01Success

PRT02-SecurityVisibilityEndpointMalware

RV2-Access

PRT02-SecurityVisibilityUserActivity

RV6-Misconfiguration

PRT02-SecurityVisibilityPriviledgeUserMonitoring

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load

Implementation Skill

LOAD-Moderate

AnalystLoad-Moderate

SKILLI-PS-SecurtitySpecialist

Response RP012 Contain potentially compromised non human account


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD

Enrichment
DE002IdentityInformation

Related articles

UC0044 Network authentication using password auth


Even with SSH encryption, allowing password authentication to Linux/Unix systems over the network increases the attack surface and the
possible impact of a compromised account. Investigate and resolve all instances of network authentication utilizing a password.
Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV2-Access

DS003Authentication-ET01Success

DE002IdentityInformation

RV6-Misconfiguration

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Mature

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-Moderate

<note>
rare in a tuned environment after the migration
</note>
System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Moderate

SKILLI-PS-SecurtityEnabled

Response:
RP010 Contain potentially compromised account
RP007 Potentially Unauthorized change detected on endpoint

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD

Related articles

UC0045 Local authentication server


Following provisioning, *nix servers seldom require local administration. Investigate any use of local authentication, as it may indicate an
attempt to compromise the host via KVM or virtual console.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV1-AbuseofAccess

DS003Authentication-ET01Success

PRT02-SecurityVisibilityEndpointMalware

RV2-Access

PRT02-SecurityVisibilityUserActivity

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Maturing

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED1-Common

FIDELITY-Moderate

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Moderate

SKILLI-PS-SecurtityEnabled

Response RP010 Contain potentially compromised account


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD

Enrichment
DE002IdentityInformation

Related articles

UC0046 Endpoint failure to sync time


Failure to synchronize time will impact the usefulness of security log data from the endpoint, and can potentially prevent valid
authentication. Exclude virtual machine guests, as their time is synchronized with the virtual host.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV6-Misconfiguration

DS007AuditTrail-ET03TimeSync

PRT02-SecurityVisibilityEndpointMalware

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Essential

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED1-Common

FIDELITY-High

System Load

Analyst Load

Implementation Skill

TBD

TBD

TBD

Response RP017 Asset Symptomatic of abnormal condition


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD

Enrichment
DE001AssetInformation

Related articles

UC0047 Communication with newly seen domain


Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via web proxy logs, without other
IOCs, allows the analyst/threat hunter to explore the relevant data and potentially identify weaknesses or risky behavior. The daily number of
new domains will be substantial in a typical organization; the search selects a subset of those for triage.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-IdentifyPatientZero

RV3-MaliciousCode

DS005WebProxyRequest-ET01Requested

PRT04-ProcessEffectivness-HuntPaths

Adoption Phase Customer

Adoption Phase SME

APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence

Fidelity

SV1 - Low

RATED2-Frequent

FIDELITY-Low

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Moderate

SKILLI-Customer

Enrichment
DDE001 Asset Information
DDE010 Alexa TOP 1 million sites
DDT004 New Domain Tracker

Adoption Phase Industry

Response RP019 Unauthorized device detected

Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts

Detection Activities

| tstats `summariesonly` max(_time) as _time, dc(Web.src) as srccount, values(Web.src) as srcs, values(Web.user) as users, count from datamodel=Web.Web where Web.action=allowed by Web.dest
| `drop_dm_object_name("Web")`
| `get_whois`
| search newly_seen=*
| eval "Age (days)"=ceil((_time-newly_seen)/86400)
| where 'Age (days)'=1 OR 'Age (days)'=2
| eval domain=if(isnull(domain), dest, domain)
| `swap_resolved_domain(domain)`
| `per_panel_filter("ppf_new_domains","domain")`
| `alexa_lookup(domain)`
| where isnull(domain_rank)
| eval alexa_rank=if(isnull(domain_rank), "below 1 million", domain_rank)
| rename ppf_filter as filter
| eval resolved_domain=if(isnull(resolved_domain) OR resolved_domain=="unknown", null(), resolved_domain)
| sort - srccount
| head 10
| `uitime(newly_seen)`
| fields _time,dest,domain,newly_seen,count,srcs,srccount,users
| mvexpand srcs
| mvexpand users
| rename users as user
| rename srcs as src
| `get_asset(src)`
| `get_identity4events(user)`

Related articles

UC0049 Detection of DNS Tunnel


Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by
large total size of DNS traffic OR large number of unique queries.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT02-SecurityVisibilityEndpointMalware

RV3-MaliciousCode

DS002DNS-ET01Query

Adoption Phase Customer

Adoption Phase SME

APC-Maturing

APS-Accepted

API-Distinctive

Initial Severity

Occurrence/Fidelity

Fidelity

SV2 - Medium

RATED0-Rare

FIDELITY-High

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Low

SKILLI-Customer

Enrichment
DE001AssetInformation
CAT-svc:dnsresolver
CAT-svc:mailgw
CAT-svc:webproxy
DDE017 Legitimate DNS command and control domains
DDE010 Alexa TOP 1 million sites

Adoption Phase Industry

Response RP005 Malicious Code detected on endpoint


Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Indicator value
Metrics Review
Per Quarter review indicator values impacting false positive resolutions and determine if thresholds should be adjusted
Artifacts
Rule Name - UC0049-S01-V001 Potential use of DNS tunneling
Notable Title - UC0049-S01 $gov$-$asset_name$ High DNS traffic size $length$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0049
Search Logic

| tstats allow_old_summaries=true dc("DNS.query") as count
from datamodel=Network_Resolution
where nodename=DNS "DNS.message_type"="QUERY"
NOT (`cim_corporate_web_domain_search("DNS.query")`)
NOT "DNS.query"="*.in-addr.arpa"
NOT ("DNS.src_category"="svc_infra_dns" OR
"DNS.src_category"="svc_infra_webproxy" OR
"DNS.src_category"="svc_infra_email*"
)
by "DNS.src","DNS.query"
| rename "DNS.src" as src "DNS.query" as message
| eval length=len(message)
| stats sum(length) as length by src
| append [
tstats allow_old_summaries=true dc("DNS.answer") as count
from datamodel=Network_Resolution
where nodename=DNS "DNS.message_type"="QUERY"
NOT (`cim_corporate_web_domain_search("DNS.query")`)
NOT "DNS.query"="*.in-addr.arpa"
NOT ("DNS.src_category"="svc_infra_dns" OR
"DNS.src_category"="svc_infra_webproxy" OR
"DNS.src_category"="svc_infra_email*"
)
by "DNS.src","DNS.answer"
| rename "DNS.src" as src "DNS.answer" as message
| eval message=if(message=="unknown","",message)
| eval length=len(message)
| stats sum(length) as length by src
]
| stats sum(length) as length by src
| where length > 10000

Note: an alternative implementation using XS (Extreme Search) should be considered.


Compliance YES
Drilldown

| tstats allow_old_summaries=true dc("DNS.query") as count
from datamodel=Network_Resolution
where nodename=DNS "DNS.message_type"="QUERY"
"DNS.src"="$src$"
NOT (`cim_corporate_web_domain_search("DNS.query")`)
NOT "DNS.query"="*.in-addr.arpa"
NOT ("DNS.src_category"="svc_infra_dns" OR
"DNS.src_category"="svc_infra_webproxy" OR
"DNS.src_category"="svc_infra_email*"
)
by "DNS.src","DNS.query"
| rename "DNS.src" as src "DNS.query" as message
| append [
tstats allow_old_summaries=true dc("DNS.answer") as count
from datamodel=Network_Resolution
where nodename=DNS "DNS.message_type"="QUERY"
"DNS.src"="$src$"
NOT (`cim_corporate_web_domain_search("DNS.query")`)
NOT "DNS.query"="*.in-addr.arpa"
NOT ("DNS.src_category"="svc_infra_dns" OR
"DNS.src_category"="svc_infra_webproxy" OR
"DNS.src_category"="svc_infra_email*"
)
by "DNS.src","DNS.answer"
| rename "DNS.src" as src "DNS.answer" as message
| eval message=if(message=="unknown","",message)
]

Container App DA-ESS-SecKit-NetworkProtection


Rule Name - UC0049-S02-V001 Potential use of DNS tunneling
Notable Title - UC0049-S02 $gov$-$src$ High DNS query count
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0049
Search Logic -

| tstats allow_old_summaries=true dc("DNS.query") as count
from datamodel=Network_Resolution
where nodename=DNS "DNS.message_type"="QUERY"
NOT (`cim_corporate_web_domain_search("DNS.query")`)
NOT "DNS.query"="*.in-addr.arpa"
NOT ("DNS.src_category"="svc_infra_dns" OR
"DNS.src_category"="svc_infra_webproxy" OR
"DNS.src_category"="svc_infra_email*"
)
by "DNS.src"
| rename "DNS.src" as "src"
| where 'count'>100

Window -65m@m to -5m@m
Cron 20 * * * *
Compliance YES
Container App DA-ESS-SecKit-NetworkProtection
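The two UC0049 rules above (S01: total query plus answer length per source above 10000; S02: more than 100 distinct queries per source) with the same exclusions, worked through in Python over constructed DNS records. This is an added example, not Security Kit code; the corporate domain list stands in for the `cim_corporate_web_domain_search` macro and every address and name is constructed.

```python
"""UC0049 detection logic in Python (added example, not Security Kit code):
S01 flags a source whose distinct query names plus distinct answers exceed
10000 bytes; S02 flags a source with more than 100 distinct query names.
Both apply the catalogue's exclusions: corporate domains, reverse lookups,
and the DNS / web proxy / email infrastructure categories."""
import fnmatch
from collections import defaultdict

LENGTH_THRESHOLD = 10000
QUERY_COUNT_THRESHOLD = 100
CORPORATE_DOMAINS = ("example.com",)   # constructed; stands in for cim_corporate_web_domain_search
EXCLUDED_CATEGORIES = ("svc_infra_dns", "svc_infra_webproxy", "svc_infra_email*")


def is_excluded(rec):
    """Mirror the NOT (...) clauses of the tstats searches."""
    query = rec["query"].lower().rstrip(".")
    if query.endswith(".in-addr.arpa"):
        return True
    if any(query == d or query.endswith("." + d) for d in CORPORATE_DOMAINS):
        return True
    category = rec.get("src_category", "")
    return any(fnmatch.fnmatch(category, pat) for pat in EXCLUDED_CATEGORIES)


def _candidates(records):
    """QUERY records that survive the exclusions, as (src, query, answer)."""
    for r in records:
        if r["message_type"] == "QUERY" and not is_excluded(r):
            # the S01 search treats an "unknown" answer as an empty string
            answer = r.get("answer", "unknown")
            yield r["src"], r["query"], "" if answer == "unknown" else answer


def dns_tunnel_by_size(records):
    """S01: per source, sum of the lengths of the distinct query names plus
    the distinct answers; returns {src: total} for totals above 10000."""
    queries, answers = defaultdict(set), defaultdict(set)
    for src, query, answer in _candidates(records):
        queries[src].add(query)
        answers[src].add(answer)
    totals = {src: sum(map(len, queries[src])) + sum(map(len, answers[src]))
              for src in queries}
    return {src: n for src, n in totals.items() if n > LENGTH_THRESHOLD}


def dns_tunnel_by_count(records):
    """S02: per source, number of distinct query names; returns {src: count} above 100."""
    distinct = defaultdict(set)
    for src, query, _answer in _candidates(records):
        distinct[src].add(query)
    return {src: len(q) for src, q in distinct.items() if len(q) > QUERY_COUNT_THRESHOLD}


def _rec(src, query, answer="unknown", category=""):
    return {"src": src, "query": query, "answer": answer,
            "message_type": "QUERY", "src_category": category}


# Constructed records: one host emitting 180 unique 40-hex-character labels,
# one ordinary workstation, and a resolver whose category excludes it.
RECORDS = (
    [_rec("10.0.0.77", f"{i:040x}.t.tunnel-example.invalid") for i in range(180)]
    + [_rec("10.0.0.5", f"host{i}.example.com", "10.1.1.1") for i in range(20)]
    + [_rec("10.0.0.5", f"site{i}.example.net", "192.0.2.1") for i in range(20)]
    + [_rec("10.0.0.5", "1.2.0.192.in-addr.arpa")]
    + [_rec("10.0.0.53", f"{i:040x}.t.tunnel-example.invalid", category="svc_infra_dns")
       for i in range(180)]
)

if __name__ == "__main__":
    print("S01 size notables:", dns_tunnel_by_size(RECORDS))
    print("S02 count notables:", dns_tunnel_by_count(RECORDS))
```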

Related articles

UC0051 Excessive physical access failures to CIP assets


A user with continuous physical access failures could be someone searching for a physical vulnerability within the organization. When this
occurs in an area that is protecting CIP assets, it is something that should be followed up on immediately.
Problem Types Addressed

Risk Addressed

Event Data Sources

Enrichment

PRT01-Compliance

RV2-Access

PT014-PhysicalAccessControl

TBD

PRT02-SecurityVisibilityUserActivity

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Edge

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load

Implementation Skill

TBD

TBD

TBD

Response
Investigate identity - add to watchlist for successful authentication
<note>
This needs to be merged with OR added to a new Response Plan pertaining to Physical access responses
</note>

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trending vs False positives
Metrics Review
1. Review legitimate badge access attempts/failures (security officers, vulnerability assessments, etc); add to false positive
database
Artifacts
TBD

Related articles

UC0052 Non-CIP user attempts to access CIP asset


CIP assets require special protections; therefore, users that have not been vetted for CIP access, or should have had their access removed,
should not have access. System owners should be notified immediately should a non-CIP user attempt to access a CIP asset.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV2-Access

DS003Authentication-ET01Success

PRT02-SecurityVisibilityUserActivity

RV6-Misconfiguration

DS003Authentication-ET02Failure

Adoption Phase Customer

Adoption Phase SME

APC-Edge

APS-Proposed

API-Known

Initial Severity

Occurrence/Fidelity

Fidelity

SV3 - High

RATED0-Rare

FIDELITY-High

System Load

Analyst Load

Implementation Skill

TBD

TBD

TBD

Enrichment
DE001AssetInformation
CAT-gov:CIP
DDE002 Identity Information
CAT-gov:CIP

Adoption Phase Industry

Response
Alert and investigate cause of identity access attempt; document disposition (examples below):
1. Administrative process error - user access incorrectly removed after review cycle due to inactivity; user needs to go through the process to be added back to the list
2. Employee training error - new employee without CIP access mistakenly tried to connect before completing the CIP training and vetting process; user needs to complete process to get on the list
3. Suspicious / malicious behavior - unjustified actions (including no explanation); incident response team to investigate the asset, identify actors and follow up with management / HR / legal actions, and file relevant compliance paperwork
<note>
This needs to be merged with OR added to a new Response Plan pertaining to electronic access responses
</note>

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0065 Malware detected compliance asset


Malware detection on an asset designated as in scope for compliance (such as PCI, CIP or HIPAA) requires review even when an automatic clean
has occurred.
Problem Types Addressed

Risk Addressed

Event Data Sources

PRT01-Compliance

RV3-MaliciousCode

DS004EndPointAntiMalware-ET01SigDetected

PRT02-SecurityVisibilityEndpointMalware

Adoption Phase Customer

Adoption Phase SME

Adoption Phase Industry

APC-Edge

APS-Proposed

API-Expected

Initial Severity

Occurrence/Fidelity

Fidelity

SV4 - Critical

RATED0-Rare

FIDELITY-High

System Load

Analyst Load

Implementation Skill

LOAD-Low

AnalystLoad-Moderate

SKILLI-PS-SecurtityEnabled

Response RP005 Malicious Code detected on endpoint

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Enrichment
DDE001 Asset Information
CAT-gov

Related articles

UC0071 Improbably short time between Remote Authentications with IP change


For employers that allow remote external connectivity, the detection of two or more distinct external source IP addresses for successful authentications to a remote access solution within a short period of time indicates a likely compromise of credentials. The short period of time value will need to be tuned for any given environment; a good starting point might be 15 minutes.
Rare but valid exceptions (false positives) might include:
- an employee logs in briefly from home, then goes to a local coffee shop and logs in again there
- an employee logs in from home, then a power outage resets the router and the ISP assigns a new DHCP address
- an employee alternates between two specific IPs, such as mobile broadband and a coffee shop connection, due to iOS Wi-Fi Assist
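The detection described above, as an added example (not code from the Splunk SecKit repository): it slides a 15-minute window over successful remote logons per user and reports every pair from distinct source IPs, with an optional set of known IP pairs to suppress the Wi-Fi Assist case. The log format and sample records are constructed.

```python
"""Improbably short interval between successful remote authentications from
different source IPs (UC0071). Added example, not code from the Splunk SecKit
repository; the log format, field layout and sample records are constructed,
and the 15-minute window is the starting point suggested in the use case."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed successful remote-access logons: "timestamp user src_ip".
SAMPLE_LOG = """\
2016-07-20T08:00:00 alice 203.0.113.10
2016-07-20T08:04:00 alice 198.51.100.7
2016-07-20T08:30:00 bob 192.0.2.44
2016-07-20T09:10:00 bob 192.0.2.44
2016-07-20T09:20:00 bob 203.0.113.99
2016-07-20T10:00:00 carol 198.51.100.1
2016-07-20T10:10:00 carol 198.51.100.1
"""


def parse_events(text):
    """Return (time, user, src_ip) tuples in time order."""
    events = []
    for line in text.splitlines():
        ts, user, src = line.split()
        events.append((datetime.fromisoformat(ts), user, src))
    events.sort()
    return events


def find_ip_changes(events, window=timedelta(minutes=15), known_pairs=frozenset()):
    """Return (user, earlier_ip, later_ip, seconds_apart) for each pair of
    successful logons by the same user from distinct source IPs within
    `window`. known_pairs holds frozenset({ip_a, ip_b}) combinations a user
    is known to alternate between (the Wi-Fi Assist case); those are skipped."""
    hits = []
    recent = defaultdict(list)   # user -> [(time, src_ip)] still inside the window
    for ts, user, src in events:
        # Drop logons that have aged out of the window before comparing.
        recent[user] = [(t, s) for t, s in recent[user] if ts - t <= window]
        for t, s in recent[user]:
            if s != src and frozenset((s, src)) not in known_pairs:
                hits.append((user, s, src, int((ts - t).total_seconds())))
        recent[user].append((ts, src))
    return hits
```

Bob's 08:30 and 09:10 logons share an IP and the 08:30 entry has aged out by 09:20, so only the 09:10 to 09:20 change is reported; the window and the known pairs are the tuning knobs the use case calls for.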
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DE001AssetInformation (SRC IP not found in the asset information); DE002IdentityInformation (Employee, Customer, Can manage account, Can admin users)
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV3 - High (Customer); SV4 - Critical (Employee)
Occurrence: RATED0-Rare (well tuned); RATED1-Common (poorly tuned)
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-High
Implementation Skill:
Response: RP010 Contain potentially compromised account

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend Reporting by account type (employee vs customer)
2. Trend Reporting by result of investigation
3. Trend Reporting of call center impact (customer)
Metrics Review
1. Review thresholds and monitoring statistics quarterly to determine if the tolerances should be modified relative to risk acceptance
Artifacts
TBD

Related articles


UC0072 Detection of unauthorized device using DNS resolution for WPAD


Detection of an endpoint attempting proxy auto-discovery through DNS by querying for wpad.<registration domain>. Search for NXDOMAIN replies
to A/AAAA queries for wpad (bare host) and wpad.* where the domain portion is not a company-owned domain.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS002DNS-ET01QueryRequest
Enrichment: DDE001 Asset Information (CAT-svc:dnsresolver, CAT-svc:mailgw, CAT-svc:webproxy); DDE017 Legitimate DNS command and control domains
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Automation
Implementation Skill: SKILLI-Customer
Response: RP019 Unauthorized device detected

Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. N/A
Artifacts

Detection Activities
Rule Name - UC0072-S01-V001 Potential unauthorized device detected by wpad resolution
Notable Title - UC0072-S01 $gov$-$src_ip$ Unauthorized device detected by wpad resolution
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0072
Search Logic - TBD
Compliance YES
Container App DA-ESS-SecKit-NetworkProtection

Related articles


UC0073 Endpoint detected malware infection from url


An endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. This is a possible indication of gaps
in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine
how existing prevention controls can be modified to prevent future infections. Possible control gaps could include:
- detection signatures, white lists, and black lists not being updated on appliances
- possible misconfiguration of network traffic, for example a cable bypass of one or more of the network appliances
- endpoint connected to the wrong network, for example an open wifi access point instead of a company provisioned network
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode; RV6-Misconfiguration
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation; DDE007 Signature Special Processing List
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV3 - High
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD
Response: RP005 Malicious Code detected on endpoint
Begin the response plan at the lessons learned stage.
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts

Detection Activities
Rule Name - UC0073-S01-V001 Endpoint malware infection from url
Dependency
Notable Title - UC0073-S01 Endpoint malware infection from $domain$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0073
Search Logic
tag=attack tag=malware url=*
| rex field=url "(?:http|https)://(?<domain>[^\/]*)"
| rex field=url "(?<url_noquery>[^?]*)"
| stats first(domain) as domain first(url) as url by url_noquery
Drilldown
Name - View Contributing Events
Search - $domain$ (( tag=attack tag=malware ) OR (tag=web tag=proxy))
Compliance YES
Container App DA-ESS-SecKit-EndpointProtection

Related articles


UC0074 Network Intrusion Internal Network


IDS/IPS detecting or blocking an attack based on a known signature.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS012NetworkIntrusionDetection-ET01SigDetection
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc) observes attack without blocking

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts

Detection Activities
Rule Name - UC0074-S01-V001 Network Intrusion Internal Network
Notable Title - UC0074-S01 $gov$-$src$ Network Intrusion Internal Network $signature$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0074
Search Logic
| tstats `summariesonly` dc(IDS_Attacks.signature) as attack_count last(IDS_Attacks.severity) as severity values(IDS_Attacks.src_tag) as tag from datamodel=Intrusion_Detection where NOT IDS_Attacks.dest_category=ZONE_DMZ NOT IDS_Attacks.src_category=svc_scanner by IDS_Attacks.src,IDS_Attacks.category,IDS_Attacks.signature
| `drop_dm_object_name("IDS_Attacks")`
Note: an alternative implementation with XS should be considered.
Window -65m@m to -5m@m
Cron 20 * * * *
Compliance YES
Container App SecKit-DA-ESS-NetworkProtection

Related articles


UC0075 Network Malware Detection


An internal malware detection system, such as FireEye devices, reporting an attack.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS011MalwareDetonation-ET01Detection
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: TBD
Implementation Skill: TBD
Response: RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc) observes attack without blocking
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts

Detection Activities
Rule Name - UC0075-S01-V001 FireEye detection unblocked
Notable Title - UC0075-S01 $gov$-$src$ Fire Eye APT detection $signature$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0075
Search Logic
eventtype=fe action=notified NOT "169.250.0.1"
| table src dvc_ip dest product signature severity impact ext_ref
| `get_asset(src)`
Window -65m@m to now
Cron */2 * * * *
Compliance YES
Container App SecKit-DA-ESS-NetworkProtection

Related articles


UC0076 Excessive DNS Failures


An endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be
detected by either a large volume or high number of unique DNS queries.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS002DNS-ET01Query
Enrichment: DE001AssetInformation (CAT-svc:dnsresolver, CAT-svc:mailgw, CAT-svc:webproxy); DDE017 Legitimate DNS command and control domains; DDE010 Alexa TOP 1 million sites; DDE019 CIM Corporate Web Domains
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP005 Malicious Code detected on endpoint

Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Indicator value
Metrics Review
Per Quarter review indicator values impacting false positive resolutions and determine if thresholds should be adjusted
Artifacts

Detection Activities
Rule Name - UC0076-S01-V001 Excessive DNS Failures
Notable Title - UC0076-S01 $gov$-$asset_name$ Excessive DNS Failures $count$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0076
Search Logic
| tstats allow_old_summaries=true count values("DNS.query") as queries from datamodel=Network_Resolution where nodename=DNS "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src","DNS.query"
| `drop_dm_object_name("DNS")`
| lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain
| where isnull(domain)
| lookup alexa_lookup_by_str domain as query OUTPUT rank
| where isnull(rank)
| stats sum(count) as count mode(queries) as queries by src
| `get_asset(src)`
| where count>50

Drilldown
| tstats allow_old_summaries=true count from datamodel=Network_Resolution where nodename=DNS "DNS.src"="$src$" "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*" by "DNS.src","DNS.query"
| `drop_dm_object_name("DNS")`
| lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain
| where isnull(domain)
| lookup alexa_lookup_by_str domain as query OUTPUT rank
| where isnull(rank)
| stats sum(count) as count by src query
| `get_asset(src)`

Compliance YES
Container App DA-ESS-SecKit-NetworkProtection
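The two DNS detections that share a resolver-log parser, UC0072 (WPAD lookups for domains the company does not own) and the UC0076 search above, as one added example that is not code from the Splunk SecKit app. The log format, the company-domain list (standing in for DDE019) and the Alexa stand-in (DDE010) are constructed; the exclusions mirror the search logic above.

```python
"""DNS detections for UC0072 (WPAD lookups outside company-owned domains) and
UC0076 (excessive failed lookups per source). Added example, not code from the
Splunk SecKit app; the resolver log format, the company-domain list and the
Alexa stand-in are constructed for illustration."""
from collections import Counter, defaultdict

# Constructed resolver log lines: "src query reply_code".
SAMPLE_DNS = (
    "10.1.1.5 wpad.example.com NXDOMAIN\n"          # company domain: expected lookup
    "10.1.1.5 wpad.coffeeshop-wifi.net NXDOMAIN\n"  # foreign search suffix: UC0072 hit
    "10.1.1.6 wpad NXDOMAIN\n"                      # bare host lookup: UC0072 hit
    "10.1.1.7 www.example.com NoError\n"            # successful lookup: ignored by both
    "10.1.1.9 1.1.168.192.in-addr.arpa NXDOMAIN\n"  # reverse lookup: excluded in UC0076
    + "".join(f"10.1.1.8 h{i}.badhost.test NXDOMAIN\n" for i in range(60))  # UC0076 hit
    + "".join(f"10.1.1.9 x{i}.google.com NXDOMAIN\n" for i in range(60))    # Alexa: excluded
)

COMPANY_DOMAINS = {"example.com"}               # stand-in for DDE019 CIM Corporate Web Domains
ALEXA_TOP = {"google.com", "microsoft.com"}     # stand-in for DDE010 Alexa TOP 1 million sites
OK_CODES = {"No Error", "NoError"}              # reply codes treated as success


def parse_dns(text):
    """Return (src, query, reply_code) tuples from the constructed log format."""
    return [tuple(line.split(None, 2)) for line in text.splitlines() if line.strip()]


def registered_domain(name):
    """Last two labels of a name: a crude stand-in for the registration domain."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name.lower()


def wpad_unauthorized(records, company_domains=COMPANY_DOMAINS):
    """UC0072: (src, query) pairs where a failed lookup was for the bare host
    'wpad' or for wpad.<domain> with <domain> not owned by the company."""
    hits = set()
    for src, query, code in records:
        if code in OK_CODES:
            continue
        labels = query.lower().split(".")
        if labels[0] != "wpad":
            continue
        if len(labels) == 1 or registered_domain(query) not in company_domains:
            hits.add((src, query.lower()))
    return sorted(hits)


def excessive_failures(records, threshold=50, corporate=COMPANY_DOMAINS, alexa=ALEXA_TOP):
    """UC0076: per source, count failed lookups after excluding *.arpa,
    single-label names, corporate domains and Alexa top sites; return the
    sources whose count exceeds the threshold (the search above uses >50)."""
    counts = Counter()
    queries = defaultdict(set)
    for src, query, code in records:
        q = query.lower()
        if code in OK_CODES or code == "unknown":
            continue
        if q.endswith(".arpa") or "." not in q:
            continue
        dom = registered_domain(q)
        if dom in corporate or dom in alexa:
            continue
        counts[src] += 1
        queries[src].add(q)
    return {src: (n, sorted(queries[src])) for src, n in counts.items() if n > threshold}
```

A production version would replace registered_domain with a public suffix list lookup; with two-label stand-ins a co.uk style suffix would be mis-split.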

Related articles


UC0077 Detection Risky Referral Domains


Maintain a tracking list of public domain suffixes and the data source in which each was first seen, keyed by first-seen epoch. Identify where one of the following sequences occurs:
- a new domain appears in the HTTP referrer field
- the first occurrence of a domain as a sender domain is less than 48 hours after it was first seen
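The first-seen tracker and both alert sequences, as an added example (not the SecKit tracker): the tracker is a dictionary that can be persisted between runs, and the data source names and sample events are constructed.

```python
"""First-seen tracking of registration domains by data source (UC0077). Added
example, not the SecKit tracker; the tracker layout, the data source names
("http_referrer", "mail_sender") and the sample events are constructed. The
48-hour window is the value stated in the use case."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)

# Constructed events: (time, data_source, host name observed).
SAMPLE_EVENTS = [
    (datetime(2016, 7, 1, 8), "http_referrer", "cdn.oldpartner.test"),
    (datetime(2016, 7, 20, 8), "http_referrer", "promo.newshop.test"),
    (datetime(2016, 7, 20, 10), "http_referrer", "promo.newshop.test"),  # repeat: no change
    (datetime(2016, 7, 20, 12), "mail_sender", "oldpartner.test"),        # 19 days later: fine
    (datetime(2016, 7, 21, 9), "mail_sender", "newshop.test"),            # 25 h later: risky
]


def registration_domain(host):
    """Last two labels of the host name, a crude stand-in for the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def track_domains(events, tracker=None, window=WINDOW):
    """tracker: dict (domain, data_source) -> first-seen time, updated in place so
    it persists between runs. Returns alerts as (time, domain, reason)."""
    tracker = {} if tracker is None else tracker
    alerts = []
    for ts, source, host in sorted(events):
        dom = registration_domain(host)
        key = (dom, source)
        if key in tracker:
            continue                      # only the first sighting per source matters
        tracker[key] = ts
        # Earliest sighting of the domain across all data sources.
        first_seen = min(t for (d, _), t in tracker.items() if d == dom)
        if source == "http_referrer" and first_seen == ts:
            alerts.append((ts, dom, "new domain in http referrer field"))
        elif source == "mail_sender" and first_seen < ts and ts - first_seen < window:
            alerts.append((ts, dom, "sender domain first seen less than 48 hours after first sighting"))
    return alerts
```

A domain whose very first sighting is as a sender is not alerted here; that is an assumption, since the use case measures the sender sighting against an earlier first-seen time.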

Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS001Mail-ET02Receive; DS014WebServer-ET01Access
Enrichment:
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: AnalystLoad-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response:
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts

Detection Activities
Rule Name - UC0072-S01-V001 Potential unauthorized device detected by wpad resolution
Notable Title - UC0072-S01 $gov$-$src_ip$ Unauthorized device detected by wpad resolution
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0072
Search Logic - TBD
Compliance YES
Container App DA-ESS-SecKit-NetworkProtection

Related articles


UC0079 Use of accountable privileged identity to access new or rare sensitive resource
Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger a notable event for review
of access reason.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityPriviledgeUserMonitoring
Risk Addressed: RV1-AbuseofAccess
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DE001AssetInformation (CAT-gov_identifier); DE002IdentityInformation (CAT-privileged)
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-High
Analyst Load: TBD
Implementation Skill: TBD
Response: RP009 Unauthorized (actual or attempted) access by employees or contractors

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Time to investigate
2. Time to close
3. Number of reportable incidents
Metrics Review
1. Review thresholds determine if adjustments to reduce thresholds should be made
Artifacts
Dependencies
DDT002 Logon Tracker
Correlation Search
"New/Rare Login"

| inputlookup logon_tracker
| `get_asset(dest_dns)`
| `get_identity(user_nick)`
| search user_category="privileged"
| where _time > relative_time(now(), "-24h") OR isnotnull(mvfind(dest_category, "^gov:"))
Suppress by dest_dns,user_nick time 86400
The where clause keeps tracker entries first seen in the last 24 hours, or any entry whose destination carries a gov: category.

Dashboard
Conditions
- nick
- time
Display
- Distinct hosts
- Distinct gov categories involved (word cloud)
- Time chart of access count and dc(dest_dns)
- Map of access sources geo coded

Reporting
Daily produce report by managed_by
- Roll up of users and systems accessed
- Roll up of critical changes by user
- Time of day by user
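The correlation logic above in procedural form, as an added example (not the SecKit logon_tracker lookup or correlation search): privileged identities, gov-categorised destinations, a rolling period, and the one-day suppression per dest_dns and user_nick. The category tables and sample logons are constructed and the 30-day rolling period is an assumed value.

```python
"""New or rare logon by a privileged identity to a governed asset (UC0079).
Added example, not the SecKit logon_tracker lookup or correlation search; the
asset and identity categories and the sample logons are constructed, and the
30-day rolling period is an assumed value."""
from datetime import datetime, timedelta

ROLLING_PERIOD = timedelta(days=30)        # assumed "rolling time period"
SUPPRESSION = timedelta(seconds=86400)     # page: suppress by dest_dns,user_nick for 86400 s

# Constructed DE001 asset categories (CAT-gov_identifier) and DE002 identity categories.
ASSET_CATEGORY = {"db01.corp.test": ["gov:pci"], "wiki.corp.test": ["svc:web"]}
USER_CATEGORY = {"jdoe": ["privileged"], "asmith": ["employee"]}

SAMPLE_LOGONS = [
    (datetime(2016, 7, 1, 9), "jdoe", "db01.corp.test"),    # first privileged access: notable
    (datetime(2016, 7, 1, 15), "jdoe", "db01.corp.test"),   # repeat within the period: quiet
    (datetime(2016, 7, 2, 9), "jdoe", "wiki.corp.test"),    # not a governed asset: quiet
    (datetime(2016, 7, 2, 9), "asmith", "db01.corp.test"),  # not a privileged identity: quiet
    (datetime(2016, 9, 1, 9), "jdoe", "db01.corp.test"),    # last seen >30 days ago: notable
]


def review_logons(logons, tracker=None):
    """logons: (time, user_nick, dest_dns) successful logons, any order.
    tracker: dict (user_nick, dest_dns) -> last logon time; updated in place so
    it can persist between runs like the logon_tracker lookup.
    Returns notable events as (time, user_nick, dest_dns, gov_categories)."""
    tracker = {} if tracker is None else tracker
    last_alert = {}
    notables = []
    for ts, user, dest in sorted(logons):
        key = (user, dest)
        previous = tracker.get(key)
        tracker[key] = ts
        if "privileged" not in USER_CATEGORY.get(user, []):
            continue
        gov = [c for c in ASSET_CATEGORY.get(dest, []) if c.startswith("gov:")]
        if not gov:
            continue
        # "First time within the rolling period": never seen, or last seen before the window.
        if previous is not None and ts - previous <= ROLLING_PERIOD:
            continue
        # Suppression keeps a burst of first-time logons to one notable per day.
        if key in last_alert and ts - last_alert[key] < SUPPRESSION:
            continue
        last_alert[key] = ts
        notables.append((ts, user, dest, gov))
    return notables
```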

Related articles


UC0080 Trusted Individual exceeds authorization in observation of other users


Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not
authorized as part of the user's job function.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV1-AbuseofAccess
Event Data Sources: DS006UserActivity-ET06Search
Enrichment: DE002IdentityInformation (Actor Title); list of values for user_category requiring review when observed; list of eventtypes on access logs requiring review
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: TBD
Implementation Skill: TBD
Response: TBD

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0081 Communication with unestablished domain


Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious
code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be
flagged.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS002DNS-ET01QueryRequest; DS005WebProxyRequest-ET01Requested
Enrichment: DDE001 Asset Information (CAT-svc:dnsresolver, CAT-svc:mailgw, CAT-svc:webproxy); DDE017 Legitimate DNS command and control domains; DDE010 Alexa TOP 1 million sites; DDE022 Domain Reputation Score Provider; DDT004 New Domain Tracker
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response: RP019 Unauthorized device detected

Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts

Detection Activities

Related articles


UC0082 Communication with enclave by default rule


Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an
actual or attempted compromise. Communication filtered by the default rule implies no explicit permission for the communication has been granted,
and it should be reviewed. Consider ingress communication allowed by the default rule, and egress communication allowed or blocked.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV6-Misconfiguration
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DDE001 Asset Information
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts

Detection Activities

Related articles


UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule


Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an
actual or attempted compromise. Maintain a dynamic list of firewall rule names by dvc, and alert when a rule is named in an allowed communication
where the reviewed time is null or prior to the last known modification time.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV6-Misconfiguration
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DDE001 Asset Information
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts

Detection Activities

Related articles


UC0084 Monitor Execution of Triage Activity


Define and maintain eventtypes for unsuppressed notable events, separately identifying the review workflow and the triage SLA required.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV6-Misconfiguration
Event Data Sources: DS013TicketManagement-ET01
Enrichment: TBD
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts

Detection Activities

Related articles


UC0085 Alert per host where web application logs indicate a source IP not classified as WAF
Communication to any web application server without filtering by a network web application firewall indicates a security misconfiguration.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV6-Misconfiguration
Event Data Sources: DS014WebServer-ET01Access
Enrichment: DDE001 Asset Information (CAT-svc:waf)
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts

Detection Activities

Related articles


UC0086 Detect Multiple Primary Functions


Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP and DNS by destination asset. Alert if more
than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC).
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV6-Misconfiguration
Event Data Sources: DS010NetworkCommunication-ET01TrafficAppAware
Enrichment: DDE001 Asset Information; list of accepted administrative functions
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts

Detection Activities

Related articles


UC0087 Malware signature not updated by SLA for compliance asset


Malware signatures last updated on an asset designated as in compliance scope (such as PCI, CIP or HIPAA) beyond SLA limits.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET02UpdatedSig
Enrichment: DDE001 Asset Information (CAT-gov)
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP005 Malicious Code detected on endpoint

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0088 User account sharing detection by source device ownership


Detection of logon device by asset name (may require resolution from IP) when logon user does not match the owner and the number of
unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner, and public or shared.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV1-AbuseofAccess
Event Data Sources: DS004EndPointAntiMalware-ET02UpdatedSig
Enrichment: DDE001 Asset Information (CAT-gov)
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0089 Detection of Communication with Algorithmically Generated Domain


Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a computer, excluding known cloud hosting domains,
Alexa TOP 1M domains and domains with long-established communication with the organization.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS002DNS-ET01Query
Enrichment: DE001AssetInformation (CAT-svc:dnsresolver, CAT-svc:mailgw, CAT-svc:webproxy); DDE017 Legitimate DNS command and control domains; DDE010 Alexa TOP 1 million sites
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP005 Malicious Code detected on endpoint


Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Indicator value
Metrics Review
Per Quarter review indicator values impacting false positive resolutions and determine if thresholds should be adjusted
Artifacts
Rule Name - UC0089-S01-V001 Potential DGA interaction
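One way to produce the indicator value this use case's metrics refer to, as an added example that is not the SecKit "Potential DGA interaction" rule: the exclusions from the description are applied first, then the second-level label is scored on entropy, vowel ratio and digit mix. The thresholds, the score cut-off and the allow-lists are assumptions chosen for illustration.

```python
"""Heuristic scoring of a registration domain as algorithmically generated
(UC0089). Added example, not the SecKit "Potential DGA interaction" rule; the
entropy and vowel-ratio thresholds, the score cut-off and the allow-lists are
assumptions chosen for illustration."""
import math
from collections import Counter

ALEXA_TOP = {"google.com", "microsoft.com", "splunk.com"}   # stand-in for DDE010
CLOUD_HOSTING = {"amazonaws.com", "cloudfront.net"}          # known cloud hosting domains
ESTABLISHED = {"example.com"}        # domains with long-established communication
VOWELS = set("aeiou")

# Constructed DNS queries to score.
SAMPLE_QUERIES = [
    "www.google.com",          # Alexa top site: never flagged
    "mail.example.com",        # established partner: never flagged
    "splunkbase.test",         # readable label: low score
    "xk3j9f2qz8vb.net",        # high entropy, no vowels, mixed digits: flagged
    "qwrtpsdfghjkl.org",       # high entropy, no vowels: flagged
]


def registration_domain(fqdn):
    """Last two labels of the name, a crude stand-in for the public suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else fqdn.lower()


def shannon_entropy(text):
    """Bits per character of the label; random labels approach log2(alphabet size)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def dga_score(label):
    """0..3 indicator value: one point each for high entropy, very few vowels,
    and a mix of digits and letters in the second-level label."""
    score = 0
    if shannon_entropy(label) > 3.5:
        score += 1
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    if len(label) >= 8 and vowel_ratio < 0.25:
        score += 1
    if any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label):
        score += 1
    return score


def is_likely_dga(fqdn, min_score=2):
    """Apply the exclusions from the use case, then the heuristic score."""
    dom = registration_domain(fqdn)
    if dom in ALEXA_TOP or dom in CLOUD_HOSTING or dom in ESTABLISHED:
        return False
    return dga_score(dom.split(".")[0]) >= min_score


def flag_queries(queries):
    """Return the registration domains judged likely to be generated, in query order."""
    return [registration_domain(q) for q in queries if is_likely_dga(q)]
```

Short brand names and CDN labels score high on entropy too, which is why the cloud hosting and established-domain exclusions come before scoring and why the quarterly indicator review in the metrics matters.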

Related articles


UC0090 User account cross enclave access


Detection of logon with the same account to a production and a non-production environment. If an account (not a user) has logged into more
than one environment, access management controls have failed and must be remediated.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV6-Misconfiguration
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DDE001 Asset Information (net_enclave:value)
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0091 Validate Execution of Vulnerability Scan


Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify that communication (accepted or
rejected) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV6-Misconfiguration
Event Data Sources: DS010NetworkCommunication-ET01Traffic; DS020HostIntrustionDetection-ET01SigDetected
Enrichment: DDE001 Asset Information (CAT-gov, CAT-svc:scanvuln)
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0092 Exception to Approved Flow for Web Applications


Using web application access logs for assets deemed high/critical or carrying the governance attribute, ensure the source IP address is one of the
approved NLB or WAF devices. If WAF devices are placed in front of NLB devices, ensure the first "x-forwarded-for" entry is the address of the
WAF.
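The approved-flow check for this use case and for UC0085 (alert per host when a non-WAF source reaches a web application), as one added example that is not the SecKit implementation. The asset categories standing in for CAT-svc:waf and CAT-svc:nlb, the log format and the sample requests are constructed; the X-Forwarded-For position defaults to the first entry as the procedure states.

```python
"""Approved-flow check for web application access logs (UC0085 and UC0092):
the connecting address must be an approved NLB or WAF, and when WAFs sit in
front of NLBs the designated X-Forwarded-For entry must be a WAF. Added
example, not the SecKit implementation; the asset categories (CAT-svc:waf and
CAT-svc:nlb stand-ins), log format and sample requests are constructed."""
import ipaddress

# Constructed DDE001 asset information: addresses categorised as WAF and NLB.
WAF = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}
NLB = {ipaddress.ip_address("10.0.1.20")}

# Constructed access log lines: "dest_host client_ip x_forwarded_for" ('-' when absent).
SAMPLE_ACCESS = """\
app1.corp.test 10.0.1.20 10.0.0.10,203.0.113.5
app1.corp.test 10.0.0.11 203.0.113.6
app1.corp.test 198.51.100.9 -
app2.corp.test 10.0.1.20 203.0.113.7
app2.corp.test 10.0.1.20 -
"""


def parse_access(text):
    """Return (dest_host, client_ip, xff_chain) per request."""
    rows = []
    for line in text.splitlines():
        host, client, xff = line.split()
        chain = [] if xff == "-" else [ipaddress.ip_address(x.strip()) for x in xff.split(",")]
        rows.append((host, ipaddress.ip_address(client), chain))
    return rows


def flow_violations(rows, waf=WAF, nlb=NLB, waf_before_nlb=True, waf_position=0):
    """Return (dest_host, client_ip, reason) for requests outside the approved flow.
    waf_position selects which X-Forwarded-For entry must be the WAF; the
    procedure in the use case checks the first entry (0). Deployments whose
    WAF appends its own address as the last hop would pass -1."""
    violations = []
    for host, client, chain in rows:
        if client not in waf and client not in nlb:
            violations.append((host, str(client), "client address is neither WAF nor NLB"))
        elif waf_before_nlb and client in nlb:
            if not chain:
                violations.append((host, str(client), "NLB request carries no X-Forwarded-For"))
            elif chain[waf_position] not in waf:
                violations.append((host, str(client), "X-Forwarded-For entry is not a WAF"))
    return violations


def hosts_to_alert(violations):
    """UC0085 alerts per host: distinct destination hosts with at least one violation."""
    return sorted({host for host, _, _ in violations})
```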
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV6-Misconfiguration
Event Data Sources: DS010NetworkCommunication-ET01Traffic; DS020HostIntrustionDetection-ET01SigDetected
Enrichment: DDE001 Asset Information (CAT-gov, CAT-svc:waf, CAT-svc:nlb)
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0093 Previously active account has not accessed enclave/lifecycle


Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a
tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last
access time is more than 90 days from current date.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityPriviledgeUserMonitoring
Risk Addressed: RV2-Access; RV6-Misconfiguration
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DDE001 Asset Information (CAT-gov)
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

UC0094 Insecure authentication method detected


For each authentication technology in the network, identify the values in authentication events that positively ensure that secure authentication
is in use. Alert per authentication technology where a successful event occurs without the required indicators.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV2-Access; RV6-Misconfiguration
Event Data Sources: DS003Authentication-ET01Success
Enrichment: none
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Distinctive
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response:

Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD

Related articles

Adoptable IT Operations Use Cases


Enterprise Service Availability


ITOAUC-0001 Enterprise Service Availability Messaging


ITOAUC-0002 Enterprise Service Availability Authentication


Product Enterprise Security Use Cases


This section describes each correlation search provided by Splunk Enterprise Security 4.1.1.


UCESS002 Abnormally High Number of Endpoint Changes By User


Detects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits, filesystem, user and registry
modifications. For the past 24 hours starting on the hour, using all summary data even if the model has changed, generate a count of user and
change type (filesystem, AAA, etc.) combinations, compare that count against the previous day, and trigger if the change type is above high.

Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS009EndPointIntel; DS009EndPointIntel-ET01ObjectChange
Enrichment: DE001AssetInformation; DE002IdentityInformation
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Known
Initial Severity: SV1 - Low
Occurrence/Fidelity: RATED2-Frequent
Fidelity: FIDELITY-Low
System Load: LOAD-High
Analyst Load: AnalystLoad-High
Implementation Skill: SKILLI-PS-SecurtitySpecialist

Response RP005 Malicious Code detected on endpoint


Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review

Artifacts
Correlation Search - Abnormally High Number of Endpoint Changes By User


UCESS003 Abnormally High Number of HTTP Method Events By Src


Alerts when a host has an abnormally high number of HTTP requests by HTTP method. For the past 24 hours starting on the hour, using all
summary data even if the model has changed, generate a count of source-of-network-traffic and HTTP-method (GET, POST, etc.) combinations,
compare that count against the previous day, and trigger if the HTTP method is above high.

Problem Types Addressed: PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode; RV4-ScanProbe
Event Data Sources: DS005WebClientRequest-ET01Requested
Enrichment: DDE001 Asset Information
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Response RP018 Asset or Service under denial of Service attack


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Review website to make sure that everything is functioning properly, also check network status on SIEM for anomalous patterns

Artifacts
Correlation Search - Concurrent Login Attempts Detected


UCESS004 Account Deleted


Detects user and computer account deletion. Looking across a realtime window of +/-5 minutes, search for the value delete within the tag
field (an autogenerated field in data models) and, when the count is greater than 0, show the following aggregated values: last time seen,
original raw event data, result (vendor-specific change, renamed to signature), the associated list of source IPs and the associated list of
destination IPs, grouped by unique source user and user.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV2-Access
Event Data Sources: DS006UserActivity-ET05Delete
Enrichment: DDE013 Critical Policy Objects; DDE016 Critical or Risky Groups
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Response RP013 Change to critical access control detected


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend account activity per change control process
Metrics Review
1. Review service tickets based on account activity
Artifacts
TBD


UCESS005 Activity from Expired User Identity


Alerts when an event is discovered from a user associated with an identity that is now expired (that is, the end date of the identity has
passed). Looking across a realtime window of +/-5 minutes, return last time, original raw event data, user and a count of the times an
expired user was seen. Whether a user is expired is determined from the end date in the identity_lookup.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DE002IdentityInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Accepted
Initial Severity: SV1 - Low
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist

Response RP005 Malicious Code detected on endpoint


Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - Activity from Expired User Identity


UCESS006 Anomalous Audit Trail Activity Detected


Discovers anomalous activity such as the deletion or clearing of log files. Attackers oftentimes clear log files in order to hide their
actions, so this may indicate that the system has been compromised. Looking across a realtime window of +/-5 minutes, search for
action equal to cleared or stopped and show the following values: last time seen, original raw event data, destination (where the change
occurred), result (vendor-specific change, renamed to signature) and a count of occurrences, grouped by destination and result.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV1-AbuseofAccess; RV2-Access; RV3-MaliciousCode
Event Data Sources: DS007AuditTrail-ET01Clear; DS007AuditTrail-ET02Alter
Enrichment: DDE001 Asset Information; DDE004 Threat List
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Response RP007 Potentially Unauthorized change detected on endpoint


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track for signs of malicious behavior for log files and other critical tracking mechanisms
Metrics Review
1. Review for signs of log tampering such as incorrect timestamps, etc.
Artifacts
TBD


UCESS007 Anomalous New Process


Alerts when an anomalous number of hosts are detected with a new process. The local processes tracker contains destination, first and last
time seen, and process. If any data is returned, add it to the localprocesses_tracker file. Evaluate the time range and return values where
the first time seen falls between the evaluated time fields. Return a distinct count of destination grouped by process when the count is greater than 9.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV3-MaliciousCode; RV4-ScanProbe
Event Data Sources: DS009EndPointIntel-ET01ProcessLaunch
Enrichment: DDE001 Asset Information; DDE004 Threat List; DDE012 Service State by platform; DDE013 Critical Policy Objects
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-General

Response RP011 Unwanted/Unauthorized Code detected on endpoint


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Review and track notable events for new processes on endpoints
Metrics Review
1. Review change control logs and open an investigation if activity is missing
Artifacts
TBD


UCESS008 Anomalous New Service


Alerts when an anomalous number of hosts are detected with a new service. The service tracker contains destination, first and last time seen,
service and start_mode (auto, disabled). If any data is returned, add it to the services_tracker file. Evaluate the time range and return values
where the first time seen falls between the evaluated time fields. Return a distinct count of destination grouped by service when the count is
greater than 9.
Problem Types Addressed: Select PRT Values
Risk Addressed: RV3-MaliciousCode; RV6-Misconfiguration
Event Data Sources: DS009EndPointIntel; DS009EndPointIntel-ET01ServiceChange
Enrichment: DDE001 Asset Information; DDE004 Threat List; DDE012 Service State by platform
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Socializing
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Undetermined
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response RP001 New web application or network protocol detected


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend new services on endpoints
Metrics Review
1. Review the services list on existing endpoints and determine if new services have been added
Artifacts
TBD


UCESS009 Asset Ownership Unspecified


Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the
priority is not null and its length is greater than 0, the category is not null and its length is greater than 0, the asset owner is null or its
length is equal to 0, and the asset IP is null, or its length is equal to 0, or the value in the IP field is a single value. Count the assets
returned and alert if the count is greater than 0.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV6-Misconfiguration
Event Data Sources: DS015ConfigurationManagement-ET01General
Enrichment: DDE001 Asset Information
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Socializing
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED9-Undetermined
Fidelity: FIDELITY-Moderate
System Load: LOAD-Undetermined
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-General

Response RP001 New web application or network protocol detected


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend positive versus false positive rate
Metrics Review
1. Review prohibited protocol list and determine if new protocols should be added
Artifacts
TBD


UCESS010 Anomalous New Listening Port


Alerts when a series of hosts begin listening on a new port within 24 hours. This may indicate that the devices have been compromised or
have had new (and potentially vulnerable) software installed. The listening ports tracker contains destination IP and port, first and last time
seen, and transport protocol. If any data is returned, add it to the listeningports_tracker file. Evaluate the time range and return values where
the first time seen falls between the evaluated time fields. Return a distinct count of destination IP grouped by transport and destination port
when the count is greater than 10.

Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV3-MaliciousCode; RV6-Misconfiguration
Event Data Sources: DS010NetworkCommunication
Enrichment: DDE001 Asset Information
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED9-Undetermined
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-General

Response RP001 New web application or network protocol detected


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend known ports on all systems
Metrics Review
1. Investigate nature of new port and update lists and/or open a new investigation

Artifacts
TBD


UCESS011 Brute Force Access Behavior Detected


Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack).
Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures and count of successes,
grouped by source (host, IP, name). Return rows where success is greater than 0, and then return values where the failures compared to the
previous hour are.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS003Authentication-ET01Success; DS003Authentication-ET02FailureBadFactor
Enrichment: DE002IdentityInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-High
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Response RP005 Malicious Code detected on endpoint


Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - Brute Force Access Behavior Detected


UCESS012 Brute Force Access Behavior Detected Over One Day


Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful
brute force attack). Looking across the prior 24 hours starting 1 hour ago, search for application, count of failures and count of successes,
grouped by source (host, IP, name). Return rows where success is greater than 0, and then return values where the failures compared to the
previous day are above medium.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS003Authentication-ET01Success; DS003Authentication-ET02FailureBadFactor
Enrichment: DE002IdentityInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Response RP010 Contain potentially compromised account


Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - Brute Force Access Behavior Detected Over One Day


UCESS013 Cleartext Password At Rest Detected


Detects cleartext passwords being stored at rest (such as in the Unix password file). Looking across a realtime window of +/-5 minutes,
search for last time, original raw event data, tag and count, grouped by destination (host, IP, name), user and password. Place a pipe
between the tags.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV2-Access
Event Data Sources: DS009EndPointIntel
Enrichment: DDE013 Critical Policy Objects; DDE016 Critical or Risky Groups
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED9-Undetermined
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response RP010 Contain potentially compromised account


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track all passwords that are sent in the clear for all endpoints
Metrics Review
1. View all activity for this notable event
Artifacts
TBD


UCESS014 Completely Inactive Account


Discovers accounts that are no longer used. Unused accounts should be disabled, as they are oftentimes used by attackers to gain unauthorized
access. The access tracker contains destination (host, IP, name), first and last time seen, second-to-last time seen and user. If any data is
returned, add it to the access_tracker file. Evaluate the difference between now and the last time seen, divide the result by 86400 seconds
(1 day) and return values that are greater than 90.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV2-Access
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DDE013 Critical Policy Objects; DDE016 Critical or Risky Groups
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED9-Undetermined
Fidelity: FIDELITY-Undetermined
System Load: LOAD-Low
Analyst Load: LOAD-Low
Implementation Skill: SKILLI-Customer

Response RP001 New web application or network protocol detected


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend account activity
Metrics Review
1. Review policy objects for user lists and determine if new policies should be added
Artifacts
TBD


UCESS015 Concurrent Login Attempts Detected


Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential
misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user, and
provide a count for each combination of those values occurring within a one second window. Calculate a distinct count of source by application
and user. Take the last two events with the same app and user combination where the source does not match, compute the difference in their
timestamps, and return values where the time difference is less than 300 seconds.
Problem Types Addressed: PRT02-SecurityVisibilityPriviledgeUserMonitoring
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS003Authentication-ET01Success; DS003Authentication-ET02FailureBadFactor
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Known
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Response RP010 Contain potentially compromised account


Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - Concurrent Login Attempts Detected


Enrichment: DE001AssetInformation; DE002IdentityInformation; DDE021 Commercially maintained Geo IP Database

UCESS016 Default Account Activity Detected


Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly
targeted by attackers using brute force attack tools. Looking across a realtime window of +/-5 minutes, return lastTime, tag and count,
grouped by destination (host, IP, name), user and application. Place a pipe between each value in the tag field.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV2-Access
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DDE013 Critical Policy Objects; DDE016 Critical or Risky Groups
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Undetermined

Response RP001 New web application or network protocol detected


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend all accounts that do not conform to established policies
Metrics Review
1. Review prohibited account list and determine if new (or updated) policies should be added
Artifacts
TBD


UCESS017 Default Account At Rest Detected


Discovers the presence of default accounts even if they are not being used. Default accounts should be disabled in order to prevent an
attacker from using them to gain unauthorized access to remote hosts. Looking across a realtime window of +/-5 minutes, return lastTime,
original raw log, tag and count, grouped by destination (host, IP, name) and user, where enabled is not 0 or False (case-insensitive), status
is not degraded, the shell program does not end with nologin or false, and the user is not root. Place a pipe between each value in the tag
field.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV2-Access
Event Data Sources: DS009EndPointIntel
Enrichment: DDE013 Critical Policy Objects; DDE016 Critical or Risky Groups
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED9-Undetermined
Fidelity: FIDELITY-Undetermined
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response RP001 New web application or network protocol detected


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track any default or template accounts and ensure that they are sufficiently copied or changed
Metrics Review
1. Template accounts should not be accessed or used directly; monitor these accounts for access
Artifacts
TBD


UCESS018 Excessive DNS Failures


Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all
summary data even if the model has changed, provide a count where the DNS reply code is not No Error, grouped by source IP. Only
show counts that are more than 100.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS002DNS-ET01QueryResponse
Security Continuous Monitoring (DE.CM)
Enrichment: DDE001 Asset Information (CAT-svc:dnsresolver, CAT-svc:mailgw, CAT-svc:webproxy); DDE017 Legitimate DNS command and control domains; DDE010 Alexa TOP 1 million sites; DDE019 CIM Corporate Web Domains
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response RP002 Endpoint generating suspicious network activity


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track all occurrences, check for misconfiguration, or possible infection
Metrics Review
1. Review current blacklists and determine if new services are used to possibly create these queries, check SIEM for additional alerts
Artifacts
TBD


UCESS019 Excessive DNS Queries


Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all
summary data even if the model has changed, provide a count where the DNS message type is QUERY, grouped by source IP. Only
show counts that are more than 100.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS002DNS-ET01QueryRequest
Security Continuous Monitoring (DE.CM)
Enrichment: DDE001 Asset Information (CAT-svc:dnsresolver, CAT-svc:mailgw, CAT-svc:webproxy); DDE017 Legitimate DNS command and control domains; DDE010 Alexa TOP 1 million sites; DDE019 CIM Corporate Web Domains
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled

Response RP001 New web application or network protocol detected


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track all occurrences, check for misconfiguration, or possible infection
Metrics Review
1. Review current blacklists and determine if new services are used to possibly create these queries, check SIEM for additional alerts
Artifacts
TBD


UCESS020 Excessive Failed Logins


Detects an excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting 5 minutes after realtime,
search for failure in the tag field and return values of app and source IP, tags, distinct user count, distinct destination count and overall count,
grouped by app and source (host, IP, name), where the count is greater than 6, placing a pipe between each value in the tag field.
Problem Types Addressed: PRT02-SecurityVisibilityPriviledgeUserMonitoring
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS003Authentication-ET01Success; DS003Authentication-ET02FailureBadFactor
Enrichment: DDE001 Asset Information; DDE002 Identity Information
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Undetermined
Implementation Skill: SKILLI-Customer

Response RP010 Contain potentially compromised account


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend excessive login failures from all sources
Metrics Review
1. Correlate to particular network activity such as a bad service account password, and bad password attempts
Artifacts
Correlation Search - Multiple Login Attempts Detected
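The three failed-login searches above (UCESS011, UCESS012 and UCESS020) share one aggregation: count failures and successes per source over a window, then compare against a fixed threshold or against the previous window. The stand-alone Python below is an added example of that logic, not code from the Splunk correlation searches; the events are constructed, and because the page does not define the "above medium" threshold, the example assumes that the current window's failures must exceed twice the previous window's.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    """One CIM-style authentication event (constructed, not a Splunk record)."""
    time: int      # epoch seconds
    app: str
    src: str
    user: str
    dest: str
    action: str    # "success" or "failure"


def excessive_failed_logins(events, window_start, window_end, threshold=6):
    """UCESS020 logic: failures per (app, src) inside the window, with distinct
    user and destination counts; return only groups whose count exceeds threshold."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "dests": set()})
    for e in events:
        if e.action != "failure" or not (window_start <= e.time < window_end):
            continue
        g = groups[(e.app, e.src)]
        g["count"] += 1
        g["users"].add(e.user)
        g["dests"].add(e.dest)
    return {
        key: {"count": g["count"], "user_count": len(g["users"]), "dest_count": len(g["dests"])}
        for key, g in groups.items()
        if g["count"] > threshold
    }


def _counts_by_src(events, start, end):
    """Failure and success counts per src for events with start <= time < end."""
    failures, successes = defaultdict(int), defaultdict(int)
    for e in events:
        if start <= e.time < end:
            (failures if e.action == "failure" else successes)[e.src] += 1
    return failures, successes


def brute_force_access(events, window_start, window_end, ratio=2.0):
    """UCESS011/012 logic: a src with at least one success in the window whose
    failures are above the previous window of equal length. The page's "above
    medium" threshold is not defined, so ratio=2.0 (failures more than double
    the baseline) is an assumption. A src with no baseline failures is flagged
    on any failure plus a success; a tuner would add a minimum-failure floor
    to suppress that noisy case."""
    length = window_end - window_start
    prev_failures, _ = _counts_by_src(events, window_start - length, window_start)
    failures, successes = _counts_by_src(events, window_start, window_end)
    hits = []
    for src in sorted(successes):
        if successes[src] > 0 and failures.get(src, 0) > ratio * prev_failures.get(src, 0):
            hits.append({
                "src": src,
                "failures": failures.get(src, 0),
                "previous_failures": prev_failures.get(src, 0),
                "successes": successes[src],
            })
    return hits


# Constructed sample: the current hour is [CUR_START, CUR_END); the hour before it is the baseline.
CUR_START = 1_600_003_600
CUR_END = 1_600_007_200
SAMPLE_EVENTS = (
    # baseline hour: one stray failure from 10.0.0.5
    [AuthEvent(1_600_000_100, "ssh", "10.0.0.5", "alice", "srv1", "failure")]
    # current hour: 10.0.0.5 cycles through three usernames, eight failures, then succeeds
    + [AuthEvent(1_600_003_700 + 10 * i, "ssh", "10.0.0.5",
                 ["root", "admin", "alice"][i % 3], "srv1", "failure") for i in range(8)]
    + [AuthEvent(1_600_004_000, "ssh", "10.0.0.5", "alice", "srv1", "success")]
    # current hour: 10.0.0.9 has a few typos and never succeeds
    + [AuthEvent(1_600_005_000 + 60 * i, "ssh", "10.0.0.9", "bob", "srv1", "failure") for i in range(3)]
)

if __name__ == "__main__":
    print(excessive_failed_logins(SAMPLE_EVENTS, CUR_START, CUR_END))
    print(brute_force_access(SAMPLE_EVENTS, CUR_START, CUR_END))
```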


UCESS021 Excessive HTTP Failure Responses


Alerts when a host generates a large number of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5
minutes ago, using all summary data even if the model has changed, provide a count where status is one of the following (400, 403, 404, 411,
500, 501), grouped by dest, and the count is greater than 50.
Problem Types Addressed: PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode; RV4-ScanProbe
Event Data Sources: DS014WebServer-ET01Access
Enrichment: DDE001 Asset Information
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Socializing
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Response RP001 New web application or network protocol detected


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend positive versus false positive rate
Metrics Review
1. Review website to make sure that everything is functioning properly, also check network status on SIEM for anomalous patterns
Artifacts
TBD


UCESS022 Expected Host Not Reporting


Discovers hosts that are no longer reporting events but should be submitting log events. This rule is used to monitor hosts that you know
should be providing a constant stream of logs, in order to determine why a host has failed to provide log data. Every 15 minutes, execute the
host_eventcount macro and look across the time range of less than 30 days ago and greater than 2 hours ago. The macro returns min and max
time values and the count of events seen, grouped by host. Get associated asset information for the host as well as identity information for
the asset owner (via macros). Calculate the date difference between now and the lastTime the host was seen, and sort. The remainder of the
correlation search evaluates the is_expected value in the asset to be true; the time is formatted, and the host, last time, is_expected and
day difference are returned when orig_time equals the last time calculated in the macro.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV6-Misconfiguration
Event Data Sources: DS007AuditTrail
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Automation
Implementation Skill: SKILLI-Customer

Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - Expected Host Not Reporting


UCESS023 Alerts on access attempts that are improbable based on time and geography.
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful
brute force attack). For the past 18 hours starting 5 minutes after realtime, list the application and user business unit, grouped by user, source
(host, IP, name) and time with a time span of 1 second. Generate a distinct count of source by user, and return if the count is greater than 1.
Sort the output by time. Execute the get_asset macro on the source to collect values from the asset list that map to the source, and
perform an IP lookup on the source. Gather latitude, longitude and city, populated from the event or the asset. Take the last two events with
the same user where the source does not match, calculate the distance, time difference and speed between them, and return values where the
speed is greater than 500.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS003Authentication-ET01Success
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Response RP010 Contain potentially compromised account


Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - Geographically Improbable Access Detected


Enrichment: DE002IdentityInformation; DDE021 Commercially maintained Geo IP Database
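Both UCESS015 (Concurrent Login Attempts Detected) and UCESS023 above pair consecutive logins by the same user from different sources and then test the pair: a timestamp gap under 300 seconds for the concurrent-login search, and a travel speed above 500 for the geographically improbable one. The Python below is an added example of that pairing, not code from the Splunk searches; the events and the src-to-coordinates table (standing in for the asset and DDE021 Geo IP enrichment) are constructed, and the speed unit, which the page does not state, is assumed to be km/h.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class AuthEvent:
    """One successful authentication (constructed, not a Splunk record)."""
    time: int   # epoch seconds
    app: str
    user: str
    src: str


# Constructed stand-in for the asset / Geo IP lookup: src -> (latitude, longitude).
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
GEO_LOOKUP = {
    "203.0.113.10": (40.7128, -74.0060),  # New York
    "198.51.100.7": (51.5074, -0.1278),   # London
    "192.0.2.44": (40.7306, -73.9352),    # New York, a few km from the first
}


def haversine_km(p1, p2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, p1)
    lat2, lon2 = map(math.radians, p2)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def source_changes(events):
    """Yield (previous, current) pairs of consecutive events for the same user,
    in time order, where the source differs: the 'last two events with the same
    user where the source does not match' step of both searches."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    for evs in by_user.values():
        evs.sort(key=lambda e: e.time)
        for prev, cur in zip(evs, evs[1:]):
            if prev.src != cur.src:
                yield prev, cur


def concurrent_logins(events, max_gap_seconds=300):
    """UCESS015: same app and user from two sources less than max_gap apart."""
    hits = []
    for prev, cur in source_changes(events):
        gap = cur.time - prev.time
        if prev.app == cur.app and gap < max_gap_seconds:
            hits.append({"user": cur.user, "app": cur.app, "srcs": (prev.src, cur.src), "seconds": gap})
    return hits


def improbable_access(events, geo=GEO_LOOKUP, max_speed_kmh=500.0):
    """UCESS023: distance, time difference and implied speed for each source
    change; flag speeds above max_speed. Pairs with no location for either
    source are skipped rather than guessed; a zero gap implies infinite speed."""
    hits = []
    for prev, cur in source_changes(events):
        if prev.src not in geo or cur.src not in geo:
            continue
        gap = cur.time - prev.time
        km = haversine_km(geo[prev.src], geo[cur.src])
        speed = km / (gap / 3600.0) if gap > 0 else math.inf
        if speed > max_speed_kmh:
            hits.append({"user": cur.user, "from": prev.src, "to": cur.src,
                         "seconds": gap, "km": round(km, 1), "kmh": round(speed, 1)})
    return hits


# Constructed sample events.
SAMPLE_EVENTS = [
    AuthEvent(1_600_000_000, "vpn", "alice", "203.0.113.10"),
    AuthEvent(1_600_007_200, "vpn", "alice", "198.51.100.7"),  # London, two hours later
    AuthEvent(1_600_000_000, "crm", "bob", "203.0.113.10"),
    AuthEvent(1_600_000_100, "crm", "bob", "192.0.2.44"),      # nearby address, 100 s later
    AuthEvent(1_600_000_500, "crm", "carol", "192.0.2.44"),    # single source, never paired
]

if __name__ == "__main__":
    print(concurrent_logins(SAMPLE_EVENTS))
    print(improbable_access(SAMPLE_EVENTS))
```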

UCESS024 High Number of Hosts Not Updating Malware Signatures


Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should be evaluated to determine
why they are not updating their malware signatures. Execute the malware operations tracker macro, calculate the time_signature_version,
and return results where the day difference between time_signature_version and the time is greater than 7 days. Return the count and the
destination (host, IP, name) when the count is greater than 10.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - High Number of Hosts Not Updating Malware Signatures

Copyright 2016, Splunk Inc.

Enrichment
DE001AssetInformation

UCESS025 High Number Of Infected Hosts


Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data even if the model has changed, return an estimated distinct count of destination (host, IP, name) where the node name is Malware_Attacks, and alert when the number of infected hosts is greater than 100.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts: Correlation Search - High Number Of Infected Hosts

UCESS026 High Or Critical Priority Host With Malware Detected


Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of +/-5 minutes, search for events where the destination priority (assigned in the asset table) is high or critical, and return the most recently seen time, the original raw log, the destination priority and the count, grouped by destination (host, IP, name) and signature.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts: Correlation Search - High Or Critical Priority Host With Malware Detected

UCESS027 High or Critical Priority Individual Logging into Infected Machine


Detects users with a high or critical priority logging into a malware-infected machine. Using all summary data even if the model has changed, search for users over a 60 minute window starting 5 minutes after realtime where the user priority (assigned in the identity table) is high or critical, and group by destination (host, IP, name). Join these results via an inner join on destination to another
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE002IdentityInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts: Correlation Search - High or Critical Priority Individual Logging into Infected Machine

UCESS028 High Process Count


Alerts when a host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time grouped by destination (host, IP, name) and process. Get the max time by destination, compare the two timestamps and keep the matches, so that only the latest process inventory for each destination is counted. Calculate the distinct count of process by destination and return those with a count greater than 200.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV3-MaliciousCode; RV6-Misconfiguration
Event Data Sources: DS009EndPointIntel-ET01ProcessLaunch
Enrichment: DDE001 Asset Information
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP017 Asset Symptomatic of abnormal condition
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend normal process list for asset
Metrics Review
1. Identify new or modified process tree
Artifacts: TBD

UCESS030 High Volume of Traffic from High or Critical Host Observed


Alerts when a host of high or critical priority generates a high volume of outbound traffic. This may indicate that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate the sum of the outbound bytes where the total number of bytes transferred is greater than 0 and the source priority (from the asset table) is critical or high, group by the source of the network traffic and the destination (host, IP, name), and alert where the bytes out is greater than 10 MB (10485760 bytes).
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Low
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts: Correlation Search - High Volume of Traffic from High or Critical Host Observed

UCESS031 Host Sending Excessive Email


Alerts when a host not designated as an e-mail server sends excessive e-mail to one or more target hosts. For the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate the sum of the recipient count and the distinct count of dest where the source category is not an email server (or wildcard), grouped by source IP over a 1 hour window. Compare the recipient sum against the recipients-by-source baseline and the dest count against the destinations-by-source baseline, and return the value if either is above medium.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS001Mail-ET03Send
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts: Correlation Search - Host Sending Excessive Email

UCESS032 Host With A Recurring Malware Infection


Alerts when a host has an infection that has been removed and re-acquired multiple times over multiple days. For the past 10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model has changed, return a distinct count of the date (a day count) grouped by the destination system affected by the malware event (host, IP, name) and signature. Alert when the count is greater than 3.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts: Correlation Search - Host With A Recurring Malware Infection

UCESS033 Host With High Number Of Listening ports


Alerts when a host has a high number of listening services. This may be an indication that the device is running services that are not necessary (such as a default installation of a server) or is not running a firewall. For the past 24 hours, using all summary data even if the model has changed, return a distinct count of the transport destination ports grouped by destination (host, IP, name). Alert when the count is greater than 20.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV4-ScanProbe
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DDE001 Asset Information; DDE005 Prohibited Network Protocol/Application List; DDE006 Acceptable Network Protocol/Application List
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-High
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP002 Endpoint generating suspicious network activity
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and monitor port activity on endpoints
Metrics Review
1. Review inventoried list of port and alert activity for anomalies
Artifacts: TBD

UCESS034 Host With High Number Of Services


Alerts when a host has a high number of services. This may be an indication that the device is running services that are not necessary (such as a default installation of a server). For the past 24 hours, using all summary data even if the model has changed, return a distinct count of the service grouped by destination (host, IP, name). Alert when the count is greater than 100.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV4-ScanProbe; RV6-Misconfiguration
Event Data Sources: DS009EndPointIntel-ET01ObjectChange
Enrichment: DDE001 Asset Information; DDE012 Service State by platform; DDE014 Service Account process name/hash
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP007 Potentially Unauthorized change detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track services on all endpoints within the organization against a list of known good services.
Metrics Review
1. Review prohibited service list and determine if unauthorized services were added.
Artifacts: TBD

UCESS035 Host With Multiple Infections


Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if the model has changed, return a distinct count of signatures grouped by destination (host, IP, name). Alert when the count is greater than 1.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts: Correlation Search - Host With Multiple Infections

UCESS036 Host With Old Infection Or Potential Re-Infection


Alerts when a host with an old infection is discovered (likely a re-infection). For the past 60 minutes starting 5 minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup against the malware_tracker, matching on destination and signature; if a match exists, output its time as firstTime. Calculate the difference between firstTime and lastTime and return values where the difference is greater than 30 days.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP005 Malicious Code detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts: Correlation Search - Host With Old Infection Or Potential Re-Infection

UCESS037 Inactive Account Activity Detected


Discovers previously inactive accounts that are now being used. This may be due to an attacker who has successfully gained access to an account that was no longer in use. Execute the inactive_account_usage macro across the time range from 90 days ago to 1.25 hours ago. The macro returns the time values firstTime, second2lastTime and lastTime grouped by user. Get the associated identity information for the user (via macros). Calculate the day difference between now and second2lastTime. The remainder of the correlation search sets tags to include access, formats the lastTime (now) value, and outputs the user, tags, the number of inactive days and the last time, where orig_time equals the lastTime calculated in the macro.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV1-AbuseofAccess
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DDE001 Asset Information; DDE002 Identity Information
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED9-Undetermined
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP017 Asset Symptomatic of abnormal condition
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and maintain account activity and flag for customer defined inactivity period.
Metrics Review
1. Review inactive account list on regular basis.
Artifacts: TBD

UCESS038 Insecure Or Cleartext Authentication Detected


Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of +/-5 minutes, calculate the max time and return the time, the original raw event, the tags and the count, grouped by application and destination (host, IP, name). Separate tags with pipes.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV2-Access; RV4-ScanProbe; RV6-Misconfiguration
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DDE001 Asset Information; DDE002 Identity Information
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED9-Undetermined
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP002 Endpoint generating suspicious network activity
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Identify and track accounts that are using insecure authentication.
Metrics Review
1. Review account list and trend the accounts that are using insecure authentication.
Artifacts: TBD

UCESS039 Multiple Primary Functions Detected


The primary_functions_tracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return the values of function and their distinct count grouped by destination (host, IP, name) where is_primary is true and the count is greater than 1.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV6-Misconfiguration
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DDE001 Asset Information
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response: RP017 Asset Symptomatic of abnormal condition
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and count notables generated
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts: TBD

UCESS040 Network Change Detected


Looking across a realtime window of +/-5 minutes, calculate the max time and return the time, the original raw event and the count, grouped by the device that reported the change (dvc: host, IP, name), the action performed on the resource and the command that initiated the change.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV1-AbuseofAccess; RV4-ScanProbe
Event Data Sources: DS006UserActivity-ET04Update
Enrichment: DDE001 Asset Information; DDE003 Public Network attributes; DDE008 Network CIDR Details
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP007 Potentially Unauthorized change detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track all occurrences of network changes
Metrics Review
1. Review metrics of network changes on hosts on a regular basis. Review change logs for scheduled events.
Artifacts: TBD

UCESS041 Network Device Rebooted


For the past 1 hour, using all summary data even if the model has changed, provide a count of device restarts grouped by the device that reported the change (dvc: host, IP, name) and by time in spans of 1 second.
Problem Types Addressed: PRT02-SecurityVisibility
Risk Addressed: RV2-Access; RV3-MaliciousCode; RV4-ScanProbe
Event Data Sources: DS015ConfigurationManagement
Enrichment: DDE001 Asset Information; DDE012 Service State by platform; DDE013 Critical Policy Objects
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP007 Potentially Unauthorized change detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track for frequency of reboots, trend any patterns and notable events
Metrics Review
1. Check against change control logs and open an investigation if not scheduled for maintenance
Artifacts: TBD

UCESS042 New User Account Created On Multiple Hosts


The useraccounts_tracker returns destination (host, IP, name), user, firstTime, lastTime and is_interactive. Create earliestQual as 24 hours ago snapped to the top of the hour, and latestQual as now. Keep records where firstTime is greater than or equal to earliestQual and less than or equal to latestQual. Generate a distinct count of destination (host, IP, name) grouped by user, and alert where the destination count is greater than 3.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV1-AbuseofAccess; RV2-Access
Event Data Sources: DS006UserActivity-ET03Create
Enrichment: DDE013 Critical Policy Objects; DDE016 Critical or Risky Groups
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP013 Change to critical access control detected
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track each account that is created on endpoints
Metrics Review
1. Review change control logs for this event and open an investigation if not present
Artifacts: TBD

UCESS043 Outbreak Detected


Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infection. For the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the systems affected by the malware event (dest: host, IP, name) grouped by signature, and trigger if the count is greater than 10.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP005 Malicious Code detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts: Correlation Search - Outbreak Detected

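The three summary-data malware checks above (UCESS032 Host With A Recurring Malware Infection, UCESS035 Host With Multiple Infections and UCESS043 Outbreak Detected) share one set of events and differ only in window, grouping and threshold. The following added example runs those three checks in Python over constructed signature detections; it is not the correlation searches' SPL and not Splunk's code, and the tstats access to the Malware data model is replaced by an in-memory list with dest, signature and _time fields.

```python
"""Added example: recurring infection, multiple infections and outbreak checks
in Python over constructed malware events (windowing, grouping, thresholds only)."""
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400
LAG = 300  # "starting 5 minutes after realtime": the newest 5 minutes are ignored

# Constructed sample events: signature detections with dest and epoch _time.
NOW = 1475000000
EVENTS = []
# twelve workstations hit by the same signature within the last 24 hours
for i in range(12):
    EVENTS.append({"_time": NOW - 3600 * i - 600, "dest": f"ws-{i:02d}", "signature": "Trojan.Gen"})
# one of them also carries a second, unrelated detection
EVENTS.append({"_time": NOW - 7200, "dest": "ws-00", "signature": "Adware.X"})
# a server cleaned and re-infected on four separate days, plus one hit outside 7 days
for d in (1, 2, 4, 6, 9):
    EVENTS.append({"_time": NOW - d * DAY + 100, "dest": "srv-db", "signature": "Worm.Z"})


def in_window(events, now, span_seconds):
    """Events inside [now - span, now - LAG], the search's effective time range."""
    return [e for e in events if now - span_seconds <= e["_time"] <= now - LAG]


def multiple_infections(events, now, threshold=1):
    """UCESS035: dc(signature) by dest over 24 hours, alert when above threshold."""
    sigs = defaultdict(set)
    for e in in_window(events, now, DAY):
        sigs[e["dest"]].add(e["signature"])
    return [{"dest": d, "signature_count": len(s), "signatures": sorted(s)}
            for d, s in sorted(sigs.items()) if len(s) > threshold]


def outbreak(events, now, threshold=10):
    """UCESS043: dc(dest) by signature over 24 hours, alert when above threshold."""
    dests = defaultdict(set)
    for e in in_window(events, now, DAY):
        dests[e["signature"]].add(e["dest"])
    return [{"signature": s, "dest_count": len(d)}
            for s, d in sorted(dests.items()) if len(d) > threshold]


def recurring_infection(events, now, threshold=3):
    """UCESS032: dc(day) by dest and signature over 7 days. Distinct calendar
    days (UTC) are counted, not detections, so a noisy single day cannot trigger."""
    days = defaultdict(set)
    for e in in_window(events, now, 7 * DAY):
        day = datetime.fromtimestamp(e["_time"], timezone.utc).date()
        days[(e["dest"], e["signature"])].add(day)
    return [{"dest": k[0], "signature": k[1], "day_count": len(v)}
            for k, v in sorted(days.items()) if len(v) > threshold]


if __name__ == "__main__":
    print("outbreak:", outbreak(EVENTS, NOW))
    print("multiple infections:", multiple_infections(EVENTS, NOW))
    print("recurring:", recurring_infection(EVENTS, NOW))
```

The day bucketing is the detail worth checking when porting these: a host whose agent re-reports the same detection every scan will show dozens of events for one signature, and only the distinct-day count separates a genuinely recurring infection from an unremoved one.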
UCESS044 Personally Identifiable Information Detected


Looking across a realtime window of +/-5 minutes, find integer sequences and look them up against luhn_like_lookup, outputting the fields pii and pii_clean. Look up iin_issuer in the iin_lookup table based on the pii_clean string and its length. Output the event id (a macro that creates a hash of indexer, time and raw event), the original raw log, host, the PII value, the IIN issuer (Visa, MasterCard, etc.) and a SHA1 hash of the PII value.
Problem Types Addressed: PRT01-Compliance; PRT01Compliance-PCI; PRT04-FFIEC
Risk Addressed: RV1-AbuseofAccess; RV2-Access
Event Data Sources: ALL
Enrichment: DDE002 Identity Information
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Excessive
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track all instances of unencrypted PII on endpoints
Metrics Review
1. If PII is unencrypted open an investigation
Artifacts: TBD

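The card-number detection described above (digit runs, Luhn check, IIN lookup, SHA1 of the match), as an added example in Python over constructed log lines. It is not the correlation search's SPL and not Splunk's code; the page's luhn_like_lookup and iin_lookup are not reproduced, so the regex and the small IIN table below are assumptions standing in for them, and the event id is a stand-in for the hash-of-indexer-time-raw macro.

```python
"""Added example: digit-run extraction, Luhn validation, IIN lookup and SHA1
hashing, in Python over constructed log lines."""
import hashlib
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (so a 22-digit request id is skipped).
DIGIT_RUN = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")

# Constructed IIN table standing in for iin_lookup: (prefix pattern, lengths, issuer).
IIN_TABLE = [
    (re.compile(r"^4"), {13, 16, 19}, "Visa"),
    (re.compile(r"^5[1-5]"), {16}, "MasterCard"),
    (re.compile(r"^3[47]"), {15}, "American Express"),
]

# Constructed sample events: (indexer, _time, _raw).
LOG_LINES = [
    ("idx1", 1475000000, 'app=checkout msg="order failed" card=4111 1111 1111 1111 user=alice'),
    ("idx1", 1475000001, 'app=checkout msg="retry" card=4111111111111112 user=alice'),
    ("idx2", 1475000002, 'app=support txn=378282246310005 note="refund issued"'),
    ("idx2", 1475000003, 'app=api request_id=1234567890123456789012 status=200'),
]


def luhn_valid(digits):
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iin_issuer(pii_clean):
    """Issuer for a cleaned number, matching on prefix and total length."""
    for pattern, lengths, issuer in IIN_TABLE:
        if pattern.match(pii_clean) and len(pii_clean) in lengths:
            return issuer
    return None


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def event_id(indexer, time, raw):
    # assumption: stand-in for the page's event-id macro (hash of indexer, time, raw)
    return hashlib.sha256(f"{indexer}|{time}|{raw}".encode()).hexdigest()


def find_pii(indexer, time, raw, host="constructed-host"):
    """One finding per Luhn-valid digit run with a known issuer; the notable
    carries only the SHA1 of the number, never the cleaned PAN itself."""
    findings = []
    for m in DIGIT_RUN.finditer(raw):
        pii = m.group(0)
        pii_clean = re.sub(r"[ -]", "", pii)
        if not luhn_valid(pii_clean):
            continue
        issuer = iin_issuer(pii_clean)
        if issuer is None:
            continue  # Luhn-valid but no matching IIN: treat as an ordinary number
        findings.append({
            "orig_event_id": event_id(indexer, time, raw),
            "orig_raw": raw,
            "host": host,
            "pii": pii,
            "iin_issuer": issuer,
            "pii_hash": sha1_hex(pii_clean),
        })
    return findings


def scan(lines):
    return [f for indexer, time, raw in lines for f in find_pii(indexer, time, raw)]


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding["iin_issuer"], finding["pii"], finding["pii_hash"])
```

Requiring a known IIN in addition to a passing Luhn check is what keeps the system load tolerable: about one in ten random digit runs of the right length passes Luhn, and the raw-text scan across every source is already the reason this use case is rated LOAD-Excessive.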
UCESS045 Potential Gap in Data


Detects gaps caused by failure of the search head: if saved searches do not execute, there may be gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that ran successfully where the app context is like Splunk_, SA- or DA-, or equals SplunkEnterpriseSecuritySuite or SplunkPCIComplianceSuite, and count them. Alert when the count is equal to 0.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV6-Misconfiguration
Event Data Sources: DS006UserActivity-ET06Search
Enrichment: DE002IdentityInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts: Correlation Search - Potential Gap in Data

UCESS046 Prohibited Process Detected


Looking across a realtime window of +/-5 minutes, run the get_interesting_processes macro and return processes where is_prohibited is set to true. Run the get_event_id and map_notable_fields macros and add the following fields to the output: orig_event_id (the macro creates a hash of indexer, time and raw event), orig_raw, dest, process and note.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS009EndPointIntel-ET01ProcessLaunch
Enrichment: DDE001 Asset Information; DDE004 Threat List; DDE012 Service State by platform; DDE013 Critical Policy Objects
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Undetermined
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtityEnabled
Response: RP011 Unwanted/Unauthorized Code detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Review and track notable events for prohibited processes on endpoints
Metrics Review
1. Review threat lists and additional notables for endpoints that are affected, open investigation (if necessary)
Artifacts: TBD

UCESS047 Prohibited Service Detected


Looking across a realtime window of +/-5 minutes, run the service macro and return services where is_prohibited is set to true. Run the get_event_id and map_notable_fields macros and add the following fields to the output: orig_event_id (the macro creates a hash of indexer, time and raw event), orig_raw, dest, service and note.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode
Event Data Sources: DS009EndPointIntel-ET01ObjectChange
Enrichment: DDE001 Asset Information; DDE004 Threat List; DDE012 Service State by platform; DDE013 Critical Policy Objects
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Response: RP011 Unwanted/Unauthorized Code detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Review and track notable events for prohibited service(s) on endpoints
Metrics Review
1. Review threat lists and additional notables for endpoints that are affected, open investigation (if necessary)
Artifacts: TBD

UCESS048 Same Error On Many Servers Detected


For the past 60 minutes starting 5 minutes after realtime, find all events tagged error and not tagged authentication. Return the first raw event and the distinct count of host, grouped by sourcetype and punct, where the distinct count is greater than 100.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint; PRT02-SecurityVisibilityZeroDayAttacks
Risk Addressed: RV3-MaliciousCode; RV4-ScanProbe; RV5-DenialofService
Event Data Sources: ALL
Enrichment: DDE001 Asset Information; DDE004 Threat List; DDE012 Service State by platform; DDE013 Critical Policy Objects
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Undetermined
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Response: RP018 Asset or Service under denial of Service attack
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Review and track notable events for suspicious errors on endpoints
Metrics Review
1. Review error list and determine if additional investigation is necessary
Artifacts: TBD

UCESS049 Short-lived Account Detected


For the past 4 hours, find all events where action equals created or deleted. Compute the time range across user and destination using only two events, and return only pairs where the count is greater than 1 and the time range is less than useraccount_minimal_lifetime (3600 seconds, as defined in the macro). Generate a relative time in minutes from the range and output orig_event_id, orig_raw, user, dest, delta and timestr (the relative time in minutes).
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV1-AbuseofAccess; RV2-Access
Event Data Sources: DS006UserActivity-ET03Create; DS006UserActivity-ET05Delete
Enrichment: DDE002 Identity Information; DDE013 Critical Policy Objects
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP013 Change to critical access control detected
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend account activity via notable events
Metrics Review
1. Review service tickets for scheduled change, open an investigation (if necessary)
Artifacts: TBD

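The creation-to-deletion pairing described above, as an added example in Python over constructed account-management events (not the correlation search's SPL and not Splunk's code). useraccount_minimal_lifetime keeps the page's 3600 seconds; the sample raw strings use Windows event codes 4720 and 4726 only as illustrative content, and the event id is a stand-in for the hash-of-indexer-time-raw macro.

```python
"""Added example: Short-lived Account Detected pairing in Python over
constructed account creation and deletion events."""
import hashlib

USERACCOUNT_MINIMAL_LIFETIME = 3600  # seconds, as in the page's macro

# Constructed sample events: (indexer, _time, action, user, dest, _raw).
EVENTS = [
    ("idx1", 1475000000, "created", "tmp_admin", "srv-01", "EventCode=4720 TargetUserName=tmp_admin"),
    ("idx1", 1475000900, "deleted", "tmp_admin", "srv-01", "EventCode=4726 TargetUserName=tmp_admin"),
    ("idx1", 1475000000, "created", "svc_backup", "srv-02", "EventCode=4720 TargetUserName=svc_backup"),
    ("idx1", 1475010000, "deleted", "svc_backup", "srv-02", "EventCode=4726 TargetUserName=svc_backup"),
    ("idx2", 1475000500, "deleted", "old_user", "srv-03", "EventCode=4726 TargetUserName=old_user"),
]


def event_id(indexer, time, raw):
    # assumption: stand-in for the page's event-id macro (hash of indexer, time, raw)
    return hashlib.sha256(f"{indexer}|{time}|{raw}".encode()).hexdigest()


def short_lived_accounts(events, lifetime=USERACCOUNT_MINIMAL_LIFETIME):
    """Per (user, dest), pair each creation with the next deletion and report
    pairs whose lifetime is below the minimum. A deletion with no creation in
    the window never forms a pair, so it is not reported; a creation with no
    deletion yet is simply left pending."""
    findings = []
    pending = {}  # (user, dest) -> creation event awaiting its deletion
    for ev in sorted(events, key=lambda e: e[1]):
        indexer, t, action, user, dest, raw = ev
        key = (user, dest)
        if action == "created":
            pending[key] = ev
        elif action == "deleted" and key in pending:
            created = pending.pop(key)
            delta = t - created[1]
            if delta < lifetime:
                findings.append({
                    "orig_event_id": event_id(indexer, t, raw),
                    "orig_raw": raw,
                    "user": user,
                    "dest": dest,
                    "delta": delta,
                    "timestr": f"{delta // 60} minutes",
                })
    return findings


if __name__ == "__main__":
    for finding in short_lived_accounts(EVENTS):
        print(finding["user"], finding["dest"], finding["timestr"])
```

Keying the pair on both user and dest matters on hosts where the same local account name exists on many machines: a name created on one server and deleted on another within the hour is two unrelated changes, not one short-lived account.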
UCESS050 Should Timesync Host Not Syncing


Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that event logs are stamped with the correct time; it is also required by some regulatory compliance standards (such as PCI). For the past 30 days, find lastTime and the true/false should_timesync value of the asset where the action equals failure and should_timesync is true, grouped by destination (host, IP, name). Calculate the hour difference between now and lastTime, and return lastTime, destination, should_timesync and the hour difference if it is greater than 2.
Problem Types Addressed: PRT06-SecureConfigurationMgmtUpdateManagement
Risk Addressed: RV6-Misconfiguration
Event Data Sources: DS007AuditTrail-ET03TimeSync
Enrichment: DDE001 Asset Information; DDE012 Service State by platform
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common / FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP017 Asset Symptomatic of abnormal condition


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend positive versus false positive rate
Metrics Review
1. Review prohibited protocol list and determine if new protocols should be added
Artifacts
TBD


UCESS051 Substantial Increase In Events


Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model
has changed, generate a count by signature, compare that count against the previous hour, and trigger if the increase for the signature is rated above medium.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware; PRT06-SecureConfigurationMgmtUpdateManagement
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode; RV6-Misconfiguration
Event Data Sources: DS013TicketManagement-ET01
Enrichment: DDE001 Asset Information; DDE004 Threat List; DDE012 Service State by platform; DDE013 Critical Policy Objects
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common / FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP017 Asset Symptomatic of abnormal condition


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend positive versus false positive rate
Metrics Review
1. Review prohibited protocol list and determine if new protocols should be added
Artifacts
TBD


UCESS052 Substantial Increase In Port Activity


Alerts when a statistically significant increase in events on a given port is observed. For the past hour, using all summary data even if the
model has changed, generate a count by destination port, compare that count against the previous hour, and trigger if the increase for the
destination port is rated extreme.
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpoint
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode; RV4-ScanProbe
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DDE001 Asset Information; DDE005 Prohibited Network Protocol/Application List; DDE006 Acceptable Network Protocol/Application List
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare / FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP002 Endpoint generating suspicious network activity


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and monitor port activity on endpoints
Metrics Review
1. Review inventoried list of port and alert activity for anomalies, open an investigation (if necessary)
Artifacts
TBD


UCESS053 Threat Activity Detected


For the past 60 minutes, starting 5 minutes after realtime, deduplicate on the threat match field and value, generate the event_id, and return _raw,
orig_source (the saved search), src, dest and all threat intel data model fields. Depending on the match field, set risk_object_type to system,
user or other, and assign the risk_object the value of threat_match_value (IP, host, name).

Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV1-AbuseofAccess; RV3-MaliciousCode; RV4-ScanProbe
Event Data Sources: DS001Mail-ET03Send; DS001Mail-ET02Receive; DS002DNS-ET01Query; DS003Authentication-ET01Success; DS005WebProxyRequest-ET01Requested; DS009EndPointIntel-ET01ProcessLaunch; DS010NetworkCommunication-ET01Traffic; DS011MalwareDetonation-ET01Detection
Enrichment: DE001AssetInformation; DE002IdentityInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV1 - Low
Occurrence/Fidelity: RATED2-Frequent / FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - Threat Activity Detected

UCESS056 Unapproved Port Activity Detected


Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially
unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking
across a realtime window of +/-5 minutes, return events where the destination port is greater than 0 and is_prohibited is not false. Generate a
count grouped by the device that reported the traffic, dvc (host, IP, name), the layer 4 transport protocol, the destination port and is_prohibited. Look up
the asset values for dvc and the identity information of the dvc owner, and write out the notable fields.
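As an added example, not code from the use case repository or from Splunk Enterprise Security, the following Python runs the core of this detection over constructed firewall lines. The key=value line syntax, the PROHIBITED_PORTS set (standing in for the DDE005 prohibited list) and the device names are assumptions of the example; the asset and identity enrichment step is left out, and the lookup is treated as definitive, so is_prohibited is simply membership in the list.

```python
import re
from collections import Counter

# Constructed prohibited-port list standing in for DDE005 (assumed shape: transport, port).
PROHIBITED_PORTS = {("tcp", 23), ("tcp", 6667), ("udp", 69), ("tcp", 4444)}

# Constructed firewall events in a simple key=value syntax (not a real vendor format).
SAMPLE_TRAFFIC = """\
dvc=fw-edge-01 transport=tcp src=10.1.4.22 dest=203.0.113.9 dest_port=443 action=allowed
dvc=fw-edge-01 transport=tcp src=10.1.4.22 dest=203.0.113.9 dest_port=6667 action=allowed
dvc=fw-edge-01 transport=tcp src=10.1.4.31 dest=203.0.113.77 dest_port=6667 action=allowed
dvc=fw-core-02 transport=udp src=10.2.0.5 dest=10.2.0.9 dest_port=69 action=allowed
dvc=fw-core-02 transport=icmp src=10.2.0.5 dest=10.2.0.9 dest_port=0 action=allowed
dvc=fw-edge-01 transport=tcp src=10.1.4.22 dest=198.51.100.4 dest_port=23 action=blocked
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_traffic(text):
    """Turn the key=value lines into dicts; dest_port becomes an int for the > 0 test."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(KV_RE.findall(line))
        ev["dest_port"] = int(ev["dest_port"])
        rows.append(ev)
    return rows


def is_prohibited(ev, prohibited=PROHIBITED_PORTS):
    """Lookup against the prohibited list on (transport, dest_port)."""
    return (ev["transport"], ev["dest_port"]) in prohibited


def unapproved_port_activity(rows, prohibited=PROHIBITED_PORTS):
    """Count events with dest_port > 0 whose port is prohibited, grouped by
    dvc, transport and dest_port as the use case describes. Port 0 (ICMP here)
    carries no layer 4 port and is skipped; the use case does not filter on
    action, so blocked attempts are counted as well as allowed ones."""
    counts = Counter()
    for ev in rows:
        if ev["dest_port"] <= 0:
            continue
        if not is_prohibited(ev, prohibited):
            continue
        counts[(ev["dvc"], ev["transport"], ev["dest_port"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (dvc, transport, port), n in unapproved_port_activity(parse_traffic(SAMPLE_TRAFFIC)).items():
        print(f"{dvc} {transport}/{port}: {n} event(s)")
```

Counting blocked attempts alongside allowed ones is deliberate: a host repeatedly trying a prohibited port is still the symptom the use case wants surfaced, even when the firewall stopped the connection.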
Problem Types Addressed: PRT01-Compliance; PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode; RV4-ScanProbe
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DDE001 Asset Information; DDE005 Prohibited Network Protocol/Application List; DDE013 Critical Policy Objects
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED1-Common / FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP002 Endpoint generating suspicious network activity


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend positive versus false positive rate
Metrics Review
1. Review prohibited protocol list and determine if new protocols should be added
Artifacts
TBD


UCESS057 Unroutable Activity Detected


Alerts when activity to or from a host that is unroutable is detected. For the past 60 minutes, starting 5 minutes after realtime, return values
from the macro src_dest_tstats where action equals allowed. This macro returns sourcetype and count grouped by source (host, IP, name)
and destination (host, IP, name) for the following data models: Network_Traffic, Intrusion_Detection and Web, and appends them together.
This list is then compared to the bogon lookup to determine whether the destination or source is bogon (not routable or not allocated) and is not
internal space. Generate an output of the following fields: sourcetype, source, destination and bogon_ip.
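As an added example, not code from the use case repository or from Splunk Enterprise Security, the following Python performs the bogon comparison over constructed rows shaped like the macro output. BOGON_NETS is a small hand-picked subset of well-known unroutable IPv4 space, not the full bogon feed the lookup would carry, and INTERNAL_NETS is an assumed definition of internal space; both are assumptions of the example.

```python
import ipaddress

# Constructed subset of well-known bogon IPv4 space (RFC 1918, RFC 5737 documentation
# ranges, link-local, loopback, multicast, reserved). Not the full bogon lookup.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumed internal address space. RFC 1918 overlaps the bogon list, which is exactly
# why the use case excludes internal space: without it every internal flow would fire.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def bogon_ip(value):
    """Return the address when it is bogon and not internal, else None.
    Hostnames and malformed values cannot be classified and yield None."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    if addr.version != 4:
        return None  # the example limits itself to IPv4
    if _in_any(addr, INTERNAL_NETS):
        return None
    return value if _in_any(addr, BOGON_NETS) else None


# Constructed rows in the shape the src_dest_tstats macro returns.
SAMPLE_FLOWS = [
    {"sourcetype": "pan:traffic", "src": "10.1.4.22", "dest": "8.8.8.8", "count": 40},
    {"sourcetype": "pan:traffic", "src": "10.1.4.22", "dest": "198.51.100.4", "count": 3},
    {"sourcetype": "snort", "src": "172.16.9.9", "dest": "10.1.4.22", "count": 1},
    {"sourcetype": "pan:traffic", "src": "192.168.1.5", "dest": "10.0.0.1", "count": 500},
    {"sourcetype": "access_combined", "src": "0.1.2.3", "dest": "www.example.com", "count": 2},
]


def unroutable_activity(flows):
    """Emit sourcetype, src, dest and bogon_ip for flows whose src or dest is
    non-internal bogon space; flows entirely inside internal space are dropped."""
    out = []
    for f in flows:
        hit = bogon_ip(f["src"]) or bogon_ip(f["dest"])
        if hit:
            out.append({"sourcetype": f["sourcetype"], "src": f["src"],
                        "dest": f["dest"], "bogon_ip": hit})
    return out


if __name__ == "__main__":
    for row in unroutable_activity(SAMPLE_FLOWS):
        print(row)
```

The 172.16.9.9 row is the instructive one: it is private space, but not part of the assumed INTERNAL_NETS, so it is reported. Whether that is a finding or a gap in the internal-space definition is precisely the tuning question this use case raises for the asset inventory.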
Problem Types Addressed: PRT06-SecureConfigurationMgmt
Risk Addressed: RV4-ScanProbe; RV5-DenialofService; RV6-Misconfiguration
Event Data Sources: DS010NetworkCommunication
Enrichment: DDE001 Asset Information; DDE018 Network zone communication authorization matrix
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common / FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend positive versus false positive rate
Metrics Review
1. Review prohibited protocol list and determine if new protocols should be added
Artifacts
TBD


UCESS058 Untriaged Notable Events


Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a
status group of New or the owner is unassigned. Return the values time, owner, status, rule name and rule ID.
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV6-Misconfiguration
Event Data Sources: DS013TicketManagement-ET01
Enrichment: DDE001 Asset Information; DDE012 Service State by platform
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common / FIDELITY-Low
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend positive versus false positive rate
Metrics Review
1. Review prohibited protocol list and determine if new protocols should be added
Artifacts
TBD


UCESS059 Unusual Volume of Network Activity


Detects unusual network traffic that may be indicative of a DoS attack, as indicated by a high number of unique sources or a high volume of
firewall packets. For the past 30 minutes, starting 5 minutes after realtime, using all summary data even if the model has changed, generate a
distinct count of source (host, IP, name) and a count against the Network_Traffic data model. localop requires the rest of the search to run
locally and not on remote peers. Return output if the increase in count compared with the previous 30 minutes is rated extreme, or the increase in
distinct source count compared with the previous 30 minutes is rated extreme.
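UCESS051, UCESS052 and this use case all rest on the same step: count per key in the current window, compare with the previous window, and rate the change on the medium/high/extreme scale. As an added example serving all three, not code from the use case repository or from Splunk Enterprise Security, the following Python implements that rating once and applies it to signature counts (051), destination-port counts (052) and the count plus distinct-source pair (059). The fixed ratio thresholds in CONCEPT_THRESHOLDS are an assumption of the example; the concepts Enterprise Security ships with are derived from the data rather than fixed ratios, as are the constructed counters.

```python
from collections import Counter

# Assumed ratio thresholds standing in for the data-driven concepts; order matters.
CONCEPT_THRESHOLDS = [("extreme", 10.0), ("high", 4.0), ("medium", 2.0)]
CONCEPT_RANK = {"low": 0, "medium": 1, "high": 2, "extreme": 3}


def rate_change(current, previous):
    """Label how much `current` exceeds `previous`. A key first seen this window
    (previous == 0) is rated against a baseline of 1 so there is no division by
    zero; that makes every brand-new key look like a large increase, which is a
    tuning decision to make consciously (see substantial_increase)."""
    baseline = previous if previous > 0 else 1
    ratio = current / baseline
    for label, threshold in CONCEPT_THRESHOLDS:
        if ratio >= threshold:
            return label
    return "low"


def substantial_increase(current_counts, previous_counts, min_concept):
    """Return {key: (prev, cur, label)} for keys rated at or above min_concept.
    Keys whose count fell or held steady are not increases and are skipped, as
    are keys seen only in the previous window."""
    hits = {}
    for key, cur in current_counts.items():
        prev = previous_counts.get(key, 0)
        if cur <= prev:
            continue
        label = rate_change(cur, prev)
        if CONCEPT_RANK[label] >= CONCEPT_RANK[min_concept]:
            hits[key] = (prev, cur, label)
    return hits


# UCESS051: constructed per-hour counts by signature; "above medium" means high or extreme.
SIG_PREV = Counter({"ET MALWARE Known Beacon": 12, "ET POLICY DNS Update": 300})
SIG_CUR = Counter({"ET MALWARE Known Beacon": 60, "ET POLICY DNS Update": 310, "ET SCAN Nmap": 7})

# UCESS052: constructed per-hour counts by destination port; only extreme fires.
PORT_PREV = Counter({443: 9000, 22: 40})
PORT_CUR = Counter({443: 9500, 22: 40 * 22 + 20})

# UCESS059: constructed source lists for two adjacent 30-minute windows.
PREV_SRC = ["10.0.0.1", "10.0.0.2"] * 50                  # 100 events, 2 sources
CUR_SRC = [f"203.0.113.{i}" for i in range(1, 41)] * 3    # 120 events, 40 sources


def unusual_network_volume(cur_events, prev_events):
    """Rate the total count and dc(src) separately and fire when either is
    extreme (the OR in the use case). Returns (labels, fired)."""
    cur = {"count": len(cur_events), "dc_src": len(set(cur_events))}
    prev = {"count": len(prev_events), "dc_src": len(set(prev_events))}
    labels = {k: rate_change(cur[k], prev[k]) for k in cur}
    return labels, any(label == "extreme" for label in labels.values())


if __name__ == "__main__":
    print("051:", substantial_increase(SIG_CUR, SIG_PREV, "high"))
    print("052:", substantial_increase(PORT_CUR, PORT_PREV, "extreme"))
    print("059:", unusual_network_volume(CUR_SRC, PREV_SRC))
```

In the 059 data the raw event count barely moves (120 against 100) while the distinct-source count jumps twenty-fold, which is the many-sources pattern the description calls out; the example fires on that branch alone.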
Problem Types Addressed: PRT02-SecurityVisibility; PRT02-SecurityVisibilityLateralMovement
Risk Addressed: RV4-ScanProbe; RV5-DenialofService
Event Data Sources: DS010NetworkCommunication-ET01Traffic
Enrichment: DDE003 Public Network attributes; DDE008 Network CIDR Details
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare / FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP002 Endpoint generating suspicious network activity


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend positive versus false positive rate
Metrics Review
1. Review prohibited protocol list and determine if new protocols should be added
Artifacts
TBD


UCESS060 Vulnerability Scanner Detected (by events)


Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners
generally trigger a high number of unique events when scanning a host, since each vulnerability check tends to trigger a unique event. For the
past 60 minutes, starting 5 minutes after realtime, return tag and the distinct count of signature grouped by source (host, IP, name) where the distinct
count is greater than 25. Place a pipe between each value in the tag field.
Problem Types Addressed: PRT02-SecurityVisibility
Risk Addressed: RV4-ScanProbe
Event Data Sources: DS012NetworkIntrusionDetection-ET01SigDetection
Enrichment: DE001AssetInformation; DE002IdentityInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV1 - Low
Occurrence/Fidelity: RATED0-Rare / FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - Vulnerability Scanner Detected (by events)

UCESS061 Vulnerability Scanner Detected (by targets)


Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets.
Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable
hosts. For the past 60 minutes, starting 5 minutes after realtime, return tag and the distinct count of destination (host, IP, name) grouped by source
(host, IP, name) where the distinct count is greater than 25. Place a pipe between each value in the tag field.
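UCESS060 and UCESS061 are the same aggregation with a different distinct-count field, so one added example serves both. It is not code from the use case repository or from Splunk Enterprise Security; the constructed IDS detections, the 10.9.9.x scanner addresses and the signature and tag names are assumptions of the example.

```python
from collections import defaultdict

# Constructed IDS detections shaped like Intrusion_Detection data model rows:
# src, dest, signature and the tag values attached to the event.
SAMPLE_IDS = []
# One source running many different checks against one host: fires "by events" only.
for i in range(30):
    SAMPLE_IDS.append({"src": "10.9.9.9", "dest": "10.1.1.50",
                       "signature": f"CHECK-{i}", "tag": ["ids", "attack"]})
# One source running a single check against many hosts: fires "by targets" only.
for i in range(1, 41):
    SAMPLE_IDS.append({"src": "10.9.9.10", "dest": f"10.1.2.{i}",
                       "signature": "ICMP PING NMAP", "tag": ["ids", "scan"]})
# A normal host with a single alert: below either threshold.
SAMPLE_IDS.append({"src": "10.1.4.22", "dest": "10.1.1.50",
                   "signature": "ET POLICY DNS Update", "tag": ["ids"]})


def scanner_by_distinct(events, field, threshold=25):
    """Group by src and report sources whose distinct count of `field` exceeds
    threshold. field="signature" is UCESS060, field="dest" is UCESS061. The tag
    field is returned pipe-joined (sorted for stable output), as both use cases
    specify."""
    distinct = defaultdict(set)
    tags = defaultdict(set)
    for ev in events:
        distinct[ev["src"]].add(ev[field])
        tags[ev["src"]].update(ev["tag"])
    return {src: {"dc": len(vals), "tag": "|".join(sorted(tags[src]))}
            for src, vals in distinct.items() if len(vals) > threshold}


def scanners_by_events(events, threshold=25):
    return scanner_by_distinct(events, "signature", threshold)


def scanners_by_targets(events, threshold=25):
    return scanner_by_distinct(events, "dest", threshold)


if __name__ == "__main__":
    print("by events: ", scanners_by_events(SAMPLE_IDS))
    print("by targets:", scanners_by_targets(SAMPLE_IDS))
```

Keeping the two searches separate, as the repository does, is what lets each one catch the scanner the other misses: the host-focused scanner never touches enough targets, and the sweep never produces enough distinct signatures.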
Problem Types Addressed: PRT02-SecurityVisibility
Risk Addressed: RV4-ScanProbe
Event Data Sources: DS012NetworkIntrusionDetection-ET01SigDetection
Enrichment: DE001AssetInformation; DE002IdentityInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Expected
Initial Severity: SV1 - Low
Occurrence/Fidelity: RATED1-Common / FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - Vulnerability Scanner Detected (by targets)

UCESS062 Watchlisted Event Observed


Alerts when an event is discovered that includes text identified as important. This rule triggers whenever an event is discovered with the
tag "watchlist". For the past 5 minutes, starting 5 minutes after realtime, find all events that are tagged watchlist and are not of sourcetype
stash. Return the raw log, event_id, host, source, sourcetype, src (source host, IP, name), dest (destination host, IP, name), device, source user
and user. Depending on which of user, src_user, src or dest is not null, make the risk_object the user name or the asset address (source or destination
accordingly). Apply the same logic to risk_object_type to make this value system or user. If the eventtype is website_watchlist, make the
risk score 50.
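Both this use case and UCESS053 end by deriving a risk object from whichever field carried the match, so one added example covers both. It is not code from the use case repository or from Splunk Enterprise Security. The grouping of threat-match fields into system and user, the precedence order user, src_user, src, dest, the DEFAULT_RISK_SCORE for non-website watchlist hits and the account_watchlist eventtype are all assumptions of the example; the page only fixes the website_watchlist score at 50.

```python
# Assumed mapping from the Threat_Intelligence match field to the kind of object it
# implicates (UCESS053). Anything outside both sets is "other".
SYSTEM_MATCH_FIELDS = {"src", "dest", "dvc", "ip", "domain", "query"}
USER_MATCH_FIELDS = {"user", "src_user", "recipient", "sender"}

# Assumed default; the use case only specifies 50 for eventtype website_watchlist.
DEFAULT_RISK_SCORE = 20


def threat_risk_object(threat_match_field, threat_match_value):
    """UCESS053: risk_object_type follows the matched field; risk_object is the value."""
    if threat_match_field in SYSTEM_MATCH_FIELDS:
        rtype = "system"
    elif threat_match_field in USER_MATCH_FIELDS:
        rtype = "user"
    else:
        rtype = "other"
    return {"risk_object_type": rtype, "risk_object": threat_match_value}


def watchlist_risk_object(event):
    """UCESS062: the first non-null of user, src_user, src, dest becomes the
    risk_object; user fields give type "user", address fields give "system".
    Empty strings count as null. Returns None when no field is usable, so the
    caller can decide whether such an event still deserves a notable."""
    for field, rtype in (("user", "user"), ("src_user", "user"),
                         ("src", "system"), ("dest", "system")):
        value = event.get(field)
        if value not in (None, ""):
            obj = {"risk_object_type": rtype, "risk_object": value}
            break
    else:
        return None
    is_web = event.get("eventtype") == "website_watchlist"
    obj["risk_score"] = 50 if is_web else DEFAULT_RISK_SCORE
    return obj


# Constructed watchlist-tagged events (the sourcetype=stash exclusion happens upstream).
SAMPLE_WATCHLIST = [
    {"eventtype": "website_watchlist", "user": "", "src_user": None,
     "src": "10.1.4.22", "dest": "bad.example"},
    {"eventtype": "account_watchlist", "user": "jdoe",
     "src": "10.1.4.23", "dest": "10.1.1.50"},
    {"eventtype": "website_watchlist"},
]


if __name__ == "__main__":
    print(threat_risk_object("dest", "203.0.113.9"))
    for ev in SAMPLE_WATCHLIST:
        print(watchlist_risk_object(ev))
```

The first constructed event shows why empty strings must be treated as null: a proxy log with a blank user field would otherwise produce a risk object named "" and the risk would never land on the asset.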
Problem Types Addressed: PRT01-Compliance
Risk Addressed: RV3-MaliciousCode
Event Data Sources: Special case: any event with tag=watchlist is reported. Extreme prejudice should be used in implementation and ongoing use of this search.
Enrichment: DDE004 Threat List; DDE005 Prohibited Network Protocol/Application List; DDE006 Acceptable Network Protocol/Application List
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Rejected
Adoption Phase Industry: API-Accepted
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED9-Undetermined / FIDELITY-Undetermined
System Load: LOAD-High
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response: RP001 New web application or network protocol detected


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track the notable events generated for a given watchlist
Metrics Review
1. Review watchlist results, open an investigation (if needed)
Artifacts
TBD


UCESS063 Web Uploads to Non-corporate Sites by Users


Alerts on high-volume web uploads by a user to non-corporate domains. For the past 60 minutes, starting 5 minutes after realtime, sum the
total number of bytes transferred where the HTTP method is POST or PUT and the domain is not in the corporate web domain lookup,
grouped by user. Rate the summed byte value against the best-matching concept for one hour of web volume going to non-corporate addresses (yielding values such
as extreme, high, medium, etc.). Return a risk score based on that concept value where the risk score is greater than 0.
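As an added example, not code from the use case repository or from Splunk Enterprise Security, the following Python runs this aggregation over constructed proxy records. CORPORATE_DOMAINS stands in for the corporate web domain lookup, and the byte thresholds in VOLUME_CONCEPTS and the RISK_SCORES table are fixed stand-ins for the data-driven concept the description refers to; the domains, users and byte counts are all constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed stand-in for the corporate web domain lookup.
CORPORATE_DOMAINS = {"example.com", "corp.example.net"}

# Assumed byte thresholds for one hour of uploads to non-corporate sites and the
# risk score each concept maps to; "low" carries 0 and is therefore never returned.
MiB = 1024 ** 2
VOLUME_CONCEPTS = [("extreme", 500 * MiB), ("high", 100 * MiB), ("medium", 20 * MiB)]
RISK_SCORES = {"extreme": 80, "high": 40, "medium": 10, "low": 0}

# Constructed proxy records using Web data model field names.
SAMPLE_PROXY = [
    {"user": "jdoe", "http_method": "POST", "url": "https://share.example.org/up", "bytes_out": 300 * MiB},
    {"user": "jdoe", "http_method": "PUT", "url": "https://share.example.org/up", "bytes_out": 250 * MiB},
    {"user": "jdoe", "http_method": "POST", "url": "https://intranet.corp.example.net/wiki", "bytes_out": 900 * MiB},
    {"user": "asmith", "http_method": "GET", "url": "https://share.example.org/down", "bytes_out": 0},
    {"user": "asmith", "http_method": "POST", "url": "https://mail.example.com/send", "bytes_out": 50 * MiB},
    {"user": "bchen", "http_method": "POST", "url": "https://cdn.example.org/api", "bytes_out": 30 * MiB},
]


def url_domain(url):
    return (urlparse(url).hostname or "").lower()


def is_corporate(domain, corporate=CORPORATE_DOMAINS):
    """Exact match or a subdomain of a corporate entry. The leading dot matters:
    a plain suffix test would treat notexample.com as corporate."""
    return any(domain == c or domain.endswith("." + c) for c in corporate)


def upload_volume_by_user(records, corporate=CORPORATE_DOMAINS):
    """Sum bytes_out for POST/PUT requests to non-corporate domains, by user."""
    totals = defaultdict(int)
    for r in records:
        if r["http_method"] not in ("POST", "PUT"):
            continue
        if is_corporate(url_domain(r["url"]), corporate):
            continue
        totals[r["user"]] += r["bytes_out"]
    return dict(totals)


def concept(bytes_total):
    for label, threshold in VOLUME_CONCEPTS:
        if bytes_total >= threshold:
            return label
    return "low"


def risky_uploaders(records):
    """Return {user: (bytes, concept, risk_score)} for users whose risk score is > 0."""
    out = {}
    for user, total in upload_volume_by_user(records).items():
        label = concept(total)
        score = RISK_SCORES[label]
        if score > 0:
            out[user] = (total, label, score)
    return out


if __name__ == "__main__":
    for user, (total, label, score) in risky_uploaders(SAMPLE_PROXY).items():
        print(f"{user}: {total // MiB} MiB to non-corporate sites, {label}, risk {score}")
```

jdoe's 900 MiB intranet upload is the control case: it is the largest transfer in the data and never counts, because the domain lookup is applied before the bytes are summed rather than after.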
Problem Types Addressed: PRT02-SecurityVisibilityPriviledgeUserMonitoring
Risk Addressed: RV1-AbuseofAccess
Event Data Sources: DS005WebProxyRequest-ET01Requested
Enrichments Required: DE002IdentityInformation
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Productized
Adoption Phase Industry: API-Accepted
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common / FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: Potential Data Exfiltration


Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Track and trend positive versus false positive rate
Metrics Review
1. Review prohibited protocol list and determine if new protocols should be added
Artifacts
TBD


Product Splunk PCI App Security Use Cases


Use case domains reflect the data domain used to support a specific use case. Subject matter expertise will align closely with each individual
domain or a sub domain.

The repository will be segmented into domains aligning with those defined within Splunk Enterprise Security.
Access - Use cases related to the use of access, authorized or unauthorized activity which may identify a threat to the organization.
Endpoint - Use cases related to the use or modification of an endpoint device in such a way that may be a threat to the organization.
Network - Use cases utilizing data from network communications to identify a threat to the organization.
User/Identity - Use cases using information about an asset or identity to assign the priority, risk level, impact, and categorization for the
object to better inform analysts with context when reviewing notable events.

Each use case will contain an information block as follows:


Utilizes Events: Description of the types of events utilized in this use case, for example "authentication" or "connection accepted by firewall".
Event Sources: Description of the technology sources, such as operating system security, firewall, or antivirus.
Enrichment: External data required to complete the assessment of this event.
Severity:
Low - an event with minimal impact, additional risk, or a high false positive rate should it go unresolved. Such events would not be handled by an analyst while any higher priority event remains in open status. Often low events provide additional information when considered in light of higher severity events opened at a later point.
Medium - an event with low impact and moderate risk that is more likely to be a true positive than a false positive. Such events are expected to be reviewed by an analyst prior to closure within the SLA.
High - an event with impact, moderate to high risk, and a low false positive rate. Such events are expected to be handled promptly during business hours by an analyst prior to closure within the SLA. An analyst must hand over the event if it is unresolved at shift change.
Critical - an event with significant impact and risk and a very low false positive rate. Such events require immediate attention during or after hours and management oversight.
