Splunk Use Case Library 2016-09-29
February 18, 2017 | Author: ryan faircloth | Category: N/A
Splunk Use Case Repository Sept 29th 2016
Copyright 2016
The information transmitted in this document is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial, contractual and special marketing information, ideas, technical data and concepts originated by the disclosing party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public, not previously available without restriction to the receiving party or others, nor normally furnished to others without compensation, and which the disclosing party desires to protect against unrestricted disclosure or competitive use, and which is furnished pursuant to this document and appropriately identified as being proprietary when furnished. Copyright © 2016 Splunk, Inc. All rights reserved. The Splunk logo is a registered trademark of Splunk. All other products and company names mentioned herein are trademarks or registered trademarks of their respective owners.
Version Control
Document: SECURITY PROGRAM REVIEW
Client Name: None
Client Contact:
Document Issue No: 2.1
Author(s): Ryan Faircloth
Delivery Date: July 20th 2016
Data Classification: Proprietary
Splunk, Inc., 250 Brannan Street, 2nd Floor, San Francisco, CA 94107
+1.415.568.4200 (Main), +1.415.869.3906 (Fax), www.splunk.com
Professional Services/Security Use Case Workshop
The use case development workshop is designed to assist the customer in cataloging the business drivers and requirements that guide the customer delivery team, assisted by Splunk Consultants, in delivering a solution that meets the customer's needs and budget. Using the information gained from the workshop, the project team will deliver a prioritized list of data sources for onboarding and of use cases for adoption by the cyber security operations team.
Preparation
- Identify essential and beneficial staff per session based on the agenda that follows.
- Secure meeting space:
  - Minimize meeting location changes; this is disruptive to progress and contributes to no-shows.
  - Adequate seating for attendees.
  - One, preferably two, projectors/screens.
  - Guest Wi-Fi.
  - Whiteboards.
- Splunk will provide a WebEx session, use digital whiteboards, and record the sessions unless the customer objects. Recordings are used to review and enrich notes while preparing deliverables and are not required if the customer is uncomfortable with them.
- Collect supporting documentation electronically:
  - All applicable internal policies and supporting standards, such as:
    - Information Resource Classification
    - Information Retention and Destruction
    - Infrastructure Logging and Configuration
    - Database Logging and Configuration
    - Application Logging and Configuration
  - Inventory of standards with logging and monitoring requirements applicable to your business.
  - Internal audit/self-assessment for applicable security standards such as PCI/SOX/HIPAA, including current draft reports.
  - External audit/self-assessment for applicable security standards such as PCI/SOX/HIPAA.
- Identify the following project roles and schedule them for attendance:
  - Project Manager
  - Senior Business Analyst
  - Senior Technical Analyst/Architect
  - Senior Security Analyst
  - Test Lead
  - Executive Sponsor
  - Executive Stakeholders or immediate deputies
  - Compliance Analysts
  - Internal Assessors
Typical Agenda (3 days)
The following agenda can be modified collaboratively if needed. Our experience has been that we must allow some blocks of time between sessions and at the start and end of each day to avoid walk-aways when urgent business needs arise during the day.

Opening Session, Day 1, 9:30-11:00 (all participants)
- Openings and personal introductions, roles and responsibilities (all)
- Presentation of the methodology for the workshop (Splunk)
- Executive round table: discuss formal and informal project drivers, other goals, and success criteria
- Review audit findings, addressable items, and mandated remediations
- Review prior-year penetration test findings
- Review burdensome existing compliance and reporting activities

Working Sessions
Each working session presents a set of use cases to the team for joint evaluation and prioritization based on the criteria developed in the opening session. Each session requires a representative with relevant experience in the domain who is empowered to set priority within the bounds given. A deputy for each executive stakeholder should attend the working sessions; additional participants are welcome.
- Working Session #1, Day 1, 11:00-13:00 (with 1 hour lunch): Review out-of-the-box use cases for Enterprise Security; identify and catalog required data, enrichment, and applicable use cases.
- Working Session #2, Day 1, 13:00-16:00: Review Professional Services/customer-developed security use cases; identify and catalog required data, enrichment, and applicable use cases.
- Working Session #3, Day 2, 9:30-12:00: Identify and catalog required data, enrichment, and applicable use cases for gap areas in the enterprise endpoint estate.
- Working Session #4, Day 2, 13:00-15:00: Identify and catalog required data, enrichment, and applicable use cases for gap areas in the enterprise network estate.
- Working Session #5, Day 3, 9:30-12:00: Review tabled items from prior sessions; interview stakeholders identified in prior sessions but not yet scheduled.

Review Session, 14:00-16:00
- Review items captured
- Re-sort priority based on later learning
Contents
1. Value Narrative and Use Case Repository
  1.1 Adoption Motivations
    1.1.1 Motivating Problem Type View
      1.1.1.1 PRT01-Compliance
        1.1.1.1.1 PRT01Compliance-PCI
        1.1.1.1.2 PRT02Compliance-NercCIP
        1.1.1.1.3 PRT03Compliance-NIST Cyber Security Framework
        1.1.1.1.4 PRT04-FFIEC
      1.1.1.2 PRT02-SecurityVisibility
        1.1.1.2.1 PRT02-IdentifyPatientZero
        1.1.1.2.2 PRT02-SecurityVisibilityEndpointMalware
        1.1.1.2.3 PRT02-SecurityVisibilityExfiltration
        1.1.1.2.4 PRT02-SecurityVisibilityLateralMovement
        1.1.1.2.5 PRT02-SecurityVisibilityPhishingAttack
        1.1.1.2.6 PRT02-SecurityVisibilityPriviledgeUserMonitoring
        1.1.1.2.7 PRT02-SecurityVisibilityUserActivity
        1.1.1.2.8 PRT02-SecurityVisibilityZeroDayAttacks
        1.1.1.2.9 PRT02-SecurityVisiblityWebbait
      1.1.1.3 PRT03-PeerAdoption
        1.1.1.3.1 PRT03-PeerAdoption-Phase1-Essentials
        1.1.1.3.2 PRT03-PeerAdoption-Phase2-Maturing
        1.1.1.3.3 PRT03-PeerAdoption-Phase3-Mature
        1.1.1.3.4 PRT03-PeerAdoption-Phase4-Edge
      1.1.1.4 PRT04-ProcessEffectivness
        1.1.1.4.1 PRT04-ProcessEffectivness-HuntPaths
      1.1.1.5 PRT05-Tactical Threat
        1.1.1.5.1 PRT05-TacticalThreat-InsiderThreat
        1.1.1.5.2 PRT05-TacticalThreat-Ransomeware
        1.1.1.5.3 PRT05-TacticalThreat-SpearphishingCampaign
      1.1.1.6 PRT06-SecureConfigurationMgmt
        1.1.1.6.1 PRT06-SecureConfigurationMgmtUpdateManagement
        1.1.1.6.2 PRT06-SecureConfigurationMgmtVulnerability
      1.1.1.7 PRT07-SpecialRequests
        1.1.1.7.1 PRT07-SpecialRequests-Creative
      1.1.1.8 PRT08-ProductAdoption
        1.1.1.8.1 PRT08-ProductAdoption-ES
    1.1.2 Motivating Risk View Perspective
      1.1.2.1 RV1-AbuseofAccess
      1.1.2.2 RV2-Access
      1.1.2.3 RV3-MaliciousCode
      1.1.2.4 RV4-ScanProbe
      1.1.2.5 RV5-DenialofService
      1.1.2.6 RV6-Misconfiguration
    1.1.3 Supporting Data View
      1.1.3.1 DS001MAIL
      1.1.3.2 DS002DNS
      1.1.3.3 DS003Authentication
      1.1.3.4 DS004EndPointAntiMalware
      1.1.3.5 DS005WebProxyRequest
      1.1.3.6 DS006UserActivity
      1.1.3.7 DS007AuditTrail
      1.1.3.8 DS008HRMasterData
      1.1.3.9 DS009EndPointIntel
      1.1.3.10 DS010NetworkCommunication
      1.1.3.11 DS011MalwareDetonation
      1.1.3.12 DS012NetworkIntrusionDetection
      1.1.3.13 DS013TicketManagement
      1.1.3.14 DS014WebServer
      1.1.3.15 DS015ConfigurationManagement
      1.1.3.16 DS016DataLossPrevention
      1.1.3.17 DS017PhysicalSecurity
      1.1.3.18 DS018VulnerabilityDetection
      1.1.3.19 DS019PatchManagement
      1.1.3.20 DS020HostIntrustionDetection
      1.1.3.21 DS021Telephony
      1.1.3.22 DS022Performance
      1.1.3.23 DS023CrashReporting
      1.1.3.24 DS024ApplicationServer
    1.1.4 Supporting Event Type View
      1.1.4.1 DS001Mail-ET01Access
      1.1.4.2 DS001Mail-ET02Receive
      1.1.4.3 DS001Mail-ET03Send
      1.1.4.4 DS002DNS-ET01Query
        1.1.4.4.1 DS002DNS-ET01QueryRequest
        1.1.4.4.2 DS002DNS-ET01QueryResponse
      1.1.4.5 DS003Authentication-ET01Success
      1.1.4.6 DS003Authentication-ET02Failure
        1.1.4.6.1 DS003Authentication-ET02FailureBadFactor
        1.1.4.6.2 DS003Authentication-ET02FailureError
        1.1.4.6.3 DS003Authentication-ET02FailureUnknownAccount
      1.1.4.7 DS004EndPointAntiMalware-ET01SigDetected
      1.1.4.8 DS004EndPointAntiMalware-ET02UpdatedSig
      1.1.4.9 DS004EndPointAntiMalware-ET03UpdatedEng
      1.1.4.10 DS005WebProxyRequest-ET01Requested
        1.1.4.10.1 DS005WebProxyRequest-ET01RequestedWebAppAware
      1.1.4.11 DS005WebProxyRequest-ET02Connect
      1.1.4.12 DS006UserActivity-ET01List
      1.1.4.13 DS006UserActivity-ET02Read
      1.1.4.14 DS006UserActivity-ET03Create
      1.1.4.15 DS006UserActivity-ET04Update
      1.1.4.16 DS006UserActivity-ET05Delete
      1.1.4.17 DS006UserActivity-ET06Search
      1.1.4.18 DS006UserActivity-ET07ExecuteAs
      1.1.4.19 DS007AuditTrail-ET01Clear
      1.1.4.20 DS007AuditTrail-ET02Alter
      1.1.4.21 DS007AuditTrail-ET03TimeSync
      1.1.4.22 DS008HRMasterData-ET01Joined
      1.1.4.23 DS008HRMasterData-ET02SeperationNotice
      1.1.4.24 DS008HRMasterData-ET03SeperationImmediate
      1.1.4.25 DS009EndPointIntel-ET01ObjectChange
      1.1.4.26 DS009EndPointIntel-ET01ProcessLaunch
      1.1.4.27 DS010NetworkCommunication-ET01Traffic
        1.1.4.27.1 DS010NetworkCommunication-ET01TrafficAppAware
      1.1.4.28 DS010NetworkCommunication-ET02State
      1.1.4.29 DS011MalwareDetonation-ET01Detection
      1.1.4.30 DS012NetworkIntrusionDetection-ET01SigDetection
      1.1.4.31 DS013TicketManagement-ET01
      1.1.4.32 DS014WebServer-ET01Access
      1.1.4.33 DS015ConfigurationManagement-ET01General
      1.1.4.34 DS016DataLossPrevention-ET01Violation
      1.1.4.35 DS017PhysicalSecurity-ET01Access
      1.1.4.36 DS018VulnerabilityDetection-ET01SigDetected
      1.1.4.37 DS019PatchManagement-Applied
      1.1.4.38 DS019PatchManagement-Eligable
      1.1.4.39 DS019PatchManagement-Failed
      1.1.4.40 DS020HostIntrustionDetection-ET01SigDetected
      1.1.4.41 DS021Telephony-ET01CDR
      1.1.4.42 DS022Performance-ET01General
      1.1.4.43 DS023CrashReporting-ET01General
      1.1.4.44 DS024ApplicationServer-ET01General
    1.1.5 Technology Provider View
      1.1.5.1 PT001-Microsoft-Exchange
      1.1.5.2 PT002-Splunk-Stream
        1.1.5.2.1 PT002-Splunk-Stream-DHCP
        1.1.5.2.2 PT002-Splunk-Stream-DNS
        1.1.5.2.3 PT002-Splunk-Stream-SMTP
      1.1.5.3 PT003-ExtraHop
        1.1.5.3.1 PT003-ExtraHop-DNS
        1.1.5.3.2 PT003-ExtraHop-SMTP
      1.1.5.4 PT004-McAfee Web Gateway
      1.1.5.5 PT005-Microsoft-Windows
      1.1.5.6 PT006-PaloAlto Firewall
      1.1.5.7 PT008-Snort
      1.1.5.8 PT009-SourceFire
      1.1.5.9 PT010-Websense
      1.1.5.10 PT011-Bluecoat
      1.1.5.11 PT012-Splunk-InternalLogging
      1.1.5.12 PT013-ISCBIND-DNS
      1.1.5.13 PT014-PhysicalAccessControl
      1.1.5.14 PT015-Linux-Deb/RH
      1.1.5.15 PT016-Cisco-ASA/PIX/FWSM
      1.1.5.16 PT017-Trend-TippingPoint
    1.1.6 Enrichment Data View
      1.1.6.1 DE001AssetInformation
      1.1.6.2 DE002IdentityInformation
  1.2 Adoption Narratives
    1.2.1 Adoptable Compliance and Security Narratives
      1.2.1.1 UC0001 Detection of new/prohibited web application
      1.2.1.2 UC0002 Detection of prohibited protocol (application)
      1.2.1.3 UC0003 Server generating email outside of approved usage
      1.2.1.4 UC0004 Excessive number of emails sent from internal user
      1.2.1.5 UC0005 System modification to insecure state
      1.2.1.6 UC0006 Windows security event log purged
      1.2.1.7 UC0007 Account logon successful, method outside of policy
      1.2.1.8 UC0008 Activity on previously inactive account
      1.2.1.9 UC0009 Authenticated communication from a risky source network
      1.2.1.10 UC0010 Detect unauthorized use of remote access technologies
      1.2.1.11 UC0011 Improbable distance between logins
      1.2.1.12 UC0012 Increase risk score of employees once adverse separation is identified or anticipated
      1.2.1.13 UC0013 Monitor change for high value groups
      1.2.1.14 UC0014 Monitor use attempts of human accounts once primary account is expired, disabled or deleted
      1.2.1.15 UC0015 Privileged user accessing more than expected number of machines in period
      1.2.1.16 UC0016 Successfully authenticated computer accounts accessing network resources
      1.2.1.17 UC0017 Unauthorized access or risky use of NHA
      1.2.1.18 UC0018 Unauthorized access SSO brute force
      1.2.1.19 UC0019 User authenticated to routine business systems while on extended absence
      1.2.1.20 UC0020 Attempted communication through external firewall not explicitly granted
      1.2.1.21 UC0021 Communication outbound to regions without business relationship
      1.2.1.22 UC0022 Endpoint communicating with an excessive number of unique hosts
      1.2.1.23 UC0023 Endpoint communicating with an excessive number of unique ports
      1.2.1.24 UC0024 Endpoint communicating with external service identified on a threat list
      1.2.1.25 UC0025 Endpoint Multiple devices in 48 hours in the same site
      1.2.1.26 UC0026 Endpoint Multiple devices in 48 hours in the same subnet
      1.2.1.27 UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit
      1.2.1.28 UC0028 Endpoint Multiple infections over short time
      1.2.1.29 UC0029 Endpoint new malware detected by signature
      1.2.1.30 UC0030 Endpoint uncleaned malware detection
      1.2.1.31 UC0031 Non-human account starting processes not associated with the purpose of the account
      1.2.1.32 UC0032 Brute force authentication attempt
      1.2.1.33 UC0033 Brute force authentication attempt, distributed
      1.2.1.34 UC0034 Brute force successful authentication
      1.2.1.35 UC0035 Compromised account access testing
      1.2.1.36 UC0036 Compromised account access testing (Critical/Sensitive Resource)
      1.2.1.37 UC0037 Network Intrusion External - New Signatures
      1.2.1.38 UC0038 Excessive use of Shared Secrets
      1.2.1.39 UC0039 Use of Shared Secret for access to critical or sensitive system
      1.2.1.40 UC0040 Use of Shared Secret for or by automated process with risky attributes
      1.2.1.41 UC0041 SSH v1 detected
      1.2.1.42 UC0042 SSH Authentication using unknown key
      1.2.1.43 UC0043 Direct Authentication to NHA
      1.2.1.44 UC0044 Network authentication using password auth
      1.2.1.45 UC0045 Local authentication server
      1.2.1.46 UC0046 Endpoint failure to sync time
      1.2.1.47 UC0047 Communication with newly seen domain
      1.2.1.48 UC0049 Detection of DNS Tunnel
      1.2.1.49 UC0051 Excessive physical access failures to CIP assets
      1.2.1.50 UC0052 Non-CIP user attempts to access CIP asset
      1.2.1.51 UC0065 Malware detected on compliance asset
      1.2.1.52 UC0071 Improbably short time between Remote Authentications with IP change
322 1.2.1.53 UC0072 Detection of unauthorized using DNS resolution for WPAD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 1.2.1.54 UC0073 Endpoint detected malware infection from url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 1.2.1.55 UC0074 Network Intrusion Internal Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 1.2.1.56 UC0075 Network Malware Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 1.2.1.57 UC0076 Excessive DNS Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 1.2.1.58 UC0077 Detection Risky Referral Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 1.2.1.59 UC0079 Use of accountable privileged identity to access new or rare sensitive resource . . . . . . . . . . . . . . 331 1.2.1.60 UC0080 Trusted Individual exceeds authorization in observation of other users . . . . . . . . . . . . . . . . . . . . . 333 1.2.1.61 UC0081 Communication with unestablished domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 1.2.1.62 UC0082 Communication with enclave by default rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 1.2.1.63 UC0083 Communication from or to an enclave network permited by previously unknown or modified firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 1.2.1.64 UC0084 Monitor Execution of Triage Activtity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
337 1.2.1.65 UC0085 Alert per host where web application logs indicate a source IP not classified as WAF . . . . . . . . . 338 1.2.1.66 UC0086 Detect Multiple Primary Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 1.2.1.67 UC0087 Malware signature not updated by SLA for compliance asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 1.2.1.68 UC0088 User account sharing detection by source device ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
1.2.1.69 UC0089 Detection of Communication with Algorithmically Generated Domain . . . . . . . . . . . . . . . . . . . . . . 1.2.1.70 UC0090 User account cross enclave access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1.71 UC0091 Validate Execution of Vulnerability Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1.72 UC0092 Exception to Approved Flow for Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1.73 UC0093 Previously active account has not accessed enclave/lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1.74 UC0094 Insecure authentication method detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2 Adoptable IT Operations Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2.1 Enterprise Service Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2.1.1 ITOAUC-0001 Enterprise Service Availability Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2.1.2 ITOAUC-0002 Enterprise Service Availability Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3 Product Enterprise Security Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.1 UCESS002 Abnormally High Number of Endpoint Changes By User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.2 UCESS003 Abnormally High Number of HTTP Method Events By Src . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.3 UCESS004 Account Deleted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
1.2.3.4 UCESS005 Activity from Expired User Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.5 UCESS006 Anomalous Audit Trail Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.6 UCESS007 Anomalous New Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.7 UCESS008 Anomalous New Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.8 UCESS009 Asset Ownership Unspecified . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.9 UCESS010 Anomalous New Listening Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.10 UCESS011 Brute Force Access Behavior Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.11 UCESS012 Brute Force Access Behavior Detected Over One Day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.12 UCESS013 Cleartext Password At Rest Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.13 UCESS014 Completely Inactive Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.14 UCESS015 Concurrent Login Attempts Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.15 UCESS016 Default Account Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.16 UCESS017 Default Account At Rest Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.17 UCESS018 Excessive DNS Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . 1.2.3.18 UCESS019 Excessive DNS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.19 UCESS020 Excessive Failed Logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.20 UCESS021 Excessive HTTP Failure Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.21 UCESS022 Expected Host Not Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.22 UCESS023 Alerts on access attempts that are improbably based on time and geography. . . . . . . . . . . . . 1.2.3.23 UCESS024 High Number of Hosts Not Updating Malware Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.24 UCESS025 High Number Of Infected Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.25 UCESS026 High Or Critical Priority Host With Malware Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.26 UCESS027 High or Critical Priority Individual Logging into Infected Machine . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.27 UCESS028 High Process Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.28 UCESS030 High Volume of Traffic from High or Critical Host Observed . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.29 UCESS031 Host Sending Excessive Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.30 UCESS032 Host With A Recurring Malware Infection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.31 UCESS033 Host With High Number Of Listening ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
1.2.3.32 UCESS034 Host With High Number Of Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.33 UCESS035 Host With Multiple Infections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.34 UCESS036 Host With Old Infection Or Potential Re-Infection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.35 UCESS037 Inactive Account Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.36 UCESS038 Insecure Or Cleartext Authentication Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.37 UCESS039 Multiple Primary Functions Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.38 UCESS040 Network Change Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.39 UCESS041 Network Device Rebooted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.40 UCESS042 New User Account Created On Multiple Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.41 UCESS043 Outbreak Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.42 UCESS044 Personally Identifiable Information Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.43 UCESS045 Potential Gap in Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.44 UCESS046 Prohibited Process Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.45 UCESS047 Prohibited Service Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . 1.2.3.46 UCESS048 Same Error On Many Servers Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.47 UCESS049 Short-lived Account Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.48 UCESS050 Should Timesync Host Not Syncing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.49 UCESS051 Substantial Increase In Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.50 UCESS052 Substantial Increase In Port Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.51 UCESS053 Threat Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.52 UCESS056 Unapproved Port Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.53 UCESS057 Unroutable Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.54 UCESS058 Untriaged Notable Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.55 UCESS059 Unusual Volume of Network Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.56 UCESS060 Vulnerability Scanner Detected (by events) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.57 UCESS061 Vulnerability Scanner Detected (by targets) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.58 UCESS062 Watchlisted Event Observed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3.59 UCESS063 Web Uploads to Non-corporate Sites by Users . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.4 Product Splunk PCI App Security Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412
Value Narrative and Use Case Repository
Purpose
A narrative defining a business-impacting problem and a logical solution are the essential elements of each use case in the repository. Each narrative is cataloged using a number of fields that make the repository searchable. The fields allow the consuming user to define a rubric for the problem type being addressed and arrive at a number of valid narratives which can be proposed to address the problem at hand.
Introduction
Target Audience
The repository has a number of well-defined target audiences; as the repository evolves, each group should be better served.
Account Team - Utilizing key terms from customer dialog, identify the value proposition based on customer experiences
Sales Engineering - Cross-reference Core, Premium, Third-party, and services solutions to support customer objectives
Professional Services Managers - Better estimate project scope utilizing objective-based planning, with the ability to plan schedules based on prior experiences
Professional Services Consultant - Better understand what was agreed to and the implementation requirements
Scope
Presently the scope of the repository is focused on addressing motivating problems experienced by leaders in the Information Security and Compliance markets.
How to Navigate
Reactive Use of the repository allows the user to work alongside the customer, typically analysts, managers, and architects, to demonstrate value which is currently being realized or can be realized based on available data sources. Careful consideration should be given to how the narratives are presented; the amount of information can be overwhelming. Using the left-hand navigation menu or a shortcut below, begin with one of the following "views":
Supporting Data View - Supporting data represents the types of data utilized to support a solution that eventually achieves a business objective. These data types can be consumed equally by use case narratives regardless of the underlying technology. In some cases we recognize that all technology sources are not equal and further define specific "events" and critical fields that must be provided to successfully implement a narrative. This approach allows the user to head off failure on implementation when a given combination cannot achieve success.
Technology Provider View - Technology Providers roughly equate to Splunk Technology Add-ons. When working with pre-existing technology implementations, the user can utilize this view to determine which use cases may be possible in a customer environment.
Proactive Use of the repository allows the user to work alongside the customer, typically executive leaders and senior leaders, to identify the opportunities within the organization where the greatest value gains can be realized for the smallest opportunity costs. When used in this way the Account team can begin documenting the motivating problems, ideal solution narratives (use cases), and perceived value early in the relationship. These artifacts can easily be used by the account team, customer success, and professional services to assist the customer in staying on track to value delivery and recognition of product value. This approach is summarized as objective-led solution development. Using the left-hand navigation menu or a shortcut below, begin with one of the following "views":
Motivating Problem Type View - Motivating problems are broad business needs; generally these are targeted at the level of conversation expected with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural missions or objectives with charter and support from all involved.
Motivating Risk View Perspective - Risk mitigation is tangential to the traditional view of business value. To address this motivation and realize value, the customer places an artificial cost on the occurrence of an event; narratives and solutions then provide support for the decision makers to show the broader business leadership that risks are being addressed proactively through the development of detection and monitoring processes.
Copyright © 2016, Splunk Inc.
How to read the use case narrative
The use case narrative is designed using the Rosetta Stone metaphor: it is intended that users may approach it from a number of perspectives and engage in dialog with users of another perspective.
Motivation and Data
The Motivation, Data Source and Enrichment requirements connect the narrative to the customer motivation and the supporting data requirements for success.
Motivating Problem Type View - Motivating problems are broad business needs; generally these are targeted at the level of conversation expected with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural missions or objectives with charter and support from all involved.
Motivating Risk View Perspective - Risk mitigation is tangential to the traditional view of business value. To address this motivation and realize value, the customer places an artificial cost on the occurrence of an event; narratives and solutions then provide support for the decision makers to show the broader business leadership that risks are being addressed proactively through the development of detection and monitoring processes.
Supporting Data View - Supporting data represents the types of data utilized to support a solution that eventually achieves a business objective. These data types can be consumed equally by use case narratives regardless of the underlying technology. In some cases we recognize that all technology sources are not equal and further define specific "events" and critical fields that must be provided to successfully implement a narrative. This approach allows the user to head off failure on implementation when a given combination cannot achieve success.
Data Definition - Tracker - Data definitions for tracking are dynamic lists created by search processes and used to enrich later searches as search-time lookups.
Data Definition - Enrichment - Dynamic external or static content utilized at search time to provide critical contextual information for events.
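The tracker mechanism described above, written out as an added example that is not part of the use case library: one savedsearches.conf stanza builds a "domains seen" tracker lookup from proxy events, and a second stanza consumes that lookup at search time to flag destinations not previously recorded. The index (proxy), sourcetype (web), field names (dest_host, src) and the lookup name (domain_tracker) are assumptions, not names taken from the repository.

```ini
# transforms.conf (added example; the lookup name is an assumption)
[domain_tracker]
filename = domain_tracker.csv

# savedsearches.conf
# Tracker build: runs hourly and merges the last hour's destinations into the
# lookup. After inputlookup appends the rows already recorded, min()/max()
# preserve the earliest first_seen and latest last_seen per destination and
# sum() keeps a running hit count. The 65-minute window overlaps the hourly
# schedule so a late-running job does not leave a gap.
# Caveat: inputlookup fails if domain_tracker.csv does not exist yet, so seed
# it once with a header-only CSV (dest_host,first_seen,last_seen,hits).
[Tracker - Domains Seen]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = now
search = index=proxy sourcetype=web dest_host=* \
| stats min(_time) as first_seen max(_time) as last_seen count as hits by dest_host \
| inputlookup append=true domain_tracker \
| stats min(first_seen) as first_seen max(last_seen) as last_seen sum(hits) as hits by dest_host \
| outputlookup domain_tracker

# Consuming search: enrich the last 15 minutes of proxy traffic from the
# tracker and keep destinations that are either absent from it or were first
# recorded within the last day. The isnull() branch is the edge case that
# matters: a domain contacted for the first time since the last hourly build
# is not in the lookup at all, and dropping it would miss exactly the
# "newly seen" traffic this search exists to surface.
[Communication with newly seen domain]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
search = index=proxy sourcetype=web dest_host=* \
| stats count values(src) as src by dest_host \
| lookup domain_tracker dest_host OUTPUT first_seen \
| eval first_seen=tonumber(first_seen) \
| where isnull(first_seen) OR first_seen > relative_time(now(), "-1d@d") \
| eval first_seen=if(isnull(first_seen), "not yet tracked", strftime(first_seen, "%Y-%m-%d %H:%M:%S")) \
| sort - count
```

A tracker is only as complete as the history it has accumulated: on a fresh deployment every destination looks new, so the consuming search should be scheduled only after the build has run long enough to cover normal business traffic, and the tracker build should never be pointed at a time range wider than the data actually retained, or the first_seen values will be artificially late.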
Adoption
The first section of each use case contains a brief descriptive narrative element, followed by adoption phase descriptors. Three types of adoption phase descriptors are used:
Adoption Phase SME
Adoption Phase SME represents the current status of the narrative in the development life cycle. This attribute will assist the user and customer in determining the timing of use case implementation.
APS-Accepted — The third stage of development, "Accepted", indicates the RFC period has completed and the narrative is awaiting implementation or pilot.
APS-Obsolete — Used when a narrative concept is replaced by one or more new narratives delivering higher value, or when for external reasons the narrative is no longer relevant to a meaningful number of customers.
APS-Pilot — The fifth stage of development indicates one or more customers are testing the narrative concept. Additional knowledge gained in the pilot may prompt a return to RFC or permit advancement to the next stage.
APS-POC — The fourth stage, "Proof of Concept", allows for testing a narrative using demonstration data or partial implementation in a live environment before adoption as a pilot.
APS-Productized — The third stage of development "Productized" indicates the RFC period has completed and the narrative is awaiting implementation or pilot.
APS-Proposed — A proposed narrative not yet tested in the field.
APS-ProposedField — A proposed narrative based on solutions developed in the field. Reserved for "live" narratives.
APS-Rejected — At any point in the development life cycle a narrative may be rejected. Future developments in data sources, enrichment, technology, or the concept may permit a rejected narrative to return to the accepted phase.
APS-Release — The final stage of adoption is Release; in this phase the narrative is considered complete. Revisions may occur in the narrative or implementation within the boundaries of the original stated objective.
APS-RFC — The second phase in narrative development, Request for Comments, allows interested parties to provide feedback to enhance the clarity of the narrative, including goals, data sources, enrichment and addressed problems.
Adoption Phase Customer
The adoption phase of the customer describes the appropriate timing for this narrative in the continuum of the customer journey.
APC-Edge — An edge use case is adopted by a customer for reasons which may be described in the narrative. These reasons typically motivate customers in specific circumstances to adopt a use case narrative, though we may not expect adoption by other customers in similar verticals or maturity stages.
APC-Essential — An essential use case narrative, when filtered by a motivating problem, describes a solution implemented almost by default. These use cases have qualities such as easy implementation, immediate high value return, or compliance satisfaction as justification for early adoption.
APC-Mature — A mature use case narrative, when filtered by a motivating problem, describes a solution used to expand value from existing data sources or to justify the addition of data sources.
APC-Maturing — A maturing use case narrative, when filtered by a motivating problem, describes a solution which will present high value to the customer; however, customer maturity, implementation requirements, data sources, or complexity would likely cause delays.
APC-Superceded — A superseded use case narrative has been replaced with one or more improved narratives. The excerpt of the superseded narrative should be updated to include a direct link to the targets.
APC-Undetermined — Adoption phase has yet to be assigned.
Adoption Phase Industry
The adoption phase from the industry perspective allows the user to estimate how widely known the narrative is, or how well it could be expected to be received by an audience reasonably well versed in industry trends. This attribute does not speak to deployment of solutions similar to the narrative and is not scientific.
API-Accepted — Narratives described as accepted generally have recognized merit and value within the industry. These narratives have not yet been widely adopted and represent an opportunity to provide value not presently obtained from current solutions within the organization.
API-Dated — Narratives described as dated will have little emotional appeal and potentially no longer provide value when implemented. For customers with legacy needs it may be appropriate to recommend some use cases from this category.
API-Distinctive — Narratives described as distinctive represent utilization of unique capabilities of the Splunk platform. While it may be possible to implement these narratives without Splunk, factors such as specialized skill or complexity make implementation impractical.
API-Expected — Narratives described as expected could also be described as "must do" and "should do". Adequate adoption in the industry allows the narrative to justify its own implementation with little convincing of stakeholders required.
API-Known — Narratives described as known would have recognition in the industry. These narratives may still be controversial but have been presented adequately enough not to be considered foreign concepts.
API-Socializing — Narratives described as socializing in the industry are currently being presented at conferences, spoken about in blogs or other venues, and have not yet made an impression of value with the industry community.
Qualification
The second section of each use case contains attributes intended to assist the user and customer in evaluating the use case in consideration of the customer environment, the skill sets available and the workload generated.
Severity
Severity of any notable event generated (automatically or manually) as a result of discoveries made utilizing this use case.
SV1 - Low — Low severity issues will frequently be trumped by higher priority issues and external workload. In most organizations low priority issues frequently age out without review.
SV2 - Medium — Medium severity items must be addressed within the organization's service level agreement; however, such events may not be an organizational priority. For example, "it will get dealt with, but I may go to lunch or an unrelated meeting before I actually address it."
SV3 - High — High severity notable events will interrupt work for immediate attention. Evaluation of a high severity event may result in a formal incident and/or escalation. For example, "I will skip meetings and lunch and other interruptions during the workday to deal with this; however, while I will stay late, I will not come in during the night or skip my child's recital because of it."
SV4 - Critical — Critical severity items require immediate and constant attention until resolved. For example: "I will work nights and weekends and Christmas morning if necessary to resolve this."
Rate of Detection
Rate of Detection is a non-scientific estimate of the number of occurrences of a specified event.
RATED0-Rare — Rare events will occur less than once per day on average.
RATED1-Common — Common events may occur a few times per day in a typical environment. It is generally expected that common events will not overwhelm the operations team.
RATED2-Frequent — Frequent events are expected to occur often in a typical environment; this type of event may overwhelm an operations team without careful tuning and mitigations.
RATED9-Undetermined — Adequate information has not yet been presented to determine this value.
Fidelity
The fidelity of a narrative describes the ratio of signal (valid/positive) to noise (invalid/false positive) anticipated based on field experience.
FIDELITY-High — This indicates a relatively high signal to noise ratio, and therefore a lower likelihood of false positives; it should not require additional searches to validate.
FIDELITY-Low — This indicates a relatively low signal to noise ratio, and therefore a higher likelihood of false positives. Confidence in the output can be increased through other means (e.g. cross-correlation and/or subsequent searches).
FIDELITY-Moderate — This indicates an unpredictable signal to noise ratio with a bias towards signal, and therefore a higher likelihood of false positives than High. Confidence in the output can be increased through other means (e.g. cross-correlation and/or subsequent searches).
FIDELITY-Undetermined — Adequate information has not yet been presented to determine this value.
System Load
System load estimates the noticeable impact of the narrative on system performance.
LOAD-Excessive — Excessive impact on system performance. Careful consideration should be given before adoption of this use case, such as limiting the scope to essential systems or users.
LOAD-High — High impact on system performance. Narratives are expected to require a noticeable amount of time to execute.
LOAD-Low — Low estimated impact on system performance.
LOAD-Moderate — Moderate estimated impact on system performance; unlikely to create a perceptible impact for interactive users, but may contribute to the latency of scheduled searches.
LOAD-Undetermined — Adequate information has not yet been presented to determine this value.
Analyst Load Relative level of load or work effort involved in resolution of the notable event.
AnalystLoad-Automation — Requires no outside information for triage and can be automated to resolution in many environments. When automation is not available these narratives are considered low.
AnalystLoad-High — Requires a large amount of time/effort to triage the notable event.
AnalystLoad-Low — Requires a small amount of time/effort to triage the notable event.
AnalystLoad-Moderate — Requires a moderate amount of time/effort to triage the notable event; triage is seldom expected to extend beyond the current shift.
AnalystLoad-Undetermined — Adequate information has not yet been presented to determine this value.
Implementation Skill Relative level of skill necessary to implement the use case.
SKILLI-Customer
SKILLI-PS-General
SKILLI-PS-SecurityEnabled
SKILLI-PS-SecuritySpecialist
SKILLI-Undetermined — Adequate information has not yet been presented to determine this value.
Use Case Domains Use case domains reflect the data domain used to support a specific use case. Subject matter expertise will align closely with each individual domain or a sub domain. The repository will be segmented into domains aligning with those defined within Splunk Enterprise Security.
Use Case Domain - Access — Use cases related to the use of access, authorized or unauthorized activity which may identify a threat to the organization.
Use Case Domain - Endpoint — Use cases related to the use or modification of an endpoint device in such a way that may be a threat to the organization.
Use Case Domain - Identity — Use cases using information about an asset or identity to assign the priority, risk level, impact, and categorization for the object to better inform analysts with context when reviewing notable events.
Use Case Domain - Network — Use cases utilizing data from network communications to identify a threat to the organization.
Measurement Each narrative describes appropriate key performance indicators and recommends an appropriate review cadence. Each implementing customer should utilize the metrics to monitor the effectiveness of each narrative in light of the organization's operational objectives.
Artifacts Each narrative describes the components of an implemented solution or provides details on the content packages for implementation.
Adoption Motivations Adoption motivations are an attempt to group together the impetus which drives a potential customer to seek out and/or be open to considering our solution. Here are a few example motivations:
New functionality required by mandate (compliance requirement, executive directive, etc.)
New functionality requested because one or more pain points have been identified that need to be alleviated
Existing functionality parity required due to a forced replacement (i.e. the existing system is EOL and its functionality must be replaced)
Motivating Problem Type View Motivating problems are broad business needs; generally these are framed at the level of a conversation with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural missions or objectives with charter and support from all involved.
PRT03-PeerAdoption-Phase2-Maturing (Narrative and Use Case Center) Use case narratives adopted during the second deployment phase of a security operations, monitoring, and response program. Supporting Use Cases Sep 23, 2016
PRT03-PeerAdoption-Phase1-Essentials (Narrative and Use Case Center) Use case narratives adopted during the initial deployment phase of , monitoring, and response program. Supporting Use Cases Sep 23, 2016
PRT04-ProcessEffectivness-HuntPaths (Narrative and Use Case Center) Utilizing searches and automated prompts, the analyst will investigate selected events that are considered low fidelity to identify, using an analytic process, potential security weaknesses or previously unknown threats Jul 20, 2016
PRT08-ProductAdoption (Narrative and Use Case Center) Use cases provided by the Splunk Enterprise Security Application are mapped to the Adoption Phase and grouped by Supporting Data Source to assist the customer and consultant in the selection of use cases for implementation based on the likely readiness of the customer Aug 14, 2016
PRT08-ProductAdoption-ES (Narrative and Use Case Center) Aug 14, 2016
PRT08-ProductAdoption-ES-Maturing (Narrative and Use Case Center) DS010NetworkCommunication Network communication data is often the last chance available to identify the movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the DMZ, Public internet, segmenting private network from the public internet and segmenting the private network ... Aug 14, 2016
PRT08-ProductAdoption-ES-Mature (Narrative and Use Case Center) DS010NetworkCommunication Network communication data is often the last chance available to identify the movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the DMZ, Public internet, segmenting private network from the public internet and segmenting the private network ... Aug 14, 2016
PRT08-ProductAdoption-ES-Essentials (Narrative and Use Case Center) DS010NetworkCommunication Network communication data is often the last chance available to identify the movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the DMZ, Public internet, segmenting private network from the public internet and segmenting the private network ... Aug 14, 2016
PRT04-ProcessEffectivness (Narrative and Use Case Center) High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud. Supporting Use Cases Essentials Maturing Apr 07, 2016
PRT03-PeerAdoption (Narrative and Use Case Center) Pressure to emulate similar peers based on the objective of security via minimum accepted industry norms. This view will assist the user in determining which use cases should be considered during the adoption phase. Apr 07, 2016
PRT01-Compliance High level compliance problems, regardless of the specific regulation or standard applied, tend to be addressed with very similar use case narratives. Within the compliance problem type, individual common regulations will be addressed.
Supporting Use Cases: Essentials
UCESS045 Potential Gap in Data (Narrative and Use Case Center) Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context ... Aug 16, 2016
UC0006 Windows security event log purged (Narrative and Use Case Center) Manually clearing the security event log on a Windows system is a violation of policy and could indicate an attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear DE001AssetInformation Adoption ... Apr 08, 2016
UC0046 Endpoint failure to sync time (Narrative and Use Case Center) Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016
UC0043 Direct Authentication to NHA (Narrative and Use Case Center) Direct authentication via SSH or console session to a non human account indicates a violation of security policy by recording the password of a non human account for later use or by association of a SSH key to a non human account. Problem Types Addressed Risk ... Apr 11, 2016
UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center) ... Contributing Events Search datamodel Malware MalwareAttacks search search MalwareAttacks.dest="$dest$" Compliance YES Container App DAESSSecKitEndpointProtection Related articles Related articles appear here ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0074 Network Intrusion Internal Network (Narrative and Use Case Center) ... IDSAttacks.category,IDSAttacks.signature `dropdmobjectname("IDSAttacks")` Note alternative implementation with XS should be considered Compliance YES Container App SecKitDAESSNetworkProtection https://securitykit.atlassian.net/wiki/display/GD/SecKitDAESSNetworkProtection Windows 65m@m to 5m@m ... May 09, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0075 Network Malware Detection (Narrative and Use Case Center) ... src dvcip dest product signature severity impact extref `getasset(src)` Compliance YES Container App SecKitDAESSNetworkProtection https://securitykit.atlassian.net/wiki/display/GD/SecKitDAESSNetworkProtection Windows 65m@m to now Cron ... Apr 25, 2016
Supporting Use Cases: Maturing
UCESS016 Default Account Activity Detected (Narrative and Use Case Center) Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ... Aug 14, 2016
UCESS028 High Process Count (Narrative and Use Case Center) Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare ... Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, Problem Types Addressed Risk Addressed ... Jul 12, 2016
UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center) Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ... Aug 14, 2016
UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center) For each authentication technology in the network, identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators Problem Types Addressed Risk Addressed Event ... Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center) Detection of logon with the same account to a production and a non production environment. If an account (not user) has logged into more than one enclave, access management controls have failed and must be remediated Problem Types Addressed Risk Addressed Event Data ... Jun 24, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center)
Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access ... Apr 11, 2016
PRT01Compliance-PCI Guidance for implementation of logging and monitoring for business as usual compliance with PCI 3.2
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement / Guidance
1.1.1
In support of testing procedure 1.1.1b maintain online and searchable logs and records for all change activity.
1.1.4
In support of testing procedure 1.1.4.c maintain online and searchable logs for all DS010NetworkCommunication-ET01Traffic from any dvc designated as cardholder, border, or internet.
1.1.6
In support of 1.1.6.a build upon the work effort invested in 1.1.4 and implement the following monitoring control: UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule. In support of 1.1.6.c build upon the work effort invested in 1.1.4 and implement the following monitoring control: UC0082 Communication with enclave by default rule
1.2.1
In support of 1.2.1.c implement the following monitoring control to ensure continual compliance: UC0084 Monitor Execution of Triage Activity
1.2.3
In support of 1.2.3b build upon the work effort of 1.1.6 and ensure the existing process treats the wifi network as an enclave
1.3.1
In support of 1.3.1 build upon the work effort of 1.1.5: UC0085 Alert per host where web application logs indicate a source IP not classified as WAF
1.4
In support of 1.4.b Ensure data collection for DS010NetworkCommunication-ET02State from all devices in scope
2.1
In support of 2.1.a ensure data collection for DS003Authentication-ET01Success from all in-scope systems. Ensure all PIM systems are correctly identified in DE001AssetInformation and ensure all default accounts have been correctly listed in DE002IdentityInformation prior to implementation of UC0007 Account logon successful method outside of policy
2.2.1
In support of 2.2.1.a ensure data collection for dynamic primary function identification is in place to support the complete definition of DE001AssetInformation: UC0086 Detect Multiple Primary Functions
2.2.5
In support of 2.2.4.c Ensure data collection for DS010NetworkCommunication-ET01TrafficAppAware is in place prior to implementation of RP001 New web application or network protocol detected
2.4
Implement a reliable dynamic asset identification solution (DE001AssetInformation) with the following attributes: appropriate values for pci_domain by CIDR; all hosts within the CDE are identified with a static IP address; all firewalls and interfaces containing the CDE are identified. Collect data from the following sources: DS010NetworkCommunication-ET01Traffic, DS003Authentication-ET01Success (machine account), DS015ConfigurationManagement-ET01General
3.1
Implement clear logging and collection for each application component responsible for deletion of online CHD. Generate a customer specific use case for the absence of successful reports in the job execution window
3.2
Implement data collection for the customer specific data identification system. Implement a custom use case for a new location for PCI information. Respond by verifying that authentication data is not recorded
3.4.1
If disk/share encryption is used, implement data collection for the specific provider supporting the following data types: DS003Authentication-ET01Success, DS006UserActivity-ET02Read, DS006UserActivity-ET06Search
3.5.1
Implement a customer specific use case alerting when a key is read, imported or assigned to a specific encrypted resource, for review by the key administrator
3.5.2
Implement a customer specific use case alerting when a key is accessed by a human; manually review the access with the key administrator
4.1
In support of 4.1.c ensure data collection for DS010NetworkCommunication-ET01TrafficAppAware is in place for all CDE network segments and implement RP001 New web application or network protocol detected
4.2
In support of 4.2.a ensure data collection for DS016DataLossPrevention-ET01Violation is in place and implement a customer specific use case for alerting on actual or attempted transmission of CHD via email, chat, FTP or removable media
5.1
In support of 5.1 ensure data collection for DS004EndPointAntiMalware-ET02UpdatedSig is in place and ensure requires_antivirus is set for all applicable records in DE001AssetInformation, then implement the following use cases.
5.2
In support of 5.2.b, 5.2.c and 5.2.d implement the following use cases: UCESS024 High Number of Hosts Not Updating Malware Signatures; UC0087 Malware signature not updated by SLA for compliance asset
6.4.1
In support of 6.4.1.b define an enclave for each CDE/lifecycle such that production and non production systems can be identified: UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule
6.4.2
In support of 6.4.2 define an enclave for each CDE/lifecycle such that production and non production systems can be identified: UC0090 User account cross enclave access
6.4.3
In support of 6.4.3 identify ranges or fixed sets of PAN ranges that may be utilized in the non production life cycle and create a set of periodic scripts to assess that no data exists outside of the fixed range. Log the results for compliance reporting.
6.4.4
While not conclusive for all environments the implementation of control 6.4.3 may assist in ongoing evidence of compliance.
6.4.5.x
Not applicable to the logging and monitoring processes
6.4.6
Not applicable to the logging and monitoring processes
6.5.x
6.6
Capture and retain logs from automated software installation and testing processes to provide evidence of compliance through the execution of testing against common weaknesses. Capture and retain applicable logs from defect tracking systems to evidence that issues were reported and reviewed without modification prior to release of software to production. Using an external vulnerability scanner not granted unfiltered access, scan the public facing networks: UCESS010 Anomalous New Listening Port; UC0091 Validate Execution of Vulnerability Scan. Periodically validate the implementation of the load balancer and web application firewall: UC0092 Exception to Approved Flow for Web Applications
6.7
Not applicable to the logging and monitoring processes
7.x
Not applicable to the logging and monitoring processes
8.1
In support of this section all authentication success and failure events must be captured for all components of the application infrastructure.
8.1.1
In support of continued monitoring of compliance with 8.1.1 implement the following use cases: UC0039 Use of Shared Secret for access to critical or sensitive system; UC0088 User account sharing detection by source device ownership
8.1.2
Not applicable to the logging and monitoring processes
8.1.3
Support continued compliance and verification through implementation of the following use case: UCESS005 Activity from Expired User Identity
8.1.4
Support continued compliance and verification through implementation of the following use cases: UC0008 Activity on previously inactive account; UC0093 Previously active account has not accessed enclave/lifecycle
8.1.5
Not applicable to the logging and monitoring processes
8.1.6
Not applicable to the logging and monitoring processes
8.1.7
Not applicable to the logging and monitoring processes
8.1.8
Not applicable to the logging and monitoring processes
8.2
Implement an appropriate site specific compliance report to identify that all successful logins to a production enclave use one of the approved authentication factors for that enclave/component.
8.2.1
Support continued compliance and verification through implementation of the following use case: UC0094 Insecure authentication method detected
8.2.2
Not applicable to the logging and monitoring processes
8.2.3
Not applicable to the logging and monitoring processes
8.2.4
Not applicable to the logging and monitoring processes
8.2.5
Not applicable to the logging and monitoring processes
8.2.6
Not applicable to the logging and monitoring processes
8.3.x
Support continued compliance and verification through implementation of the following use case: UC0007 Account logon successful method outside of policy
8.4
Support continued compliance and verification through implementation of the following use case
8.5
Support continued compliance and verification through implementation of the following use cases: UC0039 Use of Shared Secret for access to critical or sensitive system; UC0040 Use of Shared Secret for or by automated process with risky attributes
8.6
Not applicable to the logging and monitoring processes
8.7
Not applicable to the logging and monitoring processes
8.8
Not applicable to the logging and monitoring processes
9.1
Support continued compliance and verification through implementation of the following use case: UC0045 Local authentication server. Review resulting events in consideration of approved physical access activity, change, incident, problem and virtual remote console logs such as virtual infrastructure and KVM.
9.1.1
See 9.1
9.1.2
Not applicable to the logging and monitoring processes
9.1.3
Not applicable to the logging and monitoring processes
9.2
Not applicable to the logging and monitoring processes
9.3
Not applicable to the logging and monitoring processes
9.4
Not applicable to the logging and monitoring processes
9.5
Not applicable to the logging and monitoring processes
9.6
Not applicable to the logging and monitoring processes
9.7
Not applicable to the logging and monitoring processes
9.8
Not applicable to the logging and monitoring processes
9.9
Not applicable to the logging and monitoring processes
10.1
Implement collection and retention of the following log sources: DS003Authentication, DS003Authentication-ET01Success, DS003Authentication-ET02Failure
10.2
See below
10.2.1
Implement collection and retention of the following log sources DS006UserActivity-ET02Read
10.2.2
Implement collection and retention of the following log sources: DS006UserActivity-ET04Update, DS007AuditTrail, DS009EndPointIntel, DS009EndPointIntel-ET01ProcessLaunch, DS009EndPointIntel-ET01ObjectChange, DS020HostIntrustionDetection-ET01SigDetected
10.2.3
Implement collection and retention of the following log sources DS007AuditTrail-ET01Clear
10.2.4
Implement collection and retention of the following log sources DS003Authentication-ET02Failure
10.2.5
Implement collection and retention of the following log sources as applied to authentication mechanisms such as directory servers, two factor authentication systems, single sign on systems, and local authentication controls: DS006UserActivity-ET03Create, DS006UserActivity-ET04Update, DS006UserActivity-ET05Delete
10.2.6
Implement collection and retention of the following log sources as applied to the service and configuration utilized in auditing: DS006UserActivity-ET04Update (note: include service start, stop, and alter for configuration controlling the audit process such as syslog, group policy, Windows registry, and database triggers), DS007AuditTrail-ET01Clear, DS007AuditTrail-ET02Alter
10.2.7
Implement collection and retention of the following log sources as applied to the service and configuration utilized in auditing
10.3
Verify compliance of data sources identified with minimum requirements of the objective
10.4
Implement collection and retention of the following log source: DS007AuditTrail-ET03TimeSync. Implement the following use case: UC0046 Endpoint failure to sync time
10.5 10.5.1
Implement streaming collection of all log sources. Avoid batch collection activities, and where batch collection is in use build adequate defensive and detective controls to ensure audit processes are not tampered with. Implement access controls as appropriate to limit access to audit trail data in Splunk. Implement routine trimming of original audit trails such that no audit data is retained on source systems beyond a reasonable amount allowing recovery in the event of streaming collection failure
10.5.2
Implement index integrity features in Splunk
10.5.3
Implement Splunk Archiver function with a write only external service such as Amazon S3 to ensure data is archived to a system under separate control.
10.5.4
Implementation of log collection for all web application server infrastructure logs, especially the following: DS002DNS-ET01QueryResponse, DS003Authentication-ET01Success, DS003Authentication-ET02Failure, DS004EndPointAntiMalware-ET01SigDetected, DS004EndPointAntiMalware-ET03UpdatedEng, DS005WebProxyRequest-ET01Requested, DS006UserActivity, DS007AuditTrail, DS009EndPointIntel-ET01ProcessLaunch, DS010NetworkCommunication-ET01Traffic, DS014WebServer-ET01Access, DS015ConfigurationManagement-ET01General, DS018VulnerabilityDetection, DS019PatchManagement, DS020HostIntrustionDetection-ET01SigDetected
10.5.5
Implementation of log collection for all web application server infrastructure logs, especially the following: DS020HostIntrustionDetection-ET01SigDetected
10.6.1
Implementation of a robust set of correlation searches to monitor each security technology in the enterprise. Management should review the PCI dashboards daily to ensure that notable events have been triaged and are being resolved in accordance with company policy
10.6.2
Expansion of monitoring beyond the immediate PCI scope to ensure attackers are kept more than one degree away from all PCI systems. Management should review critical dashboards daily, such as the Enterprise Security Security Posture and Incident Review dashboards, and act on the trends highlighted
10.6.3
Notable events determined to indicate suspicious activities should be identified as a formal incident and handled according to industry accepted practices.
10.7
Ensure all in-scope event data is retained online and searchable for a minimum of 3 months. Ensure adequate search hardware is available or can be provisioned (cloud) to recall and search data up to 1 full year, OR ensure at least 1 full year for all data sources is available online. Ensure that the log infrastructure cannot be subjected to a denial of service attack by external actors: identify points where external actors can generate sufficient log traffic to cause early purge or failure of the logging infrastructure, and identify methods of mitigating this risk.
10.8
Identify methods of detecting and alerting on the failure of critical control systems to produce events
10.9
Not applicable to the logging and monitoring processes
11.1
Not applicable to the logging and monitoring processes
11.2
Collect and retain vulnerability scan data DS018VulnerabilityDetection-ET01SigDetected
11.3
Not applicable to the logging and monitoring processes
11.4
Implement the following use case: UC0074 Network Intrusion Internal Network
11.5
Implement collection of the following data sources and identify appropriate technology specific use cases for the environment: DS009EndPointIntel, DS020HostIntrustionDetection-ET01SigDetected
11.6
Not applicable to the logging and monitoring processes
12
Not applicable to the logging and monitoring processes except as noted
12.5
Adopt a formal methodology, aligned with enterprise risk assessment, to identify risks and the detective controls to be implemented and monitored by appropriate sensor/detection technology, with correlation in a single security event and information management system
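The periodic check called for under 6.4.3 (and relied on again by 6.4.4), as an added example that is not part of the original document or of the Splunk Security Kit: a Python script that finds Luhn-valid card numbers in non-production records, verifies each falls within an approved test range, and emits a masked result record suitable for compliance logging. The approved ranges, the sample records (public test card numbers only) and all function names are constructed assumptions.

```python
"""Hypothetical periodic check for PCI DSS 6.4.3: confirm that only PANs from
approved test ranges appear in non-production data, and log a masked report."""
import json
import re
from datetime import datetime, timezone

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed example: approved test ranges for the non-production lifecycle,
# expressed as inclusive (low, high) integer bounds on the full PAN.
APPROVED_TEST_RANGES = [
    (4111110000000000, 4111119999999999),  # assumed Visa-style test range
    (5555550000000000, 5555559999999999),  # assumed Mastercard-style test range
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits in anything we log."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def in_approved_range(digits: str, ranges=APPROVED_TEST_RANGES) -> bool:
    """True when the PAN lies inside one of the approved test ranges."""
    value = int(digits)
    return any(low <= value <= high for low, high in ranges)


def scan_records(records, ranges=APPROVED_TEST_RANGES):
    """Find Luhn-valid PANs in each record; mark any outside the approved ranges."""
    findings = []
    for idx, text in enumerate(records):
        for match in PAN_CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_valid(digits):
                continue        # a random digit run, not a card number
            findings.append({
                "record": idx,
                "pan_masked": mask_pan(digits),
                "approved": in_approved_range(digits, ranges),
            })
    return findings


def compliance_report(records, ranges=APPROVED_TEST_RANGES, dataset="constructed-sample"):
    """Summarise one scan as a JSON-serialisable record for the compliance log."""
    findings = scan_records(records, ranges)
    violations = [f for f in findings if not f["approved"]]
    return {
        "control": "PCI DSS 6.4.3",
        "dataset": dataset,
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "pans_found": len(findings),
        "violations": violations,
        "compliant": not violations,
    }


# Constructed sample of non-production records using public test card numbers.
SAMPLE_RECORDS = [
    "order=1001 card=4111 1111 1111 1111 status=ok",
    "order=1002 card=5555555555554444 status=ok",
    "order=1003 card=4242-4242-4242-4242 status=declined",  # outside approved ranges
    "trace_id=1234567890123456 not a card number",          # fails the Luhn check
]

if __name__ == "__main__":
    print(json.dumps(compliance_report(SAMPLE_RECORDS), indent=2))
```

Each run's output can be indexed alongside the other compliance evidence; the `violations` list carries only masked PANs and record positions, so the log itself does not become new cardholder data.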
Supporting Documentation PCI Data Security Standard (PCI-DSS)
Version 3.2 Apr 2016 - PCI_DSS_v3-2.pdf
PRT02Compliance-NercCIP Currently, there are 16 critical infrastructure sectors that compose the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have significant implications nationwide, with potential impacts to national economic security, public health or safety, etc.
NERC CIP Requirements Standard
Requirement
Details
Guidance
CIP-002-3
R2
Critical Asset Identification:
Enrichment:
The responsible entity shall develop a list of its identified critical assets determined through an annual application of the risk-based assessment methodology as required by this standard. List shall be reviewed and updated annually, at minimum. Assets to be considered should include the following:
DDE001 Asset Information
Cyber Security: Critical Cyber Asset Identification
Control centers and backup control centers performing critical functions as described within CIP standards
Transmission substations that support the reliable operation of the BES (Bulk Electric System)
Generation resources that support the reliable operation of the BES
Systems and facilities critical to system restoration, including blackstart generators and substations in the electrical path of transmission lines used for initial system restoration
Systems and facilities critical to automatic load shedding under a common control system capable of shedding 300MW or more
Special protection systems that support reliable operation of the BES
Any additional assets that support reliable operation of the BES
CIP-003-3
R5.1
Cyber Security: Security Management Controls
Note: pci_domain field not applicable to CIP assets. Use Cases: UC0010 Asset Ownership Unspecified
Access Control:
Enrichment:
The responsible entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
DDE002 Identity Information
Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access. The list of personnel responsible for authorizing access to protected information shall be verified at least annually
In addition to CIP authorized individuals, CIP authorizing personnel should be identified in the identity list. The information they are responsible for can be specified in the bunit field. Use Cases: UC0052 Non-CIP user attempted to access CIP asset; UC0013 Monitor change for high value groups
CIP005-3a
R2
Cyber Security: Electronic Security Perimeter
Electronic Access Controls:
The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
Enrichment: DDE002 Asset Information. All assets that define the Electronic Security Perimeter (ESP) are to be defined in the asset list.
Use Cases: Prohibited Service Detected; Unapproved Port Activity Detected; UC0007 Anomalous New Process; UC0008 Anomalous New Listening Port
Copyright © 2016, Splunk Inc.
CIP005-3a
R3
Cyber Security: Electronic Security Perimeter
Monitoring Electronic Access:
The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.
Use Cases: Default Account Activity Detected; UC0010 Detect unauthorized use of remote access technologies; UC0032 Brute force authentication attempt; UC0033 Brute force authentication attempt distributed; UC0034 Brute force successful authentication
CIP006-3c
R.1.3
Physical Security of Critical Cyber Assets
Physical Security Perimeter:
Process, tools, and procedures to monitor access to the physical security perimeter.
Enrichment: Physical Security access logs (Lenel, etc.)
Use Cases: See ESP access control use cases above
CIP007-3a
R2
Cyber Security: System Security Management
Ports and Services:
The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.
Enrichment: Interesting Ports Lookup; Interesting Services Lookup; Interesting Processes Lookup
Use Cases: UC0007 Anomalous New Listening Port; UC0008 Anomalous New Process; UCXXXX Unapproved Port Activity Detected; UCXXXX Anomalous New Service
CIP007-3a
R3
Cyber Security: System Security Management
Security Patch Management:
The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-3 Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
Enrichment: DDE001 Asset Information
Use Cases: ES Vulnerability Center; UCXXXX CIP asset with unpatched RCE (remote code execution) or critical vulnerability
CIP007-3a
R4
Cyber Security: System Security Management
Malicious Software Prevention:
The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
Enrichment: DDE001 Asset Information
Use Cases: ES Malware Center; UCESS024 High Number of Hosts Not Updating Malware Signatures; UCESS053 Threat Activity Detected; UCESS025 High Number Of Infected Hosts; UCESS026 High Or Critical Priority Host With Malware Detected; UCESS027 High or Critical Priority Individual Logging into Infected Machine; UCESS032 Host With A Recurring Malware Infection; UCESS035 Host With Multiple Infections; UCESS036 Host With Old Infection Or Potential Re-Infection; UCESS043 Outbreak Detected
CIP007-3a
R5
Cyber Security: System Security Management
Account Management:
The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
Enrichment: DDE001 Asset Information; DDE002 Identity Information
Use Cases: ES Access Center; UC0053 Successful access to CIP asset outside of baseline activity; UC0054 Successful authentication to CIP asset by non-CIP user; UC0034 Brute force successful authentication
Supporting Documents CIP
PRT03Compliance-NIST Cyber Security Framework
Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.
Risk Management Strategy (ID.RM)
Data Security (PR.DS)
Access Control (PR.AC)
Protective Technology (PR.PT)
Security Continuous Monitoring (DE.CM)
Anomalies and Events (DE.AE)
Access Control (PR.AC)
NIST Cybersecurity Framework Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are managed for authorized devices and users
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
Supporting security use cases
1. UC0051 Excessive physical access failures to CIP assets
2. UC0052 Non-CIP user attempts to access CIP asset
3. Abnormal successful access to CIP asset (time of day, volume of activity, remote, etc.)
4. User with non-CIP job function successfully accessed CIP asset (transferred, access not properly removed)
Required data sources - some or all of the following:
Firewall allows and blocks
Intrusion events
Malware detections
Change logs
Authentication events
Anomalies and Events (DE.AE)
Data Security (PR.DS)
NIST Cybersecurity Framework Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
Supporting security use cases
1. UCXXXX Abnormal volume of access to CIP data (unstructured and structured data stores)
2. UCXXXX ARP poisoning detected
3. UCXXXX Abnormal volume of email from internal user (by bytes)
4. UCXXXX Abnormal amount of email from internal user (by volume)
Required data sources - some or all of the following:
Protective Technology (PR.PT)
Risk Management Strategy (ID.RM)
NIST Cybersecurity Framework - Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
Supporting security use cases
1. UCXXXX Asset exceeds risk threshold: CIP asset exceeds risk threshold (based on vulnerabilities, scanning attempts, etc.); risk factors determined by system owner
Required data sources - some or all of the following:
Firewall allows and blocks
Intrusion events
Malware detections
Change logs
Authentication events
Security Continuous Monitoring (DE.CM)
PRT04-FFIEC
Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT)-related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives. (Underlying Models for IT Security, NIST, SP800-33, p. 2.)
Availability - The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems. The scope of monitoring must include all infrastructure involved in banking services in the modern environment:
Network Infrastructure operational and change for routers, switches, firewalls and active protection devices
Network Communication
Network Intrusion Detection
Network Load Balancers and Global Load Balancers
Application Firewalls
Operating System Authentication and Change Audit for server and client operating systems
Network Authentication (local and virtual)
Database Server
Middleware
Application Server
Central Authentication and Authorization
Use of Distributed Authentication (web SSO, SAML, Kerberos)
Two Factor Authentication
DNS Request Logs
Honeypots
Null Routes and Sink Holes
Email communication logs
Integrity of Data or Systems - System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.
Host Intrusion Detection
Antimalware
Vulnerability Detection (Active and Passive)
IOC detection (scan and result)
Entitlement and Access Management
Infrastructure Management activity and change
Confidentiality of Data or Systems - Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.
Entitlement and Access Management
Data Loss Prevention
Accountability - Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports nonrepudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records. Logs must be centralized in a secure and reliable manner, including such features as log integrity checking, real time collection, and long term storage.
Assurance - Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.
Operating System Hardening System Compliance Scan and Result
Application System Hardening System Compliance Scan and Result
Automated Application Penetration Testing Scan and Result
Vulnerability Scan and Result
PRT02-SecurityVisibility
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.
PRT02-IdentifyPatientZero
PRT02-SecurityVisibilityEndpointMalware
PRT02-SecurityVisibilityExfiltration
PRT02-SecurityVisibilityLateralMovement
PRT02-SecurityVisibilityPhishingAttack
PRT02-SecurityVisibilityPriviledgeUserMonitoring
PRT02-SecurityVisibilityUserActivity
PRT02-SecurityVisibilityZeroDayAttacks
PRT02-SecurityVisiblityWebbait
Supporting Use Cases
Essentials
Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibility".
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts. For the past ... Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number of unique events when scanning a host since each vulnerability check tends to trigger a unique ... Aug 14, 2016
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibility".
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
PRT02-IdentifyPatientZero
In response to incursions, identification of patient zero is a critical step. Information gathered in this identification activity can inform the organization as to the methods of the attackers and assist in the preparation of improved defenses.
Supporting Data Types: DS002DNS, DS003Authentication, DS004EndPointAntiMalware, DS005WebProxyRequest, DS006UserActivity, DS008HRMasterData, DS009EndPointIntel, DS010NetworkCommunication, DS011MalwareDetonation-ET01Detection, DS017PhysicalSecurity-ET01Access
Supporting Use Cases
Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityPriviledge".
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityPriviledge".
PRT02-SecurityVisibilityEndpointMalware
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.
Supporting Data Sources: DS002DNS, DS004EndPointAntiMalware, DS005WebProxyRequest, DS009EndPointIntel, DS010NetworkCommunication
Supporting Use Cases
Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityEndpoint".
Maturing
Found 8 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityEndpoint".
UCESS028 High Process Count (Narrative and Use Case Center) Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare ... Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016
UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center) Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look across the time range of less than 90 days ago and greater ... Aug 14, 2016
UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016
UCESS046 Prohibited Process Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes that isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw event ... Aug 14, 2016
UCESS047 Prohibited Service Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro service and return services where isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw ... Aug 14, 2016
PRT02-SecurityVisibilityExfiltration
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.
Supporting Data Sources: DS001MAIL, DS003Authentication, DS004EndPointAntiMalware, DS005WebProxyRequest, DS006UserActivity, DS007AuditTrail, DS008HRMasterData, DS009EndPointIntel, DS010NetworkCommunication, DS014WebServer-ET01Access
Supporting Use Cases
Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityExfiltration".
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityExfiltration".
PRT02-SecurityVisibilityLateralMovement
Indication of movement within an organization's network following the compromise of an initial endpoint.
Supporting Data Types: DS003Authentication, DS006UserActivity, DS009EndPointIntel, DS010NetworkCommunication, DS012NetworkIntrusionDetection-ET01SigDetection
Supporting Use Cases
Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityLateralMovement".
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityLateralMovement".
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
PRT02-SecurityVisibilityPhishingAttack
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.
Supporting Data Sources: DS001MAIL, DS004EndPointAntiMalware, DS005WebProxyRequest, DS009EndPointIntel, DS010NetworkCommunication
Supporting Use Cases
Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityExfiltration".
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityExfiltration".
PRT02-SecurityVisibilityPriviledgeUserMonitoring
Users with privileged access to systems or information critical to the business should be monitored with greater scrutiny than users not similarly entrusted.
Supporting Data Types: DS003Authentication, DS006UserActivity, DS008HRMasterData, DS009EndPointIntel, DS017PhysicalSecurity-ET01Access
Supporting Use Cases
Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityPriviledge".
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityPriviledge".
PRT02-SecurityVisibilityUserActivity
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.
Supporting Use Cases
Essentials
Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityUserActivity".
UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases ... Apr 08, 2016
UC0043 Direct Authentication to NHA (Narrative and Use Case Center) Direct authentication via SSH or console session to a non human account indicates a violation of security policy by recording the password of a non human account for later use or by association of a SSH key to a non human account. Problem Types Addressed Risk ... Apr 11, 2016
Maturing
Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityUserActivity".
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center) Detection of logon with the same account to a production and a non production environment. If an account (not a user) has logged into more than one environment, access management controls have failed and must be remediated. Problem Types Addressed Risk Addressed Event Data ... Jun 24, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center) Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access ... Apr 11, 2016
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use Case Center) Increase the risk score of users who have indication of adverse separation. Examples of users with an indication of adverse separation include, but are not limited to, the following: User has entered a remediation program with human resources; User has been identified as included in a reduction ... Apr 08, 2016
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center) Detection of logon device by asset name (may require resolution from IP) when the logon user does not match the owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner ... May 16, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices, ensure the first "xforwardedfor" entry ... Jun 24, 2016
UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center) When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is attempting ... Jun 08, 2016
UC0045 Local authentication server (Narrative and Use Case Center) Following provisioning, *nix servers seldom require local administration. Investigate any use of local authentication, as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 11, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center) Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess ... Apr 25, 2016
PRT02-SecurityVisibilityZeroDayAttacks
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.
Supporting Data Sources: DS001MAIL, DS002DNS, DS003Authentication, DS004EndPointAntiMalware, DS005WebProxyRequest, DS009EndPointIntel, DS010NetworkCommunication, DS011MalwareDetonation-ET01Detection, DS012NetworkIntrusionDetection-ET01SigDetection, DS014WebServer-ET01Access
Supporting Use Cases
Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityZeroDayAttacks".
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityZeroDayAttacks".
PRT02-SecurityVisiblityWebbait
Similar to phishing attacks, but using baited web content such as compromised advertising systems and watering hole web sites.
Supporting Data Sources: DS004EndPointAntiMalware, DS005WebProxyRequest, DS009EndPointIntel, DS010NetworkCommunication, DS016DataLossPrevention-ET01Violation
Supporting Use Cases
Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibilityExfiltration".
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibilityExfiltration".
PRT03-PeerAdoption
Pressure to emulate similar peers, based on the objective of security via minimum accepted industry norms. This view will assist the user in determining which use cases should be considered during the adoption phase.
PRT03-PeerAdoption-Phase1-Essentials
PRT03-PeerAdoption-Phase2-Maturing
PRT03-PeerAdoption-Phase3-Mature
PRT03-PeerAdoption-Phase4-Edge

PRT03-PeerAdoption-Phase1-Essentials
Use case narratives adopted during the initial deployment phase of a security operations, monitoring, and response program.
Supporting Use Cases
Found 12 search result(s) for title:UC0* contentBody:"APC-Essentials".
UC0006 Windows security event log purged (Narrative and Use Case Center) Manually clearing the security event log on a windows system is a violation of policy and could indicate an attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear DE001AssetInformation Adoption ... Apr 08, 2016
UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases ... Apr 08, 2016
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center) A prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an insecure system on the network. Consider intra-network communication and accepted communications from the internet. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware ... Apr 08, 2016
UC0037 Network Intrusion External - New Signatures (Narrative and Use Case Center) External IDS devices reporting an attack using a signature not previously encountered are more likely to be successful, as new signatures are prompted by newly known attacks in the wild. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware OR is this something ... Apr 08, 2016
UC0046 Endpoint failure to sync time (Narrative and Use Case Center) Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016
UC0003 Server generating email outside of approved usage (Narrative and Use Case Center) Server operating systems often generate email for routine purposes. Configuration management can be used to identify which server may generate email and what recipients are permitted. Identify servers receiving email from the internet without approval Identify ... Apr 19, 2016
UC0043 Direct Authentication to NHA (Narrative and Use Case Center) Direct authentication via SSH or console session to a non human account indicates a violation of security policy by recording the password of a non human account for later use or by association of a SSH key to a non human account. Problem Types Addressed Risk ... Apr 11, 2016
UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center) Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DDE007 Signature Special Processing List ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center) Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0074 Network Intrusion Internal Network (Narrative and Use Case Center) IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... May 09, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0075 Network Malware Detection (Narrative and Use Case Center) Internal malware detection system such as fire eye devices reporting an attack. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS011MalwareDetonationET01Detection DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption ... Apr 25, 2016
UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center) When a new malware variant is detected by endpoint antivirus technology it is possible the configuration or capability of other controls is deficient. Review the sequence of events leading to the infection to determine if additional preventive measures can be put in place. Problem Types Addressed Risk ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
PRT03-PeerAdoption-Phase2-Maturing Use case narratives adopted during the second deployment phase of a security operations, monitoring, and response program.
Supporting Use Cases Found 57 search result(s) for title:UC0* contentBody:"APC-Maturing".
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center) each authentication technology in the network identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators Problem Types Addressed Risk Addressed Event ... Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center) Detection of logon with the same account to a production and a non production environment. If an account (not user) has logged into more than one, account access management controls have failed and must be remediated Problem Types Addressed Risk Addressed Event Data ... Jun 24, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center) Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access ... Apr 11, 2016
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use Case Center)
Increase the risk score of users who have indication of adverse separation. Examples of users with an indication of adverse separation, include but are not limited to the following: User has entered a remediation program with human resources User has been identified as included in a reduction ... Apr 08, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac). Problem Types Addressed Risk Addressed ... Apr 28, 2016
UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and Use Case Center)
Accounts designated for use by services and batch process should start a limited set of child processes. Creation of new child processes other than the process name defined in the service or batch definition may indicate compromise. Problem Types Addressed ... Apr 08, 2016
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center) Detection of logon device by asset name (may require resolution from IP) when logon user does not match the owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner ... May 16, 2016
UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center) Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last ... Jun 24, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when a rule is named in an allowed communication where the reviewed ... Apr 27, 2016
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use Case Center)
Communication to any web application server without filtering by a network web application firewall indicates a security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset Information ... Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016
UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center) Define and maintain eventtypes for unsuppressed notable events separately identifying review work flow, and triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption Phase ... Apr 27, 2016
UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center) When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is attempting ... Jun 08, 2016
UC0045 Local authentication server (Narrative and Use Case Center) Following provisioning, nix servers seldom require local administration. Investigate any use of local authentication as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 11, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center) Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than 5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high number port with the client such as ftp in passive mode and RPC on windows server. Utilize category ... Apr 08, 2016
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center) Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts are active on a subnet. Problem Types Addressed ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center) Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess ... Apr 25, 2016
UC0042 SSH Authentication using unknown key (Narrative and Use Case Center) public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be investigated to determine the owner of the key and validate authorization to access the resource. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ... Apr 11, 2016
UC0044 Network authentication using password auth (Narrative and Use Case Center) Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of network authentication utilizing password. Problem Types Addressed ... Apr 11, 2016
UC0032 Brute force authentication attempt (Narrative and Use Case Center) When more than 10 failed authentication attempts for known accounts occur from single endpoint Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET02Failure DE001AssetInformation DE002IdentityInformation Adoption Phase Customer ... Apr 08, 2016
UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center)
Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of the normal usage of such an account. Login where the interactive indicator is set Login where the caller computer is a workstation or terminal server Problem Types Addressed Risk ... Apr 08, 2016
UC0013 Monitor change for high value groups (Narrative and Use Case Center) Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS006UserActivityET04Update DE002IdentityInformation Identity category terminated Identity category reductioninforce ... Apr 08, 2016
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and Use Case Center)
Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center) Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a computer, excluding known cloud hosting domains, Alexa TOP 1 M domains and domains with long established communication with the organization. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016 Labels: prt05-tacticalthreat-ransomeware, creative
UC0001 Detection of new/prohibited web application (Narrative and Use Case Center) prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by modern web proxy solutions and next generation firewalls. Allowed prohibited applications or New application instances should be reviewed to ensure proper use. Problem Types ... Apr 08, 2016
UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted (Narrative and Use Case Center)
human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no further activity from any other account owned by the user. Problem Types Addressed Risk Addressed Event ... Apr 08, 2016
UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case Center)
user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could indicate malicious activity by the employee or a compromised account. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET01Success ... Apr 08, 2016
UC0038 Excessive use of Shared Secrets (Narrative and Use Case Center) Usage of greater than X number of unique shared/secret credentials or more than 1 standard deviation from peers Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ... Apr 11, 2016
UC0008 Activity on previously inactive account (Narrative and Use Case Center) Excluding computer accounts in active directory, an account with new activity that has not been active in the previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success DE002IdentityInformation Adoption ... Apr 08, 2016
UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center) Use of a secret/shared secret account for access to such a system rather than accountable credentials could indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ... Apr 11, 2016
UC0047 Communication with newly seen domain (Narrative and Use Case Center) Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially identify weaknesses or risky ... Jul 20, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0018 Unauthorized access SSO brute force (Narrative and Use Case Center) Single IP address attempting authentication of more than two valid users within ten minutes where one or more unique accounts is successful, and one or more accounts is not successful against an approved SSO System. Problem Types Addressed ... Apr 08, 2016
UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center) Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad. where the domain portion is not a company owned domain. Problem Types Addressed Risk Addressed Event ... Apr 25, 2016
UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0009 Authenticated communication from a risky source network (Narrative and Use Case Center) Internet facing authentication system has allowed authenticated access from a risky source network. Always Anonymizing services such as VPN providers, Proxy systems Threat list identification of IP B2B communications consider the following sources risky Dial ... Apr 08, 2016
UC0007 Account logon successful method outside of policy (Narrative and Use Case Center) logon event properties could indicate account misuse in violation of policy OR as an indication of compromise by comparing the identified purpose of the account to the context of the logon to determine if the account is authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a network or batch ... Jun 24, 2016 Labels: creative
UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center) Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an undetected loader malware component (apt). Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0005 System modification to insecure state (Narrative and Use Case Center) Authorized or unauthorized users may attempt to modify the system such that hardened configuration policies are removed or security monitoring tools are disabled. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess RV6Misconfiguration DS TBD ... Apr 08, 2016
UC0021 Communication outbound to regions without business relationship (Narrative and Use Case Center) Outbound communication with servers hosted in regions where the organization does not expect to have employees, customers, or suppliers. Exclude authorized DNS servers communicating on a standard DNS port Exclude destination DNS servers on the ICANN root list Exclude authorized ... Apr 08, 2016
UC0079 Use of accountable privileged identity to access new or rare sensitive resource (Narrative and Use Case Center)
Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger a notable event for review of access reason. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityPriviledgeUserMonitoring RV1AbuseofAccess ... Apr 08, 2016
UC0015 Privileged user accessing more than expected number of machines in period (Narrative and Use Case Center)
Privileged user authenticates to more than X number of new targets successfully or is denied access to more than Y targets in the prior Z hours. For example: More than 5 new targets More than 3 failures In the last ... Apr 08, 2016
UC0034 Brute force successful authentication (Narrative and Use Case Center) source IP identified by a brute force use case authenticates successfully OR an account identified by a brute force use case successfully logs in after failing once from the same source address. Problem Types Addressed Risk Addressed Event Data ... Apr 27, 2016
UC0071 Improbably short time between Remote Authentications with IP change (Narrative and Use Case Center) employers that allow remote external connectivity the detection of two or more distinct values of external source IP address for successful authentications to a remote access solution in a short period of time indicates a likely compromise of credentials. The short period of time value ... Apr 25, 2016
UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center) Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks ... Apr 08, 2016
UC0016 Successfully authenticated computer accounts accessing network resources (Narrative and Use Case Center)
Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A small number of technical solutions will require this type of behavior, however, after excluding a white list of hosts or shares (such as sysvol or netlogon), such access ... Apr 08, 2016
UC0011 Improbable distance between logins (Narrative and Use Case Center) Utilizing source IP address, geolocation data, and where available for company owned mobile devices, GPS for mobile devices. Using the Haversine algorithm, calculate the distance between the authenticated successful connections. Detect where: Total distance is greater than ... Apr 08, 2016
UC0035 Compromised account access testing (Narrative and Use Case Center) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases ... Apr 08, 2016
UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center) Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing ... Apr 11, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0076 Excessive DNS Failures (Narrative and Use Case Center) endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0049 Detection of DNS Tunnel (Narrative and Use Case Center) Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
PRT03-PeerAdoption-Phase3-Mature Use case narratives adopted during the third deployment phase of a security operations, monitoring, and response program.
Supporting Use Cases Found 10 search result(s) for title:UC* contentBody:"APC-Mature".
UCESS016 Default Account Activity Detected (Narrative and Use Case Center) Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ... Aug 14, 2016
UCESS028 High Process Count (Narrative and Use Case Center) Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare ... Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, Problem Types Addressed Risk Addressed ... Jul 12, 2016
UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center) Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ... Aug 14, 2016
UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016
UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center) Alerts on high volume web uploads by a user to noncorporate domains. For the past 60 minutes starting 5 minutes after realtime, sum the total number of bytes transferred where the HTTPmethod is POST or PUT and the domain is not in the corporate web domain lookup ... Aug 14, 2016
PRT03-PeerAdoption-Phase4-Edge Use case narratives adopted based on specific circumstances in the organization. Specific capabilities and complexities will dictate the appropriate time for adoption of these narratives.
Supporting Use Cases Found 10 search result(s) for title:UC* contentBody:"APC-Edge".
UC0065 Malware detected compliance asset (Narrative and Use Case Center) Malware detection on an asset designated as compliance such as PCI, CIP or HIPAA requires review even when automatic clean has occurred Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DDE001 ... Aug 29, 2016
UCESS013 Cleartext Password At Rest Detected (Narrative and Use Case Center) Detects cleartext passwords being stored at rest (such as in the Unix password file). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw Event Data, tag and count grouped by destination(host, IP, name), user ... Aug 14, 2016
UCESS041 Network Device Rebooted (Narrative and Use Case Center) past 1 hour, using all summary data even if the model has changed, provide a count of device restarts grouped by the device that reported the change dvc (host, IP, name) and time where the time span is 1 second. Problem ... Aug 14, 2016
UCESS044 Personally Identifiable Information Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, find integer sequences and lookup against luhnlikelookup and output fields pii and piiclean. Lookup iinissuer in the iinlookup table based on the piiclean string and length of the string. Output event id (macro that creates ... Aug 14, 2016
UCESS052 Substantial Increase In Port Activity (Narrative and Use Case Center) Alerts when a statistically significant increase in events on a given port is observed. For the past hour, using all summary data even if the model has changed, generate a count by destination port and compare that count against the previous hour and trigger if the destination ... Aug 14, 2016
UCESS002 Abnormally High Number of Endpoint Changes By User (Narrative and Use Case Center) Detects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits, filesystem, user, and registry modifications. For the past 24 hours starting on the hour, using all summary data even if the model has changed, generate a count ... Aug 14, 2016
UC0087 Malware signature not updated by SLA for compliance asset (Narrative and Use Case Center) Malware signature last updated on an asset designated as compliance such as PCI, CIP or HIPAA beyond SLA limits Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET02UpdatedSig DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation ... Apr 28, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0051 Excessive physical access failures to CIP assets (Narrative and Use Case Center) user with continuous physical access failures could be someone searching for a physical vulnerability within the organization. When this occurs in an area that is protecting CIP assets, it is something that should be followed up on immediately. Problem Types Addressed Risk Addressed Event Data ... Apr 27, 2016
Copyright © 2016, Splunk Inc.
UCESS003 Abnormally High Number of HTTP Method Events By Src (Narrative and Use Case Center) Alerts when a host has an abnormally high number of HTTP requests by http method. For the past 24 hours starting on the hour, using all summary data even if the model has changed, generate a count of the source of the network traffic and the HTTP ... Jul 22, 2016
UCESS010 Anomalous New Listening Port (Narrative and Use Case Center) Alerts when a series of hosts begin listening on a new port within 24 hours. This may be an indication that the devices have been compromised or have had new (and potentially vulnerable) software installed. Listening ports tracker contains destination IP and port ... Aug 14, 2016
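The UCESS044 entry above describes its PII detection as a pipeline: extract integer sequences, keep those that pass a Luhn check, emit pii and piiclean, then look up the issuer from the IIN prefix and length. The following is an added reference implementation of that logic in plain Python; it is not code from the page or from Splunk Enterprise Security. The sample events, the IIN_TABLE contents and the event_id() hash are constructed stand-ins for the luhnlikelookup, iinlookup and event id macro named in the entry.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample events (not from the page): free-text log lines in which
# a card-like digit sequence may appear, with or without space/hyphen grouping.
SAMPLE_EVENTS = [
    "2016-09-29T10:01:02 user=alice note='card 4111 1111 1111 1111 on file'",
    "2016-09-29T10:01:05 user=bob txid=1234567890123456 status=ok",
    "2016-09-29T10:01:09 user=carol phone=4155684200 ref=378282246310005",
]

# Constructed stand-in for the iinlookup table: (IIN prefix, PAN length) -> issuer label.
IIN_TABLE = {
    ("4", 16): "issuer-A (constructed)",
    ("34", 15): "issuer-B (constructed)",
    ("37", 15): "issuer-B (constructed)",
}

# 13-19 digits, optionally grouped by single spaces or hyphens, not embedded
# inside a longer digit run and not ending on a separator.
DIGIT_SEQ = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?<![ -])")


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check (the luhnlikelookup step)."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iin_issuer(piiclean: str) -> str:
    """Longest-prefix lookup of the issuer by IIN prefix and PAN length."""
    for width in range(len(piiclean), 0, -1):
        issuer = IIN_TABLE.get((piiclean[:width], len(piiclean)))
        if issuer:
            return issuer
    return "unknown"


def event_id(raw: str) -> str:
    """Stand-in for the event id macro: a stable hash of the raw event text."""
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def find_pii(raw: str) -> List[Dict[str, str]]:
    """One hit per Luhn-valid sequence, carrying pii, piiclean and iinissuer."""
    hits = []
    for m in DIGIT_SEQ.finditer(raw):
        pii = m.group(0)
        piiclean = re.sub(r"[ -]", "", pii)   # strip grouping separators
        if luhn_valid(piiclean):
            hits.append({"event_id": event_id(raw), "pii": pii,
                         "piiclean": piiclean, "iinissuer": iin_issuer(piiclean)})
    return hits


def scan_events(events: List[str]) -> List[Dict[str, str]]:
    """Run the detection over a batch of raw events (a 5 minute window in the UC)."""
    return [hit for raw in events for hit in find_pii(raw)]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

The Luhn filter is what keeps a plain 16-digit transaction id (the bob event) out of the results while a grouped card number and a 15-digit number both survive; the regex alone would flag all three.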
PRT04-ProcessEffectivness
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.
PRT04-ProcessEffectivness-HuntPaths
Supporting Use Cases
Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT04-ProcessEffectivness".
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT04-ProcessEffectivness".
UC0047 Communication with newly seen domain (Narrative and Use Case Center) Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially identify weaknesses or risky ... Jul 20, 2016 Labels: prt05-tacticalthreat-ransomeware
PRT04-ProcessEffectivness-HuntPaths
Utilizing searches and automated prompts, the analyst investigates selected low-fidelity events and applies an analytic process to identify potential security weaknesses or previously unknown threats.
PRT05-TacticalThreat
In the constantly evolving threat landscape, organizations often must set aside strategic plans and react to specific threats. Tactical threat motivations support the urgent onboarding of missing critical data sources.
PRT05-TacticalThreat-InsiderThreat
PRT05-TacticalThreat-Ransomeware
PRT05-TacticalThreat-SpearphishingCampaign
PRT05-TacticalThreat-InsiderThreat
Insiders, defined as employees, contractors, partners, or anyone else with AUTHORIZED internal access, often have the knowledge and access necessary to bypass security measures protecting critical systems through legitimate means. The nature of the insider threat differs from that of external threats and therefore requires a different strategy for prevention and response. The following use cases and data sources are helpful in detecting and mitigating potential insider threat activity.
Domain: Data Exfiltration
Supporting Use Case: UCESS031 Host Sending Excessive Email
Description: Detects where a host that is not categorized as an email server is sending an excessive amount of email. Tune or create a variant of this CS to search only for excessive email to non-corporate domains by user.
Enrichment: DDE001 Asset Information; DDE023 CIM Corporate Email Domains
Data Sources: DS001Mail-ET03Send
Status: Adoptable: ES Product UC

Domain: Data Exfiltration
Supporting Use Case: UC0090 High Volume of Email to Non-Corporate Email Address
Description: Notable event is triggered when a single internal user sends more than 20 emails to a single non-corporate email address over a 60 minute period. Extreme Search should be used to set a dynamic threshold when available.
Enrichment: DDE001 Asset Information; DDE002 Identity Information; DDE023 CIM Corporate Email Domains
Data Sources: DS001Mail-ET03Send
Status: Draft Narrative

Domain: Data Exfiltration
Supporting Use Case: UC0091 Excessive Unique File Object Access
Description: Detects when a user attempts to access an excessive number of unique file or directory objects.
Enrichment: DDE002 Identity Information
Data Sources: Windows Security Logs, Auditing: File/Directory Object Access (EventCodes 4656, 4663)
Status: Draft Narrative

Domain: Malicious Insider
Supporting Use Case: UCESS060 Vulnerability Scanner Detected (by events)
Description: Detects IDS/IPS signatures from a single source to a destination where the distinct signature count is greater than 25. Tune or create a variant of this CS to search only for internally sourced events.
Enrichment: DDE001 Asset Information
Data Sources: IDS/IPS
Status: Adoptable: ES Product UC

Domain: Malicious Insider
Supporting Use Case: UCESS061 Vulnerability Scanner Detected (by targets)
Description: Detects IDS/IPS signatures from a single source to 25 or more distinct destinations. Tune or create a variant of this CS to search only for internally sourced events.
Enrichment: DDE001 Asset Information
Data Sources: IDS/IPS
Status: Adoptable: ES Product UC

Domain: Unauthorized Access
Supporting Use Case: UCESS011 Brute Force Access Behavior Detected
Description: Excessive failed access attempts followed by successful authentication. Datamodel acceleration should be used for this UC whenever possible.
Enrichment: DDE001 Asset Information
Data Sources: Authentication
Status: Adoptable: ES Product UC

Domain: Unauthorized Access
Supporting Use Case: UCXXXX Excessive Logins Outside of Company Work Hours (by user)
Description: Detects successful login activity outside of normal work hours. Thresholds and work hours should be defined within the CS as per customer requirements.
Enrichment: DDE001 Asset Information; DDE002 Identity Information
Data Sources: Authentication
Status: In Development

Domain: Unauthorized Access
Supporting Use Case: UC0015 Privileged user accessing more than expected number of machines in period
Description: Privileged user authenticates to more than X number of new targets successfully or is denied access to more than Y targets in the prior Z hours. For example: more than 5 new targets, more than 3 failures, in the last 4 hours.
Enrichment: DDE001 Asset Information; DDE002 Identity Information
Data Sources: Authentication
Status: Adoptable Narrative Custom

Domain: Potential Threat (various categories)
Supporting Use Case: UCXXXX Excessive Watchlisted Website Activity by User
Description: Searches for users visiting an excessive number of watchlisted sites. Threshold and site categories should be defined as per customer requirements. Designed to highlight possible job seekers, employees prone to violence, radicalists, etc.
Enrichment: DDE002 Identity Information; Watchlisted Sites
Data Sources: Web
Status: In Development

Domain: Potential Threat (various categories)
Supporting Use Case: UCXXXX Insider Threat Detected - High Probability
Description: Takes into account all "insider threat content pack" rules. Flags on a single user triggering multiple events (threshold to be defined) within a predefined time period, as defined by the customer.
Enrichment: DDE002 Identity Information; Insider Threat "Content Pack"
Data Sources: Insider Threat Content Pack Correlation Rules
Status: In Development
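The UC0090 row of the table above states a concrete rule: a notable fires when one internal user sends more than 20 emails to a single non-corporate address within 60 minutes. The following is an added Python implementation of that sliding-window rule for readers who want to test the threshold against sample data; it is not code from the page or from Splunk Enterprise Security. The mail events are constructed in DS001Mail-ET03Send style with CIM-like src_user and recipient fields, and CORPORATE_DOMAINS is a constructed stand-in for the DDE023 CIM Corporate Email Domains lookup.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed stand-in for the DDE023 CIM Corporate Email Domains lookup.
CORPORATE_DOMAINS = {"example.com", "corp.example.com"}

THRESHOLD = 20                  # "more than 20 emails"
WINDOW = timedelta(minutes=60)  # "over a 60 minute period"


def make_sample_events() -> List[str]:
    """Constructed mail-send events: ISO timestamp plus key=value fields."""
    t0 = datetime(2016, 9, 29, 9, 0, 0)
    lines = []
    # alice: 21 messages to one external address within 21 minutes -> notable
    for i in range(21):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} action=sent "
                     f"src_user=alice@example.com recipient=partner@external.org")
    # bob: 21 messages to one external address, one every 10 minutes -> at most
    # 7 inside any 60 minute window, so no notable
    for i in range(21):
        lines.append(f"{(t0 + timedelta(minutes=10 * i)).isoformat()} action=sent "
                     f"src_user=bob@example.com recipient=friend@external.org")
    # carol: 25 messages, but to a corporate address -> out of scope for UC0090
    for i in range(25):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} action=sent "
                     f"src_user=carol@example.com recipient=team@corp.example.com")
    return lines


def parse_event(line: str) -> Tuple[datetime, str, str]:
    """Split a constructed event into (timestamp, sender, recipient)."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return datetime.fromisoformat(ts), fields["src_user"].lower(), fields["recipient"].lower()


def is_corporate(address: str) -> bool:
    return address.rsplit("@", 1)[-1] in CORPORATE_DOMAINS


def detect_excessive_external_email(lines: List[str], threshold: int = THRESHOLD,
                                    window: timedelta = WINDOW) -> List[Dict]:
    """Sliding-window count per (internal sender, external recipient) pair;
    emit one notable for the pair the first time the count exceeds the threshold."""
    events = sorted(parse_event(line) for line in lines)
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    notables, alerted = [], set()
    for ts, sender, rcpt in events:
        if not is_corporate(sender) or is_corporate(rcpt):
            continue                      # only internal user -> non-corporate address
        key = (sender, rcpt)
        q = windows[key]
        q.append(ts)
        while ts - q[0] > window:         # drop messages older than the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            notables.append({"user": sender, "recipient": rcpt, "count": len(q),
                             "window_start": q[0].isoformat(),
                             "window_end": ts.isoformat()})
    return notables


if __name__ == "__main__":
    for notable in detect_excessive_external_email(make_sample_events()):
        print(notable)
```

The threshold and window are parameters so the same function can be driven by a dynamic value, which is where the row's note about Extreme Search fits: lowering threshold to 6 makes bob's steady 10-minute cadence fire as well, which shows why a static 20 is only a starting point.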
PRT05-TacticalThreat-Ransomeware
Ransomware includes multiple broad categories, including denial of service by encryption and extortion by data exfiltration. The following collection of data sources and use cases highlights strategies found useful in mitigating this threat.
DS001MAIL
Found 1 search result(s) for contentBody:DS001* title:UC* PRT05-TacticalThreat-Ransomeware.
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
DS002DNS
Found 5 search result(s) for contentBody:DS002* title:UC* PRT05-TacticalThreat-Ransomeware.
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center) Using an algorithm, determine whether the text of the registered domain is likely to be computer-generated, excluding known cloud hosting domains, Alexa TOP 1M domains and domains with long established communication with the organization. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016 Labels: prt05-tacticalthreat-ransomeware, creative
UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0076 Excessive DNS Failures (Narrative and Use Case Center) An endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or a high number of unique DNS queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0049 Detection of DNS Tunnel (Narrative and Use Case Center) Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
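UC0089 in the DS002DNS list above describes the shape of a DGA detection: reduce each queried name to its registered domain, drop names on the cloud-hosting, Alexa TOP 1M and long-established lists, and score what remains for machine-generated text. The following is an added example of that flow in Python, not code from the page or from Splunk; the exclusion sets, the public-suffix subset, the DNS events and the entropy/vowel/digit heuristic in looks_generated() are all constructed for illustration, and a production deployment would source the lists from the real lookups and tune the thresholds against its own traffic.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed stand-ins for the three exclusion lists named in UC0089.
CLOUD_HOSTING_DOMAINS = {"cloudfront.net", "amazonaws.com"}
ALEXA_TOP_DOMAINS = {"google.com", "wikipedia.org"}
ESTABLISHED_DOMAINS = {"partner-supplier.com"}   # long-standing communication partners
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}  # constructed subset of the public suffix list

# Constructed DS002DNS style events: source IP and the queried name.
SAMPLE_QUERIES = [
    "src_ip=10.1.2.3 query=cdn123.cloudfront.net",
    "src_ip=10.1.2.3 query=www.google.com",
    "src_ip=10.1.2.4 query=xk3jf9qpwz2m.com",
    "src_ip=10.1.2.5 query=api.securitykit.net",
    "src_ip=10.1.2.5 query=mail.partner-supplier.com",
    "src_ip=10.1.2.6 query=d9fj2k1l0z3q.co.uk",
]


def registered_domain(fqdn: str) -> str:
    """Reduce a FQDN to its registrable domain using the (constructed) suffix list,
    trying the longest candidate suffix first."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label: str) -> bool:
    """Constructed heuristic: long labels that are high-entropy with few vowels,
    or digit-heavy, are treated as algorithmically generated."""
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    entropy = shannon_entropy(label)
    return (entropy >= 3.0 and vowel_ratio <= 0.25) or digit_ratio >= 0.3


def classify(fqdn: str) -> Tuple[str, str]:
    """Return (registered_domain, verdict); the exclusion lists are applied first."""
    reg = registered_domain(fqdn)
    if reg in CLOUD_HOSTING_DOMAINS:
        return reg, "excluded:cloud-hosting"
    if reg in ALEXA_TOP_DOMAINS:
        return reg, "excluded:alexa-top"
    if reg in ESTABLISHED_DOMAINS:
        return reg, "excluded:established"
    label = reg.split(".")[0]          # the part the registrant chose
    return reg, "generated" if looks_generated(label) else "benign"


def evaluate_queries(events: List[str]) -> List[Dict[str, str]]:
    """Flag DNS events whose registered domain looks algorithmically generated."""
    flagged = []
    for line in events:
        fields = dict(tok.split("=", 1) for tok in line.split())
        reg, verdict = classify(fields["query"])
        if verdict == "generated":
            flagged.append({"src_ip": fields["src_ip"], "query": fields["query"],
                            "registered_domain": reg})
    return flagged


if __name__ == "__main__":
    for hit in evaluate_queries(SAMPLE_QUERIES):
        print(hit)
```

Applying the exclusions before scoring matters for both cost and precision: the bulk of DNS volume goes to the top sites and to CDN names that are themselves high-entropy labels, and scoring them would generate most of the false positives.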
DS004EndPointAntiMalware
Found 8 search result(s) for contentBody:DS004* title:UC* PRT05-TacticalThreat-Ransomeware.
UC0087 Malware signature not updated by SLA for compliance asset (Narrative and Use Case Center) Malware signature last updated on an asset designated as a compliance asset (such as PCI, CIP or HIPAA) beyond SLA limits. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET02UpdatedSig DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation ... Apr 28, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center) Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than 5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center) Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts are active on a subnet. Problem Types Addressed ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and Use Case Center) Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center) Endpoint with a malware detection where the anti-malware product attempted to and was unable to clean, remove or quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DDE007 Signature Special Processing List ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center) Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an undetected loader malware component (APT). Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center) When a new malware variant is detected by endpoint antivirus technology, it is possible the configuration or capability of other controls is deficient. Review the sequence of events leading to the infection to determine if additional preventive measures can be put in place. Problem Types Addressed Risk ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center) Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing ... Apr 11, 2016 Labels: prt05-tacticalthreat-ransomeware
DS005WebProxyRequest
Found 3 search result(s) for contentBody:DS005* title:UC* PRT05-TacticalThreat-Ransomeware.
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0047 Communication with newly seen domain (Narrative and Use Case Center) Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially identify weaknesses or risky ... Jul 20, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
DS010NetworkCommunication
Found 2 search result(s) for contentBody:DS010* title:UC* PRT05-TacticalThreat-Ransomeware.
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center) Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
DS012NetworkIntrusionDetection-ET01SigDetection
Found 1 search result(s) for contentBody:DS012* title:UC* PRT05-TacticalThreat-Ransomeware.
UC0074 Network Intrusion Internal Network (Narrative and Use Case Center) IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... May 09, 2016 Labels: prt05-tacticalthreat-ransomeware
PRT05-TacticalThreat-SpearphishingCampaign
PRT06-SecureConfigurationMgmt
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.
PRT06-SecureConfigurationMgmtUpdateManagement
PRT06-SecureConfigurationMgmtVulnerability
Supporting Use Cases
Essentials
Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibility".
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts. For the past ... Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number of unique events when scanning a host since each vulnerability check tends to trigger a unique ... Aug 14, 2016
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibility".
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
PRT06-SecureConfigurationMgmtUpdateManagement
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.
Supporting Data Sources DS019PatchManagement
Supporting Use Cases Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".
PRT06-SecureConfigurationMgmtVulnerability
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud.
Supporting Data Sources DS018VulnerabilityDetection
Supporting Use Cases Essentials
Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT06-SecureConfigurationMgmtVulnerability".
PRT07-SpecialRequests
A set of curated use case collections based on specific field requests.
PRT07-SpecialRequests-Creative
Supporting Use Cases
Essentials
Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"PRT02-SecurityVisibility".
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts. For the past ... Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number of unique events when scanning a host since each vulnerability check tends to trigger a unique ... Aug 14, 2016
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT02-SecurityVisibility".
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
PRT07-SpecialRequests-Creative
A set of curated use case collections based on specific field requests.
Supporting Use Cases
Found 3 search result(s) for title:UC0* labelText:creative.
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequences occurs: new domain in HTTP referrer field; first occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
UC0007 Account logon successful method outside of policy (Narrative and Use Case Center) Logon event properties could indicate account misuse in violation of policy OR an indication of compromise; compare the identified purpose of the account to the context of the logon to determine if the account is authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a network or batch ... Jun 24, 2016 Labels: creative
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center) Using an algorithm, determine whether the text of the registered domain is likely to be computer-generated, excluding known cloud hosting domains, Alexa TOP 1M domains and domains with long established communication with the organization. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016 Labels: prt05-tacticalthreat-ransomeware, creative
PRT08-ProductAdoption
Use cases provided by the Splunk Enterprise Security Application are mapped to the Adoption Phase and grouped by Supporting Data Source to assist the customer and consultant in selecting use cases for implementation based on the likely readiness of the customer.
PRT08-ProductAdoption-ES
PRT08-ProductAdoption-ES-Essentials
PRT08-ProductAdoption-ES-Mature
PRT08-ProductAdoption-ES-Maturing
PRT08-ProductAdoption-ES
PRT08-ProductAdoption-ES-Essentials
DS010NetworkCommunication
Network communication data is often the last chance available to identify the movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the DMZ, Public internet, segmenting private network from the public internet and segmenting the private network from third party network peers that are not part of the public internet should be included.
Found 2 search result(s) for title:UCESS* contentBody:"DS010NetworkCommunication*" contentBody:"APC-Essential".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center) Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data even ... Apr 26, 2016
DS004EndPointAntiMalware
Endpoint anti-malware logs such as McAfee Antivirus, Symantec Endpoint Protection, or Microsoft Forefront, collected from the central reporting database. Events including detections, definition updates and scheduled scan executions should be indexed.
Found 8 search result(s) for title:UCESS* contentBody:"DS004EndPointAntiMalware*" contentBody:"APC-Essential".
UCESS035 Host With Multiple Infections (Narrative and Use Case Center) Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the count is greater ... Aug 14, 2016
UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center) Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data even if the model has changed, return an estimated distinct count of destination (host, IP, name) where nodename is MalwareAttacks ... Aug 14, 2016
UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center) Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5 minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen time, original raw log, destination ... Aug 14, 2016
UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center) Detects users with a high or critical priority logging into a malware infected machine. Using all summary data even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user priority ... Aug 14, 2016
UCESS043 Outbreak Detected (Narrative and Use Case Center) Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infection. For the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the system that was affected by the malware ... Apr 26, 2016
UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center) Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should be evaluated to determine why they are not updating their malware signatures. Execute the malware operations tracker macro and calculate the timesignatureversion and return results that the day difference between ... Apr 26, 2016
UCESS036 Host With Old Infection Or Potential Re-Infection (Narrative and Use Case Center) Alerts when a host with an old infection is discovered (likely a reinfection). For the past 60 minutes starting 5 minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup against the malwaretracker and match on destination and signature. If a match ... Apr 26, 2016
UCESS032 Host With A Recurring Malware Infection (Narrative and Use Case Center) Alerts when a host has an infection that has been removed and reinfected multiple times over multiple days. For the past 10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model ... Apr 26, 2016
DS005WebProxyRequest
Web client requests from internal endpoints processed by a proxy server. The scope should include all endpoints, including end-user devices and servers; guest wifi should not be included unless the guest network is able to access the organization's internal trusted zone.
Found 0 search result(s) for title:UCESS* contentBody:"DS005WebClientRequest*" contentBody:"APC-Essential".
DS002DNS
Domain name resolution logs covering all internal clients querying for hosts outside of the organization's network should contain, in a single event, the source IP, query and response. The scope should be confirmed using the firewall communication logs where destination port is 23.
Found 1 search result(s) for title:UCESS* contentBody:"DS002DNS*" contentBody:"APC-Essential".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
DS003Authentication
Authentication logs covering all central authentication systems such as Active Directory, ADFS, CyberArk, WebSEAL, and SiteMinder, as well as all local authentication logs from host operating systems identified as compliance targeted or priority High/Critical.
Found 4 search result(s) for title:UCESS* contentBody:"DS003Authentication*" contentBody:"APC-Essential".
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago, search for application ... Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center) Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures ... Aug 14, 2016
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS005 Activity from Expired User Identity (Narrative and Use Case Center) Alerts when an event is discovered from a user associated with an identity that is now expired (that is, the end date of the identity has passed). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw Event Data, user ... Aug 14, 2016
DS001MAIL
Email logs covering all inbound and outbound mail systems, permitting identification of the internal authenticated user (or host, where authentication is not used) that caused an email to be sent or that received a specific email. The scope should be confirmed by using firewall communication logs where destination port is 25.
Found 2 search result(s) for title:UCESS* contentBody:"DS001MAIL*" contentBody:"APC-Essential".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS031 Host Sending Excessive Email (Narrative and Use Case Center) Alerts when a host not designated as an email server sends excessive email to one or more target hosts. For the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate ... May 02, 2016
DS007AuditTrail
Audit trail information from internal endpoints providing logs supporting use cases in this adoption phase should be included in the initial scope.
Found 1 search result(s) for title:UCESS* contentBody:"DS007AuditTrail*" contentBody:"APC-Essential".
UCESS022 Expected Host Not Reporting (Narrative and Use Case Center) ... Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV6Misconfiguration DS007AuditTrail DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase Industry ... Aug 14, 2016
DS012NetworkIntrusionDetection-ET01SigDetection
Network intrusion detection logs often must be indexed for compliance purposes. All IDS/IPS sensors should be included except those that monitor unfiltered inbound public internet traffic; "unfiltered" means the sensor sits outside the border firewall and may detect attacks that the firewall would block anyway based on destination port.
Found 2 search result(s) for title:UCESS* contentBody:"DS012NetworkIntrusionDetection*" contentBody:"APC-Essential". UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts. For the past ... Aug 14, 2016
Copyright © 2016, Splunk Inc.
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number of unique events when scanning a host, since each vulnerability check tends to trigger a unique ... Aug 14, 2016
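As an added illustration of the two scanner heuristics summarized in UCESS061 and UCESS060 (this is example code written for this page, not the Splunk ES correlation searches themselves, and Python rather than SPL), the following runs both checks over a constructed batch of IDS alerts: a source is a suspected scanner "by targets" when it triggers events against many distinct destinations, and "by events" when it triggers many distinct signatures against a host. The thresholds, the pipe-delimited log format, the field names and the allow-list of authorized scanner assets are assumptions of the example.

```python
from collections import defaultdict

# Constructed IDS alert lines for the example (not from the page): time|src|dest|signature
IDS_LOG = "\n".join(
    # one source sweeping 40 hosts with the same signature -> scanner "by targets"
    [f"2016-09-29T10:{i:02d}:00Z|10.1.1.50|10.2.0.{i}|ET SCAN Nmap SYN sweep" for i in range(1, 41)]
    # one source firing 30 distinct signatures at a single host -> scanner "by events"
    + [f"2016-09-29T11:00:{i:02d}Z|10.1.1.60|10.2.0.7|ET WEB_SERVER check {i}" for i in range(1, 31)]
    # background noise that should not alert
    + ["2016-09-29T11:05:00Z|10.1.1.70|10.2.0.8|ET POLICY outdated browser",
       "2016-09-29T11:06:00Z|10.1.1.70|10.2.0.9|ET POLICY outdated browser"]
)

# Assets known to be authorized vulnerability scanners (assumed enrichment, e.g. from the asset list).
AUTHORIZED_SCANNERS = {"10.1.1.99"}


def parse_ids(text):
    """Split pipe-delimited alert lines into dicts with CIM-like field names."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, sig = line.split("|", 3)
        events.append({"_time": ts, "src": src, "dest": dest, "signature": sig})
    return events


def detect_scanners(events, target_threshold=25, event_threshold=25, allow=AUTHORIZED_SCANNERS):
    """Return {src: {"targets": n, "signatures": n, "reasons": [...]}} for suspected scanners.

    Both distinct counts are kept per source so the analyst sees which heuristic fired.
    Sources on the authorized-scanner allow-list are suppressed rather than alerted on.
    """
    dests, sigs = defaultdict(set), defaultdict(set)
    for e in events:
        dests[e["src"]].add(e["dest"])
        sigs[e["src"]].add(e["signature"])
    findings = {}
    for src in dests:
        if src in allow:
            continue
        reasons = []
        if len(dests[src]) >= target_threshold:
            reasons.append("by_targets")   # UCESS061: many unique destinations
        if len(sigs[src]) >= event_threshold:
            reasons.append("by_events")    # UCESS060: many unique signatures
        if reasons:
            findings[src] = {"targets": len(dests[src]), "signatures": len(sigs[src]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, finding in detect_scanners(parse_ids(IDS_LOG)).items():
        print(src, finding)
```

Running the block prints the two constructed scanners with the heuristic that caught each; the allow-list is the place to suppress the organization's own authorized scanners so that the two use cases do not fire on every scheduled scan.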
DS014WebServer-ET01Access
Web server logs from all web servers serving authenticated organization users from the public internet; these should contain the authenticated user account, the (actual) client source IP, the reverse proxy IP, site, URL and port.
Found 0 search result(s) for title:UCESS* contentBody:"DS014WebServer*" contentBody:"APC-Essential".
DS006UserActivity
User activity related to the creation, modification or deletion of users, groups, access controls and policies should be indexed for all systems in scope for logging and monitoring within this phase.
Found 1 search result(s) for title:UCESS* contentBody:"DS006UserActivity*" contentBody:"APC-Essential". UCESS045 Potential Gap in Data (Narrative and Use Case Center) Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context ... Aug 16, 2016
PRT08-ProductAdoption-ES-Maturing
DS010NetworkCommunication
Network communication data is often the last chance available to identify the movement of an attacker within, into or out of the organization's network. All firewalls protecting systems in the DMZ or facing the public internet, firewalls segmenting the private network from the public internet, and firewalls segmenting the private network from third-party network peers that are not part of the public internet should be included.
Found 3 search result(s) for title:UCESS* contentBody:"DS010NetworkCommunication*" contentBody:"APC-Maturing". UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016
DS004EndPointAntiMalware
Endpoint anti-malware logs, such as McAfee Antivirus, Symantec Endpoint Protection or Microsoft Forefront, collected from the central reporting database. Events including detections, definition updates and scheduled scan executions should be indexed.
Found 0 search result(s) for title:UCESS* contentBody:"DS004EndPointAntiMalware*" contentBody:"APC-Maturing".
DS005WebProxyRequest
Web client requests from internal endpoints processed by a proxy server. The scope should include all endpoints, both end-user devices and servers; guest wifi should not be included unless the guest network is able to reach the organization's internal trusted zone.
Found 0 search result(s) for title:UCESS* contentBody:"DS005WebClientRequest*" contentBody:"APC-Maturing".
DS002DNS
Domain name resolution logs covering all internal clients querying for hosts outside the organization's network should contain, in a single event, the source IP, the query and the response. The scope should be confirmed using the firewall communication logs where the destination port is 53 (DNS).
Found 2 search result(s) for title:UCESS* contentBody:"DS002DNS*" contentBody:"APC-Maturing". UCESS019 Excessive DNS Queries (Narrative and Use Case Center) Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ... Aug 14, 2016
UCESS018 Excessive DNS Failures (Narrative and Use Case Center) Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where ... Aug 14, 2016
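Both the DS001MAIL and DS002DNS scoping notes say to confirm coverage against firewall communication logs on the service's destination port (25 for SMTP, 53 for DNS). The check below is an added example in Python, not part of this document or of Splunk ES: it parses a constructed key=value firewall log, tallies the servers that actually receive allowed traffic on the given port, and reports any whose own application logs are not yet being indexed, flagging destinations outside private address space (clients talking directly to external resolvers or relays, which no internal server log will ever show). The log format, field names and the lists of already-indexed hosts are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall log for the example (not from the page): timestamp then key=value pairs.
FW_LOG = """\
2016-09-29T10:00:01Z action=allow src=10.10.5.21 dest=10.20.0.5 dest_port=53 transport=udp
2016-09-29T10:00:02Z action=allow src=10.10.5.22 dest=10.20.0.6 dest_port=53 transport=udp
2016-09-29T10:00:03Z action=allow src=10.10.5.23 dest=8.8.8.8 dest_port=53 transport=udp
2016-09-29T10:00:04Z action=allow src=10.10.7.9 dest=10.30.0.25 dest_port=25 transport=tcp
2016-09-29T10:00:05Z action=allow src=10.10.7.9 dest=10.30.0.26 dest_port=25 transport=tcp
2016-09-29T10:00:06Z action=allow src=10.10.5.21 dest=10.20.0.5 dest_port=53 transport=udp
2016-09-29T10:00:07Z action=blocked src=10.10.5.40 dest=10.20.0.9 dest_port=53 transport=udp
2016-09-29T10:00:08Z action=allow src=10.10.5.30 dest=203.0.113.10 dest_port=443 transport=tcp
"""

# Servers whose DNS / mail application logs are already indexed (assumed inventory for the example).
INDEXED_HOSTS = {
    "DS002DNS": {"10.20.0.5"},
    "DS001MAIL": {"10.30.0.25"},
}

KV = re.compile(r"(\w+)=(\S+)")


def parse_fw(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts; dest_port becomes an int."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = dict(KV.findall(rest))
        ev["_time"] = ts
        ev["dest_port"] = int(ev["dest_port"])
        events.append(ev)
    return events


def scope_gaps(events, port, indexed_hosts):
    """Servers that receive allowed traffic on `port` but whose own logs are not indexed.

    Returns {dest: {"flows": n, "external": bool}}. Blocked flows are ignored because the
    destination never received the traffic, so it cannot have logged it either.
    """
    flows = Counter(e["dest"] for e in events
                    if e["action"] == "allow" and e["dest_port"] == port)
    return {
        dest: {"flows": n, "external": not ipaddress.ip_address(dest).is_private}
        for dest, n in flows.items()
        if dest not in indexed_hosts
    }


FW_EVENTS = parse_fw(FW_LOG)

if __name__ == "__main__":
    for ds, port in (("DS002DNS", 53), ("DS001MAIL", 25)):
        print(ds, scope_gaps(FW_EVENTS, port, INDEXED_HOSTS[ds]))
```

An internal destination in the result is a server whose logs should be onboarded before the data source is considered complete; an external destination is a policy finding in its own right (an internal client bypassing the organization's resolvers or mail relays), since the DNS use cases above assume queries pass through a logged resolver.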
DS003Authentication
Authentication logs covering all central authentication systems such as Active Directory, ADFS, CyberArk, WebSEAL and SiteMinder, as well as all local authentication logs from host operating systems identified as compliance-targeted or with priority High/Critical.
Found 7 search result(s) for title:UCESS* contentBody:"DS003Authentication*" contentBody:"APC-Maturing". UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016
UCESS020 Excessive Failed Logins (Narrative and Use Case Center) Detects an excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting 5 minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user ... Aug 14, 2016
UCESS016 Default Account Activity Detected (Narrative and Use Case Center) Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ... Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UCESS014 Completely Inactive Account (Narrative and Use Case Center) Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by attackers to gain unauthorized access. Access tracker contains destination (host, IP, name), first and last time seen, 2nd to last time seen and user ... Aug 14, 2016
UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center) Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look across the time range of less than 90 days ago and greater ... Aug 14, 2016
UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the application, user ... Aug 14, 2016
DS001MAIL
Email logs covering all inbound and outbound mail systems, permitting identification of the internal authenticated user (or, where authentication is not used, the host) that caused an email to be sent or that received a specific email. The scope should be confirmed using firewall communication logs where the destination port is 25 (SMTP).
Found 0 search result(s) for title:UCESS* contentBody:"DS001MAIL*" contentBody:"APC-Maturing".
DS007AuditTrail
Audit trail information from internal endpoints providing logs supporting use cases in this adoption phase should be included in the initial scope.
Found 2 search result(s) for title:UCESS* contentBody:"DS007AuditTrail*" contentBody:"APC-Maturing". UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016
UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center) Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by some regulatory compliance standards (such as PCI). For the past 30 days ... Aug 14, 2016
DS012NetworkIntrusionDetection-ET01SigDetection
Network intrusion detection logs often must be indexed for compliance purposes. All IDS/IPS sensors should be included except those that monitor unfiltered inbound public internet traffic; "unfiltered" means the sensor sits outside the border firewall and may detect attacks that the firewall would block anyway based on destination port.
Found 0 search result(s) for title:UCESS* contentBody:"DS012NetworkIntrusionDetection*" contentBody:"APC-Maturing".
DS014WebServer-ET01Access
Web server logs from all web servers serving authenticated organization users from the public internet; these should contain the authenticated user account, the (actual) client source IP, the reverse proxy IP, site, URL and port.
Found 1 search result(s) for title:UCESS* contentBody:"DS014WebServer*" contentBody:"APC-Maturing". UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
DS006UserActivity
User activity related to the creation, modification or deletion of users, groups, access controls and policies should be indexed for all systems in scope for logging and monitoring within this phase.
Found 4 search result(s) for title:UCESS* contentBody:"DS006UserActivity*" contentBody:"APC-Maturing". UCESS049 Short-lived Account Detected (Narrative and Use Case Center) past 4 hours, find all events that action is equal to created or deleted. Look at the time range across user and destination and use only two events and only return events where the count is greater than 1 and the time range ... Aug 14, 2016
UCESS004 Account Deleted (Narrative and Use Case Center) Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the value delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the count is greater than 0: Last ... Aug 14, 2016
UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)
Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values where firstTime is greater than or equal to earliestQual ... Aug 14, 2016
UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016
DS013TicketManagement-ET01
Notable event ticket data is indexed with no administrator action required.
Found 2 search result(s) for title:UCESS* contentBody:"DS013TicketManagement*" contentBody:"APC-Maturing". UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016
UCESS051 Substantial Increase In Events (Narrative and Use Case Center) Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model has changed, generate a count by signature and compare that count against the previous hour and trigger if the signature is above medium ... Aug 14, 2016
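UCESS049 Short-lived Account Detected, listed above under DS006UserActivity, pairs account creation and deletion events per user and destination and alerts when the two fall within a short window. To make that pairing concrete, here is an added Python example (written for this page, not the ES correlation search the entry summarizes): within the lookback window, each creation is matched to the next deletion for the same user on the same destination, and the pair is reported with its lifetime when that lifetime is under the threshold. The constructed events, the CIM-style field names and the 4-hour default are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account-management events for the example (not from the page), CIM-like fields.
CHANGE_EVENTS = [
    {"_time": "2016-09-29T08:00:00Z", "action": "created",  "user": "svc_long", "dest": "dc01", "src_user": "admin1"},
    {"_time": "2016-09-29T09:00:00Z", "action": "created",  "user": "jdoe",     "dest": "dc01", "src_user": "hr_prov"},
    {"_time": "2016-09-29T10:00:00Z", "action": "created",  "user": "svc_tmp",  "dest": "dc01", "src_user": "admin2"},
    {"_time": "2016-09-29T10:12:00Z", "action": "deleted",  "user": "svc_tmp",  "dest": "dc01", "src_user": "admin2"},
    {"_time": "2016-09-29T11:00:00Z", "action": "deleted",  "user": "old_acct", "dest": "fs01", "src_user": "admin1"},
    {"_time": "2016-09-29T11:30:00Z", "action": "modified", "user": "jdoe",     "dest": "dc01", "src_user": "hr_prov"},
    {"_time": "2016-09-29T13:30:00Z", "action": "deleted",  "user": "svc_long", "dest": "dc01", "src_user": "admin1"},
    # same username created on a different host: must not be paired with the dc01 events
    {"_time": "2016-09-29T10:05:00Z", "action": "created",  "user": "svc_tmp",  "dest": "fs01", "src_user": "admin3"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def short_lived_accounts(events, max_lifetime_hours=4):
    """Return one finding per (user, dest) whose creation is followed by deletion within the limit.

    Only 'created' and 'deleted' actions take part. A deletion with no preceding creation in the
    window (or a creation with no deletion yet) is not a finding by itself.
    """
    limit = timedelta(hours=max_lifetime_hours)
    by_key = defaultdict(list)
    for e in events:
        if e["action"] in ("created", "deleted"):
            by_key[(e["user"], e["dest"])].append(e)

    findings = []
    for (user, dest), evs in by_key.items():
        evs.sort(key=lambda e: _ts(e["_time"]))
        pending = None  # most recent creation not yet matched to a deletion
        for e in evs:
            if e["action"] == "created":
                pending = e
            elif pending is not None:  # a deletion that closes the open creation
                lifetime = _ts(e["_time"]) - _ts(pending["_time"])
                if lifetime <= limit:
                    findings.append({
                        "user": user, "dest": dest,
                        "created": pending["_time"], "deleted": e["_time"],
                        "lifetime_min": int(lifetime.total_seconds() // 60),
                        "created_by": pending["src_user"], "deleted_by": e["src_user"],
                    })
                pending = None
    return findings


if __name__ == "__main__":
    for f in short_lived_accounts(CHANGE_EVENTS):
        print(f)
```

Carrying the creating and deleting administrator (src_user) through to the finding matters in triage: a temporary account created and removed by the same change-window operator is usually benign, while one created by one account and deleted by another, or created outside a change window, is the pattern that deserves a notable event.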
PRT08-ProductAdoption-ES-Mature
DS010NetworkCommunication
Network communication data is often the last chance available to identify the movement of an attacker within, into or out of the organization's network. All firewalls protecting systems in the DMZ or facing the public internet, firewalls segmenting the private network from the public internet, and firewalls segmenting the private network from third-party network peers that are not part of the public internet should be included.
Found 3 search result(s) for title:UCESS* contentBody:"DS010NetworkCommunication*" contentBody:"APC-Mature". UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016
DS004EndPointAntiMalware
Endpoint anti-malware logs, such as McAfee Antivirus, Symantec Endpoint Protection or Microsoft Forefront, collected from the central reporting database. Events including detections, definition updates and scheduled scan executions should be indexed.
Found 0 search result(s) for title:UCESS* contentBody:"DS004EndPointAntiMalware*" contentBody:"APC-Mature".
DS005WebProxyRequest
Web client requests from internal endpoints processed by a proxy server. The scope should include all endpoints, both end-user devices and servers; guest wifi should not be included unless the guest network is able to reach the organization's internal trusted zone.
Found 0 search result(s) for title:UCESS* contentBody:"DS005WebClientRequest*" contentBody:"APC-Mature".
DS002DNS
Domain name resolution logs covering all internal clients querying for hosts outside the organization's network should contain, in a single event, the source IP, the query and the response. The scope should be confirmed using the firewall communication logs where the destination port is 53 (DNS).
Found 2 search result(s) for title:UCESS* contentBody:"DS002DNS*" contentBody:"APC-Mature". UCESS019 Excessive DNS Queries (Narrative and Use Case Center) Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ... Aug 14, 2016
UCESS018 Excessive DNS Failures (Narrative and Use Case Center) Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where ... Aug 14, 2016
DS003Authentication
Authentication logs covering all central authentication systems such as Active Directory, ADFS, CyberArk, WebSEAL and SiteMinder, as well as all local authentication logs from host operating systems identified as compliance-targeted or with priority High/Critical.
Found 7 search result(s) for title:UCESS* contentBody:"DS003Authentication*" contentBody:"APC-Mature". UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016
UCESS020 Excessive Failed Logins (Narrative and Use Case Center) Detects an excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting 5 minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user ... Aug 14, 2016
UCESS016 Default Account Activity Detected (Narrative and Use Case Center) Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ... Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UCESS014 Completely Inactive Account (Narrative and Use Case Center) Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by attackers to gain unauthorized access. Access tracker contains destination (host, IP, name), first and last time seen, 2nd to last time seen and user ... Aug 14, 2016
UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center) Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look across the time range of less than 90 days ago and greater ... Aug 14, 2016
UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the application, user ... Aug 14, 2016
DS001MAIL
Email logs covering all inbound and outbound mail systems, permitting identification of the internal authenticated user (or, where authentication is not used, the host) that caused an email to be sent or that received a specific email. The scope should be confirmed using firewall communication logs where the destination port is 25 (SMTP).
Found 0 search result(s) for title:UCESS* contentBody:"DS001MAIL*" contentBody:"APC-Mature".
DS007AuditTrail
Audit trail information from internal endpoints providing logs supporting use cases in this adoption phase should be included in the initial scope.
Found 2 search result(s) for title:UCESS* contentBody:"DS007AuditTrail*" contentBody:"APC-Mature". UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016
UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center) Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by some regulatory compliance standards (such as PCI). For the past 30 days ... Aug 14, 2016
DS012NetworkIntrusionDetection-ET01SigDetection
Network intrusion detection logs often must be indexed for compliance purposes. All IDS/IPS sensors should be included except those that monitor unfiltered inbound public internet traffic; "unfiltered" means the sensor sits outside the border firewall and may detect attacks that the firewall would block anyway based on destination port.
Found 0 search result(s) for title:UCESS* contentBody:"DS012NetworkIntrusionDetection*" contentBody:"APC-Mature".
DS014WebServer-ET01Access
Web server logs from all web servers serving authenticated organization users from the public internet; these should contain the authenticated user account, the (actual) client source IP, the reverse proxy IP, site, URL and port.
Found 1 search result(s) for title:UCESS* contentBody:"DS014WebServer*" contentBody:"APC-Mature". UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
DS006UserActivity
User activity related to the creation, modification or deletion of users, groups, access controls and policies should be indexed for all systems in scope for logging and monitoring within this phase.
Found 4 search result(s) for title:UCESS* contentBody:"DS006UserActivity*" contentBody:"APC-Mature". UCESS049 Short-lived Account Detected (Narrative and Use Case Center) past 4 hours, find all events that action is equal to created or deleted. Look at the time range across user and destination and use only two events and only return events where the count is greater than 1 and the time range ... Aug 14, 2016
UCESS004 Account Deleted (Narrative and Use Case Center) Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the value delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the count is greater than 0: Last ... Aug 14, 2016
UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center) Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values where firstTime is greater than or equal to earliestQual ... Aug 14, 2016
UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016
DS013TicketManagement-ET01
Notable event ticket data is indexed with no administrator action required.
Found 2 search result(s) for title:UCESS* contentBody:"DS013TicketManagement*" contentBody:"APC-Mature". UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016
UCESS051 Substantial Increase In Events (Narrative and Use Case Center) Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model has changed, generate a count by signature and compare that count against the previous hour and trigger if the signature is above medium ... Aug 14, 2016
Motivating Risk View Perspective
Risk mitigation is tangential to the traditional view of business value. To address this motivation and realize value, the customer will place an artificial cost on the occurrence of an event; the narratives and solutions then give decision makers support in showing the broader business leadership that risks are being addressed proactively through the development of detection and monitoring processes. Each use case is further labeled to collect the use cases into a risk-based paradigm:
RV1-AbuseofAccess — Abuse of access addresses the risk of authorized or entitled access used in such a way as to cause harm to the organization.
RV2-Access — Access addresses the risk of unauthorized access used in such a way as to cause harm to the organization.
RV3-MaliciousCode — Malicious code addresses the risk of processes used against the organization; these risks include "malware" as well as authorized software used for malicious intent.
RV4-ScanProbe — Risk of activities that could discover a weakness in the organization's systems, controls or configuration that could later be used to harm the organization.
RV5-DenialofService — Risk of denial of service, including load-based attacks and destructive change to the infrastructure.
RV6-Misconfiguration — Modification of a system that results in a misconfiguration, defined as insecure or unreliable and impacting the compliance, security or availability of the system. Such a configuration may increase the likelihood or impact of other adverse events.
RV1-AbuseofAccess Abuse of access addresses the risk of authorized or entitled access used in such a way as to cause harm to the organization
Supporting Use Cases Essentials Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"RV1-AbuseofAccess".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS035 Host With Multiple Infections (Narrative and Use Case Center) Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the count is greater ... Aug 14, 2016
UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center) Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data even if the model has changed, return an estimated distinct count of destination (host, IP, name) where nodename is MalwareAttacks ... Aug 14, 2016
UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center) Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5 minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen time, original raw log, destination ... Aug 14, 2016
UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center) Detects users with a high or critical priority logging into a malware infected machine. Using all summary data even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user priority ... Aug 14, 2016
UCESS005 Activity from Expired User Identity (Narrative and Use Case Center) Alerts when an event is discovered from a user associated with an identity that has expired (that is, the identity's end date has passed). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw Event Data, user ... Aug 14, 2016
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago, search for application ... Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center) Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures ... Aug 14, 2016
UC0006 Windows security event log purged (Narrative and Use Case Center) Manually clearing the security event log on a Windows system is a violation of policy and could indicate an attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear DE001AssetInformation Adoption ... Apr 08, 2016
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center) Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data even ... Apr 26, 2016
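UCESS011 and UCESS012 in the list above, together with UCESS020 Excessive Failed Logins under DS003Authentication earlier, describe two closely related authentication heuristics over the same grouping of application and source. The following is an added Python example written for this page, not an ES correlation search: it runs over a constructed hour of authentication events and separates excessive failures alone (the UCESS020 pattern) from failures followed by a success from the same source (the UCESS011 pattern), the latter being the stronger indicator because it means the guessing probably worked, and only counts a success that comes after the failures. The field names, the threshold of six failures and the sample events are assumptions of the example.

```python
from collections import defaultdict


def _auth(ts, app, src, user, action):
    return {"_time": ts, "app": app, "src": src, "user": user, "action": action}


# Constructed authentication events for one 60-minute window (not from the page).
AUTH_EVENTS = (
    # 198.51.100.7 guesses eight accounts against sshd, then gets in as 'oracle'
    [_auth(f"2016-09-29T10:{m:02d}:00Z", "sshd", "198.51.100.7", u, "failure")
     for m, u in enumerate(["root", "admin", "oracle", "test", "backup", "deploy", "postgres", "git"])]
    + [_auth("2016-09-29T10:09:00Z", "sshd", "198.51.100.7", "oracle", "success")]
    # 10.0.0.15 fails three times and then succeeds: a forgotten password, below threshold
    + [_auth(f"2016-09-29T10:2{m}:00Z", "vpn", "10.0.0.15", "jdoe", "failure") for m in range(3)]
    + [_auth("2016-09-29T10:25:00Z", "vpn", "10.0.0.15", "jdoe", "success")]
    # 203.0.113.5 hammers the web app and never succeeds: excessive failures only
    + [_auth(f"2016-09-29T10:3{m}:00Z", "webapp", "203.0.113.5", "admin", "failure") for m in range(10)]
    # a success that precedes the failures must not be treated as "after" them
    + [_auth("2016-09-29T10:40:00Z", "sshd", "10.0.0.20", "ops", "success")]
    + [_auth(f"2016-09-29T10:4{m}:00Z", "sshd", "10.0.0.20", "ops", "failure") for m in range(1, 8)]
)


def _group(events):
    """Group by (app, src) and sort each group chronologically (ISO-8601 UTC strings sort correctly)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["app"], e["src"])].append(e)
    for evs in by_key.values():
        evs.sort(key=lambda e: e["_time"])
    return by_key


def excessive_failed_logins(events, min_failures=6):
    """UCESS020-style: sources with at least min_failures failures against an app, with the users tried."""
    out = {}
    for (app, src), evs in _group(events).items():
        failed = [e for e in evs if e["action"] == "failure"]
        if len(failed) >= min_failures:
            out[(app, src)] = {"failures": len(failed), "users": sorted({e["user"] for e in failed})}
    return out


def brute_force_with_success(events, min_failures=6):
    """UCESS011-style: a success from a source only after it has already produced min_failures failures."""
    out = {}
    for (app, src), evs in _group(events).items():
        failures_so_far, tried = 0, set()
        for e in evs:
            if e["action"] == "failure":
                failures_so_far += 1
                tried.add(e["user"])
            elif e["action"] == "success" and failures_so_far >= min_failures:
                out[(app, src)] = {"failures_before_success": failures_so_far,
                                   "users_tried": sorted(tried),
                                   "succeeded_as": e["user"],
                                   "success_time": e["_time"]}
                break  # one notable per source and app per window is enough
    return out


if __name__ == "__main__":
    print("excessive failures:", excessive_failed_logins(AUTH_EVENTS))
    print("brute force with success:", brute_force_with_success(AUTH_EVENTS))
```

Keeping the list of users tried in the finding is what lets an analyst distinguish a password spray (many users, one source) from a single-account attack, and the account the source finally succeeded as is the one to disable or reset first.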
Maturing Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"RV1-AbuseofAccess".
UCESS016 Default Account Activity Detected (Narrative and Use Case Center) Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ... Aug 14, 2016
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016
UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center) Alerts on high volume web uploads by a user to non-corporate domains. For the past 60 minutes starting 5 minutes after realtime, sum the total number of bytes transferred where the HTTP method is POST or PUT and the domain is not in the corporate web domain lookup ... Aug 14, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center)
Checkout (usage) of a shared secret or service account by an automated process, such as software installation, where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access ... Apr 11, 2016
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use Case Center)
Increase the risk score of users who have an indication of adverse separation. Examples of users with an indication of adverse separation include, but are not limited to, the following: the user has entered a remediation program with human resources; the user has been identified as included in a reduction ... Apr 08, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an actual or attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP and DNS by destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC). Problem Types Addressed Risk Addressed ... Apr 28, 2016
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center) Detection of logon device by asset name (may require resolution from IP) when logon user does not match the owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner ... May 16, 2016
RV2-Access Access addresses the risk of unauthorized access used in such a way as to cause harm to the organization.
Supporting Use Cases: Essentials (2 use cases found for APC-Essential and RV2-Access)
UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center) ... Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker ... Apr 08, 2016
UC0043 Direct Authentication to NHA (Narrative and Use Case Center) Direct authentication via SSH or console session to a non-human account indicates a violation of security policy, either by recording the password of a non-human account for later use or by association of an SSH key with a non-human account. Problem Types Addressed Risk ... Apr 11, 2016
Maturing (10 use cases found for APC-Maturing and RV2-Access)
UCESS016 Default Account Activity Detected (Narrative and Use Case Center) Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ... Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center) For each authentication technology in the network, identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center)
Checkout (usage) of a shared secret or service account by an automated process, such as software installation, where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access ... Apr 11, 2016
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use Case Center)
Increase the risk score of users who have an indication of adverse separation. Examples of users with an indication of adverse separation include, but are not limited to, the following: the user has entered a remediation program with human resources; the user has been identified as included in a reduction ... Apr 08, 2016
UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center) ... Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last access ... Jun 24, 2016
UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center) ... indicate an adversary has identified a specific high value account and is attempting to gain access. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity ... Jun 08, 2016
UC0045 Local authentication server (Narrative and Use Case Center) Following provisioning, *nix servers seldom require local administration. Investigate any use of local authentication, as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 11, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) ... RV6Misconfiguration DS003AuthenticationET01Success DS010NetworkCommunicationET01TrafficAppAware DE001AssetInformation Categorization providing information to identify authorized remote access systems DE002IdentityInformation Categorization providing information on which users may access an individual remote access technology Adoption Phase Customer Adoption Phase SME Adoption ... Apr 08, 2016
UC0042 SSH Authentication using unknown key (Narrative and Use Case Center) ... Detection of a new key should be investigated to determine the owner of the key and validate authorization to access the resource. Problem Types Addressed Risk Addressed Event Data Sources Enrichment ... Apr 11, 2016
RV3-MaliciousCode Malicious code addresses the risk of processes used against the organization; these risks include "malware" as well as authorized software used for malicious intent.
Supporting Use Cases: Essentials (10 use cases found for APC-Essential and RV3-MaliciousCode)
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS035 Host With Multiple Infections (Narrative and Use Case Center) Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the count is greater ... Aug 14, 2016
UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center) Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data even if the model has changed, return an estimated distinct count of destination (host, IP, name) where nodename is MalwareAttacks ... Aug 14, 2016
UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center) Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5 minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen time, original raw log, destination ... Aug 14, 2016
UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center) Detects users with a high or critical priority logging into a malware infected machine. Using all summary data even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user priority ... Aug 14, 2016
UCESS005 Activity from Expired User Identity (Narrative and Use Case Center) Alerts when an event is discovered from a user associated with an identity that is now expired (that is, the end date of the identity has passed). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw Event Data, user ... Aug 14, 2016
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago, search for application ... Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center) Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures ... Aug 14, 2016
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center) Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data even ... Apr 26, 2016
UCESS043 Outbreak Detected (Narrative and Use Case Center) Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infection. For the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the systems that were affected by the malware ... Apr 26, 2016
Maturing (10 use cases found for APC-Maturing and RV3-MaliciousCode)
UCESS028 High Process Count (Narrative and Use Case Center) Alerts when a host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare ... Aug 14, 2016
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016
UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and Use Case Center)
Accounts designated for use by services and batch processes should start a limited set of child processes. Creation of new child processes other than the process name defined in the service or batch definition may indicate compromise. Problem Types Addressed ... Apr 08, 2016
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequences occurs: new domain in HTTP referrer field; first occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center) Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than 5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ... Apr 08, 2016
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center) Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts are active on a subnet. Problem Types Addressed ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
RV4-ScanProbe Risk of activities that could discover a weakness in the organization's systems, controls, or configuration that could later be used to harm the organization.
Supporting Use Cases: Essentials (6 use cases found for APC-Essential and RV4-ScanProbe)
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts. For the past ... Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number of unique events when scanning a host, since each vulnerability check tends to trigger a unique ... Aug 14, 2016
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center) A prohibited protocol such as IRC, FTP, or Gopher could indicate malicious activity or the implementation of an insecure system on the network. Consider intranetwork communication and accepted communications from the Internet. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware ... Apr 08, 2016
UC0037 Network Intrusion External - New Signatures (Narrative and Use Case Center) External IDS devices reporting an attack using a signature not previously encountered are more likely to be successful, as new signatures are prompted by newly known attacks in the wild. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware OR is this something ... Apr 08, 2016
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing (9 use cases found for APC-Maturing and RV4-ScanProbe)
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using the insecure protocol SSH v1 detected. The legacy SSH v1 protocol is inherently insecure; accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ... Apr 08, 2016
UC0001 Detection of new/prohibited web application (Narrative and Use Case Center) A prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by modern web proxy solutions and next generation firewalls. Allowed prohibited applications or new application instances should be reviewed to ensure proper use. Problem Types ... Apr 08, 2016
UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016
RV5-DenialofService Risk of denial of service includes such concerns as load-based attacks and destructive change to the infrastructure.
Supporting Use Cases: Essentials (no use cases found for APC-Essential and RV5-DenialofService)
Maturing (1 use case found for APC-Maturing and RV5-DenialofService)
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
RV6-Misconfiguration Modification of a system that results in a misconfiguration, defined as insecure or unreliable, impacting the compliance, security, or availability of the system. Such a configuration may increase the likelihood or impact of other adverse events.
Supporting Use Cases: Essentials (5 use cases found for APC-Essential and RV6-Misconfiguration)
UCESS045 Potential Gap in Data (Narrative and Use Case Center) Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context ... Aug 16, 2016
UC0046 Endpoint failure to sync time (Narrative and Use Case Center) Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016
UC0003 Server generating email outside of approved usage (Narrative and Use Case Center) Server operating systems often generate email for routine purposes. Configuration management can be used to identify which servers may generate email and what recipients are permitted. Identify servers receiving email from the Internet without approval; identify ... Apr 19, 2016
UC0043 Direct Authentication to NHA (Narrative and Use Case Center) Direct authentication via SSH or console session to a non-human account indicates a violation of security policy, either by recording the password of a non-human account for later use or by association of an SSH key with a non-human account. Problem Types Addressed Risk ... Apr 11, 2016
UCESS022 Expected Host Not Reporting (Narrative and Use Case Center) Discovers hosts that are no longer reporting events but should be submitting log events. This rule is used to monitor hosts that you know should be providing a constant stream of logs, in order to determine why the host has failed to provide log data. Every 15 ... Aug 14, 2016
Maturing (10 use cases found for APC-Maturing and RV6-Misconfiguration)
UCESS028 High Process Count (Narrative and Use Case Center) Alerts when a host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare ... Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection, for each asset with a governance category verify that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners. Problem Types Addressed Risk Addressed ... Jul 12, 2016
UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center) Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ... Aug 14, 2016
UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center) For each authentication technology in the network, identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center) Detection of logon with the same account to a production and a non-production environment. If an account (not user) has logged into more than one, access management controls have failed and must be remediated. Problem Types Addressed Risk Addressed Event Data ... Jun 24, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center) ... Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an actual or attempted compromise. Communication filtered ... Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP and DNS by destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC). Problem Types Addressed Risk Addressed ... Apr 28, 2016
Supporting Data View
Supporting data represents the types of data utilized to support a solution that eventually achieves a business objective. These data types can be consumed equally by use case narratives regardless of the underlying technology. In some cases we recognize that all technology sources are not equal and further define specific "events" and critical fields that must be provided to successfully implement a narrative. This approach allows the user to head off failure on implementation when a given combination cannot achieve success.
DS001MAIL — Email remains the primary form of formal communication in most organizations. As such, mail server databases and logs are some of the most important business records. Email messages and activity logs can be required to maintain compliance with an organization's information security, retention, and regulatory compliance processes, and may be subpoenaed or legally held as part of civil or criminal investigations.
DS002DNS — The domain name system (DNS) is the Internet's phone book, providing a mapping between system or network resource names and IP addresses. DNS has a hierarchical name space that typically includes three levels: a top-level domain (TLD) such as .com, .edu or .gov; a second-level domain such as "google" or "Whitehouse;" and a system level such as "www" or "mail." DNS nameservers operate in this hierarchy either by acting as authoritative sources for particular domains, such as a company or governme
DS003Authentication — Authentication systems establish the identity of an actor using one or more secret values, e.g. a password and a one-time PIN. The authentication system typically issues a new secret which can be provided to applications, e.g. a Kerberos token or web cookie, to permit access to a secured resource.
DS004EndPointAntiMalware — The weakest link in corporate security is individuals, and antivirus is one way to protect them from performing inadvertently harmful actions. Whether it is clicking on an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one sent to them by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage.
DS005WebProxyRequest — Web proxies and some next generation firewalls may act in transparent or explicit mode, communicating with (s) servers on behalf of a client. Using a number of related technologies, the request and response can be permitted or blocked based on the user's role, site or resource category, or attack indicator. Data logged in the events can potentially be used in detective correlation.
DS006UserActivity — User activity within the organization environment, such as create, read (display), update, delete and search events, must include critical data such as action, result, app, and a locator URI allowing normalized search on the targets of activity.
DS007AuditTrail — Audit trail events represent a special class of events which can be triggered based on automated or user interaction with systems and indicate a condition has occurred where the integrity of the source is suspect at a point in time.
DS008HRMasterData — A master data system for Human Resources may publish an event indicating critical changes impacting people in an organization. Human Resources records include the entire employee lifecycle including recruitment, selection, hiring, job position and classification, promotion, salary, and bonuses, performance and ratings, disciplinary actions, training and certifications, and separation or retirement. For hourly employees, HR data often includes time and attendance records. HR systems often feed payr
DS009EndPointIntel — In this context, endpoint refers to the security client software or agent installed on a client device that logs security-related activity not otherwise generated by the host operating system: from the client OS, login, logout and shutdown events, and from various applications such as the browser (Explorer, Edge), mail client (Outlook) and Office applications. Endpoints also log their configuration and various security parameters (certificates, local anti-malware signatures, etc.), all of which is useful
DS010NetworkCommunication — Network communication data is a record of communication between two systems, commonly using TCP version 4 or TCP version 6. Network communication can be recorded by a number of technologies including host operating systems, firewalls, switches, routers, deep packet inspection, and intrusion detection systems.
DS011MalwareDetonation — Malware detonation systems, also known as sandboxing systems, execute potentially malicious code in a clean environment for the purpose of collecting events related to their actions. Using automated and manual analysis, indicators can be determined which can inform additional breach detection and prevention capability.
DS012NetworkIntrusionDetection — What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls: IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. Likewise, IPS is typic
DS013TicketManagement — Ticket management from tracking systems responsible for the security and operational health of the environment(s) provides a rich resource for evaluating the effectiveness of the security program, as well as the detective and preventive controls in place.
DS014WebServer — Web server logs allow attribution of activity to a specific source IP and, when authenticated, user. The logs are detailed records of every transaction: every time a browser requests a web page, Apache logs details including items such as the time, remote IP address, browser type and page requested. Web servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate permissions or problems with extension modules. Web Server logs are criti
DS015ConfigurationManagement — Configuration management solutions such as VMware vCenter, MAAS, Puppet, Chef, System Center Configuration Manager, and System Center Virtualization Manager. Events generated by these systems can support security investigations by providing information about who applied what changes to systems. Additional information such as the base image utilized and birth and death timestamps provides data useful to identify windows of vulnerability.
DS016DataLossPrevention — Data loss prevention solutions can identify human and automated activities as they interact with restricted information, creating an audit trail of attempted actions and the system's response, such as allow or block.
DS017PhysicalSecurity — Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic strips affixed to employee badges; however, locations with stringent security requirements may use some form of biometric reader or digital key. Regardless of the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular location. As digital systems, badge readers record information su
DS018VulnerabilityDetection — An effective way to find security holes is to examine one's infrastructure from the attacker's point of view. Vulnerability scans probe an organization's network for known software defects that provide entry points for external agents. The scans yield data about open ports and IP addresses that can be used by malicious agents to gain entry to a particular system or entire network. Systems often keep network services running by default, even when they aren't required for a particular server. The
DS019PatchManagement — Keeping operating systems and applications updated with the latest bug fixes and security patches is an essential task that can prevent unplanned downtime, random application crashes and security breaches.
Although commercial apps and OSs often have embedded patching software, some organizations use independent patch management software to consolidate patch management and ensure the consistent application of patches across their software fleet and to build patch jobs for custom, internal applic DS020HostIntrustionDetection — Host based Intrusion Detection events provide signature based detection of changes that could weaken the security posture of the host based on changes to entire files or specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the environment. DS021Telephony — Real-time business communications no longer are limited to voice calls provided by Plain Old Telephone Service (POTS); instead, voice, video, text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss, making service quality and reliability much more sensitive to network condi DS022Performance — Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and unusual events. By registering myriad system parameters, performance logs also can highlight mismatches between system capacity and application requirements, such as a database using all available system memory and frequ DS023CrashReporting — Crash reports including summary of dumps, exceptions, and hangs can indicate attempts at exploitation of processes by malicious code or significant programing errors allowing possible future exploitation or failure of business services. 
DS024ApplicationServer — Application server logs, considering the actual business application, middleware such as Tomcat, and run time logs such as java runtime. contain a wealth of information created when users and systems interact. Anomalies in the logs can indicate potential failures or compromise attempts.
How to read the Supporting Data View
Each data source represents a parent type of event and can contain zero or more specific event types for use by use case narratives and providing technologies.

Consuming use cases
Consuming use cases are listed based on a dynamic search grouped by Adoption Phase, with the customer listing filtered for APC-Essential and APC-Maturing.

Provider Types
Provider types are linkages to vendor and customer technologies which are believed, or have been field validated, to support the use cases identified.
DS001MAIL
Introduction
Email remains the primary form of formal communication in most organizations. As such, mail server databases and logs are some of the most important business records. Email messages and activity logs can be required to maintain compliance with an organization's information security, retention, and regulatory compliance processes, and may be subpoenaed or legally held as part of civil or criminal investigations.
Security Value
Continuous Monitoring
- Monitoring email server logs using analytic concepts such as new, rare and extreme values over fields including sender, recipient, IP and domain increasingly identifies actors and potential victims of email-based attacks.
Forensic Investigation
- Utilize email log events in combination with other events to identify potential actors involved in targeted activity.
- Utilize email log events to identify additional possible victims of email-based attacks.
- Utilize email log events to establish a timeline of who, when and what when investigating internal activity.
Legal Compliance
- Utilize email logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Available Continuous Monitoring Use Cases
Essentials
Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS031 Host Sending Excessive Email (Narrative and Use Case Center) Alerts when a host not designated as an email server sends excessive email to one or more target hosts. For the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate ... May 02, 2016
UC0003 Server generating email outside of approved usage (Narrative and Use Case Center) Server operating systems often generate email for routine purposes. Configuration management can be used to identify which server may generate email and what recipients are permitted. Identify servers receiving email from the internet without approval Identify ... Apr 19, 2016
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-*".
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center) Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks ... Apr 08, 2016
Mature
Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-*".
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center) Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks ... Apr 08, 2016
Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS001MAIL".
PT001-Microsoft-Exchange (Narrative and Use Case Center) ... solution and channel of communication useful in various attacks access monitoring is imperative. Provides DS001MAIL DS001MailET01Access DS001MAILET02Receive DS001MailET03Send DS003Authentication Authentication occurs for Administrative action Active Sync ... Apr 01, 2016 Labels: provider-type
PT003-ExtraHop-SMTP (Narrative and Use Case Center) ... Provides DS001MAIL providertype Feb 05, 2016 Labels: provider-type
PT002-Splunk-Stream-SMTP (Narrative and Use Case Center) ... Provides DS001MAIL providertype Feb 05, 2016 Labels: provider-type
DS002DNS
The domain name system (DNS) is the Internet's phone book, providing a mapping between system or network resource names and IP addresses. DNS has a hierarchical name space that typically includes three levels: a top-level domain (TLD) such as .com, .edu or .gov; a second-level domain such as "google" or "whitehouse"; and a system level such as "www" or "mail". DNS nameservers operate in this hierarchy either by acting as authoritative sources for particular domains, such as a company or government agency, or by acting as caching servers that store DNS query results for subsequent lookup by users in a specific location or organization; for example, a broadband provider caching addresses for its customers.
Security Value
Continuous Monitoring
- Monitoring using analytic concepts such as new, rare and extreme values over fields including IP, port and protocol increasingly identifies potential command and control systems.
Forensic Investigation
- Utilize communication log events in combination with other events to identify potential actors involved in targeted activity.
- Utilize communication log events to identify additional ingress and egress points.
- Utilize communication log events to identify pivot points utilized by attackers to move into controlled network segments.
- Utilize communication log events to establish a timeline of who, when and what when investigating internal activity.
Legal Compliance
- Utilize communication logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases
Essentials
Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 7 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS".
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center) Using an algorithm determine text of the registration domain is likely to be generated by a computer excluding known cloud hosting domains, Alexa TOP 1 M domains and domains with long established communication with the organization. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016 Labels: prt05-tacticalthreat-ransomeware, creative
UCESS019 Excessive DNS Queries (Narrative and Use Case Center) Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ... Aug 14, 2016
UCESS018 Excessive DNS Failures (Narrative and Use Case Center) Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where ... Aug 14, 2016
UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center) Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad.<domain> where the domain portion is not a company-owned domain. Problem Types Addressed Risk Addressed Event ... Apr 25, 2016
UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0076 Excessive DNS Failures (Narrative and Use Case Center) endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0049 Detection of DNS Tunnel (Narrative and Use Case Center) Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
Mature
Found 7 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS002DNS".
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center) Using an algorithm determine text of the registration domain is likely to be generated by a computer excluding known cloud hosting domains, Alexa TOP 1 M domains and domains with long established communication with the organization. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016 Labels: prt05-tacticalthreat-ransomeware, creative
UCESS019 Excessive DNS Queries (Narrative and Use Case Center) Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ... Aug 14, 2016
UCESS018 Excessive DNS Failures (Narrative and Use Case Center) Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where ... Aug 14, 2016
UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center) Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad.<domain> where the domain portion is not a company-owned domain. Problem Types Addressed Risk Addressed Event ... Apr 25, 2016
UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0076 Excessive DNS Failures (Narrative and Use Case Center) endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0049 Detection of DNS Tunnel (Narrative and Use Case Center) Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
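The DS002DNS use cases listed above come down to a few per-source aggregations over query/response events: UC0049 (DNS tunnel) keys on a large total volume or a large number of unique queries from one source, UCESS018/UC0076 on many NXDOMAIN replies to one host, and UC0072 on NXDOMAIN replies to A/AAAA lookups of wpad or wpad.<domain> for a domain the company does not own. The Python below is an added example written for this page, not Splunk's own searches or code. The event tuple layout (src, query, qtype, rcode, bytes), the sample events, the thresholds and the company-owned domain list are all constructed assumptions; a deployment would take them from the DNS data model and the organization's asset data.

```python
from collections import defaultdict

# Constructed sample DNS query/response events: (src, query, qtype, rcode, bytes).
# The field layout is an assumption for this example, not a Splunk data model.
SAMPLE_DNS_EVENTS = [
    ("10.1.1.5", "www.example.com", "A", "NOERROR", 64),
    ("10.1.1.5", "mail.example.com", "A", "NOERROR", 66),
    ("10.1.1.5", "wpad", "A", "NXDOMAIN", 40),                      # bare-host WPAD lookup
    ("10.1.1.5", "wpad.corp.example", "A", "NOERROR", 58),          # company domain: expected
    ("10.1.1.5", "wpad.coffeeshop.test", "AAAA", "NXDOMAIN", 62),   # foreign domain: leak
]
# A host hammering names that do not exist (constructed): the UCESS018 / UC0076 pattern.
SAMPLE_DNS_EVENTS += [
    ("10.1.1.7", f"host{i}.missing.test", "A", "NXDOMAIN", 50) for i in range(25)
]
# A host sending many unique, long subdomains under one registration domain (constructed):
# the UC0049 DNS tunnel pattern.
SAMPLE_DNS_EVENTS += [
    ("10.1.1.9", f"{i:08x}{'a' * 24}.t.tunnel-example.test", "TXT", "NOERROR", 120)
    for i in range(60)
]

COMPANY_DOMAINS = {"corp.example"}  # assumed company-owned registration domains


def registration_domain(fqdn):
    """Last two labels of a name. Naive on purpose: a real deployment needs the public
    suffix list so that e.g. example.co.uk is not cut down to co.uk."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def summarize_by_src(events):
    """Per-source counters the use cases key on: unique names, total bytes, NXDOMAIN replies."""
    acc = defaultdict(lambda: {"names": set(), "total_bytes": 0, "nxdomain": 0})
    for src, query, _qtype, rcode, nbytes in events:
        acc[src]["names"].add(query.lower())
        acc[src]["total_bytes"] += nbytes
        if rcode == "NXDOMAIN":
            acc[src]["nxdomain"] += 1
    return {
        src: {"unique_queries": len(s["names"]),
              "total_bytes": s["total_bytes"],
              "nxdomain": s["nxdomain"]}
        for src, s in acc.items()
    }


def detect_dns_tunnel(events, unique_threshold=50, bytes_threshold=5000):
    """UC0049: large total DNS volume OR a large number of unique queries from one source.
    Thresholds are placeholders; tune them against the environment's baseline."""
    return {src for src, s in summarize_by_src(events).items()
            if s["unique_queries"] > unique_threshold or s["total_bytes"] > bytes_threshold}


def detect_excessive_failures(events, threshold=20):
    """UCESS018 / UC0076: a source receiving many NXDOMAIN replies within the window."""
    return {src for src, s in summarize_by_src(events).items() if s["nxdomain"] > threshold}


def detect_wpad_leak(events, company_domains=COMPANY_DOMAINS):
    """UC0072: NXDOMAIN for A/AAAA lookups of 'wpad' or 'wpad.<domain>' where <domain>
    is not company-owned. Returns (src, query) pairs in event order."""
    hits = []
    for src, query, qtype, rcode, _nbytes in events:
        name = query.rstrip(".").lower()
        if qtype not in ("A", "AAAA") or rcode != "NXDOMAIN":
            continue
        if name != "wpad" and not name.startswith("wpad."):
            continue
        if registration_domain(name) in company_domains:
            continue
        hits.append((src, query))
    return hits


if __name__ == "__main__":
    print("DNS tunnel candidates:", detect_dns_tunnel(SAMPLE_DNS_EVENTS))
    print("Excessive NXDOMAIN:", detect_excessive_failures(SAMPLE_DNS_EVENTS))
    print("WPAD lookups leaving the company namespace:", detect_wpad_leak(SAMPLE_DNS_EVENTS))
```

The three detections share one pass over the events (summarize_by_src) so a single window of DNS data feeds all of them; the WPAD check additionally needs an allowlist of company-owned registration domains, which is the part of UC0072 that most often produces false positives when laptops join foreign networks.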
Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS002DNS".
PT002-Splunk-Stream-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
PT003-ExtraHop-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
PT013-ISCBIND-DNS (Narrative and Use Case Center) Provides DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
DS003Authentication
Authentication systems establish the identity of an actor using one or more secret values, e.g. a password and a one-time PIN. The authentication system typically issues a new secret, e.g. a Kerberos token or web cookie, which can be provided to applications to permit access to a secured resource.

Enterprise Directory is a central system containing information about accounts such as name, phone, public certificates, email addresses, and group membership. Common enterprise directories such as Microsoft Active Directory, Tivoli Directory Server or Oracle Directory Server are widely distributed systems spanning multiple geographies and may involve thousands of servers.

Application Authentication logs are a subset of application telemetry focused on user identity and login attempts.

Network access (or admission, if you are a Cisco customer) control is a form of client/endpoint security that uses a locally installed software agent to pre-authorize connections to a protected network. NAC screens client devices for contamination by known malware and for adherence to security policies such as running an approved OS with the most recent patches. Clients failing NAC screens are rerouted to an isolated quarantine network until any detected problems are corrected.

Network appliances, including switches, routers, firewalls, proxies and performance monitoring tools, have access to read and modify significant amounts of enterprise data, and their modification could weaken the security posture of the organization. Switches are network intersections, places where packets move from one network segment to another. In their purest form, switches work within a particular IP subnet and can't route Layer 3 packets on to another network. Modern data center designs typically use a two-tier switch hierarchy: top-of-rack (ToR) switches connecting servers and storage arrays at the edge, and aggregation or spine switches connecting to the network core. Although Ethernet switches are far more widespread, some organizations also use Fibre Channel or InfiniBand for storage area networks or HPC interconnects, each of which has its own type of switch.

Network proxies are used in several ways in IT infrastructure: as web application accelerators and intelligent traffic direction, application-level firewalls and content filters. By acting as a transparent, 'bump-in-the-wire' intermediary, proxies see the entire Layer 7 network protocol stack, which allows them to implement application-specific traffic management and security policies.

Hosting platforms, including on-prem physical systems such as Cisco UCS and HP Insight, virtual systems such as VMware, and cloud providers such as AWS, Azure, and DigitalOcean, contain significant critical infrastructure.

Online and backup storage systems contain all enterprise raw data. While all other logical access is monitored, the ability of an actor to clone and read data directly from storage frequently is not.

Midrange and mainframe systems such as IBM System z, HP NonStop Server (Tandem), IBM System i, VAX, and Stratus are often overlooked.
Security Value
Continuous Monitoring
- Monitoring using analytic concepts such as new, rare and extreme values over fields including IP and source host increasingly identifies actors and potential victims of account-takeover attacks.
- Monitoring for evidence of password guessing in single-factor authentication schemes.
Forensic Investigation
- Utilize authentication log events in combination with other events to identify potential actors involved in targeted activity.
- Utilize authentication log events to identify additional ingress and egress points.
- Utilize authentication log events to identify pivot points utilized by attackers to move into controlled network segments.
- Utilize authentication log events to establish a timeline of who, when and what when investigating internal activity.
Legal Compliance
- Utilize communication logs to support discovery and defense of legal claims.
Adoption Phase
APC-Essential
- All central authentication solutions
- All authentication points for systems of elevated risk, such as those with confidential information or identified as critical
- All border authentication points, such as: Webmail, VPN, Single sign-on, Employee external portal
APC-Maturing
- All servers
- All network devices
- All network authentication
APC-Mature
- All endpoint local authentication
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Problem Types Addressable
Found 9 search result(s) for title:PRT* contentBody:"DS003Authentication".
PRT02-SecurityVisibilityLateralMovement (Narrative and Use Case Center) ... within an organization's network following the compromise of an initial endpoint. Supporting Data Types DS003Authentication DS006UserActivity DS009EndPointIntel DS010NetworkCommunication DS012NetworkIntrusionDetectionET01SigDetection Supporting Use Cases Essentials Maturing May 16, 2016
PRT01Compliance-PCI (Narrative and Use Case Center) ... logging and monitoring processes 10.1 Implement collection and retention of the following log sources DS003Authentication DS003AuthenticationET01Success DS003AuthenticationET02Failure 10.2 See below 10.2.1 Implement collection and retention of the following ... Jun 24, 2016
PRT02-SecurityVisibilityExfiltration (Narrative and Use Case Center) ... from many types of systems in the enterprise and in the cloud. Supporting Data Sources DS001MAIL DS003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS006UserActivity DS007AuditTrail DS008HRMasterData DS009EndPointIntel DS010NetworkCommunication DS014WebServerET01Access Supporting Use ... May 16, 2016
PRT02-SecurityVisibilityZeroDayAttacks (Narrative and Use Case Center) ... many types of systems in the enterprise and in the cloud. Supporting Data Sources DS001MAIL DS002DNS DS003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS009EndPointIntel DS010NetworkCommunication DS011MalwareDetonationET01Detection DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Supporting Use Cases ... May 16, 2016
PRT02-SecurityVisibilityPriviledgeUserMonitoring (Narrative and Use Case Center) ... monitored with greater scrutiny than users not similarly entrusted. Supporting Data Types DS003Authentication DS006UserActivity DS008HRMasterData DS009EndPointIntel DS017PhysicalSecurityET01Access Supporting Use Cases Essentials Maturing May 05, 2016
PRT02-IdentifyPatientZero (Narrative and Use Case Center) ... methods of the attackers and assist in the preparation of improved defenses. Supporting Data Types DS002DNS DS003Authentication DS004EndPointAntiMalware DS005WebProxyRequest DS006UserActivity DS008HRMasterData DS009EndPointIntel DS010NetworkCommunication DS011MalwareDetonationET01Detection DS017PhysicalSecurityET01Access Supporting Use ... May 05, 2016
PRT08-ProductAdoption-ES-Maturing (Narrative and Use Case Center) ... should be confirmed using the firewall communication logs where destination port is 23. DS003Authentication Authentication logs covering all central authentication systems such as Active Directory, ADFS ... Aug 14, 2016
PRT08-ProductAdoption-ES-Mature (Narrative and Use Case Center) ... should be confirmed using the firewall communication logs where destination port is 23. DS003Authentication Authentication logs covering all central authentication systems such as Active Directory, ADFS ... Aug 14, 2016
PRT08-ProductAdoption-ES-Essentials (Narrative and Use Case Center) ... should be confirmed using the firewall communication logs where destination port is 23. DS003Authentication Authentication logs covering all central authentication systems such as Active Directory, ADFS ... Aug 14, 2016
Consuming Use Cases
Essentials
Found 6 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication".
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago, search for application ... Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center) Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures ... Aug 14, 2016
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS005 Activity from Expired User Identity (Narrative and Use Case Center) Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end date of the identity has been passed). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw Event Data, user ... Aug 14, 2016
UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases ... Apr 08, 2016
UC0043 Direct Authentication to NHA (Narrative and Use Case Center) Direct authentication via SSH or console session to a non human account indicates a violation of security policy by recording the password of a non human account for later use or by association of a SSH key to a non human account. Problem Types Addressed Risk ... Apr 11, 2016
Maturing
Found 31 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication".
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016
UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted (Narrative and Use Case Center) A human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no further activity from any other account owned by the user. Problem Types Addressed Risk Addressed Event ... Apr 08, 2016
UCESS020 Excessive Failed Logins (Narrative and Use Case Center) Detects an excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting 5 minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user ... Aug 14, 2016
UCESS016 Default Account Activity Detected (Narrative and Use Case Center) Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ... Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center) each authentication technology in the network identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators Problem Types Addressed Risk Addressed Event ... Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center) Detection of logon with the same account to a production and a non-production environment. If an account (not a user) has logged into more than one enclave, access management controls have failed and must be remediated. Problem Types Addressed Risk Addressed Event Data ... Jun 24, 2016
UC0018 Unauthorized access SSO brute force (Narrative and Use Case Center) A single IP address attempting authentication of more than two valid users within ten minutes, where one or more unique accounts is successful and one or more accounts is not successful, against an approved SSO system. Problem Types Addressed ... Apr 08, 2016
UC0034 Brute force successful authentication (Narrative and Use Case Center) A source IP identified by a brute force use case authenticates successfully, OR an account identified by a brute force use case logs in successfully after failing once from the same source address. Problem Types Addressed Risk Addressed Event Data ... Apr 27, 2016
UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center) Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last ... Jun 24, 2016
UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center) When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is attempting ... Jun 08, 2016
UC0045 Local authentication server (Narrative and Use Case Center) Following provisioning, *nix servers seldom require local administration. Investigate any use of local (console) authentication, as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 11, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using the insecure protocol SSH v1 detected. The legacy SSH v1 protocol is inherently insecure; accepted SSHv1 sessions indicate a misconfigured system, while attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0042 SSH Authentication using unknown key (Narrative and Use Case Center) The public key utilized for authentication is recorded (by fingerprint) in the sshd authentication log. Detection of a new key should be investigated to determine the owner of the key and validate authorization to access the resource. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ... Apr 11, 2016
UC0044 Network authentication using password auth (Narrative and Use Case Center) Even with SSH encryption, allowing password authentication to Linux/Unix systems over the network increases the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of network authentication utilizing passwords. Problem Types Addressed ... Apr 11, 2016
UC0032 Brute force authentication attempt (Narrative and Use Case Center) When more than 10 failed authentication attempts for known accounts occur from a single endpoint. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET02Failure DE001AssetInformation DE002IdentityInformation Adoption Phase Customer ... Apr 08, 2016
UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center) Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of the normal usage of such an account: a logon where the interactive indicator is set, or a logon where the caller computer is a workstation or terminal server. Problem Types Addressed Risk ... Apr 08, 2016
UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case Center) A user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could indicate malicious activity by the employee or a compromised account. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET01Success ... Apr 08, 2016
UC0008 Activity on previously inactive account (Narrative and Use Case Center) Excluding computer accounts in active directory, an account with new activity that has not been active in the previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success DE002IdentityInformation Adoption ... Apr 08, 2016
UCESS014 Completely Inactive Account (Narrative and Use Case Center) Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by attackers to gain unauthorized access. Access tracker contains destination (host, IP, name), first and last time seen, 2nd to last time seen and user ... Aug 14, 2016
UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center) Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look across the time range of less than 90 days ago and greater ... Aug 14, 2016
UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the application, user ... Aug 14, 2016
UC0009 Authenticated communication from a risky source network (Narrative and Use Case Center) An Internet facing authentication system has allowed authenticated access from a risky source network. Always risky: anonymizing services such as VPN providers, proxy systems, and threat list identification of the IP. For B2B communications, consider the following sources risky: dial ... Apr 08, 2016
UC0007 Account logon successful method outside of policy (Narrative and Use Case Center) Logon event properties can indicate account misuse in violation of policy, OR serve as an indication of compromise, by comparing the identified purpose of the account to the context of the logon to determine if the account is authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a network or batch ... Jun 24, 2016 Labels: creative
UC0079 Use of accountable privileged identity to access new or rare sensitive resource (Narrative and Use Case Center) Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger a notable event for review of the access reason. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityPriviledgeUserMonitoring RV1AbuseofAccess ... Apr 08, 2016
UC0015 Privileged user accessing more than expected number of machines in period (Narrative and Use Case Center) A privileged user authenticates to more than X new targets successfully, or is denied access to more than Y targets, in the prior Z hours. For example: more than 5 new targets, more than 3 failures, in the last ... Apr 08, 2016
UC0071 Improbably short time between Remote Authentications with IP change (Narrative and Use Case Center) For employers that allow remote external connectivity, the detection of two or more distinct external source IP addresses for successful authentications to a remote access solution in a short period of time indicates a likely compromise of credentials. The short period of time value ... Apr 25, 2016
UC0016 Successfully authenticated computer accounts accessing network resources (Narrative and Use Case Center) Batch jobs, Windows services, app pools, and specially constructed Windows shells can access network resources. A small number of technical solutions will require this type of behavior; however, after excluding a white list of hosts or shares (such as sysvol or netlogon), such access ... Apr 08, 2016
UC0011 Improbable distance between logins (Narrative and Use Case Center) Utilizing source IP address, geolocation data, and, where available for company owned mobile devices, device GPS. Using the Haversine formula, calculate the distance between successful authenticated connections. Detect where: total distance is greater than ... Apr 08, 2016
UC0035 Compromised account access testing (Narrative and Use Case Center) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion detection or DLP technologies to detect the activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases ... Apr 08, 2016
Mature Found 31 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS003Authentication".
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016
UC0014 Monitor use attempts of human accounts once primary account is expired, disabled or deleted (Narrative and Use Case Center) A human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no further activity from any other account owned by the user. Problem Types Addressed Risk Addressed Event ... Apr 08, 2016
UCESS020 Excessive Failed Logins (Narrative and Use Case Center) Detects an excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting 5 minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user ... Aug 14, 2016
UCESS016 Default Account Activity Detected (Narrative and Use Case Center) Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ... Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center) For each authentication technology in the network, identify the values in authentication events that positively confirm secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center) Detection of logon with the same account to a production and a non-production environment. If an account (not a user) has logged into more than one enclave, access management controls have failed and must be remediated. Problem Types Addressed Risk Addressed Event Data ... Jun 24, 2016
UC0018 Unauthorized access SSO brute force (Narrative and Use Case Center) A single IP address attempting authentication of more than two valid users within ten minutes, where one or more unique accounts is successful and one or more accounts is not successful, against an approved SSO system. Problem Types Addressed ... Apr 08, 2016
UC0034 Brute force successful authentication (Narrative and Use Case Center) A source IP identified by a brute force use case authenticates successfully, OR an account identified by a brute force use case logs in successfully after failing once from the same source address. Problem Types Addressed Risk Addressed Event Data ... Apr 27, 2016
UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center) Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last ... Jun 24, 2016
UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center) When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is attempting ... Jun 08, 2016
UC0045 Local authentication server (Narrative and Use Case Center) Following provisioning, *nix servers seldom require local administration. Investigate any use of local (console) authentication, as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 11, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using the insecure protocol SSH v1 detected. The legacy SSH v1 protocol is inherently insecure; accepted SSHv1 sessions indicate a misconfigured system, while attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0042 SSH Authentication using unknown key (Narrative and Use Case Center) The public key utilized for authentication is recorded (by fingerprint) in the sshd authentication log. Detection of a new key should be investigated to determine the owner of the key and validate authorization to access the resource. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ... Apr 11, 2016
UC0044 Network authentication using password auth (Narrative and Use Case Center) Even with SSH encryption, allowing password authentication to Linux/Unix systems over the network increases the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of network authentication utilizing passwords. Problem Types Addressed ... Apr 11, 2016
UC0032 Brute force authentication attempt (Narrative and Use Case Center) When more than 10 failed authentication attempts for known accounts occur from a single endpoint. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET02Failure DE001AssetInformation DE002IdentityInformation Adoption Phase Customer ... Apr 08, 2016
UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center) Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of the normal usage of such an account: a logon where the interactive indicator is set, or a logon where the caller computer is a workstation or terminal server. Problem Types Addressed Risk ... Apr 08, 2016
UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case Center) A user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could indicate malicious activity by the employee or a compromised account. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET01Success ... Apr 08, 2016
UC0008 Activity on previously inactive account (Narrative and Use Case Center) Excluding computer accounts in active directory, an account with new activity that has not been active in the previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success DE002IdentityInformation Adoption ... Apr 08, 2016
UCESS014 Completely Inactive Account (Narrative and Use Case Center) Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by attackers to gain unauthorized access. Access tracker contains destination (host, IP, name), first and last time seen, 2nd to last time seen and user ... Aug 14, 2016
UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center) Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look across the time range of less than 90 days ago and greater ... Aug 14, 2016
UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the application, user ... Aug 14, 2016
UC0009 Authenticated communication from a risky source network (Narrative and Use Case Center) An Internet facing authentication system has allowed authenticated access from a risky source network. Always risky: anonymizing services such as VPN providers, proxy systems, and threat list identification of the IP. For B2B communications, consider the following sources risky: dial ... Apr 08, 2016
UC0007 Account logon successful method outside of policy (Narrative and Use Case Center) Logon event properties can indicate account misuse in violation of policy, OR serve as an indication of compromise, by comparing the identified purpose of the account to the context of the logon to determine if the account is authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a network or batch ... Jun 24, 2016 Labels: creative
UC0079 Use of accountable privileged identity to access new or rare sensitive resource (Narrative and Use Case Center) Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger a notable event for review of the access reason. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityPriviledgeUserMonitoring RV1AbuseofAccess ... Apr 08, 2016
UC0015 Privileged user accessing more than expected number of machines in period (Narrative and Use Case Center) A privileged user authenticates to more than X new targets successfully, or is denied access to more than Y targets, in the prior Z hours. For example: more than 5 new targets, more than 3 failures, in the last ... Apr 08, 2016
UC0071 Improbably short time between Remote Authentications with IP change (Narrative and Use Case Center) For employers that allow remote external connectivity, the detection of two or more distinct external source IP addresses for successful authentications to a remote access solution in a short period of time indicates a likely compromise of credentials. The short period of time value ... Apr 25, 2016
UC0016 Successfully authenticated computer accounts accessing network resources (Narrative and Use Case Center) Batch jobs, Windows services, app pools, and specially constructed Windows shells can access network resources. A small number of technical solutions will require this type of behavior; however, after excluding a white list of hosts or shares (such as sysvol or netlogon), such access ... Apr 08, 2016
UC0011 Improbable distance between logins (Narrative and Use Case Center) Utilizing source IP address, geolocation data, and, where available for company owned mobile devices, device GPS. Using the Haversine formula, calculate the distance between successful authenticated connections. Detect where: total distance is greater than ... Apr 08, 2016
UC0035 Compromised account access testing (Narrative and Use Case Center) Following a successful authentication, an attacker will attempt to determine what resources may be accessed without causing host intrusion detection or DLP technologies to detect the activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect to databases ... Apr 08, 2016
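The brute force family listed above (UC0032 single endpoint, UC0033 distributed, UC0018 SSO, UC0034 success after brute force) shares one mechanic: count events per key over a trailing window and compare against a threshold. What follows is an added example, not Splunk's correlation-search code, that runs those four rules over a constructed set of authentication events. The event fields mirror the CIM Authentication data model (user, src, dest, action); the 60-minute window for UC0032, the identity list and the sample addresses are assumptions, and UC0034 is implemented for its first clause only (a flagged source later authenticating successfully).

```python
"""Windowed brute-force checks over constructed authentication events.

Added example (not Splunk's correlation search code). Field names mirror the
CIM Authentication data model (user, src, dest, action); thresholds and the
60-minute window for UC0032 are assumptions where the page gives none.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int       # epoch seconds
    user: str     # account name
    src: str      # source IP
    dest: str     # target application or host
    action: str   # "success" or "failure"


# Constructed identity list: the page scopes UC0032/UC0033 to "known accounts".
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin", "svc_backup"}
BASE = 1_471_000_000  # arbitrary epoch base for the constructed sample


def _windows(events, key, window):
    """For each event (in time order) yield (key, events with the same key
    in the trailing `window` seconds, inclusive of that event)."""
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        k = key(e)
        bucket = buckets[k]
        bucket.append(e)
        while bucket[0].ts < e.ts - window:
            bucket.pop(0)
        yield k, list(bucket)


def _known_failures(events):
    return [e for e in events if e.action == "failure" and e.user in KNOWN_ACCOUNTS]


def single_source_brute_force(events, window=3600, threshold=10):
    """UC0032: more than `threshold` failures for known accounts from one src.
    Returns {src: ts of the failure that crossed the threshold}."""
    hits = {}
    for src, win in _windows(_known_failures(events), lambda e: e.src, window):
        if len(win) > threshold:
            hits.setdefault(src, win[-1].ts)
    return hits


def distributed_brute_force(events, window=3600, threshold=10, min_sources=2):
    """UC0033: more than `threshold` failures for one account from more than
    `min_sources` distinct IPs inside `window` seconds. Returns {user: [srcs]}."""
    hits = {}
    for user, win in _windows(_known_failures(events), lambda e: e.user, window):
        srcs = {e.src for e in win}
        if len(win) > threshold and len(srcs) > min_sources:
            hits.setdefault(user, sorted(srcs))
    return hits


def sso_spray(events, window=600, min_users=2):
    """UC0018: one src tries more than `min_users` valid accounts within
    `window` seconds with at least one success and one failure among them."""
    hits = {}
    known = [e for e in events if e.user in KNOWN_ACCOUNTS]
    for src, win in _windows(known, lambda e: e.src, window):
        users = {e.user for e in win}
        if len(users) > min_users and {e.action for e in win} >= {"success", "failure"}:
            hits.setdefault(src, sorted(users))
    return hits


def brute_force_then_success(events, flagged):
    """UC0034 (first clause): a src already flagged by a brute-force rule
    (src -> ts flagged) later authenticates successfully. Returns [(src, user, ts)]."""
    return [(e.src, e.user, e.ts)
            for e in sorted(events, key=lambda ev: ev.ts)
            if e.action == "success" and e.src in flagged and e.ts >= flagged[e.src]]


def build_sample():
    """Constructed events: one single-source attack that ends in success, one
    distributed attack on a service account, one SSO spray, benign noise, and
    failures against an account that is not in the identity list."""
    ev = []
    # 12 failures for alice from one IP, one per minute, then a success.
    ev += [AuthEvent(BASE + i * 60, "alice", "203.0.113.10", "vpn", "failure") for i in range(12)]
    ev.append(AuthEvent(BASE + 720, "alice", "203.0.113.10", "vpn", "success"))
    # 12 failures for svc_backup spread over three IPs (4 each) in 20 minutes.
    srcs = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    ev += [AuthEvent(BASE + 2000 + i * 100, "svc_backup", srcs[i % 3], "sso", "failure") for i in range(12)]
    # One IP walking three valid accounts in five minutes, the last one succeeds.
    ev += [AuthEvent(BASE + 5000, "bob", "192.0.2.50", "sso", "failure"),
           AuthEvent(BASE + 5060, "carol", "192.0.2.50", "sso", "failure"),
           AuthEvent(BASE + 5120, "dave", "192.0.2.50", "sso", "success")]
    # Benign login, and failures against an account the identity list does not know.
    ev.append(AuthEvent(BASE + 6000, "erin", "10.0.0.5", "vpn", "success"))
    ev += [AuthEvent(BASE + 7000 + i * 30, "administrator", "198.51.100.99", "vpn", "failure") for i in range(11)]
    return ev


if __name__ == "__main__":
    sample = build_sample()
    flagged = single_source_brute_force(sample)
    print("UC0032", flagged)
    print("UC0033", distributed_brute_force(sample))
    print("UC0018", sso_spray(sample))
    print("UC0034", brute_force_then_success(sample, flagged))
```

In Splunk the same counts are a `tstats` over the Authentication data model split by `Authentication.src` or `Authentication.user` with the window set by earliest/latest; the value of the stand-alone version is that the window edges and the "more than" versus "at least" semantics can be tested before they are encoded as a correlation search. Note that the known-accounts filter drops the eleven guesses against administrator: those belong to the default-account rule (UCESS016), not to these counts, and the distributed attack on svc_backup never trips the single-source rule because no one IP exceeds four failures.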
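UC0011 and UC0071 above are truncated before the threshold; what a practitioner needs is the distance between consecutive logins and the speed that distance implies. The block below is an added example, not the use case's own search, applying the Haversine formula to constructed logins whose coordinates are assumed to have been attached already (in Splunk that is the iplocation or asset lookup). The 900 km/h ceiling and the 50 km floor are assumptions; the page does not state them.

```python
"""Improbable-travel check (UC0011 / UC0071) over constructed logins.

Added example, not Splunk's own code. Coordinates are assumed to have already
been attached to each login (in Splunk that is the iplocation/asset lookup);
the 900 km/h ceiling and 50 km floor are assumptions, the page leaves the
threshold unspecified.
"""
import math
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def improbable_travel(logins, max_kmh=900.0, min_km=50.0):
    """Compare each successful login with the previous one by the same user.
    Flags pairs whose implied speed exceeds max_kmh; pairs closer than min_km
    are ignored so that NAT churn or two geolocations of one city do not fire.
    A zero elapsed time (UC0071's two external IPs at once) counts as infinite
    speed. logins: iterable of (ts, user, src_ip, lat, lon)."""
    by_user = defaultdict(list)
    for rec in logins:
        by_user[rec[1]].append(rec)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r[0])
        for prev, cur in zip(recs, recs[1:]):
            if prev[2] == cur[2]:
                continue  # same source address: nothing to compare
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            hours = (cur[0] - prev[0]) / 3600.0
            kmh = km / hours if hours > 0 else math.inf
            if km > min_km and kmh > max_kmh:
                alerts.append({"user": user, "from": prev[2], "to": cur[2],
                               "km": round(km, 1), "hours": round(hours, 2), "kmh": kmh})
    alerts.sort(key=lambda a: a["user"])
    return alerts


# Constructed sample: coordinates for San Francisco, New York, San Jose, London.
SF, NYC, SJ, LON = (37.7749, -122.4194), (40.7128, -74.0060), (37.3382, -121.8863), (51.5074, -0.1278)
T0 = 1_471_000_000
SAMPLE_LOGINS = [
    (T0, "alice", "203.0.113.10", *SF), (T0 + 3600, "alice", "198.51.100.7", *NYC),      # 1 h coast to coast
    (T0, "bob", "203.0.113.11", *SF), (T0 + 1800, "bob", "203.0.113.12", *SJ),           # short hop, fine
    (T0, "carol", "203.0.113.13", *SF), (T0 + 14 * 3600, "carol", "192.0.2.8", *LON),    # flight-time plausible
    (T0, "dave", "203.0.113.14", *SF), (T0, "dave", "203.0.113.15", *SF),                # two IPs, same city
    (T0 + 7200, "erin", "203.0.113.16", *SF), (T0 + 7200, "erin", "198.51.100.9", *NYC),  # same second, two coasts
]

if __name__ == "__main__":
    for a in improbable_travel(SAMPLE_LOGINS):
        print(a)
```

Two of the five users are flagged: alice (about 4,130 km in one hour) and erin (two coasts in the same second, the UC0071 case). Carol's 14 hours to London is below the ceiling, bob's hop to San Jose is below the floor, and dave's two addresses both geolocate to the same city, which is the usual source of false positives when a threshold is set on distance alone.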
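UC0008, UCESS014, UCESS037 and UC0093 are all driven by the same three per-account timestamps (first seen, last seen, second-to-last seen) that the UCESS014 access tracker keeps. The block below is an added example, not the tracker itself: it builds those fields from constructed successful logins and applies the 30-day reactivation and 90-day dormancy rules the entries state. The exclusion of Active Directory computer accounts relies on the trailing `$` of their sAMAccountName; the sample accounts and dates are constructed.

```python
"""Access-tracker style dormancy checks (UC0008, UCESS014, UCESS037, UC0093).

Added example, not Splunk's access tracker. Input is successful
authentication events as (ts, user, dest); the 30-day reactivation gap and
90-day dormancy horizon come from the page, the computer-account exclusion
uses the AD convention that machine accounts end in '$'.
"""
DAY = 86400


def build_tracker(events):
    """Per user: first seen, last seen and second-to-last seen timestamps,
    the same three fields the UCESS014 access tracker keeps."""
    tracker = {}
    for ts, user, _dest in sorted(events):
        t = tracker.setdefault(user, {"first": ts, "last": None, "prev": None})
        t["prev"], t["last"] = t["last"], ts
    return tracker


def reactivated_accounts(tracker, gap_days=30):
    """UC0008 / UCESS037: a login after more than gap_days of silence,
    ignoring AD computer accounts."""
    return sorted(u for u, t in tracker.items()
                  if not u.endswith("$") and t["prev"] is not None
                  and t["last"] - t["prev"] > gap_days * DAY)


def completely_inactive(tracker, now, horizon_days=90):
    """UCESS014 / UC0093: accounts with no successful login in horizon_days;
    candidates for disablement and access removal."""
    return sorted(u for u, t in tracker.items() if now - t["last"] > horizon_days * DAY)


T0 = 1_460_000_000
NOW = T0 + 120 * DAY
# Constructed successful logins (ts, user, dest).
SAMPLE = (
    [(T0 + d * DAY, "alice", "fileserver") for d in range(0, 120, 3)]   # steady use
    + [(T0, "bob", "vpn"), (T0 + 45 * DAY, "bob", "vpn")]                # 45-day gap
    + [(T0, "WS01$", "dc01"), (T0 + 60 * DAY, "WS01$", "dc01")]          # machine account, excluded
    + [(T0, "carol", "hr-portal")]                                        # silent for 120 days
    + [(T0 + 100 * DAY, "dave", "jira"), (T0 + 118 * DAY, "dave", "jira")]
)

if __name__ == "__main__":
    tr = build_tracker(SAMPLE)
    print("reactivated:", reactivated_accounts(tr))
    print("inactive:", completely_inactive(tr, NOW))
```

The reactivation rule fires for bob only; WS01$ has the same 60-day gap but is a computer account, and dave's 18-day gap is under the threshold. Carol is the only completely inactive account: her single login is 120 days old, which is also the UC0093 case of access that should be removed rather than merely watched.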
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS003Authentication" NOT contentBody:"DS003Authentication-*".
DS004EndPointAntiMalware The weakest link in corporate security is the individual, and antivirus is one way to protect individuals from the consequences of inadvertently harmful actions. Whether it is clicking an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one sent by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage.
Security Value
Continuous Monitoring: Monitoring for detection of malicious code using signatures, to maintain a clean environment and react to newly identified weaknesses as exploited by attackers.
Forensic Investigation: Identification of the point of origin and potentially involved hosts in targeted and untargeted attacks.
Legal compliance: Utilize logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware".
UCESS035 Host With Multiple Infections (Narrative and Use Case Center) Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the count is greater ... Aug 14, 2016
UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center) Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data even if the model has changed, return an estimated distinct count of destination (host, IP, name) where nodename is MalwareAttacks ... Aug 14, 2016
UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center) Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5 minutes, search for destination priority (assigned in the asset table) of high or critical and return most recently seen time, original raw log, destination ... Aug 14, 2016
UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center) Detects users with a high or critical priority logging into a malware infected machine. Using all summary data even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user priority ... Aug 14, 2016
UCESS043 Outbreak Detected (Narrative and Use Case Center) Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infection. For the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the systems affected by the malware ... Apr 26, 2016
UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center) Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should be evaluated to determine why they are not updating their malware signatures. Execute the malware operations tracker macro, calculate the timesignatureversion and return results where the day difference between ... Apr 26, 2016
UCESS036 Host With Old Infection Or Potential Re-Infection (Narrative and Use Case Center) Alerts when a host with an old infection is discovered (likely a reinfection). For the past 60 minutes starting 5 minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup against the malwaretracker and match on destination and signature. If a match ... Apr 26, 2016
UCESS032 Host With A Recurring Malware Infection (Narrative and Use Case Center) Alerts when a host has an infection that has been removed and reinfected multiple times over multiple days. For the past 10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model ... Apr 26, 2016
UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center) Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DDE007 Signature Special Processing List ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center) When a new malware variant is detected by endpoint antivirus technology, it is possible the configuration or capability of other controls is deficient. Review the sequence of events leading to the infection to determine if additional preventive measures can be put in place. Problem Types Addressed Risk ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing Found 6 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware".
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center) Detection of logon device by asset name (may require resolution from IP) when logon user does not match the owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner ... May 16, 2016
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center) Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than 5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center) Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts are active on a subnet. Problem Types Addressed ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and Use Case Center) Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center) Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an undetected loader malware component (APT). Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center) An endpoint anti-malware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing ... Apr 11, 2016 Labels: prt05-tacticalthreat-ransomeware
Mature Found 6 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS004EndPointAntiMalware".
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center) Detection of logon device by asset name (may require resolution from IP) when logon user does not match the owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner ... May 16, 2016
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center) Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than 5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center) Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts are active on a subnet. Problem Types Addressed ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and Use Case Center) Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center) Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an undetected loader malware component (APT). Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center) Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing ... Apr 11, 2016 Labels: prt05-tacticalthreat-ransomeware
Copyright © 2016, Splunk Inc.
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware".
DS005WebProxyRequest Web proxies and some next generation firewalls may act in transparent or explicit mode, communicating with web servers on behalf of a client. Using a number of related technologies, the request and response can be permitted or blocked based on the user's role, the site or resource category, or an attack indicator. Data logged in the events can potentially be used in detective correlation.
Security Value
Continuous Monitoring - Monitor logs using analytic concepts such as new, rare and extreme values over fields including sender, recipient, IP and domain to identify actors and potential victims of web-based attacks. Monitor user agent strings in relation to websites and categories for potential indication of malware command and control. Monitor user agent strings and changes in requests for a resource for potential indication of data exfiltration.
Forensic Investigation - Utilize log events in conjunction with other events to identify potential actors involved in targeted activity. Utilize log events to identify additional possible victims of related attacks. Utilize log events to establish a timeline of who, when and what when investigating internal activity.
Legal compliance - Utilize logs to support discovery and defense of legal claims.
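The new, rare and extreme analytics named above, worked through over web proxy request records. This is an added example written for this edition of the library, not a search from the Splunk use case library or from Enterprise Security. The log format, the field names, the client addresses, users and domains are all constructed sample data; the cutoff that separates the historical baseline from the detection window, and the one-standard-deviation threshold used for "extreme", are assumptions for the example (the threshold mirrors the "more than 1 standard deviation from peers" rule stated by UC0038 later in this library).

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy records: epoch seconds, client IP, user, method, URL, user agent.
# Everything before BASELINE_CUTOFF is the historical baseline; the rest is the detection window.
BASELINE_CUTOFF = 1474500000  # assumed boundary between baseline and window (constructed)
SAMPLE_LOG = """\
1474000000 10.1.2.10 alice GET http://intranet.example.com/home "Mozilla/5.0"
1474000100 10.1.2.11 bob GET https://intranet.example.com/docs "Mozilla/5.0"
1474000200 10.1.2.12 carol GET https://cdn.example.net/app.js "Mozilla/5.0"
1474000300 10.1.2.10 alice GET https://cdn.example.net/style.css "Mozilla/5.0"
1474600000 10.1.2.10 alice GET https://intranet.example.com/home "Mozilla/5.0"
1474600010 10.1.2.11 bob GET https://intranet.example.com/home "Mozilla/5.0"
1474600020 10.1.2.12 carol GET https://intranet.example.com/home "Mozilla/5.0"
1474600030 10.1.2.13 dave GET https://cdn.example.net/app.js "Mozilla/5.0"
1474600040 10.1.2.10 alice GET https://news.example.org/top "Mozilla/5.0"
1474600050 10.1.2.11 bob GET https://news.example.org/top "Mozilla/5.0"
"""
# One client polling a previously unseen domain once a minute with a scripted user agent (constructed).
SAMPLE_LOG += "".join(
    f'{1474600100 + 60 * i} 10.1.2.13 dave GET http://update-check.example.test/ping "python-requests/2.9"\n'
    for i in range(10)
)

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_proxy_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, user, method, url, ua = m.groups()
        records.append({"time": int(ts), "client": client, "user": user, "method": method,
                        "url": url, "domain": urlsplit(url).hostname, "ua": ua})
    return records


def new_domains(records, cutoff):
    """'New': domains requested in the window that never appeared in the baseline."""
    baseline = {r["domain"] for r in records if r["time"] < cutoff}
    window = {r["domain"] for r in records if r["time"] >= cutoff}
    return window - baseline


def rare_domains(records, max_clients=1):
    """'Rare': domains contacted by at most max_clients distinct client addresses overall."""
    clients = defaultdict(set)
    for r in records:
        clients[r["domain"]].add(r["client"])
    return {d: c for d, c in clients.items() if len(c) <= max_clients}


def extreme_clients(records, cutoff, k=1.0):
    """'Extreme': clients whose window request count exceeds the peer mean by more than
    k population standard deviations. Returns an empty dict when there are no peers to compare."""
    counts = defaultdict(int)
    for r in records:
        if r["time"] >= cutoff:
            counts[r["client"]] += 1
    if len(counts) < 2:
        return {}
    mean = statistics.mean(counts.values())
    sd = statistics.pstdev(counts.values())
    return {c: n for c, n in counts.items() if n > mean + k * sd}


def agents_per_domain(records):
    """User agents observed per domain; a scripted agent on a new domain deserves analyst review."""
    agents = defaultdict(set)
    for r in records:
        agents[r["domain"]].add(r["ua"])
    return agents


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_LOG)
    print("new domains:", sorted(new_domains(recs, BASELINE_CUTOFF)))
    print("rare domains:", rare_domains(recs))
    print("extreme clients:", extreme_clients(recs, BASELINE_CUTOFF))
    for d in new_domains(recs, BASELINE_CUTOFF):
        print(d, "agents:", agents_per_domain(recs)[d])
```

Rarity is computed over baseline plus window so that a long-established CDN touched by one client in the window is not reported; newness is computed against the baseline only. Either choice is a tuning decision, and the baseline must be long enough (the library's UC0047 and UC0081 entries use registration age and reputation as further qualifiers) or every quiet Monday morning will look new.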
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS005WebProxyRequest".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing Found 4 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebProxyRequest".
UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center) Alerts on high volume web uploads by a user to noncorporate domains. For the past 60 minutes starting 5 minutes after realtime, sum the total number of bytes transferred where the HTTPmethod is POST or PUT and the domain is not in the corporate web domain lookup ... Aug 14, 2016
UC0001 Detection of new/prohibited web application (Narrative and Use Case Center) prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by modern web proxy solutions and next generation firewalls. Allowed prohibited applications or New application instances should be reviewed to ensure proper use. Problem Types ... Apr 08, 2016
UC0047 Communication with newly seen domain (Narrative and Use Case Center) Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially identify weaknesses or risky ... Jul 20, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
Mature Found 4 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS005WebProxyRequest".
UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center) Alerts on high volume web uploads by a user to noncorporate domains. For the past 60 minutes starting 5 minutes after realtime, sum the total number of bytes transferred where the HTTPmethod is POST or PUT and the domain is not in the corporate web domain lookup ... Aug 14, 2016
UC0001 Detection of new/prohibited web application (Narrative and Use Case Center) prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by modern web proxy solutions and next generation firewalls. Allowed prohibited applications or New application instances should be reviewed to ensure proper use. Problem Types ... Apr 08, 2016
UC0047 Communication with newly seen domain (Narrative and Use Case Center) Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially identify weaknesses or risky ... Jul 20, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
Providing Technologies Found 6 search result(s) for title:PT* contentBody:"DS005WebProxyRequest".
PT004-McAfee Web Gateway (Narrative and Use Case Center) Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware providertype Apr 06, 2016 Labels: provider-type
PT009-SourceFire (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT008-Snort (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT006-PaloAlto Firewall (Narrative and Use Case Center) Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT011-Bluecoat (Narrative and Use Case Center) ... Provides DS003Authentication DS005WebProxyRequest providertype Feb 05, 2016 Labels: provider-type
PT010-Websense (Narrative and Use Case Center) ... Provides DS003Authentication DS005WebProxyRequest providertype Feb 05, 2016 Labels: provider-type
DS006UserActivity User activity within the organization's environment, such as create, read (display), update, delete and search events, must include critical data such as action, result, app, and a locator URI allowing normalized search on the targets of activity.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity".
UCESS045 Potential Gap in Data (Narrative and Use Case Center) Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context ... Aug 16, 2016
Maturing Found 9 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-*".
UCESS049 Short-lived Account Detected (Narrative and Use Case Center) past 4 hours, find all events where action is equal to created or deleted. Look at the time range across user and destination and use only two events and only return events where the count is greater than 1 and the time range ... Aug 14, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center) Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access ... Apr 11, 2016
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center) Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess ... Apr 25, 2016
UC0013 Monitor change for high value groups (Narrative and Use Case Center) Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS006UserActivityET04Update DE002IdentityInformation Identity category terminated Identity category reductioninforce ... Apr 08, 2016
UC0038 Excessive use of Shared Secrets (Narrative and Use Case Center) Usage of greater than X number of unique shared/secret credentials or more than 1 standard deviation from peers Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ... Apr 11, 2016
UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center) Use of a secret/shared secret account for access to such a system rather than accountable credentials could indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ... Apr 11, 2016
UCESS004 Account Deleted (Narrative and Use Case Center) Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the value delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the count is greater than 0: Last ... Aug 14, 2016
UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center) Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values where firstTime is greater than or equal to earliestQual ... Aug 14, 2016
UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016
Mature Found 9 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS006UserActivity-*".
UCESS049 Short-lived Account Detected (Narrative and Use Case Center) past 4 hours, find all events where action is equal to created or deleted. Look at the time range across user and destination and use only two events and only return events where the count is greater than 1 and the time range ... Aug 14, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center) Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access ... Apr 11, 2016
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center) Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess ... Apr 25, 2016
UC0013 Monitor change for high value groups (Narrative and Use Case Center) Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS006UserActivityET04Update DE002IdentityInformation Identity category terminated Identity category reductioninforce ... Apr 08, 2016
UC0038 Excessive use of Shared Secrets (Narrative and Use Case Center) Usage of greater than X number of unique shared/secret credentials or more than 1 standard deviation from peers Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ... Apr 11, 2016
UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center) Use of a secret/shared secret account for access to such a system rather than accountable credentials could indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ... Apr 11, 2016
UCESS004 Account Deleted (Narrative and Use Case Center) Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the value delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the count is greater than 0: Last ... Aug 14, 2016
UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center) Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values where firstTime is greater than or equal to earliestQual ... Aug 14, 2016
UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS006UserActivity".
PT012-Splunk-InternalLogging (Narrative and Use Case Center) ... extensive internal logging covering performance and usage. Provides DS003Authentication DS003AuthenticationET01Success DS003AuthenticationET02Failure DS006UserActivity Key Facts Impact to index/license None LOADLow Work Estimates None ... Apr 01, 2016 Labels: provider-type
DS007AuditTrail Audit trail events represent a special class of events which can be triggered based on automated or user interaction with systems and indicate a condition has occurred where the integrity of the source is suspect at a point in time.
Security Value
Continuous Monitoring - Identification of conditions which may impact the trustworthiness of a log source
Forensic Investigation - Identification of the point in time where trust in the log source may be suspect
Legal compliance - Utilize logs to support discovery and defense of legal claims. Utilize logs to establish a time sequence
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail".
UC0006 Windows security event log purged (Narrative and Use Case Center) Manually clearing the security event log on a windows system is a violation of policy and could indicate an attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear DE001AssetInformation Adoption ... Apr 08, 2016
UC0046 Endpoint failure to sync time (Narrative and Use Case Center) Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016
UCESS022 Expected Host Not Reporting (Narrative and Use Case Center) ... Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV6Misconfiguration DS007AuditTrail DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase Industry ... Aug 14, 2016
Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-*".
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016
UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center) Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by some regulatory compliance standards (such as PCI). For the past 30 days ... Aug 14, 2016
Mature Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS007AuditTrail-*".
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016
UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center) Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by some regulatory compliance standards (such as PCI). For the past 30 days ... Aug 14, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail".
PT005-Microsoft-Windows (Narrative and Use Case Center) ... Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication DS007AuditTrail DS007AuditTrailET01Clear DS007AuditTrailET02Alter Key Facts Impact to index/license Based on log files ... Aug 09, 2016 Labels: provider-type
DS008HRMasterData Master Data system for Human Resources may publish an event indicating critical changes impacting people in an organization. Human Resources records include the entire employee lifecycle including recruitment, selection, hiring, job position and classification, promotion, salary, and bonuses, performance and ratings, disciplinary actions, training and certifications, and separation or retirement. For hourly employees, HR data often includes time and attendance records. HR systems often feed payroll and finance systems for processing salary and benefits. HR records provide the definitive source of employee information for identity management systems and enterprise directories, making them an important source for authentication and authorization data. Although HR data traditionally has been textual, it increasingly includes images and biometric information such as an employee's portrait, fingerprints, and iris scans.
Security Value Continuous Monitoring - Identification of events which could increase the risk of a user
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData".
Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-*".
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use Case Center) Increase the risk score of users who have an indication of adverse separation. Examples of users with an indication of adverse separation include, but are not limited to, the following: User has entered a remediation program with human resources User has been identified as included in a reduction ... Apr 08, 2016
UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case Center) ... Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET01Success DS008HRMasterData DE001AssetInformation DE002IdentityInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... Apr 08, 2016
Mature Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS008HRMasterData-*".
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use Case Center) Increase the risk score of users who have an indication of adverse separation. Examples of users with an indication of adverse separation include, but are not limited to, the following: User has entered a remediation program with human resources User has been identified as included in a reduction ... Apr 08, 2016
UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case Center) ... Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS003AuthenticationET01Success DS008HRMasterData DE001AssetInformation DE002IdentityInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... Apr 08, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData".
DS009EndPointIntel In this context, endpoint refers to the security client software or agent installed on a client device that logs security-related activity not otherwise generated by the host operating system: client OS login, logout and shutdown events, and activity of various applications such as the browser (Explorer, Edge), the mail client (Outlook) and Office applications. Endpoints also log their configuration and various security parameters (certificates, local anti-malware signatures, etc.), all of which is useful in post hoc forensic security incident analysis. Sources of endpoint data vary in their coverage; consider Microsoft EMET, Microsoft Sysmon, Tripwire, Bit9, SolidCore, or McAfee HIDS as examples.
Security Value
Continuous Monitoring - Monitor logs using analytic concepts such as new, rare and extreme values over fields including sender, recipient, IP and domain to identify actors and potential victims of email based attacks.
Forensic Investigation - Utilize email log events in conjunction with other events to identify potential actors involved in targeted activity. Utilize email log events to identify additional possible victims of email based attacks. Utilize email log events to establish a timeline of who, when and what when investigating internal activity.
Legal compliance - Utilize email logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS009EndPointIntel".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing Found 5 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel".
UCESS008 Anomalous New Service (Narrative and Use Case Center) ... Data Sources Enrichment Select PRT Values RV3MaliciousCode https://securitykit.atlassian.net/wiki/display/GD/RV3MaliciousCode?src=contextnavpagetreemode RV6Misconfiguration https://securitykit.atlassian.net/wiki/display/GD/RV6Misconfiguration?src=contextnavpagetreemode DS009EndPointIntel https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode DS009EndPointIntelET01ServiceChange https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation?src=contextnavpagetreemode DDE004 Threat List ... Aug 14, 2016
UCESS028 High Process Count (Narrative and Use Case Center) Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare ... Aug 14, 2016
UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and Use Case Center) Accounts designated for use by services and batch processes should start a limited set of child processes. Creation of new child processes other than the process name defined in the service or batch definition may indicate compromise. Problem Types Addressed ... Apr 08, 2016
UCESS046 Prohibited Process Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes that isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw event ... Aug 14, 2016
UCESS047 Prohibited Service Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro service and return services where isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw ... Aug 14, 2016
Mature Found 5 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS009EndPointIntel".
UCESS008 Anomalous New Service (Narrative and Use Case Center) ... Data Sources Enrichment Select PRT Values RV3MaliciousCode https://securitykit.atlassian.net/wiki/display/GD/RV3MaliciousCode?src=contextnavpagetreemode RV6Misconfiguration https://securitykit.atlassian.net/wiki/display/GD/RV6Misconfiguration?src=contextnavpagetreemode DS009EndPointIntel https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode DS009EndPointIntelET01ServiceChange https://securitykit.atlassian.net/wiki/display/GD/DS009EndPointIntel?src=contextnavpagetreemode DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation?src=contextnavpagetreemode DDE004 Threat List ... Aug 14, 2016
UCESS028 High Process Count (Narrative and Use Case Center) Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare ... Aug 14, 2016
UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and Use Case Center) Accounts designated for use by services and batch processes should start a limited set of child processes. Creation of new child processes other than the process name defined in the service or batch definition may indicate compromise. Problem Types Addressed ... Apr 08, 2016
UCESS046 Prohibited Process Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes that isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw event ... Aug 14, 2016
UCESS047 Prohibited Service Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro service and return services where isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw ... Aug 14, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS009EndPointIntel".
DS010NetworkCommunication
Network communication data is a record of communication between two systems, commonly using TCP version 4 or TCP version 6. Network communication can be recorded by a number of technologies including host operating systems, firewalls, switches, routers, deep packet inspection, and intrusion detection systems.
Firewalls demarcate zones of different security policy. By controlling the flow of network traffic, firewalls act as gatekeepers, collecting valuable data that might not be captured in other locations because of the firewall's unique position as the gatekeeper to network traffic. Firewalls also execute security policy and thus may break applications using unusual or unauthorized network protocols.
Deep Packet Inspection (DPI) is a fundamental technique used by firewalls to inspect the headers and the payload of network packets before passing them down the network subject to security rules. DPI provides information about the source and destination of the packet, the protocol, other IP and TCP/UDP header information and the actual data.
Virtual private networks (VPNs) are a way of building a secure extension of a private network over an insecure, public one. VPNs can be established either between networks, routing all traffic between two sites, or between a client device and a network. Network-to-network VPNs typically are created using strong credentials such as certificates on each end of the connection. Client-to-network VPNs rely on user authentication, which can be as simple as a username and password. VPNs use network tunneling.
IDS and IPS are complementary, parallel security systems that supplement firewalls – IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting specific IP addresses or ranges. Though this type of source can provide this data, it is rare to implement at scale due to performance and placement constraints in the enterprise network.
Switches are network intersections, places where packets move from one network segment to another. In their purest form, switches work within a particular IP subnet and can't route Layer 3 packets on to another network. Modern data center designs typically use a two-tier switch hierarchy: top-of-rack (ToR) switches connecting servers and storage arrays at the edge and aggregation or spine switches connecting to the network core. Although Ethernet switches are far more widespread, some organizations also use Fibre Channel or InfiniBand for storage area networks or HPC interconnects, each of which has its own type of switch.
Routers are devices responsible for ensuring that traffic goes to the right network segment. Unlike switches, which operate at Layer 2, routers work at Layer 3, directing traffic based on TCP/IP address and protocol (port number). Routers are responsible for particular Layer 3 address spaces and manage traffic using information in routing tables and configured policies. Routers exchange information and update their forwarding tables using dynamic routing protocols.
NetFlow is a network monitoring protocol, originally developed by Cisco but now supported by most equipment vendors, that provides a detailed record of network traffic organized by packet flow. A flow is defined as a set of IP packets sharing a set of five to seven attributes, namely IP source and destination address, source and destination port, Layer 3 protocol type, class of service (CoS) and router or switch interface (physical port). Flow records can be exported and aggregated to show traffic movement, statistics, and historical trends.
Security Value
Continuous Monitoring
- Monitoring using analytic concepts such as new, rare, extreme or increasing values over the fields IP, port and protocol to identify actors and potential victims of network based attacks
- Monitoring for communication activity blocked by intermediate defensive systems such as firewalls and intrusion detection systems
Forensic Investigation
- Utilize communication log events, in combination with other events, to identify potential actors involved in targeted activity
- Utilize communication log events to identify additional ingress and egress points
- Utilize communication log events to identify pivot points utilized by attackers to move into controlled network segments
- Utilize communication log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
- Utilize communication logs to support discovery and defense of legal claims.
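To make the flow definition and the per-source monitoring concepts above concrete, here is an added Python example (not code from the use case library or from Splunk): it aggregates constructed NetFlow-style records into flows keyed by the 5-tuple plus CoS and interface, then applies the unique-destination-host and unique-destination-port counts that UC0022 and UC0023 describe, with asset categories (an assumed svcnetworkscanner source and an assumed passive FTP destination) used as exclusions. The record layout, thresholds and the asset category table are assumptions.

```python
"""Added example (not from the Splunk use case library): NetFlow-style flow
aggregation plus the per-source "excessive unique hosts / unique ports"
analytics of UC0022 and UC0023.  Record layout, thresholds and the asset
category table are assumptions constructed for this example."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple


class FlowKey(NamedTuple):
    """Flow identity: the 5-tuple plus class of service and input interface."""
    src_ip: str
    dest_ip: str
    src_port: int
    dest_port: int
    proto: str     # transport protocol name, e.g. tcp, udp
    cos: int       # class of service
    ifindex: int   # router/switch interface the flow was exported from


class FlowStats(NamedTuple):
    packets: int
    bytes: int


# Constructed asset metadata (assumption): address -> category.
ASSET_CATEGORY: Dict[str, str] = {
    "10.1.1.200": "svcnetworkscanner",   # authorized vulnerability scanner
    "10.2.0.60": "svcpassiveftp",        # server negotiating high-numbered ports
}


def _build_sample_records() -> str:
    """Constructed export lines, one record per line:
    src_ip dest_ip src_port dest_port proto cos ifindex packets bytes"""
    lines = [
        # ordinary client: the first two records share a flow key and must merge
        "10.1.1.5 10.2.0.10 51000 443 tcp 0 3 12 9000",
        "10.1.1.5 10.2.0.10 51000 443 tcp 0 3 8 6000",
        "10.1.1.5 10.2.0.11 51001 443 tcp 0 3 5 3000",
    ]
    # 10.1.1.9 reaches 25 distinct hosts on tcp/22 (UC0022 pattern)
    lines += [f"10.1.1.9 10.2.0.{100 + i} {40000 + i} 22 tcp 0 3 1 60" for i in range(25)]
    # 10.1.1.7 reaches 30 distinct ports on one host (UC0023 pattern)
    lines += [f"10.1.1.7 10.2.0.50 {45000 + p} {p} tcp 0 3 1 60" for p in range(1, 31)]
    # 10.1.1.8 uses 25 negotiated data ports on the passive FTP server (benign)
    lines += [f"10.1.1.8 10.2.0.60 {46000 + p} {50000 + p} tcp 0 3 4 2000" for p in range(25)]
    # the authorized scanner shows the same sweep as 10.1.1.9
    lines += [f"10.1.1.200 10.2.0.{100 + i} {40000 + i} 22 tcp 0 3 1 60" for i in range(25)]
    return "\n".join(lines)


SAMPLE_RECORDS = _build_sample_records()


def parse_flows(text: str) -> Dict[FlowKey, FlowStats]:
    """Aggregate records into flows: packets and bytes are summed per flow key."""
    flows: Dict[FlowKey, FlowStats] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        key = FlowKey(f[0], f[1], int(f[2]), int(f[3]), f[4].lower(), int(f[5]), int(f[6]))
        prev = flows.get(key, FlowStats(0, 0))
        flows[key] = FlowStats(prev.packets + int(f[7]), prev.bytes + int(f[8]))
    return flows


def assets_in_category(category: str) -> FrozenSet[str]:
    """Addresses whose asset category matches; used to build exclusion lists."""
    return frozenset(ip for ip, cat in ASSET_CATEGORY.items() if cat == category)


def excessive_unique_hosts(flows: Dict[FlowKey, FlowStats], threshold: int = 20,
                           excluded_sources: FrozenSet[str] = frozenset()) -> List[Tuple[str, int]]:
    """UC0022: sources that reached at least `threshold` distinct destination hosts."""
    dests: Dict[str, Set[str]] = defaultdict(set)
    for k in flows:
        if k.src_ip not in excluded_sources:
            dests[k.src_ip].add(k.dest_ip)
    return sorted((src, len(d)) for src, d in dests.items() if len(d) >= threshold)


def excessive_unique_ports(flows: Dict[FlowKey, FlowStats], threshold: int = 20,
                           excluded_sources: FrozenSet[str] = frozenset(),
                           excluded_dests: FrozenSet[str] = frozenset()) -> List[Tuple[str, int]]:
    """UC0023: sources that reached at least `threshold` distinct (proto, dest_port) pairs.
    Destinations that legitimately negotiate high-numbered ports (passive FTP,
    Windows RPC) are dropped by category so they do not inflate a client's count."""
    ports: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for k in flows:
        if k.src_ip not in excluded_sources and k.dest_ip not in excluded_dests:
            ports[k.src_ip].add((k.proto, k.dest_port))
    return sorted((src, len(p)) for src, p in ports.items() if len(p) >= threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_RECORDS)
    print(f"{len(flows)} flows after aggregation")
    print("unique-host alerts:", excessive_unique_hosts(
        flows, excluded_sources=assets_in_category("svcnetworkscanner")))
    print("unique-port alerts:", excessive_unique_ports(
        flows, excluded_sources=assets_in_category("svcnetworkscanner"),
        excluded_dests=assets_in_category("svcpassiveftp")))
```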
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 4 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center) Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data even ... Apr 26, 2016
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center) A prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an insecure system on the network. Consider intranetwork communication and accepted communications from the internet. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware ... Apr 08, 2016
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center) Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 12 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-*".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection, for each asset with a governance category verify that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners. Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC). Problem Types Addressed Risk Addressed ... Apr 28, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when a rule is named in an allowed communication where the reviewed ... Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices, ensure the first "xforwardedfor" entry ... Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an indication of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ... Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016 Mature Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection, for each asset with a governance category verify that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners. Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC). Problem Types Addressed Risk Addressed ... Apr 28, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when a rule is named in an allowed communication where the reviewed ... Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices, ensure the first "xforwardedfor" entry ... Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an indication of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ... Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016
Providing Technologies Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".
PT009-SourceFire (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT008-Snort (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT006-PaloAlto Firewall (Narrative and Use Case Center) Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi-function firewall, VPN and reverse proxy device. Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS011MalwareDetonation
Malware detonation systems, also known as sandboxing systems, execute potentially malicious code in a clean environment for the purpose of collecting events related to its actions. Using automated and manual analysis, indicators can be determined which can inform additional breach detection and prevention capability.
Security Value
Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare, extreme or increasing values over fields including sender, recipient, IP and domain to identify actors and potential victims of email based attacks.
Forensic Investigation - Logs can be utilized to determine if actions from a user/host may indicate control by a third party.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 4 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center) Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data even ... Apr 26, 2016
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center) A prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an insecure system on the network. Consider intranetwork communication and accepted communications from the internet. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware ... Apr 08, 2016
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center) Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 12 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-*".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection, for each asset with a governance category verify that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners. Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC). Problem Types Addressed Risk Addressed ... Apr 28, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when a rule is named in an allowed communication where the reviewed ... Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices, ensure the first "xforwardedfor" entry ... Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an indication of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ... Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016 Mature Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection, for each asset with a governance category verify that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners. Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC). Problem Types Addressed Risk Addressed ... Apr 28, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or an actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when a rule is named in an allowed communication where the reviewed ... Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices, ensure the first "xforwardedfor" entry ... Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an indication of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ... Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016
Providing Technologies Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".
PT009-SourceFire (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT008-Snort (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT006-PaloAlto Firewall (Narrative and Use Case Center) Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi-function firewall, VPN and reverse proxy device. Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS012NetworkIntrusionDetection
What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls – IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting specific IP addresses or ranges.
Security Value
Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare, extreme or increasing values over fields including IP and signature to identify actors and potential victims of network vulnerability based attacks.
Forensic Investigation - Identify compromised or potentially compromised hosts based on exploitation data.
Legal compliance - Utilize email logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS012NetworkIntrusionDetection".
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts.For the past ... Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number unique events when scanning a host since each vulnerability check tends to trigger a unique ... Aug 14, 2016
UC0074 Network Intrusion Internal Network (Narrative and Use Case Center) IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... May 09, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS012NetworkIntrusionDetection-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS012NetworkIntrusionDetection-*".
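The detection logic behind UCESS061 (scanner by unique targets) and UCESS060 (scanner by unique events), run over constructed IDS signature events, as an added example that is not one of the Splunk searches this page catalogs. The key=value event format, the 20-target and 20-signature thresholds, the 60-minute window and the authorized-scanner list are assumptions.

```python
"""
Added example: UCESS061/UCESS060 style scanner detection over constructed
IDS events (DS012NetworkIntrusionDetection-ET01SigDetection). Event format,
thresholds and the authorized-scanner list are assumptions, not Splunk's.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the sanctioned scanner; in practice this comes from asset data.
AUTHORIZED_SCANNERS = {"10.9.9.9"}
# Constructed reference time that stands in for "now" in the search window.
NOW = datetime(2016, 9, 29, 11, 0, 0)


def build_sample_log():
    """Constructed IDS events: '<iso time> src=.. dest=.. signature=".." action=..'."""
    line = '%s src=%s dest=%s signature="%s" action=alerted'
    lines = []
    # 10.1.1.5: one signature against 30 distinct hosts (horizontal sweep, UCESS061)
    for i in range(30):
        lines.append(line % ("2016-09-29T10:%02d:00Z" % (5 + i), "10.1.1.5",
                             "10.2.0.%d" % (10 + i), "SMB share enumeration"))
    # 10.1.1.6: 30 distinct signatures against one host (vertical scan, UCESS060)
    for i in range(30):
        lines.append(line % ("2016-09-29T10:%02d:30Z" % (5 + i), "10.1.1.6",
                             "10.2.0.50", "check-%02d" % i))
    # 10.9.9.9: the authorized scanner, noisy on both axes but expected
    for i in range(40):
        lines.append(line % ("2016-09-29T10:%02d:15Z" % (5 + i), "10.9.9.9",
                             "10.2.0.%d" % (100 + i), "check-%02d" % i))
    # 10.1.1.7: two ordinary alerts, below any threshold
    lines.append(line % ("2016-09-29T10:40:00Z", "10.1.1.7", "10.2.0.10", "SMB share enumeration"))
    lines.append(line % ("2016-09-29T10:41:00Z", "10.1.1.7", "10.2.0.11", "SMB share enumeration"))
    # 10.1.1.8: a large sweep, but hours before NOW, so outside a 60-minute window
    for i in range(30):
        lines.append(line % ("2016-09-29T08:%02d:00Z" % i, "10.1.1.8",
                             "10.2.0.%d" % (200 + i), "SMB share enumeration"))
    return "\n".join(lines)


def parse_events(text):
    """Parse the key=value lines; shlex keeps quoted values together."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = shlex.split(raw)
        event = {"_time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
        for token in parts[1:]:
            key, _, value = token.partition("=")
            event[key] = value
        events.append(event)
    return events


def profile_sources(events, now, window_minutes):
    """Per source, the distinct targets and signatures seen inside the window."""
    start = now - timedelta(minutes=window_minutes)
    profiles = defaultdict(lambda: {"targets": set(), "signatures": set()})
    for event in events:
        if start <= event["_time"] <= now:
            profiles[event["src"]]["targets"].add(event["dest"])
            profiles[event["src"]]["signatures"].add(event["signature"])
    return profiles


def detect_scanners(events, now=NOW, window_minutes=60,
                    target_threshold=20, signature_threshold=20):
    """Return the sources that look like scanners, with the rule(s) that fired."""
    findings = []
    for src, prof in sorted(profile_sources(events, now, window_minutes).items()):
        if src in AUTHORIZED_SCANNERS:
            continue  # expected noise; UC0091 separately checks it actually occurs
        reasons = []
        if len(prof["targets"]) >= target_threshold:
            reasons.append("UCESS061: %d unique targets" % len(prof["targets"]))
        if len(prof["signatures"]) >= signature_threshold:
            reasons.append("UCESS060: %d unique signatures" % len(prof["signatures"]))
        if reasons:
            findings.append({"src": src, "targets": len(prof["targets"]),
                             "signatures": len(prof["signatures"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_scanners(parse_events(build_sample_log())):
        print(finding["src"], "; ".join(finding["reasons"]))
```

Widening the window (for example to 240 minutes) pulls the earlier sweep from 10.1.1.8 into scope, which is why the use case fixes the lookback rather than counting over all history.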
Copyright © 2016, Splunk Inc.
Providing Technologies Found 2 search result(s) for title:PT* contentBody:"DS012NetworkIntrusionDetection".
PT017-Trend-TippingPoint (Narrative and Use Case Center) Trend Micro TippingPoint IPS product Provides DS012NetworkIntrusionDetectionET01SigDetection Key Facts Impact to index/license Based on log files total size of message tracking log file over 7 days from devices where local log collection ... Jul 25, 2016 Labels: provider-type
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi-function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS013TicketManagement
Ticket management from tracking systems responsible for the security and operational health of the environment(s) provides a rich resource for evaluating the effectiveness of the security program, as well as the detective and preventive controls in place.
Security Value
- Continuous Monitoring: monitor the effective execution of triage and remediation activities.
- Legal compliance: utilize logs to support discovery and defense of legal claims. Establish a timeline of what was known, when and by whom.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essentials" contentBody:"DS013TicketManagement-*".
Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS013TicketManagement-*".
UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016
UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center) Define and maintain eventtypes for unsuppressed notable events separately identifying review work flow, and triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption Phase ... Apr 27, 2016
UCESS051 Substantial Increase In Events (Narrative and Use Case Center) Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model has changed, generate a count by signature and compare that count against the previous hour and trigger if the signature is above medium ... Aug 14, 2016
Mature Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS013TicketManagement-*".
UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016
UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center) Define and maintain eventtypes for unsuppressed notable events separately identifying review work flow, and triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption Phase ... Apr 27, 2016
UCESS051 Substantial Increase In Events (Narrative and Use Case Center) Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model has changed, generate a count by signature and compare that count against the previous hour and trigger if the signature is above medium ... Aug 14, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS013TicketManagement".
DS014WebServer
Web server logs allow attribution of activity to a specific source ip and user when authenticated. The logs are detailed records of every transaction: every time a browser requests a web page, Apache logs details include items such as the time, remote IP address, browser type and page requested. Web Servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate permissions or problems with extension modules. Web Server logs are critical in debugging both web application and server problems but are also used to generate traffic statistics, track user behavior and flag security attacks such as attempted unauthorized entry or DDoS.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Security Value
- Continuous Monitoring: monitor server logs using analytic concepts such as new, rare and extreme values over fields including site, resource and IP to identify actors and potential victims of attacks; monitor server logs using analytic concepts to identify potential DoS attacks by an increasing number of requests for sites or specific resources.
- Forensic Investigation: utilize log events in combination with other events to identify potential actors involved in targeted activity; utilize log events to identify the scope of exploitation; utilize log events to identify the time span of an incident.
- Legal compliance: utilize logs to support discovery and defense of legal claims.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS014WebServer".
Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS014WebServer-*".
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use Case Center)
Communication to any web application server without filtering by a network web application firewall indicates a security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset Information ... Apr 27, 2016
Mature Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS014WebServer-*".
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use Case Center)
Communication to any web application server without filtering by a network web application firewall indicates a security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset Information ... Apr 27, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS014WebServer".
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi-function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS015ConfigurationManagement
Configuration management solutions such as VMware vCenter, MAAS, Puppet, Chef, System Center Configuration Manager and System Center Virtualization Manager. Events generated by these systems can support security investigations by providing information about who applied what changes to systems. Additional information such as the base image utilized and birth and death timestamps provides data useful for identifying windows of vulnerability.
Security Value
- Continuous Monitoring: monitor privileged user activity such as changes outside of change windows, access to sensitive configuration values or modification of critical controls.
- Forensic Investigation: establish a timeline of the activities of a privileged user; establish when controls were placed on or removed from a specific host.
- Legal compliance: utilize logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS015ConfigurationManagement*".
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS015ConfigurationManagement*".
UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center) Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ... Aug 14, 2016
Mature Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS015ConfigurationManagement*".
UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center) Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ... Aug 14, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS014WebServer" NOT contentBody:"DS015ConfigurationManagement-*".
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi-function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS016DataLossPrevention
Data loss prevention solutions can identify human and automated activities as they interact with restricted information, creating an audit trail of attempted actions and the system's response, such as allow or block.
Security Value
- Continuous Monitoring: monitor alerts indicating a policy violation or attempted policy violation to prompt immediate action by security monitoring; monitor alerts indicating excessive interaction with restricted information as a possible indication of compromise.
- Forensic Investigation: utilize events in combination with other events to identify potential actors involved in targeted activity; utilize events to establish a timeline of who, when and what when investigating internal activity.
- Legal compliance: utilize logs to support discovery and defense of legal claims; utilize logs to support documentation of compliance.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS016DataLossPrevention".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS016DataLossPrevention-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS016DataLossPrevention-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS016DataLossPrevention".
DS017PhysicalSecurity
Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic strips affixed to employee badges; however, locations with stringent security requirements may use some form of a biometric reader or digital key. Regardless of the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular location. As digital systems, badge readers record information such as user ID, date and time of entry and perhaps a photo for each access attempt. Motion and sensor indicators may also be useful in extreme situations where physical access is limited tightly.
Security Value
- Forensic Investigation: utilize log events to place a badge (single factor) or a person (two-factor bio/PIN) in a specific location.
- Legal compliance: utilize logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS017PhysicalSecurity".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS017PhysicalSecurity-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS017PhysicalSecurity-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS017PhysicalSecurity".
DS018VulnerabilityDetection
An effective way to find security holes is to examine one's infrastructure from the attacker's point of view. Vulnerability scans probe an organization's network for known software defects that provide entry points for external agents. The scans yield data about open ports and IP addresses that can be used by malicious agents to gain entry to a particular system or entire network. Systems often keep network services running by default, even when they aren't required for a particular server. These running yet orphaned (i.e., unmonitored) services are a common means of external attack since they may not be patched with the latest OS security updates. Broadscale vulnerability scans can reveal security holes that could be leveraged to access an entire enterprise network.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS018VulnerabilityDetection".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS018VulnerabilityDetection-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS018VulnerabilityDetection-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS018VulnerabilityDetection".
DS019PatchManagement
Keeping operating systems and applications updated with the latest bug fixes and security patches is an essential task that can prevent unplanned downtime, random application crashes and security breaches. Although commercial apps and OSs often have embedded patching software, some organizations use independent patch management software to consolidate patch management and ensure the consistent application of patches across their software fleet and to build patch jobs for custom, internal applications. Patch management software keeps a patch inventory using a database of available updates and can match these against an organization's installed software. Other features include patch scheduling, post-install testing and validation and documentation of required system configurations and patching procedures.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS019PatchManagement*".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS019PatchManagement-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS019PatchManagement-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS019PatchManagement".
DS020HostIntrustionDetection
Host-based Intrusion Detection events provide signature based detection of changes that could weaken the security posture of the host, based on changes to entire files or to specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the environment.
Security Value
- Continuous Monitoring: monitor generated alerts to ensure the SOC triages events in a timely manner.
- Forensic Investigation: utilize log events in combination with other events to identify potential actors involved in targeted activity; utilize log events to identify additional possible victims of email based attacks; utilize log events to establish a timeline of who, when and what when investigating internal activity.
- Legal compliance: utilize logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS020HostIntrustionDetection".
Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS020HostIntrustionDetection-*".
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection, for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners. Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016
Mature Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS020HostIntrustionDetection-*".
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection, for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners. Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016
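The approved-flow check described by UC0085 (under DS014WebServer) and UC0092 here, run over constructed web access log lines, as an added example that is not one of the Splunk searches this page catalogs. The Apache LogFormat, the approved WAF/NLB addresses, the asset priorities and the assumed request path client -> WAF -> NLB -> application are all assumptions; the page's own text on the X-Forwarded-For check is cut off, so the hop rule below is this example's, not the page's.

```python
"""
Added example: alert per high/critical web application host whose access log
shows a request that did not arrive through an approved WAF/NLB (UC0085,
UC0092). LogFormat, device lists, priorities and topology are assumptions.
"""
import re

# Assumed Apache LogFormat: %h %l %u %t "%r" %>s %b "%{X-Forwarded-For}i"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<xff>[^"]*)"$')

# Assumption: approved devices and asset priorities (asset information enrichment).
APPROVED_WAF = {"10.0.0.5", "10.0.0.6"}
APPROVED_NLB = {"10.0.0.20", "10.0.0.21"}
ASSET_PRIORITY = {"app01": "critical", "app02": "high", "app03": "low"}

# Constructed access log lines, keyed by application host.
SAMPLE_LOGS = {
    "app01": [
        # client -> WAF -> NLB -> app: the NLB appended the WAF as the last hop
        '10.0.0.20 - - [29/Sep/2016:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "203.0.113.7, 10.0.0.5"',
        # reached the NLB without the WAF anywhere in the chain
        '10.0.0.20 - - [29/Sep/2016:10:00:02 +0000] "POST /admin HTTP/1.1" 200 88 "198.51.100.9"',
        # direct request to the application server, no WAF or NLB at all
        '198.51.100.9 - - [29/Sep/2016:10:00:03 +0000] "GET /admin HTTP/1.1" 403 0 "-"',
    ],
    "app02": [
        # WAF talking to the application directly
        '10.0.0.5 - - [29/Sep/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 1024 "203.0.113.7"',
    ],
    "app03": [
        # low priority asset: out of scope for this use case, never audited
        '198.51.100.9 - - [29/Sep/2016:10:00:05 +0000] "GET / HTTP/1.1" 200 10 "-"',
    ],
}


def parse_line(line):
    """Parse one access log line; X-Forwarded-For becomes a list of hops."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparsed access log line: %r" % line)
    rec = m.groupdict()
    xff = rec["xff"].strip()
    rec["xff"] = [] if xff in ("", "-") else [h.strip() for h in xff.split(",")]
    return rec


def classify_path(src, xff):
    """Return None for an approved path, otherwise the reason it is an exception."""
    if src in APPROVED_WAF:
        return None
    if src in APPROVED_NLB:
        # Assumption: each proxy appends the address it received the request
        # from, so with WAF in front of NLB the last hop must be an approved WAF.
        if xff and xff[-1] in APPROVED_WAF:
            return None
        return "reached NLB %s without an approved WAF in X-Forwarded-For %s" % (src, xff)
    return "source %s is not an approved WAF or NLB device" % src


def audit_hosts(logs=SAMPLE_LOGS, priorities=ASSET_PRIORITY):
    """Per high/critical host, the list of exceptions (empty when the host is clean)."""
    findings = {}
    for host, lines in logs.items():
        if priorities.get(host) not in ("high", "critical"):
            continue
        findings[host] = []
        for line in lines:
            rec = parse_line(line)
            reason = classify_path(rec["src"], rec["xff"])
            if reason:
                findings[host].append({"time": rec["time"], "request": rec["request"],
                                       "reason": reason})
    return findings


if __name__ == "__main__":
    for host, exceptions in sorted(audit_hosts().items()):
        print(host, "%d exception(s)" % len(exceptions))
        for ex in exceptions:
            print("  ", ex["time"], ex["request"], "->", ex["reason"])
```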
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS020HostIntrustionDetection".
DS021Telephony
Real-time business communications no longer are limited to voice calls provided by Plain Old Telephone Service (POTS); instead, voice, video, text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss, making service quality and reliability much more sensitive to network conditions and server responsiveness. Traditional POTS has conditioned people to expect immediate dial tone when picking up the phone and be intolerant of noise, echo or other problems that can plague IP telephony; as such, the systems and supporting infrastructure require careful monitoring and management to assure quality and reliability. Voice over IP protocol refers to several methods for transmitting real-time audio (and now video) information over an IP-based data network. Unlike traditional phone systems using dedicated, point-to-point circuits, VoIP applications use packet-based networks to carry real-time audio streams that are interspersed with other Ethernet data traffic. Since TCP packets may be delivered out of order due to data loss and retransmission, VoIP includes features to buffer and reassemble a stream. Similarly, VoIP packets are usually tagged with quality of service (QoS) headers to prioritize their delivery through the network.
Security Value
- Forensic Investigation: utilize log events in combination with other events to identify potential actors involved in targeted activity; utilize log events to identify additional possible victims of social engineering attacks; utilize log events to establish a timeline of who, when and what when investigating internal activity.
- Legal compliance: utilize logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS021Telephony".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS021Telephony-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS021Telephony-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS021Telephony".
DS022Performance
Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and unusual events. By registering myriad system parameters, performance logs also can highlight mismatches between system capacity and application requirements, such as a database using all available system memory and frequently swapping to disk. Application performance management (APM) software provides end-to-end measurement of complex, multitier applications to provide performance metrics from an end user's perspective. APM logs also provide event traces and diagnostic data that can assist developers in identifying performance bottlenecks or error conditions. The data from APM software provides both a baseline of typical application performance and a record of anomalous behavior or performance degradation. Carefully monitoring APM logs can provide early warning of application problems and allow IT and developers to remediate issues before users experience significant degradation or disruption. APM logs also are required to perform post-hoc forensic analysis of complex application problems that may involve subtle interactions between multiple machines and/or network devices.
Security Value
- Continuous Monitoring: monitor system resources for increased utilization or exhaustion as a possible indication of a denial of service attack; monitor system resources for increased utilization or exhaustion as a possible indication of a brute force attack.
- Forensic Investigation: utilize log events in combination with other events to identify potential actors involved in targeted activity; utilize log events to identify additional possible victims of social engineering attacks; utilize log events to establish a timeline of who, when and what when investigating internal activity.
- Legal compliance: utilize logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS022Performance".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS022Performance-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS022Performance-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS022Performance".
DS023CrashReporting
Crash reports, including summaries of dumps, exceptions and hangs, can indicate attempts at exploitation of processes by malicious code or significant programming errors allowing possible future exploitation or failure of business services.
Security Value
- Continuous Monitoring: monitor and triage occurrences as a possible indication of attack.
- Forensic Investigation: utilize log events in combination with other events to identify potential actors involved in targeted activity; utilize log events to identify additional possible victims of social engineering attacks; utilize log events to establish a timeline of who, when and what when investigating internal activity.
- Legal compliance: utilize logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS023CrashReporting".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS023CrashReporting-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS023CrashReporting-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS023CrashReporting".
DS024ApplicationServer
Application server logs, covering the business application itself, middleware such as Tomcat, and runtime logs such as those of the Java runtime, contain a wealth of information created when users and systems interact. Anomalies in the logs can indicate potential failures or compromise attempts.
Security Value
- Continuous Monitoring: develop implementation specific monitoring to alert security operations to potential issues created by external interaction.
- Forensic Investigation: utilize log events in combination with other events to identify potential actors involved in targeted activity; utilize log events to identify additional possible victims of social engineering attacks; utilize log events to establish a timeline of who, when and what when investigating internal activity.
- Legal compliance: utilize logs to support discovery and defense of legal claims.
Event Types Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS024ApplicationServer".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS024ApplicationServer-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS024ApplicationServer-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS024ApplicationServer".
Supporting Event Type View
DS001Mail-ET01Access
Event indicates a specific message has been accessed by a user from a specific source system.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET01Send".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET01Send".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-ET01Send".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS001MAIL-ET01Send".
DS001Mail-ET02Receive
An event indicating a message has been received by one or more users.
Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET02Receive".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET02Receive".
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
Mature Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-ET02Receive".
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS001MAIL-ET02Receive".
PT001-Microsoft-Exchange (Narrative and Use Case Center) ... solution and channel of communication useful in various attacks access monitoring is imperative. Provides DS001MAIL DS001MailET01Access DS001MAILET02Receive DS001MailET03Send DS003Authentication Authentication occurs for Administrative action Active Sync ... Apr 01, 2016 Labels: provider-type
DS001Mail-ET03Send Indicates an authorized user or system has sent a message to one or more recipients.
Consuming Use Cases Essentials Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001Mail-ET03Send".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS031 Host Sending Excessive Email (Narrative and Use Case Center) Alerts when an host not designated as an email server sends excessive email to one or more target hosts.For the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate ... May 02, 2016
UC0003 Server generating email outside of approved usage (Narrative and Use Case Center) Server operating systems often generate email for routine purposes. Configuration management can be used to identify which server may generate email and what recipients are permitted. Identify servers receiving email from the internet without approval Identify ... Apr 19, 2016
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET03Send".
UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center) Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks ... Apr 08, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS001MAIL-ET03Send".
PT001-Microsoft-Exchange (Narrative and Use Case Center) ... solution and channel of communication useful in various attacks access monitoring is imperative. Provides DS001MAIL DS001MailET01Access DS001MAILET02Receive DS001MailET03Send DS003Authentication Authentication occurs for Administrative action Active Sync ... Apr 01, 2016 Labels: provider-type
DS002DNS-ET01Query DNS request and response reassembled into a single event
DS002DNS-ET01QueryRequest — DNS Request from a client, response reassembly is not required
DS002DNS-ET01QueryResponse — Reassembled request response as a single event containing the original client ip
Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01Query".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01Query".
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center) Using an algorithm determine text of the registration domain is likely to be generated by a computer excluding known cloud hosting domains, Alexa TOP 1 M domains and domains with long established communication with the organization. Problem Types Addressed Risk Addressed Event ... Jun 24, 2016 Labels: prt05-tacticalthreat-ransomeware, creative
UC0076 Excessive DNS Failures (Narrative and Use Case Center) endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0049 Detection of DNS Tunnel (Narrative and Use Case Center) Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
Providing Technologies Found 2 search result(s) for title:PT* contentBody:"DS002DNS-ET01Query".
PT002-Splunk-Stream-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
PT003-ExtraHop-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
DS002DNS-ET01QueryRequest DNS Request from a client, response reassembly is not required
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01QueryRequest".
Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01QueryRequest".
UCESS019 Excessive DNS Queries (Narrative and Use Case Center) Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ... Aug 14, 2016
UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center) Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for reply NXDOMAIN replies for A/AAA queries for wpad (bare host) and wpad. where the domain portion is not a company owned domain. Problem Types Addressed Risk Addressed Event ... Apr 25, 2016
UC0081 Communication with unestablished domain (Narrative and Use Case Center) Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged ... Apr 25, 2016 Labels: prt05-tacticalthreat-ransomeware
Providing Technologies Found 3 search result(s) for title:PT* contentBody:"DS002DNS-ET01QueryRequest".
PT013-ISCBIND-DNS (Narrative and Use Case Center) Provides DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
PT002-Splunk-Stream-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
PT003-ExtraHop-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
DS002DNS-ET01QueryResponse Reassembled request response as a single event containing the original client ip
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01QueryResponse".
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01QueryResponse".
UCESS018 Excessive DNS Failures (Narrative and Use Case Center) Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where ... Aug 14, 2016
Providing Technologies Found 3 search result(s) for title:PT* contentBody:"DS002DNS-ET01QueryResponse".
PT013-ISCBIND-DNS (Narrative and Use Case Center) Provides DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
PT002-Splunk-Stream-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
PT003-ExtraHop-DNS (Narrative and Use Case Center) Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest providertype Apr 25, 2016 Labels: provider-type
DS003Authentication-ET01Success Indicates the authentication system validated the factors provided
Consuming Use Cases Essentials Found 5 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET01Success".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS005 Activity from Expired User Identity (Narrative and Use Case Center) Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end date of the identity has been passed). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw Event Data, user ... Aug 14, 2016
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack)Looking across the prior 24 hours starting 1 hour ago, search for application ... Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center) Detects excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack)Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures ... Aug 14, 2016
UC0043 Direct Authentication to NHA (Narrative and Use Case Center) Direct authentication via SSH or console session to a non human account indicates a violation of security policy by recording the password of a non human account for later use or by association of a SSH key to a non human account. Problem Types Addressed Risk ... Apr 11, 2016
Maturing Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET01Success".
UCESS016 Default Account Activity Detected (Narrative and Use Case Center) Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ... Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center) Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ... Aug 14, 2016
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse.Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center) each authentication technology in the network identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators Problem Types Addressed Risk Addressed Event ... Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center) Detection of logon with the same account to a production and a non production environment. If an account (not user) has logged into more than one account access management controls have failed and must be remediated Problem Types Addressed Risk Addressed Event Data ... Jun 24, 2016
UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center) Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last ... Jun 24, 2016
UC0045 Local authentication server (Narrative and Use Case Center) Following provisioning, nix servers seldom require local administration. Investigate any use of local authentication as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk Addressed Event Data Sources ... Apr 11, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure indication of accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0042 SSH Authentication using unknown key (Narrative and Use Case Center) public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be investigated to determine the owner of the key and validate authorization to access the resource. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ... Apr 11, 2016
Providing Technologies Found 2 search result(s) for title:PT* contentBody:"DS003Authentication-ET01Success".
PT012-Splunk-InternalLogging (Narrative and Use Case Center) ... Enterprise Application includes extensive internal logging covering performance and usage. Provides DS003 Authentication DS003AuthenticationET01Success DS003AuthenticationET02Failure DS006UserActivity Key Facts Impact to index/license None LOADLow ... Apr 01, 2016 Labels: provider-type
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS003Authentication-ET02Failure The authentication system did not approve the attempt based on invalid factors
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".
DS003Authentication-ET02FailureBadFactor Indicates the authentication system determined the factors provided were invalid
Consuming Use Cases Essentials Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureBadFactor".
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center) Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack)Looking across the prior 24 hours starting 1 hour ago, search for application ... Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center) Detects excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack)Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures ... Aug 14, 2016
Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureBadFactor".
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center) Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse.Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ... Aug 14, 2016
UCESS020 Excessive Failed Logins (Narrative and Use Case Center) Detects excessive number of failed login attempts (this is likely a brute force attack)For the past 1 hour starting 5 minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user ... Aug 14, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureBadFactor".
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS003Authentication-ET02FailureError Indicates the authentication system encountered an error and was unable to authenticate the user.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureError".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureError".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureError".
DS003Authentication-ET02FailureUnknownAccount Indicates the authentication system was unable to locate the account, factors were not evaluated
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureUnknownAccount".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureUnknownAccount".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureUnknownAccount".
DS004EndPointAntiMalware-ET01SigDetected Endpoint anti-malware product detection based on a signature or a specified heuristics class
Consuming Use Cases Essentials Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware-ET01SigDetected".
UCESS035 Host With Multiple Infections (Narrative and Use Case Center) Alerts when a host with multiple infections is discovered.For the past 24 hours, using all summary data even if the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the count is greater ... Aug 14, 2016
UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center) Alerts when a high total number of infected hosts is discovered.For the past 15 days, using all summary data even if the model has changed, return and estimated distinct count of destination (host, IP, name) where nodename is MalwareAttacks ... Aug 14, 2016
UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center) Alerts when an infection is noted on a host with high or critical priority.Looking across a realtime window of /5 minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen time, original raw log, destination ... Aug 14, 2016
UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center) Detects users with a high or critical priority logging into a malware infected machineUsing all summary data even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user priority ... Aug 14, 2016
UCESS043 Outbreak Detected (Narrative and Use Case Center) Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infectionFor the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the system that was affected by the malware ... Apr 26, 2016
UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center) Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should be evaluated to determine why they are not updating their malware signatures.Execute the malware operations tracker macro and calculate the timesignatureversion and return results that the day difference between ... Apr 26, 2016
UCESS036 Host With Old Infection Or Potential Re-Infection (Narrative and Use Case Center) Alerts when a host with an old infection is discovered (likely a reinfection).For the past 60 minutes starting 5 minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup against the malwaretracker and match on destination and signature. If a match ... Apr 26, 2016
UCESS032 Host With A Recurring Malware Infection (Narrative and Use Case Center) Alerts when a host has an infection that has been reinfected remove multiple times over multiple days.For the past 10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model ... Apr 26, 2016
UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center) Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DDE007 Signature Special Processing List ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center) When a new malware variant is detect by endpoint antivirus technology it is possible the configuration or capability of other controls are deficient. Review the sequence of events leading to the infection to determine if additional preventive measures can be put in place. Problem Types Addressed Risk ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing Found 5 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET01SigDetected".
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center) Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than 5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center) Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts are active on a subnet. Problem Types Addressed ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and Use Case Center) Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center) Multiple infections detected on the same endpoint in a short period of time could indicate the presence of a undetected loader malware component (apt). Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center) Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event and determine how existing ... Apr 11, 2016 Labels: prt05-tacticalthreat-ransomeware
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET01SigDetected".
DS004EndPointAntiMalware-ET02UpdatedSig Update occurrence for the signature data used by the anti malware engine, in a multiple engine/database relationship the database updated should be specified
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware-ET02UpdatedSig".
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET02UpdatedSig".
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center) Detection of logon device by asset name (may require resolution from IP) when logon user does not match the owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified as loaner ... May 16, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS006EndPointAntiMalware-ET02UpdatedSig".
DS004EndPointAntiMalware-ET03UpdatedEng Update occurrence for the engine used by the anti malware product, in a multiple engine/database relationship the engine updated should be specified
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".
DS005WebProxyRequest-ET01Requested Traditional HTTP request from a client
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS005WebClientRequest-ET01Requested".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebClientRequest-ET01Requested".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS005WebClientRequest-ET01Requested".
DS005WebProxyRequest-ET01RequestedWebAppAware Indicates a traditional web application request with additional context provided by the generating system, which detects the "application" implied by the request, such as Facebook/Farmville or TeamViewer
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET01RequestedWebAppAware".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET01RequestedWebAppAware".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS001MAIL-ET01RequestedWebAppAware".
DS005WebProxyRequest-ET02Connect CONNECT (tunnel) request from an HTTP client
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS005WebClientRequest-ET02Connect".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebClientRequest-ET02Connect".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS005WebClientRequest-ET02Connect".
DS006UserActivity-ET01List User activity listing the contents of a container
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET01List".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET01List".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET01List".
DS006UserActivity-ET02Read User activity reading the contents of an object
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET02Read".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET02Read".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET02Read".
DS006UserActivity-ET03Create User activity creating a new object
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET03Create".
Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET03Create".
UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center) Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values where firstTime is greater than or equal to earliestQual ... Aug 14, 2016
UCESS049 Short-lived Account Detected (Narrative and Use Case Center) past 4 hours, find all events that action is equal to created or deleted. Look at the time range across user and destination and use only two events and only return events where the count is greater than 1 and the time range ... Aug 14, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET03Create".
DS006UserActivity-ET04Update User activity updating an object
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET04Update".
Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET04Update".
UC0013 Monitor change for high value groups (Narrative and Use Case Center) Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access DS006UserActivityET04Update DE002IdentityInformation Identity category terminated Identity category reductioninforce ... Apr 08, 2016
UCESS040 Network Change Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw and count grouped by the device that reported the change dvc (host, IP, name), the action performed on the resource and the command that initiated the change. Problem Types ... Aug 14, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET04Update".
DS006UserActivity-ET05Delete User activity deleting an object
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET05Delete".
Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET05Delete".
UCESS004 Account Deleted (Narrative and Use Case Center) Detects user and computer account deletion. Looking across a realtime window of /5 minutes, search for the value delete within the tag field (autogenerated field in datamodels) and show the following aggregated values when the count is greater than 0: Last ... Aug 14, 2016
UCESS049 Short-lived Account Detected (Narrative and Use Case Center) past 4 hours, find all events that action is equal to created or deleted. Look at the time range across user and destination and use only two events and only return events where the count is greater than 1 and the time range ... Aug 14, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET05Delete".
DS006UserActivity-ET06Search User activity searching for additional content
Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET06Search".
UCESS045 Potential Gap in Data (Narrative and Use Case Center) Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context ... Aug 16, 2016
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET06Search".
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess ... Apr 25, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET06Search".
DS006UserActivity-ET07ExecuteAs User activity searching for additional content
Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS006UserActivity-ET06Search".
UCESS045 Potential Gap in Data (Narrative and Use Case Center) Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data. For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context ... Aug 16, 2016
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET06Search".
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess ... Apr 25, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET06Search".
DS007AuditTrail-ET01Clear Events such as Clear, Delete, Purge or Rotate should record the controlling user, target of the action and result
Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail-ET01Clear".
UC0006 Windows security event log purged (Narrative and Use Case Center) Manually clearing the security event log on a Windows system is a violation of policy and could indicate an attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear DE001AssetInformation Adoption ... Apr 08, 2016
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET01Clear".
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET01Clear".
PT005-Microsoft-Windows (Narrative and Use Case Center) ... Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication DS007AuditTrail DS007AuditTrailET01Clear DS007AuditTrailET02Alter Key Facts Impact to index/license Based on log files ... Aug 09, 2016 Labels: provider-type
DS007AuditTrail-ET02Alter Where possible identify the acting user, and the current and new log retention parameters
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail-ET02Alter".
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET02Alter".
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET02Alter".
PT005-Microsoft-Windows (Narrative and Use Case Center) ... Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication DS007AuditTrail DS007AuditTrailET01Clear DS007AuditTrailET02Alter Key Facts Impact to index/license Based on log files ... Aug 09, 2016 Labels: provider-type
DS007AuditTrail-ET03TimeSync Where possible identify the acting user; where no result is included, success must be assumed due to limitations of common time sync software
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS007AuditTrail-ET02Alter".
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET02Alter".
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center) Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a realtime window of /5 minutes, search for action ... Aug 14, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET02Alter".
PT005-Microsoft-Windows (Narrative and Use Case Center) ... Provides DS003Authentication Authentication occurs for User Authentication Computer Authentication DS007AuditTrail DS007AuditTrailET01Clear DS007AuditTrailET02Alter Key Facts Impact to index/license Based on log files ... Aug 09, 2016 Labels: provider-type
DS008HRMasterData-ET01Joined Information regarding a new person in the organization
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData-ET01Joined".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET01Joined".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET01Joined".
DS008HRMasterData-ET02SeperationNotice Advance notice of separation for a human in the organization
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData-ET02SeperationNotice".
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET02SeperationNotice".
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use Case Center)
Increase the risk score of users who have an indication of adverse separation. Examples of users with an indication of adverse separation include but are not limited to the following: User has entered a remediation program with human resources User has been identified as included in a reduction ... Apr 08, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET02SeperationNotice".
DS008HRMasterData-ET03SeperationImmediate Final notice of separation for a human in the organization
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS008HRMasterData-ET03SeperationImmediate".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET03SeperationImmediate".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET03SeperationImmediate".
DS009EndPointIntel-ET01ObjectChange Change to an object such as file, registry, service or configuration
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS009EndPointIntel-ET01ObjectChange".
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel-ET01ObjectChange".
UCESS047 Prohibited Service Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro service and return services where isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw ... Aug 14, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS009EndPointIntel-ET01ObjectChange".
DS009EndPointIntel-ET01ProcessLaunch Endpoint product record of process launch
Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS009EndPointIntel-ET01ProcessLaunch".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel-ET01ProcessLaunch".
UCESS028 High Process Count (Narrative and Use Case Center) Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare ... Aug 14, 2016
UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and Use Case Center)
Accounts designated for use by services and batch processes should start a limited set of child processes. Creation of new child processes other than the process name defined in the service or batch definition may indicate compromise. Problem Types Addressed ... Apr 08, 2016
UCESS046 Prohibited Process Detected (Narrative and Use Case Center) Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes that isprobhibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields to the output: origeventid (macro creates hash of indexer, time and raw event ... Aug 14, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET01SigDetected".
DS010NetworkCommunication-ET01Traffic Communication event including a result (allowed/denied) logged at the time the connection is created
Consuming Use Cases Essentials Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication-ET01Traffic".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center) Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data even ... Apr 26, 2016
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing Found 9 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET01Traffic".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when a rule is named in an allowed communication where the reviewed ... Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ... Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET01Traffic".
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS010NetworkCommunication-ET01TrafficAppAware Communication event including a result (allowed/denied) logged at the time the connection is created
Consuming Use Cases Essentials Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication-ET01TrafficAppAware".
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center) A prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an insecure system on the network. Consider intra-network communication and accepted communications from the internet. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware ... Apr 08, 2016
Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET01TrafficAppAware".
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac). Problem Types Addressed Risk Addressed ... Apr 28, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an indication of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
Providing Technologies Found 3 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET01TrafficAppAware".
PT009-SourceFire (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT008-Snort (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT006-PaloAlto Firewall (Narrative and Use Case Center) Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
DS010NetworkCommunication-ET02State Event indicating the state of the firewall has changed (start/stop block/noblock)
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication-ET02State".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET02State".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET02State".
DS011MalwareDetonation-ET01Detection Malware detonation systems, also known as sandboxing systems, execute potentially malicious code in a clean environment for the purpose of collecting events related to its actions. Using automated and manual analysis, indicators can be determined which can inform additional breach detection and prevention capability
Security Value Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare and extreme over fields including sender, recipient, IP and domain increasingly identifies actors and potential victims of email based attacks
Forensic Investigation - Logs can be utilized to determine if actions from a user/host may indicate control by a third party
Event Types
Consuming Use Cases Essentials Found 4 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS010NetworkCommunication".
UCESS053 Threat Activity Detected (Narrative and Use Case Center) past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ... Sep 17, 2016 Labels: prt05-tacticalthreat-ransomeware
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center) Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data even ... Apr 26, 2016
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center) A prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an insecure system on the network. Consider intra-network communication and accepted communications from the internet. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware ... Apr 08, 2016
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center) Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ... Apr 08, 2016 Labels: prt05-tacticalthreat-ransomeware
Maturing Found 12 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-*".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac). Problem Types Addressed Risk Addressed ... Apr 28, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when a rule is named in an allowed communication where the reviewed ... Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; an indication of accepted SSHv1 sessions indicates a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ... Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016
Mature Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center) The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ... Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection, for each asset with a governance category verify communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners. Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or actual/attempted compromise. Communication filtered by the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider ingress ... Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center) Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC). Problem Types Addressed Risk Addressed ... Apr 28, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule (Narrative and Use Case Center) Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization, or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when a rule is named in an allowed communication where the reviewed ... Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center) Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ... Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center) Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ... Apr 08, 2016
UC0041 SSH v1 detected (Narrative and Use Case Center) Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ... Apr 11, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center) Endpoints communicating with an excessive number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ... Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center) Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all summary data even ... Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center) Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ... Aug 14, 2016
Providing Technologies Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".
PT009-SourceFire (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT008-Snort (Narrative and Use Case Center) Provides DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT006-PaloAlto Firewall (Narrative and Use Case Center) Provides DS003Authentication DS005WebProxyRequestET01RequestedWebAppAware DS010NetworkCommunicationET01TrafficAppAware providertype Apr 06, 2016 Labels: provider-type
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS012NetworkIntrusionDetection-ET01SigDetection What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls – IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting specific IP addresses or ranges.
Security Value
Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare and extreme over fields including ip and signature, increasingly identifying actors and potential victims of network vulnerability based attacks
Forensic Investigation - Identify compromised or potentially compromised hosts based on exploitation data
Legal compliance - Utilize email logs to support discovery and defense of legal claims.
Event Types
Consuming Use Cases Essentials Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS012NetworkIntrusionDetection".
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts. For the past ... Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center) Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number of unique events when scanning a host, since each vulnerability check tends to trigger a unique ... Aug 14, 2016
UC0074 Network Intrusion Internal Network (Narrative and Use Case Center) IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption Phase SME Adoption Phase ... May 09, 2016 Labels: prt05-tacticalthreat-ransomeware Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS012NetworkIntrusionDetection-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS012NetworkIntrusionDetection-*".
Providing Technologies Found 2 search result(s) for title:PT* contentBody:"DS012NetworkIntrusionDetection".
PT017-Trend-TippingPoint (Narrative and Use Case Center) Trend Micro TippingPoint IPS product Provides DS012NetworkIntrusionDetectionET01SigDetection Key Facts Impact to index/license Based on log files total size of message tracking log file over 7 days from devices where local log collection ... Jul 25, 2016 Labels: provider-type
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS013TicketManagement-ET01 Ticket management data from tracking systems responsible for the security and operational health of the environment(s) provides a rich resource for evaluating the effectiveness of the security program, as well as of the detective and preventive controls in place.
Security Value
Continuous Monitoring - Monitoring the effective execution of triage and remediation activities.
Legal compliance - Utilize logs to support discovery and defense of legal claims. Establish a timeline of what was known, when and by whom.
Event Types
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essentials" contentBody:"DS013TicketManagement-*".
Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS013TicketManagement-*".
UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016
UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center) Define and maintain eventtypes for unsuppressed notable events, separately identifying the review workflow and the triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption Phase ... Apr 27, 2016
UCESS051 Substantial Increase In Events (Narrative and Use Case Center) Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model has changed, generate a count by signature and compare that count against the previous hour and trigger if the signature is above medium ... Aug 14, 2016 Mature Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS013TicketManagement-*".
UCESS058 Untriaged Notable Events (Narrative and Use Case Center) Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ... Aug 14, 2016
UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center) Define and maintain eventtypes for unsuppressed notable events, separately identifying the review workflow and the triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption Phase ... Apr 27, 2016
UCESS051 Substantial Increase In Events (Narrative and Use Case Center) Alerts when a statistically significant increase in a particular event is observed. For the past hour, using all summary data even if the model has changed, generate a count by signature and compare that count against the previous hour and trigger if the signature is above medium ... Aug 14, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS013TicketManagement".
DS014WebServer-ET01Access Web server logs allow attribution of activity to a specific source ip and, when authenticated, user. The logs are detailed records of every transaction: every time a browser requests a web page, Apache logs details such as the time, remote IP address, browser type and page requested. Web servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate permissions, or problems with extension modules. Web server logs are critical in debugging both web application and server problems, but are also used to generate traffic statistics, track user behavior and flag security attacks such as attempted unauthorized entry or DDoS.
Event Types
Security Value
Continuous Monitoring
- Monitoring server logs using analytic concepts such as new, rare and extreme over fields including site, resource, and ip, increasingly identifying actors and potential victims of attacks
- Monitoring server logs using analytic concepts to identify potential DoS attacks by an increasing number of requests for sites or a specific resource
Forensic Investigation
- Utilize log events in combination with other events to identify potential actors involved in targeted activity
- Utilize log events to identify the scope of exploitation
- Utilize log events to identify the time span of an incident
Legal compliance
- Utilize logs to support discovery and defense of legal claims.
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS014WebServer".
Maturing Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS014WebServer-*".
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use Case Center) Communication to any web application server without filtering by a network web application firewall indicates a security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset Information ... Apr 27, 2016
Mature Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS014WebServer-*".
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center) Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ... Aug 16, 2016
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center) Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ... Jun 24, 2016 Labels: creative
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use Case Center) Communication to any web application server without filtering by a network web application firewall indicates a security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset Information ... Apr 27, 2016
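As an added example (not part of the use case library or any Splunk content), the UC0085/UC0092 check expressed in Python over constructed web access log lines: assets rated high/critical or carrying a governance attribute may only be reached from approved NLB or WAF addresses, and where a WAF sits in front of an NLB, the proxy hop recorded in X-Forwarded-For must be an approved WAF. The log format, address ranges, asset inventory and the assumption that each proxy appends its immediate peer to X-Forwarded-For (so the hop the NLB recorded is the last entry, adjustable via waf_hop) are all constructed here; the page's own text is truncated at which entry it checks.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed reference data (hypothetical ranges and hosts; a real deployment
# takes these from the asset and device inventories of the environment).
APPROVED_NLB = [ip_network("10.10.1.0/24")]
APPROVED_WAF = [ip_network("10.10.2.0/24"), ip_network("203.0.113.0/28")]

# Asset inventory keyed by the virtual host the web server logs (%v).
ASSETS = {
    "app1.example.test": {"priority": "critical", "governance": "pci"},
    "app2.example.test": {"priority": "medium", "governance": "sox"},
    "intranet.example.test": {"priority": "low", "governance": ""},
}

# Assumed LogFormat: combined log with %v in front and "%{X-Forwarded-For}i"
# appended as the final quoted field.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Constructed sample records; the last line is deliberately not an access record.
SAMPLE_LOG = """\
app1.example.test 10.10.2.5 - - [29/Sep/2016:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "198.51.100.7"
app1.example.test 10.10.1.3 - - [29/Sep/2016:10:00:02 +0000] "POST /api/pay HTTP/1.1" 200 88 "-" "curl/7.47" "198.51.100.8, 10.10.2.6"
app1.example.test 10.10.1.3 - - [29/Sep/2016:10:00:03 +0000] "GET /admin HTTP/1.1" 403 0 "-" "Mozilla/5.0" "198.51.100.9"
app2.example.test 192.0.2.44 - - [29/Sep/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
intranet.example.test 192.0.2.45 - - [29/Sep/2016:10:00:05 +0000] "GET /wiki HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
app1.example.test 10.10.1.3 - - [29/Sep/2016:10:00:06 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.3" "-"
this line is not an access log record
"""


@dataclass(frozen=True)
class FlowException:
    host: str
    src: str
    xff: str
    reason: str


def in_scope(asset: dict) -> bool:
    """UC0092 scope: assets rated high/critical or carrying a governance attribute."""
    return asset["priority"] in {"high", "critical"} or bool(asset["governance"])


def classify_device(addr: str) -> Optional[str]:
    """Return 'waf', 'nlb' or None for an address; non-IP junk classifies as None."""
    try:
        ip = ip_address(addr.strip())
    except ValueError:
        return None
    if any(ip in net for net in APPROVED_WAF):
        return "waf"
    if any(ip in net for net in APPROVED_NLB):
        return "nlb"
    return None


def check_event(host: str, src: str, xff: str,
                waf_in_front_of_nlb: bool = True, waf_hop: int = -1) -> Optional[FlowException]:
    """Evaluate one access record; None means the flow is approved or out of scope."""
    asset = ASSETS.get(host)
    if asset is None or not in_scope(asset):
        return None
    src_class = classify_device(src)
    if src_class is None:
        # UC0085: the immediate peer is neither an approved WAF nor an approved NLB.
        return FlowException(host, src, xff, "unapproved-source")
    if src_class == "nlb" and waf_in_front_of_nlb:
        # Assumption: each proxy appends its immediate peer, so the hop the NLB
        # recorded is the last X-Forwarded-For entry (waf_hop=-1). A missing
        # header ("-") or a non-WAF hop means the NLB was reached directly.
        hops = [h.strip() for h in xff.split(",") if h.strip() and h.strip() != "-"]
        try:
            hop = hops[waf_hop]
        except IndexError:
            hop = ""
        if classify_device(hop) != "waf":
            return FlowException(host, src, xff, "nlb-hop-not-waf")
    return None


def find_exceptions(lines: Iterable[str], **kw) -> List[FlowException]:
    """Run the check over raw log lines, skipping lines that are not access records."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparsed lines would be counted separately in production
        finding = check_event(m["host"], m["src"], m["xff"], **kw)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_exceptions(SAMPLE_LOG.splitlines()):
        print(f"{f.host} <- {f.src} xff={f.xff!r}: {f.reason}")
```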
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS014WebServer".
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS015ConfigurationManagement-ET01General Configuration management solutions such as VMware vCenter, MAAS, Puppet, Chef, System Center Configuration Manager, and System Center Virtual Machine Manager. Events generated by these systems can provide valuable input to security investigations by recording who applied which changes to which systems. Additional information such as the base image utilized and birth and death timestamps provides data useful for identifying windows of vulnerability.
Security Value
Continuous Monitoring - Monitoring of privileged user activity such as change outside of maintenance windows, access to sensitive configuration values or modification of critical controls
Forensic Investigation
- Establish a timeline of activities of a privileged user
- Establish when controls were placed on or removed from a specific host
Legal compliance - Utilize logs to support discovery and defense of legal claims.
Event Types
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS015ConfigurationManagement*".
Maturing Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS015ConfigurationManagement*".
UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center) Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ... Aug 14, 2016 Mature Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS015ConfigurationManagement*".
UCESS009 Asset Ownership Unspecified (Narrative and Use Case Center) Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ... Aug 14, 2016
Providing Technologies Found 1 search result(s) for title:PT* contentBody:"DS014WebServer" NOT contentBody:"DS015ConfigurationManagement-*".
PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center) Cisco ASA is a multi function firewall, VPN, reverse proxy device Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access Key Facts Impact to index/license Educated 3k nm nu = Total K per Day (average ... Jul 25, 2016 Labels: provider-type
DS016DataLossPrevention-ET01Violation Data loss prevention solutions can identify human and automated activities as they interact with restricted information creating an audit trail of attempted actions and the systems response such as allow or block.
Security Value
Continuous Monitoring
- Monitoring alerts indicating policy violation or attempted policy violation to prompt immediate action by security monitoring
- Monitoring alerts indicating excessive interaction with restricted information as a possible indication of compromise
Forensic Investigation
- Utilize events in combination with other events to identify potential actors involved in targeted activity
- Utilize events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
- Utilize logs to support discovery and defense of legal claims
- Utilize logs to support documentation of compliance
Event Types
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS016DataLossPrevention".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS016DataLossPrevention-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS016DataLossPrevention-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS016DataLossPrevention".
DS017PhysicalSecurity-ET01Access Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic strips affixed to employee badges; however, locations with stringent security requirements may use some form of biometric reader or digital key. Regardless of the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular location. As digital systems, badge readers record information such as user ID, date and time of entry and perhaps a photo for each access attempt. Motion and sensor indicators may also be useful in extreme situations where physical access is limited tightly.
Security Value
Forensic Investigation - Utilize log events to place a badge (single factor) or person (two factor bio/pin) in a specific location
Legal compliance - Utilize logs to support discovery and defense of legal claims.
Event Types
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS017PhysicalSecurity".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS017PhysicalSecurity-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS017PhysicalSecurity-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS017PhysicalSecurity".
DS018VulnerabilityDetection-ET01SigDetected Vulnerability by signature detected based on a signature or specified heuristics class
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS018VulnerabilityDetection-ET01SigDetected".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS018VulnerabilityDetection-ET01SigDetected".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS018VulnerabilityDetection-ET01SigDetected".
DS019PatchManagement-Applied
DS019PatchManagement-Eligable
DS019PatchManagement-Failed
DS020HostIntrustionDetection-ET01SigDetected Host-based Intrusion Detection events provide signature based detection of changes that could weaken the security posture of the host based on changes to entire files or specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the environment.
Security Value
Continuous Monitoring - Monitoring of alerts generated to ensure the SOC triages events in a timely manner
Forensic Investigation
- Utilize log events in combination with other events to identify potential actors involved in targeted activity
- Utilize log events to identify additional possible victims of email based attacks
- Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance - Utilize logs to support discovery and defense of legal claims.
Event Types
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS020HostIntrustionDetection".
Maturing Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS020HostIntrustionDetection-*".
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection, for each asset with a governance category verify communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners. Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016
Mature Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS020HostIntrustionDetection-*".
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center) Using host based logs such as firewall or host intrusion detection, for each asset with a governance category verify communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners. Problem Types Addressed Risk Addressed ... Jul 12, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center) Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices ensure the first "xforwardedfor" entry ... Jun 24, 2016
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS020HostIntrustionDetection".
DS021Telephony-ET01CDR Real-time business communications no longer are limited to voice calls provided by Plain Old Telephone Service (POTS); instead, voice, video, text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss, making service quality and reliability much more sensitive to network conditions and server responsiveness. Traditional POTS has conditioned people to expect immediate dial tone when picking up the phone and be intolerant of noise, echo or other problems that can plague IP telephony; as such, the systems and supporting infrastructure require careful monitoring and management to assure quality and reliability. Voice over IP protocol refers to several methods for transmitting real-time audio (and now video) information over an IP-based data network. Unlike traditional phone systems using dedicated, point-to-point circuits, VoIP applications use packet-based networks to carry real-time audio streams that are interspersed with other Ethernet data traffic. Since TCP packets may be delivered out of order due to data loss and retransmission, VoIP includes features to buffer and reassemble a stream. Similarly, VoIP packets are usually tagged with quality of service (QoS) headers to prioritize their delivery through the network.
Security Value
Forensic Investigation
- Utilize log events in combination with other events to identify potential actors involved in targeted activity
- Utilize log events to identify additional possible victims of social engineering attacks
- Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance - Utilize logs to support discovery and defense of legal claims.
Event Types
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS021Telephony".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS021Telephony-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS021Telephony-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS021Telephony".
DS022Performance-ET01General Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and unusual events. By registering myriad system parameters, performance logs also can highlight mismatches between system capacity and application requirements, such as a database using all available system memory and frequently swapping to disk. Application performance management (APM) software provides end-to-end measurement of complex, multitier applications to provide performance metrics from an end user's perspective. APM logs also provide event traces and diagnostic data that can assist developers in identifying performance bottlenecks or error conditions. The data from APM software provides both a baseline of typical application performance and record of anomalous behavior or performance degradation. Carefully monitoring APM logs can provide early warning to application problems and allow IT and developers to remediate issues before users experience significant degradation or disruption. APM logs also are required to perform post-hoc forensic analysis of complex application problems that may involve subtle interactions between multiple machines and/or network devices.
Security Value
Continuous Monitoring
- Monitor system resources for increased utilization or exhaustion as a possible indication of a denial of service attack
- Monitor system resources for increased utilization or exhaustion as a possible indication of a brute force attack
Forensic Investigation
- Utilize log events in combination with other events to identify potential actors involved in targeted activity
- Utilize log events to identify additional possible victims of social engineering attacks
- Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance - Utilize logs to support discovery and defense of legal claims.
Event Types
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS022Performance".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS022Performance-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS022Performance-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS022Performance".
Copyright © 2016, Splunk Inc.
DS023CrashReporting-ET01General
Crash reports, including summaries of dumps, exceptions, and hangs, can indicate attempts at exploitation of processes by malicious code, or significant programming errors that allow possible future exploitation or failure of business services.
Security Value
Continuous Monitoring: Monitor and triage occurrences as a possible indication of attack.
Forensic Investigation: Utilize log events, in combination with other events, to identify potential actors involved in targeted activity. Utilize log events to identify additional possible victims of social engineering attacks. Utilize log events to establish a timeline of who, when and what when investigating internal activity.
Legal Compliance: Utilize logs to support discovery and defense of legal claims.
Event Types
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS023CrashReporting".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS023CrashReporting-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS023CrashReporting-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS023CrashReporting".
DS024ApplicationServer-ET01General
Application server logs, covering the actual business application, middleware such as Tomcat, and runtime logs such as those of the Java runtime, contain a wealth of information created as users and systems interact. Anomalies in the logs can indicate potential failures or compromise attempts.
Security Value
Continuous Monitoring: Develop implementation-specific monitoring to alert security operations to potential issues created by external interaction.
Forensic Investigation: Utilize log events, in combination with other events, to identify potential actors involved in targeted activity. Utilize log events to identify additional possible victims of social engineering attacks. Utilize log events to establish a timeline of who, when and what when investigating internal activity.
Legal Compliance: Utilize logs to support discovery and defense of legal claims.
Event Types
Consuming Use Cases Essentials Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS024ApplicationServer".
Maturing Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS024ApplicationServer-*".
Mature Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS024ApplicationServer-*".
Providing Technologies Found 0 search result(s) for title:PT* contentBody:"DS024ApplicationServer".
Technology Provider View Technology Providers roughly equate to Splunk Technology Add Ons. When working with preexisting technology implementations the user can utilize this view to determine what use cases may be possible in a customer environment.
PT001-Microsoft-Exchange
The Microsoft Exchange collaboration platform is a significant information resource to many organizations. Because it represents both an information storage solution and a channel of communication useful in various attacks, access monitoring is imperative.
Provides
DS001MAIL: DS001Mail-ET01Access, DS001MAIL-ET02Receive, DS001Mail-ET03Send
DS003Authentication: authentication occurs for Administrative action, Active Sync, Exchange Web Services, Outlook Web Access, RPC (Deprecated)
Key Facts
Impact to index/license
Educated estimate: 3k * nm * nu = Total K per Day (average over at least 7 days, dropping the lowest 2), where nm = number of emails sent (recommend 40) and nu = weighted number of users.
Educated estimate, option 2: 3k * actual message count = Total K per Day (average over at least 7 days, dropping the lowest 2).
Based on log files: total size of the message tracking log files over 7 days from all Exchange servers; total size of the IIS logs over 7 days from all Exchange servers.
Day 0 Impact: customers frequently have no or a poor retention policy in place on the monitored files. This can result in a large historical load impacting or exceeding the license utilization for that day. If implementing over multiple days, prepare with a license reset key.
LOAD-Low: additional impact to the mail and web data models is in general minimal; inclusion will motivate additional search activity, increasing utilization on IT Ops and Security search heads.
Work Estimates: Splunk Core Resource 10000
Note: an alternative implementation with XS should be considered.
Compliance: YES
Drilldown
| tstats allow_old_summaries=true dc("DNS.query") as count from datamodel=Network_Resolution
    where nodename=DNS "DNS.message_type"="QUERY" "DNS.src"="$src$"
    NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa"
    NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*")
    by "DNS.src","DNS.query"
| rename "DNS.src" as src "DNS.query" as message
| append [ tstats allow_old_summaries=true dc("DNS.answer") as count from datamodel=Network_Resolution
    where nodename=DNS "DNS.message_type"="QUERY" "DNS.src"="$src$"
    NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa"
    NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*")
    by "DNS.src","DNS.answer"
    | rename "DNS.src" as src "DNS.answer" as message
    | eval message=if(message=="unknown","",message) ]
Container App: DA-ESS-SecKit-NetworkProtection
Rule Name - UC0049-S02-V001 Potential use of DNS tunneling
Notable Title - UC0049-S02 $gov$-$src$ High DNS query count
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0049
Search Logic -
| tstats allow_old_summaries=true dc("DNS.query") as count from datamodel=Network_Resolution
    where nodename=DNS "DNS.message_type"="QUERY"
    NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa"
    NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*")
    by "DNS.src"
| rename "DNS.src" as "src"
| where 'count'>100
Windows: -65m@m to -5m@m
Cron: 20 * * * *
Compliance: YES
Container App: DA-ESS-SecKit-NetworkProtection
Related articles
UC0051 Excessive physical access failures to CIP assets
A user with continuous physical access failures could be someone searching for a physical vulnerability within the organization. When this occurs in an area that is protecting CIP assets, it should be followed up on immediately.
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: PT014-PhysicalAccessControl
Enrichment: TBD
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD
Response: Investigate the identity; add it to a watchlist for successful authentication. This needs to be merged with OR added to a new Response Plan pertaining to physical access responses.
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. Trending vs false positives
Metrics Review: 1. Review legitimate badge access attempts/failures (security officers, vulnerability assessments, etc.); add them to the false positive database
Artifacts: TBD
Related articles
UC0052 Non-CIP user attempts to access CIP asset
CIP assets require special protections; therefore, users that have not been vetted for CIP access, or that should have had their access removed, should not have access. System owners should be notified immediately should a non-CIP user attempt to access a CIP asset.
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access, RV6-Misconfiguration
Event Data Sources: DS003Authentication-ET01Success, DS003Authentication-ET02Failure
Enrichment: DE001AssetInformation CAT-gov:CIP; DDE002 Identity Information CAT-gov:CIP
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD
Response: Alert and investigate the cause of the identity access attempt; document the disposition (examples below).
administrative process error: user access incorrectly removed after a review cycle due to inactivity; the user needs to go through the process to be added back to the list
employee training error: a new employee without CIP access mistakenly tried to connect before completing the CIP training and vetting process; the user needs to complete the process to get on the list
suspicious / malicious behavior: unjustified actions (including no explanation); the incident response team is to investigate the asset, identify the actors, follow up with management / HR / legal actions, and file the relevant compliance paperwork
This needs to be merged with OR added to a new Response Plan pertaining to electronic access responses.
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. N/A
Metrics Review: 1. N/A
Artifacts: TBD
Related articles
UC0065 Malware detected on compliance asset
Malware detection on an asset designated as in scope for a compliance regime such as PCI, CIP or HIPAA requires review even when automatic cleaning has occurred.
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DDE001 Asset Information CAT-gov
Adoption Phase Customer: APC-Edge
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV4 - Critical
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Response: RP005 Malicious Code detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. N/A
Metrics Review: 1. N/A
Artifacts: TBD
Related articles
UC0071 Improbably short time between Remote Authentications with IP change
For employers that allow remote external connectivity, the detection of two or more distinct values of external source IP address for successful authentications to a remote access solution in a short period of time indicates a likely compromise of credentials. The short period of time value will need to be tuned for any given environment; a good starting point might be 15 minutes. Rare but valid exceptions (false positives) might include:
employee logs in briefly from home, then goes to a local coffee shop and logs in again there
employee logs in from home, has a power outage that resets the router and gets a new DHCP assignment from the ISP
employee alternates between two specific IPs, such as mobile broadband and a coffee shop connection, due to iOS Wi-Fi Assist
Problem Types Addressed: PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV2-Access
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DE001AssetInformation (SRC IP not found in the asset information); DE002IdentityInformation (Employee; Customer: Can manage account, Can admin users)
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV3 - High (Customer); SV4 - Critical (Employee)
Occurrence/Fidelity: RATED0-Rare (well tuned); RATED1-Common (poorly tuned)
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-High
Implementation Skill:
Response: RP010 Contain potentially compromised account
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. Trend reporting by account type (employee vs customer) 2. Trend reporting by result of investigation 3. Trend reporting of call center impact (customer)
Metrics Review: 1. Review thresholds and monitoring statistics quarterly to determine if the tolerances should be modified relative to risk acceptance
Artifacts: TBD
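The detection described above, as an added Python sketch that is not part of the Security Kit: successful remote-access logins are grouped per user, source addresses found in the asset networks are ignored (the DE001 condition), and any two logins from different external addresses less than 15 minutes apart produce a finding whose severity follows the identity category (employee vs customer, the DE002 condition). The asset networks, identity table, field names and events are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# DE001 stand-in (constructed): addresses inside these networks are known assets, not external
ASSET_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# DE002 stand-in (constructed): identity category drives severity as the use case states
IDENTITY_CATEGORY = {"jdoe": "employee", "asmith": "employee", "bwong": "customer", "cfail": "customer"}
SEVERITY = {"employee": "SV4 - Critical", "customer": "SV3 - High"}
WINDOW = timedelta(minutes=15)  # the use case's suggested starting point; tune per environment

# Constructed remote-access authentication events (CIM-style field names assumed)
EVENTS = [
    {"_time": "2016-09-29T08:00:10", "user": "jdoe", "src": "203.0.113.7", "action": "success"},
    {"_time": "2016-09-29T08:09:45", "user": "jdoe", "src": "198.51.100.23", "action": "success"},
    {"_time": "2016-09-29T08:05:00", "user": "asmith", "src": "10.1.2.3", "action": "success"},
    {"_time": "2016-09-29T08:06:00", "user": "asmith", "src": "203.0.113.9", "action": "success"},
    {"_time": "2016-09-29T08:00:00", "user": "bwong", "src": "203.0.113.50", "action": "success"},
    {"_time": "2016-09-29T09:30:00", "user": "bwong", "src": "198.51.100.8", "action": "success"},
    {"_time": "2016-09-29T08:01:00", "user": "cfail", "src": "203.0.113.1", "action": "failure"},
    {"_time": "2016-09-29T08:02:00", "user": "cfail", "src": "198.51.100.1", "action": "failure"},
]


def is_external(src):
    """True when the source address is not inside any known asset network."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in ASSET_NETWORKS)


def find_ip_changes(events, window=WINDOW):
    """Return one finding per pair of successful external logins by the same user
    from different source addresses less than `window` apart."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "success" and is_external(e["src"]):
            by_user[e["user"]].append((datetime.fromisoformat(e["_time"]), e["src"]))
    findings = []
    for user, logins in by_user.items():
        logins.sort()  # chronological, so the inner loop can stop at the first login outside the window
        for i, (t_i, src_i) in enumerate(logins):
            for t_j, src_j in logins[i + 1:]:
                if t_j - t_i > window:
                    break
                if src_j != src_i:
                    category = IDENTITY_CATEGORY.get(user, "customer")
                    findings.append({"user": user, "from": src_i, "to": src_j,
                                     "seconds": int((t_j - t_i).total_seconds()),
                                     "severity": SEVERITY[category]})
    return findings


if __name__ == "__main__":
    for finding in find_ip_changes(EVENTS):
        print(finding)
```

Only jdoe is reported: asmith's first login comes from an asset network, bwong's two logins are 90 minutes apart, and cfail's attempts are failures.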
Related articles
UC0072 Detection of unauthorized device using DNS resolution for WPAD
Detection of an endpoint utilizing DNS as a method of proxy discovery by querying for wpad.<registration domain>. Search for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad.* where the domain portion is not a company-owned domain.
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS002DNS-ET01QueryRequest
Enrichment: DDE001 Asset Information CAT-svc:dnsresolver, CAT-svc:mailgw, CAT-svc:webproxy; DDE017 Legitimate DNS command and control domains
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Accepted
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Automation
Implementation Skill: SKILLI-Customer
Response: RP019 Unauthorized device detected
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. Count notables generated 2. Count resolution
Metrics Review: 1. N/A
Artifacts
Detection Activities
Rule Name - UC0072-S01-V001 Potential unauthorized device detected by wpad resolution
Notable Title - UC0072-S01 $gov$-$src_ip$ Unauthorized device detected by wpad resolution
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0072
Search Logic - TBD
Compliance: YES
Container App: DA-ESS-SecKit-NetworkProtection
Related articles
UC0073 Endpoint detected malware infection from url
An endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL. This is a possible indication of gaps in protection by the web proxy, intrusion prevention, or advanced threat prevention. Use the information available for the event to determine how existing prevention controls can be modified to prevent future infections. Possible control gaps could include:
detection signatures, white lists, and black lists not being updated on appliances
possible misconfiguration of network traffic, for example a cable bypass of one or more of the network appliances
endpoint connected to the wrong network, for example an open wifi access point instead of a company provisioned network
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode, RV6-Misconfiguration
Event Data Sources: DS004EndPointAntiMalware-ET01SigDetected
Enrichment: DE001AssetInformation; DDE007 Signature Special Processing List
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Known
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD
Response: RP005 Malicious Code detected on endpoint. Begin the response plan at the lessons learned stage.
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. N/A
Metrics Review: 1. Evaluate the white list for additional removals based on risk tolerance.
Artifacts
Detection Activities
Rule Name - UC0073-S01-V001 Endpoint malware infection from url
Dependency -
Notable Title - UC0073-S01 Endpoint malware infection from $domain$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0073
Search Logic
tag=attack tag=malware url=*
| rex field=url "(?:http|https)://(?<domain>[^\/]*)"
| rex field=url "(?<url_noquery>[^?]*)"
| stats first(domain) as domain first(url) as url by url_noquery
Drilldown Name: View Contributing Events
Search: $domain$ (( tag=attack tag=malware ) OR (tag=web tag=proxy))
Compliance: YES
Container App: DA-ESS-SecKit-EndpointProtection
Related articles
UC0074 Network Intrusion Internal Network
IDS/IPS detecting or blocking an attack based on a known signature.
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS012NetworkIntrusionDetection-ET01SigDetection
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response: RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc.) observes attack without blocking
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. N/A
Metrics Review: 1. N/A
Artifacts
Detection Activities
Rule Name - UC0074-S01-V001 Network Intrusion Internal Network
Notable Title - UC0074-S01 $gov$-$src$ Network Intrusion Internal Network $signature$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0074
Search Logic
| tstats `summariesonly` dc(IDS_Attacks.signature) as attack_count last(IDS_Attacks.severity) as severity values(IDS_Attacks.src_tag) as tag from datamodel=Intrusion_Detection
    where NOT IDS_Attacks.dest_category=ZONE_DMZ NOT IDS_Attacks.src_category=svc_scanner
    by IDS_Attacks.src,IDS_Attacks.category,IDS_Attacks.signature
| `drop_dm_object_name("IDS_Attacks")`
Note: an alternative implementation with XS should be considered.
Windows: -65m@m to -5m@m
Cron: 20 * * * *
Compliance: YES
Container App: SecKit-DA-ESS-NetworkProtection
Related articles
UC0075 Network Malware Detection
An internal malware detection system, such as FireEye devices, reporting an attack.
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS011MalwareDetonation-ET01Detection
Enrichment: DE001AssetInformation
Adoption Phase Customer: APC-Essential
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Expected
Initial Severity: SV3 - High
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: TBD
Implementation Skill: TBD
Response: RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc.) observes attack without blocking
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. N/A
Metrics Review: 1. N/A
Artifacts
Detection Activities
Rule Name - UC0075-S01-V001 FireEye detection unblocked
Notable Title - UC0075-S01 $gov$-$src$ FireEye APT detection $signature$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0075
Search Logic
eventtype=fe action=notified NOT "169.250.0.1"
| table src dvc_ip dest product signature severity impact ext_ref
| `get_asset(src)`
Windows: -65m@m to now
Cron: */2 * * * *
Compliance: YES
Container App: SecKit-DA-ESS-NetworkProtection
Related articles
UC0076 Excessive DNS Failures
An endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or a high number of unique DNS queries.
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityUserActivity
Risk Addressed: RV1-AbuseofAccess, RV3-MaliciousCode
Event Data Sources: DS002DNS-ET01Query
Enrichment: DE001AssetInformation CAT-svc:dnsresolver, CAT-svc:mailgw, CAT-svc:webproxy; DDE017 Legitimate DNS command and control domains; DDE010 Alexa TOP 1 million sites; DDE019 CIM Corporate Web Domains
Adoption Phase Customer: APC-Maturing
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response: RP005 Malicious Code detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. Count notables generated 2. Count resolution 3. Indicator value
Metrics Review: 1. Per quarter, review the indicator values impacting false positive resolutions and determine if thresholds should be adjusted
Artifacts
Detection Activities
Rule Name - UC0076-S01-V001 Excessive DNS Failures
Notable Title - UC0076-S01 $gov$-$asset_name$ Excessive DNS Failures $count$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0076
Search Logic
| tstats allow_old_summaries=true count values("DNS.query") as queries from datamodel=Network_Resolution
    where nodename=DNS "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*"
    by "DNS.src","DNS.query"
| `drop_dm_object_name("DNS")`
| lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain
| where isnull(domain)
| lookup alexa_lookup_by_str domain as query OUTPUT rank
| where isnull(rank)
| stats sum(count) as count mode(queries) as queries by src
| `get_asset(src)`
| where count>50
Drilldown
| tstats allow_old_summaries=true count from datamodel=Network_Resolution
    where nodename=DNS "DNS.src"="$src$" "DNS.reply_code"!="No Error" "DNS.reply_code"!="NoError" DNS.reply_code!="unknown" NOT "DNS.query"="*.arpa" "DNS.query"="*.*"
    by "DNS.src","DNS.query"
| `drop_dm_object_name("DNS")`
| lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain
| where isnull(domain)
| lookup alexa_lookup_by_str domain as query OUTPUT rank
| where isnull(rank)
| stats sum(count) as count by src query
| `get_asset(src)`
Compliance: YES
Container App: DA-ESS-SecKit-NetworkProtection
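The two DNS detections on these pages, UC0072 (WPAD lookups answered NXDOMAIN outside company domains) and UC0076 (excessive failed queries per source after the corporate and popular-domain lookups), as one added Python example that is not Security Kit code and shares a single log parser. The resolver log format, the enrichment lists (corporate domains, popular domains, infrastructure sources) and the "last two labels" stand-in for a public suffix lookup are all constructed assumptions.

```python
from collections import Counter

# Constructed stand-ins for the enrichment lists named in the use cases
CORPORATE_DOMAINS = {"example.com", "corp.example.net"}      # DDE019 CIM Corporate Web Domains
POPULAR_DOMAINS = {"google.com", "microsoft.com"}             # DDE010 Alexa top sites
INFRA_SOURCES = {"10.0.0.53", "10.0.0.25", "10.0.0.80"}       # CAT-svc:dnsresolver, mailgw, webproxy
SUCCESS_CODES = {"NoError", "No Error", "unknown"}            # reply codes UC0076 does not count as failures
FAILURE_THRESHOLD = 50                                        # UC0076 alerts on count>50

# Constructed resolver log lines: "<src> <query> <qtype> <reply_code>"
LOG_LINES = (
    [
        "10.1.1.9 wpad A NXDOMAIN",                          # bare-host WPAD lookup
        "10.1.1.9 wpad.coffeeshop.test A NXDOMAIN",          # WPAD under a foreign domain
        "10.1.1.9 wpad.example.com AAAA NXDOMAIN",           # WPAD under a company domain: expected
        "10.1.1.9 google.com A NoError",
        "10.1.1.7 5.1.168.192.in-addr.arpa PTR NXDOMAIN",    # reverse lookup, excluded
        "10.1.1.7 updates.microsoft.com A NoError",
    ]
    + [f"10.1.1.5 {i:04x}.data.exfil.test A NXDOMAIN" for i in range(60)]   # many unique failures
    + [f"10.0.0.53 stale{i}.example.org A SERVFAIL" for i in range(60)]     # the resolver itself, excluded
)


def parse_line(line):
    src, query, qtype, reply_code = line.split()
    return {"src": src, "query": query.lower().rstrip("."), "qtype": qtype.upper(), "reply_code": reply_code}


def registered_domain(query):
    """Last two labels, a stand-in for a public suffix lookup (assumption, not a full suffix list)."""
    labels = query.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else query


def detect_wpad(records):
    """UC0072: NXDOMAIN answers to A/AAAA queries for wpad or wpad.* outside company domains."""
    hits = []
    for r in records:
        if r["reply_code"] != "NXDOMAIN" or r["qtype"] not in ("A", "AAAA"):
            continue
        if r["query"] != "wpad" and not r["query"].startswith("wpad."):
            continue
        if registered_domain(r["query"]) in CORPORATE_DOMAINS:
            continue
        hits.append((r["src"], r["query"]))
    return hits


def excessive_dns_failures(records, threshold=FAILURE_THRESHOLD):
    """UC0076: failed queries per source after the exclusions the search applies,
    plus the infrastructure sources listed under Enrichment."""
    failures = Counter()
    for r in records:
        q = r["query"]
        if r["src"] in INFRA_SOURCES or r["reply_code"] in SUCCESS_CODES:
            continue
        if q.endswith(".arpa") or "." not in q:                 # NOT "*.arpa" and "*.*"
            continue
        dom = registered_domain(q)
        if dom in CORPORATE_DOMAINS or dom in POPULAR_DOMAINS:  # the two lookups that suppress known domains
            continue
        failures[r["src"]] += 1
    return {src: n for src, n in failures.items() if n > threshold}


RECORDS = [parse_line(line) for line in LOG_LINES]

if __name__ == "__main__":
    print(detect_wpad(RECORDS))
    print(excessive_dns_failures(RECORDS))
```

The resolver at 10.0.0.53 generates as many failures as the suspect host but is suppressed by the CAT-svc list, which is why the search cannot do without that enrichment.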
Related articles
UC0077 Detection Risky Referral Domains
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequences occurs:
New domain in http referrer field
First occurrence of domain as sender domain is less than 48 hours after first seen
Problem Types Addressed: PRT02-SecurityVisibilityEndpointMalware
Risk Addressed: RV3-MaliciousCode
Event Data Sources: DS001Mail-ET02Receive, DS014WebServer-ET01Access
Enrichment:
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: AnalystLoad-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response:
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. N/A
Metrics Review: 1. N/A
Artifacts
Detection Activities
Rule Name - UC0072-S01-V001 Potential unauthorized device detected by wpad resolution
Notable Title - UC0072-S01 $gov$-$src_ip$ Unauthorized device detected by wpad resolution
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0072
Search Logic - TBD
Compliance: YES
Container App: DA-ESS-SecKit-NetworkProtection
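The first-seen tracking list and the two sequences described for UC0077, as an added Python example that is not Security Kit code. The tracker is keyed by (domain, data source) and holds the first epoch each pair was seen; a referrer domain never seen in any source is reported as new, and a sender domain whose first occurrence falls less than 48 hours after the domain was first seen anywhere (including a domain never seen at all, age 0) is reported too. The events, the seed entry and the "last two labels" stand-in for a public suffix lookup are constructed assumptions.

```python
HOURS_48 = 48 * 3600


def registered_domain(host):
    """Last two labels as a stand-in for a public suffix lookup (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_from_referrer(url):
    """Host part of an http referrer URL, reduced to its registered domain."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split("@")[-1].split(":")[0]
    return registered_domain(host)


def domain_from_sender(address):
    """Domain part of a sender address, reduced to its registered domain."""
    return registered_domain(address.rsplit("@", 1)[-1])


class DomainTracker:
    """Tracking list keyed by (domain, data source) holding the first epoch the pair was seen."""

    def __init__(self, seed=None):
        self.first_seen = dict(seed or {})

    def observe(self, epoch, source, domain):
        """Record the observation; return a finding tuple when one of the UC0077 sequences fires."""
        key = (domain, source)
        if key in self.first_seen:
            return None                                   # not a first occurrence for this source
        earlier = [t for (d, _src), t in self.first_seen.items() if d == domain]
        self.first_seen[key] = epoch
        if source == "referrer" and not earlier:
            return ("new_referrer_domain", domain, 0)
        if source == "sender":
            age = epoch - (min(earlier) if earlier else epoch)   # never seen before counts as age 0
            if age < HOURS_48:
                return ("sender_soon_after_first_seen", domain, age // 3600)
        return None


T0 = 1475136000  # 2016-09-29T08:00:00Z, constructed
SEED = {("partner.test", "referrer"): T0 - 30 * 86400}   # a long-known referral domain
EVENTS = [  # (epoch, data source, raw value), constructed from web access and mail receive logs
    (T0, "referrer", "https://shop.newdeal.test/landing?x=1"),
    (T0 + 3600, "sender", "promo@mail.newdeal.test"),
    (T0 + 7200, "sender", "billing@partner.test"),
    (T0 + 7200, "referrer", "https://www.partner.test/"),
    (T0 + 10000, "sender", "ceo@fresh-invoice.test"),
    (T0 + 20000, "sender", "promo@newdeal.test"),
]


def run_detection(events, seed=SEED):
    """Replay events in time order through a tracker and collect the findings."""
    tracker = DomainTracker(seed)
    findings = []
    for epoch, source, value in sorted(events):
        domain = domain_from_referrer(value) if source == "referrer" else domain_from_sender(value)
        finding = tracker.observe(epoch, source, domain)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in run_detection(EVENTS):
        print(finding)
```

partner.test produces nothing because it was first seen 30 days earlier, while newdeal.test is reported twice: once as a new referrer and again when mail from it arrives an hour later.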
Related articles
UC0079 Use of accountable privileged identity to access new or rare sensitive resource
Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger a notable event for review of the access reason.
Problem Types Addressed: PRT01-Compliance, PRT02-SecurityVisibilityPriviledgeUserMonitoring
Risk Addressed: RV1-AbuseofAccess
Event Data Sources: DS003Authentication-ET01Success
Enrichment: DE001AssetInformation CAT-gov_identifier; DE002IdentityInformation CAT-privileged
Adoption Phase Customer: APC-Mature
Adoption Phase SME: APS-Proposed
Adoption Phase Industry: API-Distinctive
Initial Severity: SV2 - Medium
Occurrence/Fidelity: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-High
Analyst Load: TBD
Implementation Skill: TBD
Response: RP009 Unauthorized (actual or attempted) access by employees or contractors
Implementation Details
Effectiveness Monitoring
Metrics Captured: 1. Time to investigate 2. Time to close 3. Number of reportable incidents
Metrics Review: 1. Review thresholds and determine if adjustments to reduce the thresholds should be made
Artifacts
Dependencies: DDT002 Logon Tracker
Correlation Search "New/Rare Login"
|inputlookup logon_tracker
| `get_asset(dest_dns)`
| `get_identity(user_nick)`
| search user_category="privlidged"
| where _time
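The logon-tracker logic behind the correlation search above, as an added Python example that is not Security Kit code: a tracker keeps the first and last successful logon per (user, dest), and a logon by a privileged identity to a sensitive asset raises a notable when the pair has never been seen ("first") or has not been seen inside the rolling window ("rare"). The 30-day window, the privileged and sensitive lists, and the logon events are constructed assumptions.

```python
from datetime import datetime, timedelta

ROLLING_DAYS = 30  # assumption; the use case leaves the rolling period to the implementer
PRIVILEGED_USERS = {"dba_admin", "root_ops"}                           # DE002 CAT-privileged, constructed
SENSITIVE_ASSETS = {"pci-db01.example.com", "hr-app01.example.com"}    # DE001 CAT-gov_identifier, constructed


class LogonTracker:
    """Stand-in for the DDT002 logon tracker: first and last successful logon per (user, dest)."""

    def __init__(self):
        self.seen = {}

    def record(self, when, user, dest):
        entry = self.seen.get((user, dest))
        if entry is None:
            self.seen[(user, dest)] = [when, when]
        else:
            entry[1] = max(entry[1], when)


def evaluate_logon(tracker, when, user, dest, rolling_days=ROLLING_DAYS):
    """Return a notable tuple when a privileged user reaches a sensitive asset with no
    logon recorded inside the rolling window; the tracker is updated either way."""
    notable = None
    if user in PRIVILEGED_USERS and dest in SENSITIVE_ASSETS:
        entry = tracker.seen.get((user, dest))
        if entry is None:
            notable = ("UC0079-S01", user, dest, "first")
        elif when - entry[1] > timedelta(days=rolling_days):
            notable = ("UC0079-S01", user, dest, "rare")
    tracker.record(when, user, dest)
    return notable


# Constructed successful authentication events: (time, user, dest)
LOGONS = [
    (datetime(2016, 8, 1, 9, 0), "dba_admin", "pci-db01.example.com"),
    (datetime(2016, 8, 15, 9, 0), "dba_admin", "pci-db01.example.com"),
    (datetime(2016, 9, 29, 9, 0), "dba_admin", "pci-db01.example.com"),   # 45 days since the last logon
    (datetime(2016, 9, 29, 10, 0), "dba_admin", "hr-app01.example.com"),  # never seen before
    (datetime(2016, 9, 29, 11, 0), "jdoe", "pci-db01.example.com"),       # not privileged
    (datetime(2016, 9, 29, 12, 0), "root_ops", "build01.example.com"),    # not a sensitive asset
]


def run_correlation(events):
    """Replay logons in time order and collect the notables the search would raise."""
    tracker = LogonTracker()
    notables = []
    for when, user, dest in sorted(events):
        notable = evaluate_logon(tracker, when, user, dest)
        if notable:
            notables.append(notable)
    return notables


if __name__ == "__main__":
    for notable in run_correlation(LOGONS):
        print(notable)
```

The August logons seed the tracker, so only the September access to pci-db01 (rare) and to hr-app01 (first) produce notables; the tracker state is what the search above reads from the logon_tracker lookup.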