You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
author: Gowthamaraj Rajendran, Patrick Bareiss, Splunk
status: production
type: TTP
data_source: []
data_source: ["windows defender logs"]
description: The primary objective of this rule is to integrate and assess critical alerts from Endpoint, DLP, and firewall sources within the splunk system. By correlating these alerts and incorporating MITRE annotations, the rule provides a comprehensive view of customer risk. It triggers an alert when critical alerts from these categories are detected, preserving the originating source and assigning risk scores. The rule helps security analysts better understand potential threats, enabling timely and effective responses to mitigate risks. The results are collected in the risk index for continuous monitoring and analysis.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.signature Alerts.app, Alerts.severity, Alerts.description, source, Alerts.id, Alerts.dest
how_to_implement: In order to properly run this search, Splunk needs to ingest data from other security products such as crowdstrike, microsoft defender, or carbon black. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary.
known_false_positives: False positives may vary by endpoint protection tool; monitor and adjust the risk scores as needed.
