Resource Development Analytic Stories

Name Data Sources Tactics Products Date
Suspicious AWS Login Activities aws icon AWS CloudTrail ConsoleLogin, AWS CloudTrail Defense Evasion Resource Development Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Suspicious Cloud Authentication Activities aws icon AWS CloudTrail Credential Access Defense Evasion Resource Development Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Okta Account Takeover Okta Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-03-06
Splunk Vulnerabilities splunk icon Splunk Stream TCP, Splunk Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-01-22
Office 365 Account Takeover O365 Add app role assignment grant to user., O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365, Office 365 Reporting Message Trace, Office 365 Universal Audit Log Collection Credential Access Defense Evasion Execution Exfiltration Impact Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-17
Data Destruction linux icon AWS Cloudfront, CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Office 365 Reporting Message Trace, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201 Collection Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-04-06
Compromised User Account windows icon ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, Office 365 Universal Audit Log, PingID, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4625 Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-01-19
GCP Account Takeover Google Workspace login_failure, Google Workspace Credential Access Defense Evasion Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-10-12
AWS Identity and Access Management Account Takeover aws icon ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-08-19
Azure Active Directory Account Takeover azure icon Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory, Azure Monitor Activity, Office 365 Universal Audit Log Collection Command And Control Credential Access Defense Evasion Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-07-14
WhisperGate windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 9, Windows Event Log Security 4688 Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-01-19
NOBELIUM Group windows icon Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036 Collection Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-12-14
Ransomware windows icon CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 104, Windows Event Log System 7036 Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
Unusual Processes windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04