| Analytic Story | Data Sources | Tactics | Products | Date |
|---|---|---|---|---|
| Windows Attack Surface Reduction | Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1132, Windows Event Log Defender 1133, Windows Event Log Defender 1134, Windows Event Log Defender 5007 | Defense Impairment, Execution, Initial Access, Persistence | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Living Off The Land | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Osquery Results, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145 | Command and Control, Credential Access, Defense Impairment, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| AWS S3 Bucket Security Monitoring | AWS Cloudfront, Sysmon EventID 22 | Impact | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| GCP Cross Account Activity | | Initial Access, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Disabling Security Tools | CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 | Defense Impairment, Discovery, Execution, Impact, Persistence, Privilege Escalation | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Suspicious Cloud Provisioning Activities | AWS CloudTrail | Initial Access, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Suspicious GCP Storage Activities | | Collection | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Suspicious Cloud User Activities | ASL AWS CloudTrail, AWS CloudTrail | Defense Impairment, Discovery, Execution, Initial Access, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Use of Cleartext Protocols | Cisco Secure Firewall Threat Defense Connection Event | N/A | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Remote Monitoring and Management Software | Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4698 | Command and Control, Execution, Lateral Movement, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Suspicious Okta Activity | Okta | Command and Control, Credential Access, Discovery, Initial Access, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| GitHub Malicious Activity | GitHub Enterprise Audit Logs, GitHub Organizations Audit Logs | Defense Impairment, Impact, Initial Access | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| AWS Security Hub Alerts | AWS Security Hub | N/A | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Asset Tracking | | N/A | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Windows Audit Policy Tampering | CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4719 | Defense Impairment, Persistence, Privilege Escalation | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Kubernetes Security | Kubernetes Audit, Kubernetes Falco | Credential Access, Discovery, Execution, Persistence, Privilege Escalation | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Linux Post-Exploitation | Sysmon EventID 1, Sysmon for Linux EventID 1 | Command and Control, Execution, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Suspicious Cloud Instance Activities | ASL AWS CloudTrail, AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail | Exfiltration, Initial Access, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Router and Infrastructure Security | Cisco IOS Logs | Collection, Credential Access, Exfiltration, Impact, Initial Access, Persistence, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| AWS IAM Privilege Escalation | ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateAccessKey, AWS CloudTrail CreateLoginProfile, AWS CloudTrail CreatePolicyVersion, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DeleteGroup, AWS CloudTrail DeletePolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail SetDefaultPolicyVersion, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail UpdateLoginProfile, AWS CloudTrail | Credential Access, Discovery, Initial Access, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Command And Control | Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 | Command and Control, Execution, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| AWS User Monitoring | AWS CloudTrail | Discovery | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Prohibited Traffic Allowed or Protocol Mismatch | Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 22 | Command and Control, Exfiltration, Initial Access, Lateral Movement | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | | Execution | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Cloud Cryptomining | AWS CloudTrail | Defense Impairment, Initial Access, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Information Sabotage | Windows Event Log Security 5145 | Exfiltration | Splunk Behavioral Analytics, Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Collection and Staging | CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688 | Collection, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Kubernetes Sensitive Object Access Activity | | N/A | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Suspicious AWS S3 Activities | ASL AWS CloudTrail, AWS CloudTrail CreateTask, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, AWS CloudTrail | Collection, Exfiltration, Impact | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Windows Post-Exploitation | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688 | Collection, Command and Control, Credential Access, Defense Impairment, Discovery, Execution, Impact, Persistence, Privilege Escalation, Reconnaissance, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Suspicious AWS Login Activities | AWS CloudTrail ConsoleLogin, AWS CloudTrail | Resource Development, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| AWS Defense Evasion | ASL AWS CloudTrail, AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogGroup, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteTrail, AWS CloudTrail DeleteWebACL, AWS CloudTrail PutBucketLifecycle, AWS CloudTrail StopLogging, AWS CloudTrail UpdateTrail | Defense Impairment, Impact | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| AWS Network ACL Activity | ASL AWS CloudTrail, AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail DeleteNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry | Defense Impairment | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Windows Log Manipulation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104 | Defense Impairment, Impact, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Dynamic DNS | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 | Exfiltration, Initial Access | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| AWS Identity and Access Management Account Takeover | ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail | Collection, Credential Access, Defense Impairment, Discovery, Initial Access, Persistence, Privilege Escalation, Resource Development, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| DNS Amplification Attacks | | Impact | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Data Protection | CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 | Collection, Command and Control, Initial Access, Lateral Movement | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Cloud Federated Credential Abuse | ASL AWS CloudTrail, AWS CloudTrail UpdateSAMLProvider, CrowdStrike ProcessRollup2, O365 Add app role assignment grant to user., O365 UserLoginFailed, O365, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 | Credential Access, Defense Impairment, Initial Access, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Suspicious Cloud Authentication Activities | AWS CloudTrail | Credential Access, Resource Development, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Dev Sec Ops | ASL AWS CloudTrail, AWS CloudTrail DescribeImageScanFindings, AWS CloudTrail PutImage, CircleCI, G Suite Drive, G Suite Gmail | Credential Access, Discovery, Execution, Exfiltration, Initial Access, Persistence | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Kubernetes Scanning Activity | | Discovery | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| AWS Bedrock Security | AWS CloudTrail DeleteGuardrail, AWS CloudTrail DeleteKnowledgeBase, AWS CloudTrail DeleteModelInvocationLoggingConfiguration, AWS CloudTrail | Defense Impairment, Discovery, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Suspicious AWS Traffic | | N/A | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Zscaler Browser Proxy Threats | | Initial Access | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |
| Azure Active Directory Privilege Escalation | Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs, Azure Active Directory, O365 Add app role assignment grant to user., Office 365 Universal Audit Log, Powershell Script Block Logging 4104 | Command and Control, Credential Access, Discovery, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Stealth | Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security | 2026-05-13 |