Command reference
Search the live database for syntax, tools, use cases, tags, MITRE context, and safe lab-ready command examples.
Splunk / Threat Hunting (Defensive, Intermediate, Free)
Trend high severity signatures over time.
Query: index=security severity=high | timechart span=15m count by signature
Tags: splunk, threat-hunting, expanded-library

Splunk / Threat Hunting (Defensive, Intermediate, Free)
Review simulated LSASS access telemetry.
Query: index=endpoint file_name=lsass.exe action=read | table _time host process_name user
Tags: splunk, threat-hunting, expanded-library

Wazuh / Incident Response (Defensive, Intermediate, Free)
Filter high severity Wazuh alerts.
Query: agent.name:* AND rule.level:>=10
Tags: wazuh, incident-response, expanded-library

Wazuh / Incident Response (Defensive, Intermediate, Free)
Find failed authentication events with source IP context.
Query: rule.groups:authentication_failed AND data.srcip:*
Tags: wazuh, incident-response, expanded-library

Wazuh / Incident Response (Defensive, Intermediate, Free)
Review file integrity modifications.
Query: rule.groups:syscheck AND syscheck.event:modified
Tags: wazuh, incident-response, expanded-library

Wazuh / Incident Response (Defensive, Intermediate, Free)
Find suspicious PowerShell process alerts.
Query: data.win.eventdata.image:*powershell.exe AND rule.level:>=7
Tags: wazuh, incident-response, expanded-library

Wazuh / Incident Response (Defensive, Intermediate, Free)
Review rootcheck findings on web servers.
Query: rule.groups:rootcheck AND agent.name:web-*
Tags: wazuh, incident-response, expanded-library

Wazuh / Incident Response (Defensive, Intermediate, Free)
Filter SSH decoder events.
Query: manager.name:* AND decoder.name:sshd
Tags: wazuh, incident-response, expanded-library