Defensive
Intermediate
Free
Find repeated authentication failures by source and user.
index=security sourcetype=auth action=failure | stats count by src_ip user | sort -count
splunk
threat-hunting
expanded-library
Splunk / Threat Hunting
Defensive
Intermediate
Free
Baseline Windows process creation pairs.
index=windows EventCode=4688 | stats count by New_Process_Name Parent_Process_Name | sort -count
splunk
threat-hunting
expanded-library
Splunk / Threat Hunting
Defensive
Intermediate
Free
Hunt for suspicious DNS queries to abused file extensions.
index=dns query="*.zip" OR query="*.mov" | stats count by src_ip query
splunk
threat-hunting
expanded-library
Splunk / Threat Hunting
Defensive
Intermediate
Free
Review large outbound web transfers.
index=proxy status=200 bytes_out>5000000 | table _time src_ip user url bytes_out
splunk
threat-hunting
expanded-library
Splunk / Threat Hunting
Defensive
Intermediate
Free
Find PowerShell encoded command usage.
index=edr process_name=powershell.exe | search command_line="*EncodedCommand*"
splunk
threat-hunting
expanded-library
Splunk / Threat Hunting
Defensive
Intermediate
Free
Identify users authenticating from multiple source locations.
index=vpn action=success | stats dc(src_ip) as locations by user | where locations > 2
splunk
threat-hunting
expanded-library
Splunk / Threat Hunting
Defensive
Intermediate
Free
Hunt failed cloud console logons.
index=cloud eventName=ConsoleLogin responseElements.ConsoleLogin=Failure | stats count by sourceIPAddress userIdentity.arn
splunk
threat-hunting
expanded-library
Splunk / Threat Hunting
Defensive
Intermediate
Free
Summarize phishing verdicts by sender and recipient.
index=email verdict=phish | stats count by sender recipient subject
splunk
threat-hunting
expanded-library
Splunk / Threat Hunting
Defensive
Intermediate
Free
Trend high severity signatures over time.
index=security severity=high | timechart span=15m count by signature
splunk
threat-hunting
expanded-library
Splunk / Threat Hunting
Defensive
Intermediate
Free
Review simulated LSASS access telemetry.
index=endpoint file_name=lsass.exe action=read | table _time host process_name user
splunk
threat-hunting
expanded-library
Splunk / Threat Hunting
Defensive
Intermediate
Free
Convert a Sigma rule to a Splunk query.
sigma convert -t splunk rules/windows/process_creation/proc_creation_win_susp_powershell.yml
sigma
detection-engineering
expanded-library
Sigma / Detection Engineering
Defensive
Intermediate
Free
Validate process creation rules for syntax errors.
sigma check rules/windows/process_creation/*.yml
sigma
detection-engineering
expanded-library
Sigma / Detection Engineering
Defensive
Intermediate
Free
List supported SIEM conversion targets.
sigma list targets
sigma
detection-engineering
expanded-library
Sigma / Detection Engineering
Defensive
Intermediate
Free
Convert AWS failed login detection to ElastAlert.
sigma convert -t elastalert rules/cloud/aws/aws_console_login_failures.yml
sigma
detection-engineering
expanded-library
Sigma / Detection Engineering
Defensive
Intermediate
Free
Convert a PowerShell download rule to Sentinel KQL.
sigma convert -t sentinel rules/windows/powershell/powershell_susp_download.yml
sigma
detection-engineering
expanded-library
Sigma / Detection Engineering
Defensive
Intermediate
Free
Validate Linux auditd Sigma rules.
sigma check rules/linux/auditd/*.yml
sigma
detection-engineering
expanded-library
Sigma / Detection Engineering
Defensive
Intermediate
Free
Convert suspicious user-agent detection to Lucene.
sigma convert -t lucene rules/proxy/proxy_susp_user_agent.yml
sigma
detection-engineering
expanded-library
Sigma / Detection Engineering
Defensive
Intermediate
Free
Convert Sysmon Sigma rules with a Splunk pipeline.
sigma convert -t splunk --pipeline splunk_windows rules/windows/sysmon/*.yml
sigma
detection-engineering
expanded-library
Sigma / Detection Engineering
Defensive
Intermediate
Free
Run strict Sigma repository validation.
sigma check --fail-on-warnings rules/
sigma
detection-engineering
expanded-library
Sigma / Detection Engineering
Defensive
Intermediate
Free
Convert suspicious logon detection to QRadar syntax.
sigma convert -t qradar rules/windows/builtin/win_security_susp_logon.yml
sigma
detection-engineering
expanded-library
Sigma / Detection Engineering
Defensive
Intermediate
Free
Test Suricata configuration and local rules.
suricata -T -c /etc/suricata/suricata.yaml -S local.rules
suricata
detection-engineering
expanded-library
Suricata / Detection Engineering
Defensive
Intermediate
Free
List available Suricata rule sources.
suricata-update list-sources
suricata
detection-engineering
expanded-library
Suricata / Detection Engineering
Defensive
Intermediate
Free
Enable Emerging Threats Open rules.
suricata-update enable-source et/open
suricata
detection-engineering
expanded-library
Suricata / Detection Engineering
Defensive
Intermediate
Free
Run Suricata against a packet capture.
suricata -r capture.pcap -k none -l eve-output/
suricata
detection-engineering
expanded-library
Suricata / Detection Engineering
Defensive
Intermediate
Free
Filter Suricata EVE alerts.
jq 'select(.event_type=="alert")' eve.json
suricata
detection-engineering
expanded-library
Suricata / Detection Engineering
Defensive
Intermediate
Free
Extract DNS events from EVE JSON.
jq 'select(.event_type=="dns") | {src_ip,query:.dns.rrname}' eve.json
suricata
detection-engineering
expanded-library
Suricata / Detection Engineering
Defensive
Intermediate
Free
Inspect Suricata rule path configuration.
suricata --dump-config | grep default-rule-path
suricata
detection-engineering
expanded-library
Suricata / Detection Engineering
Defensive
Intermediate
Free
Request a non-blocking rule reload.
suricatasc -c ruleset-reload-nonblocking
suricata
detection-engineering
expanded-library
Suricata / Detection Engineering
Defensive
Intermediate
Free
Review high priority Suricata signatures (filter on event_type first: in jq, null <= 2 is true, so non-alert EVE records would otherwise pass the severity test and print null).
jq -r 'select(.event_type=="alert" and .alert.severity<=2) | .alert.signature' eve.json
suricata
detection-engineering
expanded-library
Suricata / Detection Engineering
Defensive
Intermediate
Free
Validate the main Suricata configuration.
suricata -T -c suricata.yaml
suricata
detection-engineering
expanded-library
Suricata / Detection Engineering
Defensive
Advanced
Premium
Run a local Velociraptor information query.
velociraptor query "SELECT * FROM info()"
velociraptor
endpoint-security
expanded-library
Velociraptor / Endpoint Security
Defensive
Advanced
Premium
List Windows-focused artifacts.
velociraptor artifacts list | grep Windows
velociraptor
endpoint-security
expanded-library
Velociraptor / Endpoint Security
Defensive
Advanced
Premium
Inspect running process telemetry.
velociraptor query "SELECT Name, CommandLine FROM pslist()"
velociraptor
endpoint-security
expanded-library
Velociraptor / Endpoint Security
Defensive
Advanced
Premium
Collect simulated temp directory file listing.
velociraptor query "SELECT * FROM glob(globs='C:/Windows/Temp/*')"
velociraptor
endpoint-security
expanded-library
Velociraptor / Endpoint Security
Defensive
Advanced
Premium
Run a Windows event log hunting artifact.
velociraptor query "SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter()"
velociraptor
endpoint-security
expanded-library
Velociraptor / Endpoint Security
Defensive
Advanced
Premium
Collect generic endpoint info.
velociraptor query "SELECT * FROM Artifact.Generic.Client.Info()"
velociraptor
endpoint-security
expanded-library
Velociraptor / Endpoint Security
Defensive
Advanced
Premium
Review Velociraptor client configuration.
velociraptor config show --section Client
velociraptor
endpoint-security
expanded-library
Velociraptor / Endpoint Security
Defensive
Advanced
Premium
List endpoint users.
velociraptor query "SELECT * FROM users()"
velociraptor
endpoint-security
expanded-library
Velociraptor / Endpoint Security
Defensive
Advanced
Premium
Inspect endpoint network connections.
velociraptor query "SELECT * FROM netstat()"
velociraptor
endpoint-security
expanded-library
Velociraptor / Endpoint Security
Defensive
Advanced
Premium
Hash a known endpoint binary.
velociraptor query "SELECT * FROM hash(path='C:/Windows/System32/cmd.exe')"
velociraptor
endpoint-security
expanded-library
Velociraptor / Endpoint Security
Defensive
Intermediate
Free
Query running process inventory.
osqueryi "select name,path,pid from processes limit 10;"
osquery
endpoint-security
expanded-library
Osquery / Endpoint Security
Defensive
Intermediate
Free
Find unusual listening ports.
osqueryi "select * from listening_ports where port not in (80,443,22);"
osquery
endpoint-security
expanded-library
Osquery / Endpoint Security
Defensive
Intermediate
Free
Review local users.
osqueryi "select username,description from users;"
osquery
endpoint-security
expanded-library
Osquery / Endpoint Security
Defensive
Intermediate
Free
Inventory installed software.
osqueryi "select name,version from programs order by name;"
osquery
endpoint-security
expanded-library
Osquery / Endpoint Security
Defensive
Intermediate
Free
Review startup persistence entries.
osqueryi "select * from startup_items;"
osquery
endpoint-security
expanded-library
Osquery / Endpoint Security
Defensive
Intermediate
Free
Show logged-in user sessions.
osqueryi "select * from logged_in_users;"
osquery
endpoint-security
expanded-library
Osquery / Endpoint Security
Defensive
Intermediate
Free
Review endpoint interface addresses.
osqueryi "select address,mac,interface from interface_addresses;"
osquery
endpoint-security
expanded-library
Osquery / Endpoint Security
Defensive
Intermediate
Free
Inspect certificates matching organization hints.
osqueryi "select * from certificates where common_name like '%corp%';"
osquery
endpoint-security
expanded-library
Osquery / Endpoint Security
Defensive
Intermediate
Free
Review scheduled cron entries.
osqueryi "select * from crontab;"
osquery
endpoint-security
expanded-library
Osquery / Endpoint Security
Defensive
Intermediate
Free
Hash a system binary.
osqueryi "select path,sha256 from hash where path='/bin/bash';"
osquery
endpoint-security
expanded-library
Osquery / Endpoint Security