topic What are Splunk SOC rules? in Alerting

What are Splunk SOC rules?

VijaySrrie — Thu, 30 Jun 2022 13:35:57 GMT

Hi All,

Please help me with the splunk alerts for below scenario

Thanks,

Vijay Sri S

Re: Splunk SOC rules

VijaySrrie — Thu, 30 Jun 2022 08:31:54 GMT

Criminals gain access to the platform and install Ransomware that disrupts platform

An employee deliberately or accidentally misusing their access to PII records

Denial of service attack by criminals or state-sponsored actors flooding cloud resources, causing platform to become unavailable and inaccessible.

Supply chain security is compromised and Ovo loses access to services it is provided

Ineffective controls on endpoint devices, enabling unauthorised access by criminals or state-sponsored actors

Criminals gain access to underlying cloud infrastructure and steal PII data

Criminals gain access to exposed APIs and steal PII data

Users could escalate privileges and/or move laterally in the platform to see data they shouldn't

Re: Splunk SOC rules

VatsalJagani — Thu, 30 Jun 2022 09:28:13 GMT

Hi @VijaySrrie ,

You can take reference from these:

Actually, this is not the list of scenarios, actually to achieve one of the items you listed here you may require to implement many alerts.

For example, to implement the "Criminals gain access to the platform and install Ransomware that disrupts platform" scenario, there are many sample searches already provided here - https://research.splunk.com/stories/ransomware/ And you can make countless more.

But, I'm happy to hear from others who have better security experience than me to find out if there is a quicker way to go about this.🤔

I hope this helps!!!

SOC is not installation but rather a journey.!!!!