Detection for abuse of service account being used

Hello,
I want to write a detection for watching abuse of a service being used. How do I start writing the logic? Any help would be appreciated.
Thank you.
Rich is asking: what do you mean by abuse?
Count of failures? Count of successes? By source? Over a given time range? From a given source to a number of destinations in a given time window?
You always need to start with defining the criteria of what you mean when using terms like abuse, unusual, unexpected, etc. when creating detections. That drives what you do in SPL.
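The criteria listed in the reply above (failures per source over a time window, successes per source, and one source fanning out to many destinations in a window) are the aggregations that become `stats ... by _time, src, user` in SPL. The script below is an added example, not code from the thread or from Splunk: it implements those three criteria in Python over constructed sample log lines so the logic can be seen end to end. The field names `src`, `dest`, `user` and `action`, the one-hour window and the thresholds are all assumptions; in a real deployment they come from the data model and from a baseline of how each service account normally behaves.

```python
"""Detection logic for service-account abuse, written as a stand-in for the
SPL searches discussed in the thread. Three criteria are implemented over
constructed sample events: failures per (source, account) in a time window,
successes per (source, account) in a time window, and one (source, account)
reaching many distinct destinations in a time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not real data). One service
# account fails six times and then reaches five hosts; another behaves normally.
LOG_LINES = """\
2024-01-10T08:00:05 src=10.0.0.5 dest=srv-db01 user=svc_backup action=failure
2024-01-10T08:00:07 src=10.0.0.5 dest=srv-db01 user=svc_backup action=failure
2024-01-10T08:00:09 src=10.0.0.5 dest=srv-db01 user=svc_backup action=failure
2024-01-10T08:00:12 src=10.0.0.5 dest=srv-db01 user=svc_backup action=failure
2024-01-10T08:00:15 src=10.0.0.5 dest=srv-db01 user=svc_backup action=failure
2024-01-10T08:00:18 src=10.0.0.5 dest=srv-db01 user=svc_backup action=failure
2024-01-10T08:00:20 src=10.0.0.5 dest=srv-db01 user=svc_backup action=success
2024-01-10T08:01:00 src=10.0.0.5 dest=srv-web01 user=svc_backup action=success
2024-01-10T08:01:05 src=10.0.0.5 dest=srv-web02 user=svc_backup action=success
2024-01-10T08:01:10 src=10.0.0.5 dest=srv-file01 user=svc_backup action=success
2024-01-10T08:01:15 src=10.0.0.5 dest=srv-dc01 user=svc_backup action=success
2024-01-10T08:30:00 src=10.0.0.9 dest=srv-db01 user=svc_monitor action=success
2024-01-10T08:30:30 src=10.0.0.9 dest=srv-web01 user=svc_monitor action=success
2024-01-10T09:15:00 src=10.0.0.9 dest=srv-db01 user=svc_monitor action=failure
"""

HOUR = timedelta(hours=1)


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime _time."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ev = {"_time": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def window_start(ts, span):
    """Floor a timestamp to the start of its span-sized window (like SPL's bucket)."""
    epoch = datetime(1970, 1, 1)
    return ts - ((ts - epoch) % span)


def count_by_window(events, outcome, span=HOUR):
    """Count events with the given action per (window, src, user).
    SPL equivalent: action=<outcome> | bucket _time span=1h | stats count by _time, src, user
    """
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] == outcome:
            counts[(window_start(ev["_time"], span), ev["src"], ev["user"])] += 1
    return dict(counts)


def distinct_dests_by_window(events, span=HOUR):
    """Distinct destinations reached (successful logons) per (window, src, user).
    SPL equivalent: action=success | bucket _time span=1h | stats dc(dest) AS n_dest by _time, src, user
    """
    dests = defaultdict(set)
    for ev in events:
        if ev["action"] == "success":
            dests[(window_start(ev["_time"], span), ev["src"], ev["user"])].add(ev["dest"])
    return {key: len(hosts) for key, hosts in dests.items()}


def detect(events, span=HOUR, fail_threshold=5, success_threshold=10, fanout_threshold=4):
    """Apply the three criteria and return (rule, window, src, user, value) tuples
    whose value reaches the rule's threshold. Thresholds are assumed values; tune
    them per account from a baseline of normal activity."""
    alerts = []
    for key, n in count_by_window(events, "failure", span).items():
        if n >= fail_threshold:
            alerts.append(("failure_burst",) + key + (n,))
    for key, n in count_by_window(events, "success", span).items():
        if n >= success_threshold:
            alerts.append(("success_burst",) + key + (n,))
    for key, n in distinct_dests_by_window(events, span).items():
        if n >= fanout_threshold:
            alerts.append(("fan_out",) + key + (n,))
    return alerts


EVENTS = parse_events(LOG_LINES)

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the sample data only `svc_backup` from `10.0.0.5` fires: six failures in the 08:00 window, then successful logons to five distinct hosts. The monitoring account stays under every threshold. The raw success count is the least useful of the three on its own, since a service account that legitimately polls many hosts will always have a high count; it becomes meaningful only relative to that account's usual rate, which is why the criteria need to be defined per account before they are turned into SPL.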
Hi Rich,
Thanks for your response.
Abuse means unusual authentications, interactive activity, suspicious processes. I would like to build detections for any of these terms. Could you please suggest how I can proceed further with this?
Thank you,
Lakshmi
Check out the Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435/).
Please explain what "abuse of service account" means to you.