A Necessity of use cases related to Nessus and Win...

leillo28 · ‎02-21-2020

Hi all,
We have the necessity to implements alerts related to Nessus scans and Windows systems.
We have seen a few of them related to Windows in the Use Case Library at Enterprise Security but I was wondering if you have any sort of alerts that we could implement furthermore than those.
Thank you in advance.

alonsocaio · ‎02-21-2020

Hi,

For Windows use cases I think you could consider monitoring:

Windows authentication brute force attempts.
Process creation and powershell execution
Inclusion and Removal of users in admin groups
Creation of local admin accounts
Audit log clear
RDP connections
And much more...

You can also take a look at Splunk Security Essentials (https://splunkbase.splunk.com/app/3435/) and Splunk ES Content Updates (https://splunkbase.splunk.com/app/3449/). Both apps contain lots of alerts and correlation searches you can use, some of them even mapped to MITRE ATT&CK framework.

In addiction, this github repo has several monitoring rules that can be used in SIEM, including Windows use cases: https://github.com/Neo23x0/sigma

Maybe Tenable App for Splunk can give you some insights about Nessus: https://splunkbase.splunk.com/app/4061/#/details

A Necessity of use cases related to Nessus and Windows.

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?