Splunk Tech Talks
Deep-dives for technical practitioners.

Splunk SOAR Playbooks: Conducting an Azure New User Census

Splunk Employee
Splunk Employee

View our Tech Talk, Security Edition: Splunk SOAR Playbooks: Conducting an Azure New User Census 

In January and February of 2021, the threat actor called Hafnium used a number of post-exploitation tools after gaining access to Exchange servers through a zero-day exploit. One of their persistence methods was creating new user accounts in the domain, giving them the ability to log back into the network using normal authentication rather than use a web shell or continue to re-exploit the vulnerability (which has since been patched). There are several good Splunk detections and Phantom responses that can find a Hafnium-like attack earlier in the chain, but monitoring new user accounts from Phantom is one of the easiest to get started with and the least specific to any particular kind of attack.

We already knew Active Directory was one of the most important systems for our security posture, and Hafnium just gave us a not-so-subtle reminder that we need to stay on top of it, whether on-premises through regular Active Directory or in the cloud with Azure Active Directory.

Tune in to this webinar to learn:

  • How to get started with an account monitoring use case
  • How our newest community playbook initiates a scheduled review of new accounts created in Azure Active Directory each week
  • How your security team should have a good understanding of the frequency and common attributes of newly created accounts
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...