Splunk Tech Talks
Deep-dives for technical practitioners.

Splunk SOAR Playbooks: Conducting an Azure New User Census

melissap
Splunk Employee
Splunk Employee

View our Tech Talk, Security Edition: Splunk SOAR Playbooks: Conducting an Azure New User Census

In January and February of 2021, the threat actor called Hafnium used a number of post-exploitation tools after gaining access to Exchange servers through a zero-day exploit. One of their persistence methods was creating new user accounts in the domain, giving them the ability to log back into the network using normal authentication rather than use a web shell or continue to re-exploit the vulnerability (which has since been patched). There are several good Splunk detections and Phantom responses that can find a Hafnium-like attack earlier in the chain, but monitoring new user accounts from Phantom is one of the easiest to get started with and the least specific to any particular kind of attack. We already knew Active Directory was one of the most important systems for our security posture, and Hafnium just gave us a not-so-subtle reminder that we need to stay on top of it, whether on-premises through regular Active Directory or in the cloud with Azure Active Directory.

Tune in to this webinar to learn:

  • How to get started with an account monitoring use case
  • How our newest community playbook initiates a scheduled review of new accounts created in Azure Active Directory each week
  • How your security team should have a good understanding of the frequency and common attributes of newly created accounts
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...