Splunk rule coverage

149 events across 21 providers with Splunk detection rules, 2923 rule mappings total. Each rule links to its own page (predicates, exclusions, shared indicators). For the rule-centric ATT&CK browse across every vendor, see all detection rules; non-Windows Splunk rules are grouped by platform and technique at Splunk non-Windows coverage.

Microsoft-Windows-Security-Auditing

Event ID 632 1 rule
Event ID 4624 An account was successfully logged on. 20 rules
Event ID 4625 An account failed to log on. 15 rules
Event ID 4627 Group membership information. 1 rule
Event ID 4648 A logon was attempted using explicit credentials. 5 rules
Event ID 4656 A handle to an object was requested. 15 rules
Event ID 4657 A registry value was modified. 14 rules
Event ID 4661 A handle to an object was requested. 1 rule
Event ID 4662 An operation was performed on an object. 7 rules
Event ID 4663 An attempt was made to access an object. 30 rules
Event ID 4670 Permissions on an object were changed. 1 rule
Event ID 4672 Special privileges assigned to new logon. 1 rule
Event ID 4673 A privileged service was called. 1 rule
Event ID 4688 A new process has been created. 812 rules
Event ID 4690 An attempt was made to duplicate a handle to an object. 1 rule
Event ID 4697 A service was installed in the system. 2 rules
Event ID 4698 A scheduled task was created. 16 rules
Event ID 4699 A scheduled task was deleted. 1 rule
Event ID 4700 A scheduled task was enabled. 3 rules
Event ID 4702 A scheduled task was updated. 3 rules
Event ID 4703 A user right was adjusted. 2 rules
Event ID 4719 System audit policy was changed. 2 rules
Event ID 4720 A user account was created. 5 rules
Event ID 4722 A user account was enabled. 1 rule
Event ID 4723 An attempt was made to change an account's password. 3 rules
Event ID 4724 An attempt was made to reset an account's password. 3 rules
Event ID 4725 A user account was disabled. 2 rules
Event ID 4726 A user account was deleted. 3 rules
Event ID 4727 A security-enabled global group was created. 3 rules
Event ID 4728 A member was added to a security-enabled global group. 4 rules
Event ID 4730 A security-enabled global group was deleted. 1 rule
Event ID 4731 A security-enabled local group was created. 2 rules
Event ID 4732 A member was added to a security-enabled local group. 4 rules
Event ID 4733 A member was removed from a security-enabled local group. 1 rule
Event ID 4734 A security-enabled local group was deleted. 1 rule
Event ID 4735 A security-enabled local group was changed. 1 rule
Event ID 4737 A security-enabled global group was changed. 1 rule
Event ID 4738 A user account was changed. 6 rules
Event ID 4741 A computer account was created. 2 rules
Event ID 4742 A computer account was changed. 7 rules
Event ID 4743 A computer account was deleted. 1 rule
Event ID 4744 A security-disabled local group was created. 1 rule
Event ID 4749 A security-disabled global group was created. 1 rule
Event ID 4754 A security-enabled universal group was created. 1 rule
Event ID 4756 A member was added to a security-enabled universal group. 1 rule
Event ID 4759 A security-disabled universal group was created. 1 rule
Event ID 4764 A group's type was changed. 1 rule
Event ID 4768 A Kerberos authentication ticket (TGT) was requested. 11 rules
Event ID 4769 A Kerberos service ticket was requested. 6 rules
Event ID 4771 Kerberos pre-authentication failed. 2 rules
Event ID 4776 The domain controller attempted to validate the credentials for an account. 5 rules
Event ID 4778 A session was reconnected to a Window Station. 2 rules
Event ID 4779 A session was disconnected from a Window Station. 3 rules
Event ID 4780 The ACL was set on accounts which are members of administrators groups. 1 rule
Event ID 4781 The name of an account was changed. 2 rules
Event ID 4783 A basic application group was created. 1 rule
Event ID 4790 An LDAP query group was created. 1 rule
Event ID 4794 An attempt was made to set the Directory Services Restore Mode administrator password. 1 rule
Event ID 4798 A user's local group membership was enumerated. 1 rule
Event ID 4799 A security-enabled local group membership was enumerated. 1 rule
Event ID 4876 Certificate Services backup started. 1 rule
Event ID 4882 The security permissions for Certificate Services changed. 1 rule
Event ID 4886 Certificate Services received a certificate request. 3 rules
Event ID 4887 Certificate Services approved a certificate request and issued a certificate. 4 rules
Event ID 4890 The certificate manager settings for Certificate Services changed. 1 rule
Event ID 4891 A configuration entry changed in Certificate Services. 1 rule
Event ID 4892 A property of Certificate Services changed. 1 rule
Event ID 4946 A change has been made to Windows Firewall exception list. A rule was added. 1 rule
Event ID 4947 A change has been made to Windows Firewall exception list. A rule was modified. 1 rule
Event ID 4948 A change has been made to Windows Firewall exception list. A rule was deleted. 1 rule
Event ID 5136 A directory service object was modified. 24 rules
Event ID 5137 A directory service object was created. 5 rules
Event ID 5138 A directory service object was undeleted. 1 rule
Event ID 5139 A directory service object was moved. 1 rule
Event ID 5140 A network share object was accessed. 8 rules
Event ID 5141 A directory service object was deleted. 2 rules
Event ID 5145 A network share object was checked to see whether client can be granted desired access. 16 rules
Event ID 5152 The Windows Filtering Platform blocked a packet. 1 rule
Event ID 5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 1 rule
Event ID 5156 The Windows Filtering Platform has permitted a connection. 13 rules
Event ID 5157 The Windows Filtering Platform has blocked a connection. 1 rule
Event ID 5447 A Windows Filtering Platform filter has been changed. 1 rule
Event ID 5448 A Windows Filtering Platform provider has been changed. 1 rule
Event ID 6416 A new external device was recognized by the system. 1 rule

Microsoft-Windows-Sysmon

Event ID 1 Process creation 826 rules
Event ID 3 Network connection 31 rules
Event ID 5 Process terminated 2 rules
Event ID 6 Driver loaded 5 rules
Event ID 7 Image loaded 38 rules
Event ID 8 CreateRemoteThread 11 rules
Event ID 9 RawAccessRead 2 rules
Event ID 10 ProcessAccess 15 rules
Event ID 11 FileCreate 94 rules
Event ID 12 RegistryEvent (Object create and delete) 23 rules
Event ID 13 RegistryEvent (Value Set) 194 rules
Event ID 14 RegistryEvent (Key and Value Rename) 2 rules
Event ID 15 FileCreateStreamHash 4 rules
Event ID 17 PipeEvent (Pipe Created) 10 rules
Event ID 18 PipeEvent (Pipe Connected) 10 rules
Event ID 20 WmiEvent (WmiEventConsumer activity detected) 1 rule
Event ID 21 WmiEvent (WmiEventConsumerToFilter activity detected) 1 rule
Event ID 22 DNSEvent (DNS query) 23 rules
Event ID 23 FileDelete (File Delete archived) 10 rules
Event ID 26 FileDeleteDetected (File Delete logged) 7 rules
Event ID 29 FileExecutableDetected 1 rule

Microsoft-Windows-Windows-Defender

Event ID 1121 2 rules
Event ID 1122 2 rules
Event ID 1125 2 rules
Event ID 1126 3 rules
Event ID 1129 2 rules
Event ID 1131 2 rules
Event ID 1132 2 rules
Event ID 1133 2 rules
Event ID 1134 2 rules
Event ID 5007 3 rules

Microsoft-Windows-AppXDeployment-Server

Event ID 400 Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path finished successfully. 1 rule
Event ID 603 Started deployment DeploymentOperation operation on a package with main parameter Path and Options Flags and FlagsHigh. 1 rule
Event ID 854 Successfully added the following uri(s) to be processed: Path. 1 rule
Event ID 855 Finished resolving action lists. 2 rules

Microsoft-Windows-Eventlog

Event ID 104 The LogFileCleared.Channel log file was cleared. 2 rules
Event ID 517 The audit log was cleared (legacy Windows 2000/XP/2003 event; superseded by 1102). 1 rule
Event ID 1100 The event logging service has shut down. 1 rule
Event ID 1102 The audit log was cleared. 2 rules

Microsoft-Windows-PrintService

Event ID 316 Printer driver param1 for param2 param3 was added or updated. 2 rules
Event ID 808 The print spooler failed to load a plug-in module PluginDllName, error code ErrorCode. 1 rule
Event ID 4909 Print Service event 4909 (manifest stub). 1 rule

MsiInstaller

Event ID 1033 Windows Installer installed the product. 1 rule
Event ID 1040 Beginning a Windows Installer transaction: %0 3 rules
Event ID 1042 Ending a Windows Installer transaction: %0 2 rules

Service-Control-Manager

Event ID 7036 3 rules
Event ID 7040 3 rules
Event ID 7045 18 rules

MSSQLSERVER

Event ID 8128 1 rule
Event ID 15457 3 rules

Microsoft-Windows-CAPI2

Event ID 70 For more details for this event, please refer to the "Details" section 1 rule
Event ID 81 For more details for this event, please refer to the "Details" section 1 rule

Microsoft-Windows-PowerShell

Event ID 4103 Payload Context: ContextInfo User Data: UserData. 111 rules
Event ID 4104 Creating Scriptblock text (MessageNumber of MessageTotal). 279 rules

Microsoft-Windows-TaskScheduler

Event ID 200 Task Scheduler launched action "TaskName" in instance "ActionName" of task "Name". 1 rule
Event ID 201 Task Scheduler successfully completed task "Name" , instance "TaskInstanceId" , action "TaskName" . 1 rule

Application-Error

Event ID 1000 1 rule

Microsoft-Windows-AppxPackagingOM

Event ID 171 The reader was created successfully for app package packageFullName. 1 rule

Microsoft-Windows-CertificateServicesClient-Lifecycle-System

Event ID 1007 A certificate has been exported. 1 rule

Microsoft-Windows-IIS-W3SVC-WP

Event ID 2282 The Module DLL 'ModuleDll' could not be loaded due to a configuration problem 1 rule

Microsoft-Windows-ProcessExitMonitor

Event ID 3000 The process 'param1' exited with exit code param2. 1 rule

Microsoft-Windows-TerminalServices-ClientActiveXCore

Event ID 1024 RDP ClientActiveX is trying to connect to the server (Value). 1 rule

Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event ID 1149 Remote Desktop Services: User authentication succeeded. 1 rule

User32

Event ID 1074 The process param1 has initiated the param5 of computer param2 on behalf of user param7 for the following reason: 1 rule

VSSAudit

Event ID 8222 1 rule