investigations/get_notable_history.yml

name: Get Notable History
id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
version: 2
date: '2017-09-20'
author: Bhavin Patel, Splunk
type: Investigation
datamodel: []
description: This search queries the notable index and returns all the Notable Events
  for the particular destination host, giving the analyst an overview of the incidents
  that may have occurred with the host under investigation.
search: '| search `notable` | search dest=$dest$ | table _time, dest, rule_name, owner,
  priority, severity, status_description'
how_to_implement: If you are using Enterprise Security you are likely already creating
  notable events with your correlation rules. No additional configuration is necessary.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - AWS Cross Account Activity
  - AWS Cryptomining
  - AWS Network ACL Activity
  - AWS User Monitoring
  - Apache Struts Vulnerability
  - Asset Tracking
  - Brand Monitoring
  - Cloud Cryptomining
  - ColdRoot MacOS RAT
  - Collection and Staging
  - DHS Report TA18-074A
  - DNS Amplification Attacks
  - Data Protection
  - Disabling Security Tools
  - Dynamic DNS
  - Emotet Malware DHS Report TA18-201A
  - Hidden Cobra Malware
  - Host Redirection
  - JBoss Vulnerability
  - Kubernetes Scanning Activity
  - Lateral Movement
  - Malicious PowerShell
  - Monitor Backup Solution
  - Monitor for Unauthorized Software
  - Monitor for Updates
  - Netsh Abuse
  - Orangeworm Attack Group
  - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
  - Prohibited Traffic Allowed or Protocol Mismatch
  - Ransomware
  - Router and Infrastructure Security
  - SQL Injection
  - SamSam Ransomware
  - Spectre And Meltdown Vulnerabilities
  - Suspicious AWS EC2 Activities
  - Suspicious AWS S3 Activities
  - Suspicious AWS Traffic
  - Suspicious Cloud Authentication Activities
  - Suspicious Command-Line Executions
  - Suspicious DNS Traffic
  - Suspicious Emails
  - Suspicious MSHTA Activity
  - Suspicious WMI Use
  - Suspicious Windows Registry Activities
  - Unusual AWS EC2 Modifications
  - Unusual Processes
  - Use of Cleartext Protocols
  - Web Fraud Detection
  - Windows Defense Evasion Tactics
  - Windows File Extension and Association Abuse
  - Windows Log Manipulation
  - Windows Persistence Techniques
  - Windows Privilege Escalation
  - Windows Service Abuse
  - Data Exfiltration
  - F5 TMUI RCE CVE-2020-5902
  - Detect Zerologon Attack
  - GCP Cross Account Activity
  - Kubernetes Sensitive Object Access Activity
  - Kubernetes Sensitive Role Activity
  - Ransomware Cloud
  - Ryuk Ransomware
  - Suspicious Cloud Provisioning Activities
  - Suspicious GCP Storage Activities
  - Windows DNS SIGRed CVE-2020-1350
  - Command And Control
  product:
  - Splunk Phantom
  required_fields:
  - _time
  security_domain: endpoint