compromised_user_account.yml
name: Compromised User Account
id: 19669154-e9d1-4a01-b144-e6592a078092
version: 1
date: '2023-01-19'
author: Mauricio Velazco, Bhavin Patel, Splunk
status: production
description: Monitor for activities and techniques associated with Compromised User Account attacks.
narrative: A compromised user account occurs when cybercriminals gain unauthorized access to an account using techniques such as brute force, social engineering, phishing and spear phishing, or credential stuffing. By posing as the real user, cybercriminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of a compromised user account.
references:
- https://www.proofpoint.com/us/threat-reference/compromised-account
tags:
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection