Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Generate a sample detection in behavioral analytics service

You can use any Microsoft Windows machine in your environment to trigger a detection so you can verify your environment is properly configured.

Perform the following tasks to generate a Detect Prohibited Applications Spawning cmd.exe detection:

  1. Log in to a Microsoft Windows device.
  2. Click Start, type PowerShell, and then click Windows PowerShell.
  3. In the PowerShell window, type cmd.exe. This triggers the Detect Prohibited Applications Spawning cmd.exe detection in behavioral analytics service. This detection looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.
  4. Log in to your Splunk Mission Control tenant.
  5. In Splunk Mission Control, select Investigations > Entities to open the Entities page.
  6. In the search field, enter the user associated with the detection, such as administrator.
  7. Click on the name of the user to access the entity details page.
  8. In the Activity timeline, verify that the Detect Prohibited Applications Spawning cmd.exe detection is visible. Click to expand the details to view the process and parent process that triggered the detection.
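
As an added illustration, not Splunk's own detection logic (which this page does not show), the following Python applies the rule the steps describe, cmd.exe launched by a parent process that does not normally launch it, to constructed Sysmon-style process-creation events and then filters the results by user the way the Entities page lookup in steps 6 to 8 does. The prohibited-parent list is an assumption: only powershell.exe comes from the procedure above; the Office binaries are illustrative.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon-style field names, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\administrator"},                     # step 3 of the procedure
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\administrator"},                     # normal shell launch, no detection
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe"},                              # not cmd.exe, no detection
    {"Image": r"C:\Windows\System32\CMD.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\jdoe"},                              # mixed case must still match
]

# Assumed parent list: the page names only PowerShell; the Office names are illustrative.
PROHIBITED_PARENTS = {"powershell.exe", "winword.exe", "excel.exe"}
DETECTION_NAME = "Detect Prohibited Applications Spawning cmd.exe"


@dataclass(frozen=True)
class Detection:
    name: str
    user: str
    process: str
    parent_process: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path, so comparisons are case-insensitive."""
    return PureWindowsPath(path).name.lower()


def detect_prohibited_parent_of_cmd(events, prohibited=PROHIBITED_PARENTS):
    """Return one Detection per cmd.exe launch whose parent is on the prohibited list."""
    return [
        Detection(DETECTION_NAME, ev["User"], ev["Image"], ev["ParentImage"])
        for ev in events
        if _basename(ev["Image"]) == "cmd.exe"
        and _basename(ev["ParentImage"]) in prohibited
    ]


def detections_for_user(events, account_name):
    """Mimic the Entities page search: detections attributed to one account (domain ignored)."""
    wanted = account_name.lower()
    return [d for d in detect_prohibited_parent_of_cmd(events)
            if d.user.split("\\")[-1].lower() == wanted]
```

Each returned Detection carries the process and parent process that step 8 asks you to confirm in the Activity timeline.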
Last modified on 05 January, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2

