Generate a sample detection in behavioral analytics service
You can use any Microsoft Windows machine in your environment to trigger a detection so you can verify your environment is properly configured.
Perform the following tasks to generate a Detect Prohibited Applications Spawning cmd.exe detection:
- Log in to a Microsoft Windows device.
- Click Start, type PowerShell, and then click Windows PowerShell.
- In the PowerShell window, type cmd.exe. This triggers the Detect Prohibited Applications Spawning cmd.exe detection in behavioral analytics service. This detection looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.
- Log in to your Splunk Mission Control tenant.
- In Splunk Mission Control, select Investigations > Entities to open the Entities page.
- In the search field, enter the user associated with the detection, such as administrator.
- Click on the name of the user to access the entity details page.
- In the Activity timeline, verify that the Detect Prohibited Applications Spawning cmd.exe detection is visible. Click to expand the details to view the process and parent process that triggered the detection.
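As an added example (not Splunk's own detection code or SPL), the parent/child check this detection performs, run over constructed process-creation events whose fields are modelled on Windows event 4688 as Splunk extracts them; the prohibited-parent list is an assumption, with powershell.exe included so the PowerShell-to-cmd.exe test above fires:

```python
"""Toy re-implementation of the 'cmd.exe spawned by a prohibited parent' check."""
import re
from pathlib import PureWindowsPath

# Assumption: parents that seldom launch cmd.exe in normal use (Office apps, script hosts,
# PowerShell); explorer.exe is deliberately absent because users launch cmd.exe from it.
PROHIBITED_PARENTS = {"powershell.exe", "winword.exe", "excel.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse a key="value" process-creation line into a dict (4688-style field names)."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    """Normalise a Windows path to its lower-cased file name (CMD.EXE and cmd.exe match)."""
    return PureWindowsPath(path).name.lower()


def is_prohibited_spawn(event):
    child = basename(event.get("New_Process_Name", ""))
    parent = basename(event.get("Creator_Process_Name", ""))
    return child == "cmd.exe" and parent in PROHIBITED_PARENTS


def detect(lines):
    """Return (user, parent, child) for every event that would raise the detection."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_prohibited_spawn(ev):
            hits.append((ev.get("Account_Name", "?"),
                         basename(ev["Creator_Process_Name"]),
                         basename(ev["New_Process_Name"])))
    return hits


# Constructed sample events: only the first and last should be flagged.
SAMPLE_EVENTS = [
    r'New_Process_Name="C:\Windows\System32\cmd.exe" Creator_Process_Name="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Account_Name="administrator"',
    r'New_Process_Name="C:\Windows\System32\cmd.exe" Creator_Process_Name="C:\Windows\explorer.exe" Account_Name="jdoe"',
    r'New_Process_Name="C:\Windows\System32\notepad.exe" Creator_Process_Name="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Account_Name="jdoe"',
    r'New_Process_Name="C:\Windows\System32\CMD.EXE" Creator_Process_Name="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Account_Name="jdoe"',
]

if __name__ == "__main__":
    for user, parent, child in detect(SAMPLE_EVENTS):
        print(f"{user}: {parent} -> {child}")
```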
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2