In the article linked below, Splunker Ryan Kovar provides practical guidance on implementing SUNBURST detections. Based on the information published by FireEye and Microsoft, Ryan walks through the following approaches to detecting SUNBURST activity in Splunk:
- Leveraging threat intelligence feeds and lookups to enrich event data with SUNBURST IOCs.
- Using searches from Splunk Security Essentials use cases that are mapped to the MITRE ATT&CK techniques associated with SUNBURST.
- Using the Microsoft Azure App for Splunk to search for SUNBURST activity in Azure AD.
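To make the first bullet concrete, here is the enrichment a Splunk lookup performs, reduced to a stand-alone Python script. This is an added example written for this post, not code from Ryan's article or from Splunk. The indicator table and the log lines are constructed placeholders (none of them are real SUNBURST IOCs), and the field names `query`, `dest_host`, `dest_ip` and `sha256` are assumed. In Splunk the same thing is a CSV lookup populated from your threat-intel feed and queried with the `lookup` command (or `inputlookup` joined against the events); the one detail worth carrying over is that domain indicators are matched on the parent-domain suffix as well as the exact hostname, because C2 beacons frequently use generated subdomains of a listed domain.

```python
"""Enrich log events with threat-intel indicators (an IOC lookup), stand-alone.

Constructed example for illustration; the indicators below are placeholders,
NOT real SUNBURST IOCs. Field names are assumed, not taken from any product.
"""
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed indicator table standing in for a threat-intel CSV lookup.
IOC_CSV = """\
indicator,type,threat,source
c2.example-intel.invalid,domain,constructed-campaign,constructed-feed
203.0.113.45,ip,constructed-campaign,constructed-feed
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,sha256,constructed-campaign,constructed-feed
"""

# Constructed sample events in key=value form, as DNS, proxy and endpoint
# logs might look after field extraction.
SAMPLE_EVENTS = """\
2020-12-14T03:10:01Z sourcetype=dns src_ip=10.0.0.7 query=abc123.c2.example-intel.invalid
2020-12-14T03:10:02Z sourcetype=proxy src_ip=10.0.0.7 dest_ip=203.0.113.45 dest_host=cdn.legit.invalid
2020-12-14T03:10:03Z sourcetype=proxy src_ip=10.0.0.9 dest_ip=198.51.100.8 dest_host=updates.legit.invalid
2020-12-14T03:10:04Z sourcetype=endpoint host=build01 file_name=sample.dll sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

# Which event fields are compared against which indicator type (assumed names).
FIELD_MAP = {
    "domain": ("query", "dest_host"),
    "ip": ("dest_ip", "src_ip"),
    "sha256": ("sha256",),
}


def load_iocs(csv_text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Build {indicator_type: {indicator_lowercase: csv_row}} from the lookup CSV."""
    table: Dict[str, Dict[str, Dict[str, str]]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table.setdefault(row["type"], {})[row["indicator"].lower()] = row
    return table


def parse_event(line: str) -> Dict[str, str]:
    """Extract key=value fields from one log line; the raw line is kept as _raw."""
    fields = dict(KV_RE.findall(line))
    fields["_raw"] = line
    return fields


def match_domain(value: str, domains: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Match the hostname or any parent domain (never the bare TLD), so that
    generated subdomains of a listed C2 domain still produce a hit."""
    labels = value.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None


def enrich(event: Dict[str, str], iocs: Dict[str, Dict[str, Dict[str, str]]]) -> Dict[str, str]:
    """Return a copy of the event with threat_* fields added on the first match,
    the way a Splunk `lookup ... OUTPUT` adds columns from the lookup row."""
    out = dict(event)
    for ioc_type, fields in FIELD_MAP.items():
        table = iocs.get(ioc_type, {})
        for field in fields:
            value = event.get(field)
            if not value:
                continue
            hit = match_domain(value, table) if ioc_type == "domain" else table.get(value.lower())
            if hit:
                out["threat_match_field"] = field
                out["threat_match_value"] = hit["indicator"]
                out["threat_type"] = ioc_type
                out["threat_name"] = hit["threat"]
                out["threat_source"] = hit["source"]
                return out
    return out


def find_hits(events_text: str, csv_text: str) -> List[Dict[str, str]]:
    """Enrich every event and keep only those that matched an indicator."""
    iocs = load_iocs(csv_text)
    enriched = (enrich(parse_event(line), iocs) for line in events_text.splitlines() if line.strip())
    return [e for e in enriched if "threat_match_value" in e]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS, IOC_CSV):
        print(hit["sourcetype"], hit["threat_match_field"], hit["threat_match_value"], hit["threat_type"])
```

Run as-is it reports three hits: the DNS query that is a subdomain of the listed domain, the proxy event whose destination IP is listed, and the endpoint event whose hash is listed; the second proxy event matches nothing. When you move this into Splunk, keep the hash and IP comparisons case-insensitive and exact, and implement the parent-domain match either by storing the indicator as a wildcard lookup or by extracting the registered domain into its own field before the lookup.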
I am sure you will find this article to be very informative and useful! Happy Splunking!