Our blog

How to Detect Sunburst Backdoor with Splunk Enterprise Security

Using Splunk Statistical Commands: Eventstats and Streamstats by bitsIO

In the article linked below, Splunker Ryan Kovar has provided practical guidance on implementing SUNBURST detections. Based on the information provided by FireEye and Microsoft, Ryan walks us through configuring the following tools to detect SUNBURST activity:

  • Leveraging threat intelligence feeds and lookups to enrich event data with SUNBURST IOC’s.
  • Using searches from Splunk Security Essentials use cases which are mapped to the MITRE ATT&CK techniques associated with SUNBURST.
  • Utilizing Microsoft Azure App for Splunk to serach for SUNBURST activity in Azure AD.

I am sure you will find this article to be very informative and useful! Happy Splunking!