WEEK_4 · DAY_22 · LAB

Lab 22 — Author a Use Case

From threat hypothesis to production correlation search

LAB PROGRESS0/4 steps · 0%

Lab Objectives

›Translate a threat into a use case
›Document data sources, logic, FPs, response
›Build, test, tune, and ship
›Track use case lifecycle (proposed → tuning → production → retired)

Lab Instructions

1
Pick a threat: 'Adversary uses scheduled tasks for persistence (T1053.005)'.
2
Fill the template: data sources, logic (use SPL above), FP list, response.
3
Build the search; mark as shadow (notable disabled) for a week.
4
Document tuning plan.

SPL for this Lab

Scheduled task persistence open in Splunk

index=sysmon EventCode=1 Image="*\\schtasks.exe"
  CommandLine="*/create*"
  CommandLine!="*\\Windows\\System32\\*"
| stats count by Computer, User, CommandLine

// T1053.005 — non-system schtasks creation = persistence.

← LAB 21

Lab 21 — Wire Asset & Identity

LAB 23 →

Lab 23 — Walk a Malware Alert