Splunk App for Enterprise Security · v7.3.0
DAY 22 LAB · LAB 22 — AUTHOR A USE CASE · WEEK 4
Author a use case for scheduled-task persistence (T1053.005).
- Fill the use case template (data, logic, FPs, response).
- Use pre-loaded SPL.
- Mark shadow mode for 1 week.
Hint: Always document FP scenarios — admin scripts and software installers will fire this.