Tag: Splunk SPL

Linux Syscall Threat Detection in Splunk with Uncoder AI

How It Works

The detection logic here is built around monitoring use of the mknod syscall, which is rarely used in legitimate workflows but can be exploited by attackers to:

- Create fake block or character devices
- Interact with kernel interfaces
- Bypass file system controls or establish backdoors

Left Panel – Sigma Rule: Logsource: auditd on […]

Exposing Event Log Tampering with Uncoder AI’s AI Decision Tree for Splunk Queries

One of the more advanced tactics in attacker playbooks is tampering with event log configurations to erase traces of compromise. Detecting such attempts via Windows Registry modifications is complex—often involving detailed Splunk queries that filter by registry keys and permissions. To quickly make sense of these queries, analysts are turning to Uncoder AI’s AI-generated Decision […]

Exposing Suspicious Scripting via CrushFTP with Uncoder AI in Microsoft Defender

File transfer services like CrushFTP are critical for business operations—but they can also be leveraged as stealthy launchpads for post-exploitation activity. When a server process such as crushftpservice.exe spawns command-line interpreters like powershell.exe, cmd.exe, or bash.exe, it may signal that an attacker is executing commands or deploying payloads under the radar. In […]
