MasterJack5518/Splunk-Detection-Rules
GitHub: MasterJack5518/Splunk-Detection-Rules
A production-grade detection rule library for Splunk Enterprise Security 8, providing SPL queries tuned in real environments, MITRE ATT&CK and NIST framework mappings, and the accompanying false-positive handling and risk-scoring configuration.
Stars: 0 | Forks: 0
# 🛡️ Splunk Detection Rules
## 📖 About
This repository documents detection rules I built and tuned in **Splunk Enterprise Security 8** against real production environments.
Each rule includes:
- ✅ The complete SPL query
- ✅ MITRE ATT&CK tactic and technique mapping
- ✅ NIST control mapping
- ✅ Severity level and risk score
- ✅ Known false positives and tuning notes
- ✅ Throttling and scheduling configuration
## 📁 Repository Structure
```
detections/
└── aws/
    └── cloudtrail/    # AWS CloudTrail detection rules
```
## ☁️ AWS CloudTrail Detections
| # | Rule Name | MITRE Technique | Severity | Status |
|---|-----------|-----------------|----------|--------|
| 1 | [AWS - CloudTrail - Root User Activity](./detections/aws/cloudtrail/aws_cloudtrail_root_user_activity.yml) | T1078.004 | 🔴 High | ✅ Production |
## 📊 Coverage Overview
| Platform | Index | Rules |
|----------|-------|-------|
| AWS | cloudtrail | 1 |
## 🔍 Rule Format
Each rule is recorded as a `.yml` file with the following fields:
```
name: # Rule display name
id: # Unique identifier
version: # Current version
author: # Rule author
status: # production / development
type: # Event-Based / Anomaly / etc.
description: # What it detects and why
search: # The SPL query
data_source: # Index and sourcetype
annotations: # MITRE ATT&CK + NIST mappings
known_false_positives: # FP guidance
throttling: # Dedup settings
risk_based_analytics: # RBA configuration
```
## 🚀 How To Use
1. Open the rule's `.yml` file.
2. Copy the SPL from the `search:` field.
3. In Splunk ES: Content Management → Create New Detection.
4. Paste the SPL and configure the settings as documented in the rule (annotations, throttling, RBA).
5. Tune thresholds for your environment.
## 🧩 Frameworks
| Framework | Usage |
|-----------|-------|
| MITRE ATT&CK | Tactic and technique mapping per rule |
| NIST CSF | Control mapping per rule |
## 👤 Author
MasterJack — Detection Engineer | Threat Hunter | SOC Specialist | Incident Response
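To make the rule format and the workflow above concrete, here is an added Python example. It is not code from this repository, and the SPL in a rule's `search:` field only runs inside Splunk, so a Python predicate stands in for it. The script builds a rule record with the same field names as the `.yml` layout, checks that every documented field is present, and applies the rule to a few constructed CloudTrail records, emulating Splunk ES throttling on the configured fields and attaching the RBA risk score and ATT&CK annotation to each notable event. T1078.004 and the high severity come from the table above; the rule id, NIST subcategory ids, throttle window, risk score, sample events and the `readOnly` tuning knob are assumptions made for illustration.

```python
"""Added example (not the repository's own code): one rule in the README's .yml layout,
modelled as a dict, applied to constructed CloudTrail records with ES-style throttling
and risk-based analytics. Rule id, NIST ids, window and score are assumptions."""
import json
from datetime import datetime, timezone

# Hypothetical rule record mirroring the field names of the README's rule format.
RULE = {
    "name": "AWS - CloudTrail - Root User Activity",
    "id": "aws-cloudtrail-root-user-activity",  # assumed identifier
    "version": 1,
    "author": "example",
    "status": "production",
    "type": "Event-Based",
    "description": "Any API call or console login performed with the AWS root user.",
    "search": "index=cloudtrail sourcetype=aws:cloudtrail userIdentity.type=Root",  # illustrative SPL
    "data_source": {"index": "cloudtrail", "sourcetype": "aws:cloudtrail"},
    "annotations": {"mitre_attack": ["T1078.004"], "nist": ["PR.AC-1", "DE.CM-1"]},  # NIST ids assumed
    "known_false_positives": "Planned break-glass use of root; tune with an allowlist or readOnly filter.",
    "throttling": {"fields": ["recipientAccountId", "eventName"], "window_seconds": 3600},  # assumed
    "risk_based_analytics": {"risk_object_field": "userIdentity.arn", "risk_score": 80},  # assumed
}

REQUIRED_FIELDS = ("name", "id", "version", "author", "status", "type", "description", "search",
                   "data_source", "annotations", "known_false_positives", "throttling",
                   "risk_based_analytics")

def rule_problems(rule):
    """Return schema problems in a rule record: missing README fields or a bad status value."""
    problems = [f for f in REQUIRED_FIELDS if f not in rule]
    if rule.get("status") not in ("production", "development"):
        problems.append("status must be production or development")
    return problems

def _get(record, dotted):
    """Resolve a dotted path such as userIdentity.arn inside a nested CloudTrail record."""
    for part in dotted.split("."):
        if not isinstance(record, dict) or part not in record:
            return None
        record = record[part]
    return record

def _epoch(event):
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc).timestamp()

def matches(event, suppress_read_only=False):
    """Stand-in for the SPL: fire on userIdentity.type=Root. The readOnly suppression is a
    hypothetical tuning knob of the kind the known_false_positives field would document."""
    if _get(event, "userIdentity.type") != "Root":
        return False
    return not (suppress_read_only and event.get("readOnly") is True)

def run_detection(rule, log_lines, suppress_read_only=False):
    """Apply the rule to newline-delimited CloudTrail JSON and return the notable events that
    survive throttling, each carrying the RBA risk score and the ATT&CK annotation."""
    events = sorted((json.loads(l) for l in log_lines.splitlines() if l.strip()), key=_epoch)
    window = rule["throttling"]["window_seconds"]
    window_start = {}  # throttle key -> epoch of the notable that opened its suppression window
    notables = []
    for ev in events:
        if not matches(ev, suppress_read_only):
            continue
        key = tuple(str(_get(ev, f)) for f in rule["throttling"]["fields"])
        ts = _epoch(ev)
        if key in window_start and ts - window_start[key] < window:
            continue  # same (account, eventName) inside the window: suppressed, as ES throttling does
        window_start[key] = ts
        notables.append({
            "eventTime": ev["eventTime"],
            "eventName": ev["eventName"],
            "risk_object": _get(ev, rule["risk_based_analytics"]["risk_object_field"]),
            "risk_score": rule["risk_based_analytics"]["risk_score"],
            "mitre_attack": rule["annotations"]["mitre_attack"],
        })
    return notables

def _ct(ts, utype, name, source, account, read_only=False):
    """Build one constructed CloudTrail record (not real telemetry) with the fields the rule uses."""
    arn = f"arn:aws:iam::{account}:root" if utype == "Root" else f"arn:aws:iam::{account}:user/alice"
    return json.dumps({"eventTime": ts, "eventSource": source, "eventName": name,
                       "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
                       "readOnly": read_only, "recipientAccountId": account,
                       "userIdentity": {"type": utype, "arn": arn}})

# Constructed sample log: a root console login, IAM-user noise, a read-only root call in a second
# account, and a root CreateAccessKey repeated inside and then outside the throttle window.
SAMPLE_LOG = "\n".join([
    _ct("2024-05-01T09:00:00Z", "Root", "ConsoleLogin", "signin.amazonaws.com", "111122223333"),
    _ct("2024-05-01T09:01:00Z", "IAMUser", "CreateUser", "iam.amazonaws.com", "111122223333"),
    _ct("2024-05-01T09:02:00Z", "Root", "CreateAccessKey", "iam.amazonaws.com", "111122223333"),
    _ct("2024-05-01T09:05:00Z", "Root", "GetAccountSummary", "iam.amazonaws.com", "444455556666", True),
    _ct("2024-05-01T09:30:00Z", "Root", "CreateAccessKey", "iam.amazonaws.com", "111122223333"),
    _ct("2024-05-01T10:30:00Z", "Root", "CreateAccessKey", "iam.amazonaws.com", "111122223333"),
])

if __name__ == "__main__":
    print(json.dumps(run_detection(RULE, SAMPLE_LOG), indent=2))
```

Running the script prints four notables: the repeated `CreateAccessKey` at 09:30 is suppressed by the one-hour throttle on `(recipientAccountId, eventName)`, while the 10:30 repeat falls outside the window and opens a new one. Passing `suppress_read_only=True` drops the read-only root call in the second account, which is exactly the kind of trade-off the `known_false_positives` field should record before a rule is marked production.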