I recently read the Splunk blog Spotting the Adversary… with Splunk. If you have a Windows based infrastructure, this is a great article to read as well as the referenced material. In the article, it talks about having to go through millions of events to even try to find the adversary and the struggles that it causes. The blog post is great because it even gives you a sample dashboard you can drop in to your environment, assuming you have the GPOs setup and that you have the Windows Infrastructure app installed. Lucky for me as I did have those setup.
The blog post is based off of a document from the NSA’s IA team. It is a great read. At 54 pages, it isn’t the usual long drawn out government paper. They even have screen shots of the options you need to make sure to change.
They also reference a talk from .conf2015. In the blog post, they link the slide deck. There is also recording of the slide deck with audio of the talk(https://conf.splunk.com/session/2015/recordings/2015-splunk-86v2.mp4).
I found the dashboard was overall very good. I did notice a few things not lining up correctly. For example, EventCode 43 is listed under USB Activity and I am seeing the logs for Definition Update for Microsoft Endpoint Protection. But the dashboard did break things down to where I was able to go through different menus and find things I might not have known without going through and digging in to the logs.