
Included Detections and Key Security Indicators (KSI)

The following sections list the Correlation Searches, Detections and Key Security Indicators shipped with the OT Add-on for Splunk. The searches can be found under Content Management within Enterprise Security and are linked in the Use Case Library for OT Security.

Detections - Notables

  • Access Granted for Uncertified Official (NERC CIP related)
  • Exploitation of Remote Services
  • External Report Services
  • Graphical User Interface Usage
  • Remote File Copy
  • Suspicious Local Log On after Denied Physical Access
  • Theft of Operational Information
  • Command-Line Interface
  • Data Destruction
  • Data Historian Compromise
  • Engineering Workstation Compromise
  • Replication Through Removable Media
  • Scripting
  • Service Stop
  • Unapproved Removable Media Use on OT Asset
  • User Execution
  • Default Credentials Detected
  • Detected Use of Default Accounts from External System
  • Detected Use of Privileged Accounts from External System
  • Valid Account Usage
  • Commonly Used Port
  • Connection Proxy Detected
  • Denial of Service
  • Exploit Public Facing Application
  • Internet Accessible Device in OT
  • Network Connection Enumeration
  • Network Service Scanning
  • Network Sniffing
  • Remote System Discovery
  • Standard Application Layer Protocol Usage
  • Data from Information Repositories
  • Drive by Compromise
  • Masquerading
  • Project File Infection
  • Spearphishing Attachment Related Activity

Detections - Risk Based Alerts (RBA)

  • Risk Threshold Exceeded for OT Asset Over 24 Hour Period
  • Risk Threshold Exceeded for OT Facility Over 24 Hour Period
  • Risk Threshold Exceeded for OT User Over 24 Hour Period
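The three RBA detections above fire when the risk accumulated against one object over a rolling 24-hour window crosses a threshold. As an added illustration (not the add-on's own search logic), this is the general shape such a correlation search takes in Enterprise Security, using the Risk data model; the threshold value, the `risk_object_type` filter and the assumption that the OT facility is carried in a lookup-enriched field are all assumptions for the example:

```spl
| tstats summariesonly=true
    sum(All_Risk.calculated_risk_score) as risk_score,
    count as risk_event_count,
    values(All_Risk.annotations.mitre_attack.technique_id) as technique_ids
  from datamodel=Risk.All_Risk
  where All_Risk.risk_object_type="system" earliest=-24h latest=now
  by All_Risk.risk_object
| rename All_Risk.risk_object as risk_object
| where risk_score > 100
| table risk_object risk_score risk_event_count technique_ids
```

Two practical checks when tuning these: confirm the `risk_object` values for OT assets match the asset lookup exactly (a hostname in the risk index and an IP in the asset list never aggregate together), and review `risk_event_count` alongside `risk_score`, since a single high-scoring notable and twenty low-scoring ones can produce the same total but warrant different responses.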

Detections - Importing of Notables from Other Platforms

  • MITRE ICS Alert - leveraged when integrations provide technique_id fields for MITRE ATT&CK for ICS
  • Non-MITRE ICS OT Security Alert - leveraged when integrations do not provide MITRE ATT&CK for ICS related information

Key Security Indicators (KSI)

  • Vulnerabilities - Detected CVEs
  • Active IT/OT Devices
  • Active Notables for OT
  • Active OT Devices
  • Asset Count with Notables
  • Critical Assets with Known Vulnerability
  • OT Firewall Changes
  • Aggregated Risk in OT
  • Average Risk Score in OT
  • Total Assets in OT
  • Total OT Devices
  • Total Unknown Assets
  • Total CVE Definitions Imported
  • Total Assets Missing Endpoint Protection
  • Total Assets Not Receiving Malware Signature Updates
  • Total Assets with Endpoint Protection
  • Total Assets without Malware Signature Updates within the last 7 Days
  • AD Group Changes
  • Number of Inbound External Connections
  • Number of Outbound External Connections
  • Count of Prohibited Traffic Allowed
  • Count of Prohibited Traffic Blocked
  • Number of RDP Sessions
  • Number of Remote Access Sessions
  • Number of Screen Share Sessions
  • Total Number of IDS Alerts
  • Total Number of VPN Sessions
  • Total Number of Assets Using Industrial Protocols
  • Total Number of Industrial Protocols Detected
  • Total Number of Perimeter Devices Sending Data to Splunk
  • Number of Account Changes
  • Number of Account Lockouts