Useful security searches

robK123 — Fri, 23 Nov 2012 14:23:05 GMT

I am new to Splunk and am learning all about it, I was hoping you guys would be able to give me some examples of how I can use Splunk from a security prescriptive, I have already created searches for login failures but what else can Splunk do from a security point of view?

Thanks,

Re: Useful security searches

sd23c109 — Sun, 25 Nov 2012 04:30:41 GMT

Too numerous to cover them all, but the things I have seen are:

1) Using "transactions" to find abnormal behavior over a period of time (check out search reference guide to see what I mean).
2) Finding correlations across multiple log files (my syslog says this, my checkpoint FW said that, and I got my IDS telling me this....so this is what is going on).
3) Creating alerts and notifications that send emails or even log messages to your NOC.

The key is to pump data into Splunk and let it "learn" what you put in there. It will tell you things you never knew.

topic Re: Useful security searches in Security

Useful security searches

Re: Useful security searches