https://community.splunk.com/t5/Security/Help-with-Search-for-multiple-tasks/m-p/628302#M16551 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253226">@Cyberguru</a>,</P><P>there isn't a general answer to your question because the searches depend on the data you have: e.g. if you speak of malicious host, this depends on the Antivirus or WAF or the IPS/IDS you're using.</P><P>So start from the technologies you're collecting logs, then see in Splunkbase (apps.splunk.com) if there's an App (usually there is!) that gives you the dashboards you need.</P><P>In addition I hint to install and see the Splunk Security Essentials App (<A href="https://splunkbase.splunk.com/app/3435)" target="_blank">https://splunkbase.splunk.com/app/3435)</A>&nbsp;that contains many security searches and guides you in the data analysis.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 25 Jan 2023 15:59:38 GMT gcusello 2023-01-25T15:59:38Z https://community.splunk.com/t5/Security/Help-with-Search-for-multiple-tasks/m-p/628297#M16550 <P>Hey Splunk Community!</P> <P>&nbsp;</P> <P>Working on a dashboard ( For Incident Response) in splunk but need some assistance initially with queries on the following in Splunk:</P> <UL> <LI>Computer or host showing if malicious</LI> <LI>Logon info for other machines that a user has logged in for the ay</LI> <LI>IP address of machine, Location or Country, Is it a VM, and Laptop</LI> <LI>Active Directory info on user</LI> <LI>Remote machine name - to find out what machine was used to remote into the Server on the last incident</LI> </UL> <P>Need this soon, would be appreciated.</P> <P>Thanks Very much!</P> Thu, 26 Jan 2023 00:02:11 GMT https://community.splunk.com/t5/Security/Help-with-Search-for-multiple-tasks/m-p/628297#M16550 Cyberguru 2023-01-26T00:02:11Z https://community.splunk.com/t5/Security/Help-with-Search-for-multiple-tasks/m-p/628302#M16551 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253226">@Cyberguru</a>,</P><P>there isn't a general answer to your question because the searches depend on the data you have: e.g. if you speak of malicious host, this depends on the Antivirus or WAF or the IPS/IDS you're using.</P><P>So start from the technologies you're collecting logs, then see in Splunkbase (apps.splunk.com) if there's an App (usually there is!) that gives you the dashboards you need.</P><P>In addition I hint to install and see the Splunk Security Essentials App (<A href="https://splunkbase.splunk.com/app/3435)" target="_blank">https://splunkbase.splunk.com/app/3435)</A>&nbsp;that contains many security searches and guides you in the data analysis.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 25 Jan 2023 15:59:38 GMT https://community.splunk.com/t5/Security/Help-with-Search-for-multiple-tasks/m-p/628302#M16551 gcusello 2023-01-25T15:59:38Z https://community.splunk.com/t5/Security/Help-with-Search-for-multiple-tasks/m-p/628304#M16552 <P>Just need -malicious host for Symantec AV for e.g.</P> Wed, 25 Jan 2023 16:03:28 GMT https://community.splunk.com/t5/Security/Help-with-Search-for-multiple-tasks/m-p/628304#M16552 Cyberguru 2023-01-25T16:03:28Z https://community.splunk.com/t5/Security/Help-with-Search-for-multiple-tasks/m-p/628307#M16553 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253226">@Cyberguru</a>,</P><P>see in Splunkbase (apps.splunk.com) the Add-on to collect data and the App to display data.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 25 Jan 2023 16:09:34 GMT https://community.splunk.com/t5/Security/Help-with-Search-for-multiple-tasks/m-p/628307#M16553 gcusello 2023-01-25T16:09:34Z