https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135342#M4140 <P>First, you should use eventtypes for failed login (windows and Unix apps should do that for your) and try to normalize your data (see the CIM standard). This will help you to simplify your queries, make them faster using the datamodel, and when you need a more advanced security solution, will simplify your migration to Enterprise Security.</P> Wed, 31 Dec 2014 15:19:48 GMT mdessus_splunk 2014-12-31T15:19:48Z https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135338#M4136 <P>trying to make a dashboard for overall security in splunk.<BR /> here is a few of the searches i have:<BR /> Webattacks - index=main "../etc/passwd" OR "union select" OR "javascript:" OR "<SCRIPT>&amp;quot; query!=&amp;quot;getHelp()&amp;quot; | stats count by host&lt;/p&gt; &lt;p&gt;failed logins - index=main &amp;quot;EventCode=4776&amp;quot; OR &amp;quot;Failed password for&amp;quot; OR &amp;quot;Access denied for user&amp;quot; OR &amp;quot;Login failed for user&amp;quot; | stats count by host | search count &amp;gt; 3 | sort by count&lt;/p&gt; &lt;p&gt;the failed logins is to detect windows logins, ssh, mysql, and mssql&lt;/p&gt; &lt;p&gt;anyone have any suggestion on improving them?&lt;/p&gt; &lt;p&gt;i have also been trying to build searches to detect APTs, maleware, and network attacks like dns and arp spoofing/poisoning. Any pointers on that? thank you.&lt;/p&gt;</SCRIPT></P> Thu, 17 Apr 2014 17:33:47 GMT https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135338#M4136 emada 2014-04-17T17:33:47Z https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135339#M4137 <P>You should take a look at the Enterprise Security app: <A href="http://apps.splunk.com/app/263/">http://apps.splunk.com/app/263/</A></P> Thu, 17 Apr 2014 18:28:06 GMT https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135339#M4137 martin_mueller 2014-04-17T18:28:06Z https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135340#M4138 <P>do you happen to know where to find the queries its using?</P> Thu, 17 Apr 2014 20:20:11 GMT https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135340#M4138 emada 2014-04-17T20:20:11Z https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135341#M4139 <P>They're stored within the app configuration, just like with any other app.</P> Thu, 17 Apr 2014 20:22:30 GMT https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135341#M4139 martin_mueller 2014-04-17T20:22:30Z https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135342#M4140 <P>First, you should use eventtypes for failed login (windows and Unix apps should do that for your) and try to normalize your data (see the CIM standard). This will help you to simplify your queries, make them faster using the datamodel, and when you need a more advanced security solution, will simplify your migration to Enterprise Security.</P> Wed, 31 Dec 2014 15:19:48 GMT https://community.splunk.com/t5/Security/overall-security-dashboard/m-p/135342#M4140 mdessus_splunk 2014-12-31T15:19:48Z