Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Assistance creating alerts

channa_tep
Loves-to-Learn
‎09-15-2021 02:53 PM

Hello All
Just got a job with Splunk inheritance, no knowledge about Splunk I could say I'm in the category Splunk for Dummy. what I know is we have

  • Splunk Enterprise
  • Universal forward install on domain controller and other important servers as well. 

Could someone assistance me creating alerts for the following

  1. Excessive Login Failures
  2. Account Added to Security Enabled Group
  3. Event Logs Cleared
  4. Detect Excessive Account Lockouts from Endpoint 
  5. Short Lived Windows Accounts
  6. Windows User Account Created/Deleted
  7. Unclean Malware Detected
  8. Disk Utilization Over 95%

thank you very much in advance.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-15-2021 04:36 PM

If you have no knowledge, go and do Splunk Fundamentals 1

https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html

It's a free course and will give you basics.

 

0 Karma
Reply

channa_tep
Loves-to-Learn
‎09-16-2021 07:47 AM

Thank you

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-15-2021 03:10 PM

I would probably suggest starting with the Splunk Security Essentials app to discover use cases you can meet in your environment with the data you have ingested in Splunk.

It is well documented and should be very helpful, especially since you have limited Splunk experience.

You might also find some nuggets here.

0 Karma
Reply

channa_tep
Loves-to-Learn
‎09-15-2021 03:15 PM

Thank you, I will look into it

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-15-2021 03:25 PM

There's also a couple of free fundamentals training classes available here, fyi.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...