Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Assistance creating alerts

channa_tep
Loves-to-Learn
‎09-15-2021 02:53 PM

Hello All
Just got a job with Splunk inheritance, no knowledge about Splunk I could say I'm in the category Splunk for Dummy. what I know is we have

  • Splunk Enterprise
  • Universal forward install on domain controller and other important servers as well. 

Could someone assistance me creating alerts for the following

  1. Excessive Login Failures
  2. Account Added to Security Enabled Group
  3. Event Logs Cleared
  4. Detect Excessive Account Lockouts from Endpoint 
  5. Short Lived Windows Accounts
  6. Windows User Account Created/Deleted
  7. Unclean Malware Detected
  8. Disk Utilization Over 95%

thank you very much in advance.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-15-2021 04:36 PM

If you have no knowledge, go and do Splunk Fundamentals 1

https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html

It's a free course and will give you basics.

 

0 Karma
Reply

channa_tep
Loves-to-Learn
‎09-16-2021 07:47 AM

Thank you

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-15-2021 03:10 PM

I would probably suggest starting with the Splunk Security Essentials app to discover use cases you can meet in your environment with the data you have ingested in Splunk.

It is well documented and should be very helpful, especially since you have limited Splunk experience.

You might also find some nuggets here.

0 Karma
Reply

channa_tep
Loves-to-Learn
‎09-15-2021 03:15 PM

Thank you, I will look into it

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-15-2021 03:25 PM

There's also a couple of free fundamentals training classes available here, fyi.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...