Assistance creating alerts

channa_tep · ‎09-15-2021

Hello All
Just got a job with Splunk inheritance, no knowledge about Splunk I could say I'm in the category Splunk for Dummy. what I know is we have

Splunk Enterprise
Universal forward install on domain controller and other important servers as well.

Could someone assistance me creating alerts for the following

Excessive Login Failures
Account Added to Security Enabled Group
Event Logs Cleared
Detect Excessive Account Lockouts from Endpoint
Short Lived Windows Accounts
Windows User Account Created/Deleted
Unclean Malware Detected
Disk Utilization Over 95%

thank you very much in advance.

bowesmana · ‎09-15-2021

If you have no knowledge, go and do Splunk Fundamentals 1

https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html

It's a free course and will give you basics.

channa_tep · ‎09-16-2021

Thank you

s2_splunk · ‎09-15-2021

I would probably suggest starting with the Splunk Security Essentials app to discover use cases you can meet in your environment with the data you have ingested in Splunk.

It is well documented and should be very helpful, especially since you have limited Splunk experience.

You might also find some nuggets here.

channa_tep · ‎09-15-2021

Thank you, I will look into it

s2_splunk · ‎09-15-2021

There's also a couple of free fundamentals training classes available here, fyi.

Assistance creating alerts

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?