Create Splunk alerts for suspicious activities on EC2 instances


I was assigned to set up Splunk alerts that deal with malicious activities done on our EC2 instances, including:
1. SSH sessions / any login activities
2. Changes to critical system config files
3. Downloading files from the public internet, etc.

Does anyone have a good approach to this? Thanks in advance!

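As an added example (not a reply posted in this thread, and not Splunk's own content), here is one way to turn the three requirements into scheduled alerts in savedsearches.conf. It assumes a Universal Forwarder on each instance sending /var/log/auth.log (or /var/log/secure) as sourcetype linux_secure and /var/log/audit/audit.log as sourcetype linux_audit into an index called linux, and auditd rules on the instances like the ones listed in the comments. The index name, stanza names, rules file path, allowlisted domains and e-mail address are placeholders to adapt.

```ini
# Added example, not from the thread. Assumed auditd rules on the instances
# (hypothetical file /etc/audit/rules.d/ec2-splunk.rules):
#   -w /etc/passwd -p wa -k config_change
#   -w /etc/shadow -p wa -k config_change
#   -w /etc/sudoers -p wa -k config_change
#   -w /etc/sudoers.d/ -p wa -k config_change
#   -w /etc/ssh/sshd_config -p wa -k config_change
#   -w /usr/bin/curl -p x -k download_tool
#   -w /usr/bin/wget -p x -k download_tool
# The rex extractions run on the raw lines, so the searches do not depend on
# the field extractions of any add-on.

# 1. Every successful SSH login, plus bursts of failed logins from one source.
[EC2 - SSH login activity]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
search = index=linux sourcetype=linux_secure sshd (Accepted OR "Failed password") \
| rex "(?<result>Accepted|Failed) (?<method>[\w/-]+) for (?:invalid user )?(?<user>\S+) from (?<src_ip>\S+) port (?<src_port>\d+)" \
| stats count(eval(result="Accepted")) AS successes count(eval(result="Failed")) AS failures \
        min(_time) AS first_seen max(_time) AS last_seen BY host user src_ip \
| where successes > 0 OR failures >= 5 \
| convert ctime(first_seen) ctime(last_seen)
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1
alert.suppress = 1
alert.suppress.fields = host,user,src_ip
alert.suppress.period = 1h
action.email = 1
action.email.to = secops@example.com

# 2. Any write to a file under audit key config_change. The SYSCALL record
#    (who: auid, exe) and the PATH record (what: name, nametype) share one
#    audit id, so they are stitched together with stats BY audit_id.
[EC2 - Critical config file modified]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
search = index=linux sourcetype=linux_audit (config_change OR "type=PATH") \
| rex "msg=audit\((?<audit_ts>[\d.]+):(?<audit_id>\d+)\)" \
| rex "\bkey=\"(?<key>[^\"]+)\"" \
| rex "\bauid=(?<auid>\d+)" \
| rex "\bexe=\"(?<exe>[^\"]+)\"" \
| rex "\bname=\"(?<path>[^\"]+)\"" \
| rex "\bnametype=(?<nametype>\w+)" \
| stats values(key) AS key values(auid) AS auid values(exe) AS exe values(path) AS path \
        values(nametype) AS nametype min(_time) AS _time BY host audit_id \
| where key="config_change" \
| table _time host audit_id auid exe path nametype
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 5
alert.track = 1
action.email = 1
action.email.to = secops@example.com

# 3. curl/wget executions (audit key download_tool) whose command line carries
#    a URL outside an allowlist. The EXECVE record holds argv as a0, a1, ...
[EC2 - Download tool run against external URL]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
search = index=linux sourcetype=linux_audit (download_tool OR "type=EXECVE") \
| rex "msg=audit\((?<audit_ts>[\d.]+):(?<audit_id>\d+)\)" \
| rex "\bkey=\"(?<key>[^\"]+)\"" \
| rex "\bauid=(?<auid>\d+)" \
| rex "\bexe=\"(?<exe>[^\"]+)\"" \
| rex max_match=0 "\ba\d+=\"(?<argv>[^\"]*)\"" \
| stats values(key) AS key values(auid) AS auid values(exe) AS exe list(argv) AS argv min(_time) AS _time BY host audit_id \
| where key="download_tool" \
| eval cmdline=mvjoin(argv, " ") \
| rex field=cmdline max_match=0 "(?<url>https?://[^\s\"']+)" \
| where isnotnull(url) \
| mvexpand url \
| where NOT match(url, "^https?://([^/]+\.)?(amazonaws\.com|amazon\.com|ubuntu\.com)(/|$)") \
| table _time host audit_id auid exe cmdline url
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = secops@example.com
```

A few things to check before trusting these in production: auid=4294967295 means no login session (cron jobs, daemons, user-data scripts), so decide whether to alert on those or filter them out; editors such as vim replace a watched file rather than writing it in place, which shows up as nametype=CREATE or DELETE instead of NORMAL, so keep both; and auditd only captures downloads made with the watched binaries, so a script using python or a package manager goes unseen. For a network-side view of "download from the public internet" that catches any process, pair these host alerts with VPC Flow Logs or NAT/proxy logs and alert on egress to IPs outside your known ranges.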