Hello,
I need to create a simple alert that would satisfy the below DOD STIG:
SPLK-CL-000320 - Splunk Enterprise must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
We do not have a budget to buy the paid Splunk security app. But we have Splunk Enterprise 9 installed.
Moreover, we are inside an intranet, so attacks, if any, would be minimal.
Therefore, I would like to get ideas on what would be considered an attack.
For example, I have the below ideas myself:
1. A user logs in but is denied access for whatever reason.
2. A user attempts to open a file he/she does not have rights to.
I am more experienced with Splunk than Linux security, so any help would be appreciated.
I am working on a Linux server. Does anyone have a few SPL suggestions? Which logs to look for? What text to look for in the logs? That would be a great help.

Thanks for the responses, but I need something more specific, like what logs/text to look for. I have the Linux app installed and the os index is basically indexing most of the important log files in /var/log, but I do not know what to look for or which log to specifically target. Help would be appreciated.
No one can tell you what _you_ need to monitor and what to look for - it depends on your environments, your use cases, your users and your work characteristics.
You can look for inspiration here https://research.splunk.com/
It's a very broad description.
And don't worry about lack of Enterprise Security app. Yes, it's great and has many useful functionalities but you can do quite a lot with Splunk Enterprise on its own. The "problem" here is that you don't know what you need. Think what data you have and what can tell you of a possible attack.
You can use Security Essentials app for inspiration.
But please, don't do "checkbox security" meaning "just write something that seems to satisfy some literal requirement in the least-effort way possible" so that you can cross it off your todo list. That actually impairs your security posture.
Although you are not able to use Splunk ES (SIEM), you can still do a lot of security monitoring with Splunk.
At a high level:
I would first look at the various data sources that give you the data you want, such as Windows and Linux authentication and access logs (on Windows the Security event log; on Linux the various secure logs: /var/log/auth.log, /var/log/secure, /var/log/audit/audit.log, etc.).
For file-level access on Windows or Linux you need audit logging enabled, so you will need to ensure this data is in the logs.
It's best to work with your security team / OS admins, define and ensure the logs you want are set, and start to ingest the data into Splunk as per standard methods.
Once you have the data/logs ingested into Splunk, you can analyse the data and begin to develop the SPL query.
I would start by looking at Splunk Security Essentials - this provides many use cases and the SPL code. Yes, many are related to Splunk ES (SIEM), but you can still begin to look at some of the basic ones with SPL, for example Brute Force Detection; this will show some out-of-the-box SPL, and from there you can use and develop it and look at others.
Once you have the ones suitable for your environment, and you have tested them, you can set up reports and email alerts via Splunk.
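The detection the answer above outlines (auth failures from /var/log/secure or /var/log/auth.log, permission-denied records from /var/log/audit/audit.log, then a count across hosts that an alert can fire on) as an added example that is not part of this thread. It is written in Python rather than SPL so that the log patterns and the threshold logic can be tried offline: the event list stands in for a scheduled search's time window, and the `host` field stands in for the one Splunk sets at ingest (the audit line itself carries no hostname). The hostnames, addresses, user names and the audit rule named in the comments are constructed for the example, and the thresholds are illustrative defaults, not values from the STIG or from Splunk.

```python
"""Multi-host attack detection over Linux auth and audit events.

Added example, not code from the original thread: the grouping a Splunk
alert would do, expressed in Python over constructed sample events.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events, shaped like what the Linux add-on indexes:
# 'host' is Splunk's host field, 'source' the file, '_raw' the log line.
SAMPLE_EVENTS = [
    {"host": "web01", "source": "/var/log/secure",
     "_raw": "Nov 10 12:00:01 web01 sshd[2101]: Failed password for invalid user admin from 10.0.5.77 port 51234 ssh2"},
    {"host": "web01", "source": "/var/log/secure",
     "_raw": "Nov 10 12:00:04 web01 sshd[2103]: Failed password for root from 10.0.5.77 port 51236 ssh2"},
    {"host": "db01", "source": "/var/log/secure",
     "_raw": "Nov 10 12:00:09 db01 sshd[887]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.77  user=root"},
    {"host": "db01", "source": "/var/log/secure",
     "_raw": "Nov 10 12:00:11 db01 sshd[887]: Failed password for root from 10.0.5.77 port 51240 ssh2"},
    {"host": "app02", "source": "/var/log/secure",
     "_raw": "Nov 10 12:01:30 app02 sshd[4410]: Failed password for bob from 10.0.8.12 port 40001 ssh2"},
    {"host": "app02", "source": "/var/log/secure",
     "_raw": "Nov 10 12:01:41 app02 sshd[4412]: Accepted password for bob from 10.0.8.12 port 40002 ssh2"},
    {"host": "db01", "source": "/var/log/audit/audit.log",
     "_raw": 'type=SYSCALL msg=audit(1699617720.301:4471): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0c1a0 a2=0 a3=0 items=1 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="file_access"'},
    {"host": "web01", "source": "/var/log/audit/audit.log",
     "_raw": 'type=SYSCALL msg=audit(1699617745.118:9120): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55e1a9f0 a2=0 a3=0 items=1 ppid=5120 pid=5121 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=7 comm="less" exe="/usr/bin/less" key="file_access"'},
    {"host": "web01", "source": "/var/log/audit/audit.log",
     "_raw": 'type=SYSCALL msg=audit(1699617750.002:9125): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e1aa10 a2=0 a3=0 items=1 ppid=5120 pid=5130 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=7 comm="cat" exe="/usr/bin/cat" key="file_access"'},
]

# sshd's own failure line (/var/log/secure on RHEL, /var/log/auth.log on Debian).
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
# PAM's failure line; rhost is empty for console logins, hence \S* rather than \S+.
PAM_FAILED = re.compile(
    r"pam_unix\((?P<service>[^)]+)\): authentication failure;.*?rhost=(?P<src>\S*)\s+user=(?P<user>\S+)")
# auditd SYSCALL record refused with EACCES (exit=-13). Such records only exist if an
# audit rule captures them, e.g. (assumed rule for this example):
#   -a always,exit -F arch=b64 -S openat -F exit=-EACCES -k file_access
AUDIT_EACCES = re.compile(
    r'type=SYSCALL .*?success=no exit=-13 .*?auid=(?P<auid>\d+) .*?exe="(?P<exe>[^"]+)"')


def parse_event(event):
    """Normalise one indexed event to {kind, actor, host, user}, or None when the
    line is not a failure we care about. 'actor' is the pivot the detection groups on:
    the remote address for auth failures, the login uid (auid) for access denials."""
    raw = event["_raw"]
    m = SSHD_FAILED.search(raw) or PAM_FAILED.search(raw)
    if m:
        return {"kind": "auth_failure", "actor": m.group("src") or "local",
                "host": event["host"], "user": m.group("user")}
    m = AUDIT_EACCES.search(raw)
    if m:
        return {"kind": "access_denied", "actor": "auid=" + m.group("auid"),
                "host": event["host"], "user": m.group("exe")}
    return None


@dataclass(frozen=True)
class Finding:
    kind: str
    actor: str
    hosts: tuple   # sorted distinct hosts the actor failed against
    count: int


# Illustrative thresholds: failures needed per kind before an actor is reported.
THRESHOLDS = {"auth_failure": 3, "access_denied": 2}


def find_multi_host_attacks(events, thresholds=THRESHOLDS, min_hosts=2):
    """Group failures by (kind, actor) and report every actor that reached the
    failure threshold for its kind across at least min_hosts distinct hosts.
    The event list is the time window (like earliest=-15m on a scheduled search)."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for ev in events:
        p = parse_event(ev)
        if p is None:
            continue
        key = (p["kind"], p["actor"])
        counts[key] += 1
        hosts[key].add(p["host"])
    findings = [Finding(kind, actor, tuple(sorted(hosts[(kind, actor)])), n)
                for (kind, actor), n in counts.items()
                if n >= thresholds[kind] and len(hosts[(kind, actor)]) >= min_hosts]
    return sorted(findings, key=lambda f: (f.kind, f.actor))


def notification_text(findings):
    """Body for the SA/ISSO alert e-mail: one line per finding, empty if nothing fired."""
    return "\n".join(f"{f.kind}: {f.actor} hit {len(f.hosts)} hosts ({', '.join(f.hosts)}) "
                     f"with {f.count} failures" for f in findings)


if __name__ == "__main__":
    print(notification_text(find_multi_host_attacks(SAMPLE_EVENTS)) or "nothing to report")
```

On the sample, 10.0.5.77 is reported (four failures against web01 and db01), the single mistyped password from 10.0.8.12 is not, and auid 1001's two EACCES refusals on two hosts are reported because the access-denied threshold is lower. The Splunk form of the same pivot is the grouping, not the regexes: extract `src` (or `auid`) and then `| stats count dc(host) AS hosts BY src | where count>=3 AND hosts>=2`, with the search scheduled and an email alert action for the SA/ISSO addresses; the per-host threshold and the `dc(host)` condition are what make the alert match the STIG's "multiple devices and hosts" wording rather than a single noisy login.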
Download this app, it’s to help with security use cases and then some more. (Its not a monitoring app)
This is the app
https://splunkbase.splunk.com/app/3435
This is getting started with SE
https://lantern.splunk.com/Security/Getting_Started/Getting_started_with_Splunk_Security_Essentials
Use Case Explorer - helps with more use cases