Monitoring Splunk

Please help me with creating a few Alerts - Share SPL please. See message below. Thank you

SamHTexas
Builder

Please help with SPLs for the following Alerts. Thank you very much in advance.

Active Directory unusual login activity after hours 10PM-6AM EST

Active Directory Possible compromised admin accts

DNS communication with Foreign / Risky countries

SQL DB monitoring unauthorized changes


splunkcol
Builder


Active Directory unusual login activity after hours 10PM-6AM EST

The query that you should use, and the possible event codes that can be related to events in AD, are in this post: link

For the non-working time range, use this cron when setting the alert after hitting "Save As" > "Alert" (link):
0 22,23,0,1,2,3,4,5,6 * * *



Active Directory Possible compromised admin accts

I am sure that in this thread you will find the answer:
https://community.splunk.com/t5/All-Apps-and-Add-ons/Example-of-how-to-detect-new-authentication-aga...


DNS communication with Foreign / Risky countries
https://www.splunk.com/en_us/blog/security/hunting-your-dns-dragons.html


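An added example search for the first alert (after-hours AD logons), written for this thread and not taken from the original post or the linked article. It assumes the field names of the Splunk Add-on for Microsoft Windows (EventCode, Logon_Type, user, src_ip, ComputerName), an index named wineventlog, and a search user whose Splunk timezone is set to America/New_York so that %H reflects Eastern time; it keeps only interactive (2) and RemoteInteractive (10) logons, drops machine accounts (names ending in $), and summarises per user.

```spl
index=wineventlog sourcetype="XmlWinEventLog" EventCode=4624 Logon_Type IN (2, 10) NOT user="*$"
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=22 OR hour<6
| stats count AS logons min(_time) AS first_seen max(_time) AS last_seen values(src_ip) AS src_ips dc(ComputerName) AS hosts BY user
| convert ctime(first_seen) ctime(last_seen)
| sort - logons
```

Saved as an alert with the cron above and a time range of "Last 60 minutes", it inspects each hour of the 10PM-6AM window and can trigger on "Number of Results > 0"; if the search user's timezone is UTC instead, shift the hour bounds accordingly or the window will be off by the EST/EDT offset.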

richgalloway
SplunkTrust
SplunkTrust

What have you tried so far?  Have you checked out the Splunk Security Essentials app?  It has examples for similar use cases.

---
If this reply helps you, Karma would be appreciated.

SamHTexas
Builder

I already have Splunk ES. Is that better than the Essentials? Please show me how to use it for such Alerts. Thank you


richgalloway
SplunkTrust
SplunkTrust

Enterprise Security and Security Essentials are different apps that do not compete with each other.  Use SSE to see examples of what security use cases can be solved with Splunk or ES.  It also will help you determine what use cases apply to the data you have and, conversely, what data you need for a given use case.

The SSE app has good documentation that should be reviewed.  To see use cases, go to Security Content->Security Content and scroll through what's there.

---
If this reply helps you, Karma would be appreciated.

SamHTexas
Builder

Thank you for your message. I am reviewing the Security Essentials app. Where is it best installed for the best output?
