
Please help me with creating a few Alerts - Share SPL please. See message below. Thank you

SamHTexas
Builder

Please help with SPLs for the following Alerts. Thank you very much in advance.

Active Directory unusual login activity after hours 10PM-6AM EST

Active Directory Possible compromised admin accts

DNS communication with Foreign / Risky countries

SQL DB monitoring unauthorized changes


splunkcol
Builder


Active Directory unusual login activity after hours 10PM-6AM EST

The query that you should use, and the possible event codes that can be related to events in AD: see this post (link).

For the non-working time range, use this cron when setting the alert after clicking "Save as" > "Alert" (link):
0 22,23,0,1,2,3,4,5,6 * * *



Active Directory Possible compromised admin accts

I am sure that in this thread you will find the answer:
https://community.splunk.com/t5/All-Apps-and-Add-ons/Example-of-how-to-detect-new-authentication-aga...


DNS communication with Foreign / Risky countries
https://www.splunk.com/en_us/blog/security/hunting-your-dns-dragons.html


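An SPL search for the first alert (after-hours AD logins), added here as an example and not part of splunkcol's reply. It assumes the Splunk Add-on for Microsoft Windows field names (EventCode, Logon_Type, user, src, dest) and an index named wineventlog; adjust both to your environment. The hour is computed with strftime, which uses the time zone of the user who owns the saved search, so that user's Splunk time zone should be set to US Eastern; the `OR` in the where clause is what makes the window wrap across midnight.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type IN (2, 7, 10, 11) earliest=-60m@m latest=@m
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=22 OR hour<6
| stats count, min(_time) AS first_seen, max(_time) AS last_seen, values(src) AS src, values(Logon_Type) AS logon_types BY user, dest
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Because the cron above fires at the top of each hour from 22:00 through 06:00, the 60-minute window covers each after-hours hour exactly once. Logon types 2, 7, 10 and 11 are console, unlock, RDP and cached-interactive logons, so network and service logons (3, 4, 5) are left out of this alert.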

richgalloway
SplunkTrust

What have you tried so far? Have you checked out the Splunk Security Essentials app? It has examples for similar use cases.

---
If this reply helps you, Karma would be appreciated.

SamHTexas
Builder

I already have Splunk ES. Is that better than the Essentials? Please show me how to use it for such Alerts. Thank you


richgalloway
SplunkTrust

Enterprise Security and Security Essentials are different apps that do not compete with each other. Use SSE to see examples of what security use cases can be solved with Splunk or ES. It also will help you determine what use cases apply to the data you have and, conversely, what data you need for a given use case.

The SSE app has good documentation that should be reviewed. To see use cases, go to Security Content->Security Content and scroll through what's there.

---
If this reply helps you, Karma would be appreciated.

SamHTexas
Builder

Thank you for your message. I am reviewing the Security Essentials app. Where is it best to be installed for best output?
