Please help with SPLs for the following alerts. Thank you very much in advance.
Active Directory unusual login activity after hours 10PM-6AM EST
Active Directory Possible compromised admin accts
DNS communication with Foreign / Risky countries
SQL DB monitoring unauthorized changes
Active Directory unusual login activity after hours 10PM-6AM EST
The query that you should use, and the possible event codes that can be related to events in AD, are in this post: link
For the non-working time range, use this cron when setting the alert after hitting "Save As" > "Alert" (link):
0 22,23,0,1,2,3,4,5,6 * * *
Active Directory Possible compromised admin accts
I am sure that you will find the answer in this thread:
https://community.splunk.com/t5/All-Apps-and-Add-ons/Example-of-how-to-detect-new-authentication-aga...
DNS communication with Foreign / Risky countries
https://www.splunk.com/en_us/blog/security/hunting-your-dns-dragons.html
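As an added example (not part of the original answer or of the linked posts), here is one way to write the after-hours AD logon search that pairs with the cron above. It assumes the Splunk Add-on for Microsoft Windows is installed, that Security logs arrive as sourcetype WinEventLog in an index named wineventlog, and that the add-on's extracted fields (EventCode, Logon_Type, user, src, dest) are available; adjust the index and field names to match your environment. The hour filter inside the search is a guard in case the search runs outside the scheduled window; the cron above fires at the top of every hour from 22:00 to 06:00, so a time range of the last 60 minutes covers the window. Note that strftime renders the hour in the time zone configured for the Splunk user who owns the saved search, so that user's time zone preference must be set to US/Eastern for the 10PM-6AM cut-off to be correct.

```spl
index=wineventlog sourcetype=WinEventLog EventCode=4624 Logon_Type IN (2, 10)
    NOT user IN ("ANONYMOUS LOGON", "*$")
| eval hour=tonumber(strftime(_time, "%H"))
| where hour>=22 OR hour<6
| stats count,
        min(_time) AS firstTime,
        max(_time) AS lastTime,
        values(src) AS src,
        values(dest) AS dest,
        values(Logon_Type) AS logon_types
    BY user
| convert ctime(firstTime) ctime(lastTime)
| sort - count
```

Logon types 2 (Interactive) and 10 (RemoteInteractive) are the ones a human normally generates; drop the Logon_Type filter if you also want service, network and batch logons (types 3, 4, 5), but expect far more noise. Excluding names ending in "$" removes computer accounts. Save the search as an alert with a time range of -60m@m to now, then set the cron above as the schedule, and consider a second filter on a lookup of users who are expected to work nights before routing it to an analyst.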
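For the DNS alert, an added example (not part of the original answer or of the linked blog post) that geolocates the resolved addresses rather than the client. It assumes DNS logs in an index named dns whose resolved addresses are in a multivalue field named answer (the field name differs between Stream, Zeek and Windows DNS data, so rename as needed), and a hypothetical lookup file risky_countries.csv with columns Country and risk that you maintain yourself. iplocation is the built-in Splunk command and populates the Country field from the MaxMind database that ships with Splunk.

```spl
index=dns answer=*
| mvexpand answer
| where match(answer, "^\d{1,3}(\.\d{1,3}){3}$")
| iplocation answer
| where isnotnull(Country) AND NOT Country IN ("United States", "Canada")
| lookup risky_countries.csv Country OUTPUT risk
| where risk="high"
| stats count,
        dc(query) AS distinct_queries,
        values(query) AS queries,
        values(answer) AS resolved_ips
    BY src, Country
| sort - count
```

The regex keeps only IPv4 answers so that CNAME records are not passed to iplocation; add an IPv6 pattern if your resolver logs AAAA answers. Treat the result as a hunting lead rather than a confirmed incident: content delivery networks and cloud providers resolve to many countries, so an allowlist of known CDN domains in a second lookup keeps the alert volume manageable.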
What have you tried so far? Have you checked out the Splunk Security Essentials app? It has examples for similar use cases.
I already have Splunk ES. Is that better than Security Essentials? Please show me how to use it for such alerts. Thank you.
Enterprise Security and Security Essentials are different apps that do not compete with each other. Use SSE to see examples of what security use cases can be solved with Splunk or ES. It will also help you determine what use cases apply to the data you have and, conversely, what data you need for a given use case.
The SSE app has good documentation that should be reviewed. To see use cases, go to Security Content->Security Content and scroll through what's there.
Thank you for your message. I am reviewing the Security Essentials app. Where is it best installed for the best output?