Reporting

User activities in single query

SPLUNK111
New Member

Hi Team,

I'm new to Splunk.. could

How can I check the different activities of a list of users (e.g. 10 users) in a single query?

1)password failure

2)Malware operations/malicious file

3)Traffic towards malicious public IP

4)Suspicious mail activity


gcusello
SplunkTrust

Hi @SPLUNK111,

your question is just a little bit vague!

How can I help you without knowing which data you have, so that you can extract fields from it and create searches?

Anyway, your approach should be:

  • analyze your data,
  • extract the fields to use in all your searches (using regexes or the Interactive Field Extractor),
  • create your searches one by one, each one answering one of your use cases.

If you're new, the best approach is to follow the Splunk Fundamentals I course (https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html) and the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchTutorial/WelcometotheSearchTutorial) to understand how to do the above activities.

In addition, on YouTube you can find many videos about this.

Ciao.

Giuseppe

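As an added example (not part of the original thread, and not Giuseppe's or the asker's code), here is what the "one query for a list of users" could look like once the field extraction step above is done. Everything in it is an assumption: an index called security; sourcetypes auth, av, firewall and mail; a user field extracted with the same name and format in all four; an action field in the auth, av and mail events; a dest_ip field in the firewall events; and two uploaded lookup CSVs, watched_users.csv (column user) and malicious_ips.csv (column ip). Replace these names with whatever your own data and field extractions actually use.

```spl
/* Hypothetical index, sourcetypes, fields and lookup files (assumed, not from the thread). */
index=security sourcetype IN (auth, av, firewall, mail)
    /* Subsearch expands to (user="alice") OR (user="bob") OR ... from the watched_users.csv lookup,
       so the 10 users of interest are filtered at search time instead of being listed by hand. */
    [| inputlookup watched_users.csv | fields user ]
/* Tag firewall events whose destination is in the malicious_ips.csv list; matched_bad_ip stays null otherwise. */
| lookup malicious_ips.csv ip AS dest_ip OUTPUT ip AS matched_bad_ip
/* Map each source to one of the four use cases from the question; case() returns null when nothing matches. */
| eval activity=case(
      sourcetype="auth"     AND action="failure",        "1) password failure",
      sourcetype="av"       AND action="blocked",        "2) malware operation / malicious file",
      sourcetype="firewall" AND isnotnull(matched_bad_ip), "3) traffic towards malicious public IP",
      sourcetype="mail"     AND action="quarantined",    "4) suspicious mail activity")
| where isnotnull(activity)
/* One row per user and activity type, with counts and the time window in which it was seen. */
| stats count AS events, earliest(_time) AS first_seen, latest(_time) AS last_seen BY user, activity
| convert ctime(first_seen) ctime(last_seen)
| sort user, -events
```

Two practical notes: the user value must be normalised across sources before this works (for example DOMAIN\alice in the auth logs versus alice@example.com in the mail logs will never join against one lookup), which is exactly the field-extraction step Giuseppe recommends doing first; and while tuning the action values, run the search without the final stats, convert and sort lines so you can see which raw events are being classified into each activity.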