Splunk Enterprise and audits

ochoa165
Explorer

Hello everyone, I am extremely new to using Splunk Enterprise and I have been tasked with generating security audits. I am aware of how to use the CLI to generate data integrity audits to ensure the data hasn't been tampered with; however, I am unsure of how to query audits for the scenarios below:

- failed logons
- brute force attempts
- user logons
- administrative privilege escalations

Any help or guidance is appreciated. I have done limited research in terms of using:

https://gosplunk.com/category/splunk-dashboards/

I haven't been able to find much via the Splunk docs, unfortunately. Maybe I haven't found the right manual.

 

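As an added illustration of the kind of search the poster is after (this is not from the original thread or from the Security Essentials app), the search below covers two of the listed scenarios at once: it counts failed Windows logons (EventCode 4625) per source address in 15-minute windows, flags bursts as brute-force attempts, and marks windows where a successful logon (EventCode 4624) from the same source followed the failures. It assumes the Splunk Add-on for Microsoft Windows field names (EventCode, Account_Name, src), an index named wineventlog, and a threshold of 20 failures; all three are assumptions to adjust for your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=4624)
| eval outcome=if(EventCode=4625, "failure", "success")
| bin _time span=15m
| stats count(eval(outcome="failure")) AS failures,
        count(eval(outcome="success")) AS successes,
        dc(Account_Name) AS distinct_accounts,
        values(Account_Name) AS accounts,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY _time, src
| where failures >= 20
| eval verdict=if(successes > 0,
                  "failures followed by success - investigate",
                  "brute-force attempt")
| convert ctime(first_seen) ctime(last_seen)
| sort - failures
```

A high distinct_accounts value with few failures per account points at password spraying rather than a single-account attack; for the privilege escalation scenario the same pattern applies with EventCode 4672 (special privileges assigned to a new logon) and 4728/4732 (member added to a privileged group).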

richgalloway
SplunkTrust

The Splunk Security Essentials app has examples for all of those use cases and many more.

---
If this reply helps you, an upvote would be appreciated.

ochoa165
Explorer

Thank you for replying! So am I correct in assuming I would need to install the Splunk Security Essentials app on top of Splunk Enterprise?


richgalloway
SplunkTrust

If you wish to see the example queries, then yes, you will need to install the app.

---
If this reply helps you, an upvote would be appreciated.