Splunk Enterprise and audits

ochoa165 · ‎01-18-2021

Hello everyone I am extremely new at using Splunk enterprise and i have been tasked with generating security audits...i am aware of how to use the CLI to generate data integrity audits to ensure the data hasn't been tampered with however i am unsure of how to query audits for the below scenarios:

-failed logons

-brute force attempts

-user logons

-administrative privilege escalations

any help or guidance is appreciated... I have done limited research in terms of using :

https://gosplunk.com/category/splunk-dashboards/

I haven't been able to find much via splunk docs unfortunately.. maybe i havent found the right manual.

richgalloway · ‎01-19-2021

The Splunk Security Essentials app has examples for all of those use cases and many more.

---
If this reply helps you, Karma would be appreciated.

ochoa165 · ‎01-19-2021

Thank you for replying! So am I correct in assuming i would need to install the Splunk Security Essentials App on top of Splunk Enterprise?

richgalloway · ‎01-20-2021

If you wish to see the example queries then, yes, you will need to install the app.

---
If this reply helps you, Karma would be appreciated.

Splunk Enterprise and audits

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest