Security & the Enterprise
Much secured. So patch!

Splunk Enterprise and audits

ochoa165
Explorer

Hello everyone I am extremely new at using Splunk enterprise and i have been tasked with generating security audits...i am aware of how to use the CLI to generate data integrity audits to ensure the data hasn't been tampered with however i am unsure of how to query audits for the below scenarios:

 

-failed logons

-brute force attempts

-user logons

-administrative privilege escalations

 

any help or guidance is appreciated... I have done limited research in terms of using :

https://gosplunk.com/category/splunk-dashboards/

 

I haven't been able to find much via splunk docs unfortunately.. maybe i havent found the right manual.  

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The Splunk Security Essentials app has examples for all of those use cases and many more.

---
If this reply helps you, Karma would be appreciated.

ochoa165
Explorer

Thank you for replying! So am I correct in assuming i would need to install the Splunk Security Essentials App on top of Splunk Enterprise?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you wish to see the example queries then, yes, you will need to install the app.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...