Hey Splunk Community!
Working on a dashboard (for Incident Response) in Splunk but need some assistance initially with queries on the following in Splunk:
Need this soon, would be appreciated.
Thanks Very much!
Just need: malicious host for Symantec AV, e.g.
Hi @Cyberguru,
See in Splunkbase (apps.splunk.com) the Add-on to collect data and the App to display data.
Ciao.
Giuseppe
Hi @Cyberguru,
There isn't a general answer to your question because the searches depend on the data you have: e.g. if you speak of a malicious host, this depends on the Antivirus, WAF or IPS/IDS you're using.
So start from the technologies you're collecting logs from, then check in Splunkbase (apps.splunk.com) whether there's an App (usually there is!) that gives you the dashboards you need.
In addition, I suggest installing and looking at the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435), which contains many security searches and guides you in data analysis.
Ciao.
Giuseppe
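As an added example (not from Giuseppe's replies or from any Splunkbase app), here is one way to build the "malicious host" panel the question asks about without tying the search to Symantec's raw field names: query the CIM Malware data model, which the vendor Add-on populates once it is installed and its events are tagged. It assumes the Add-on is in place and the Malware data model is populated (acceleration is not required); the field names below are the CIM ones, and "allowed" is the CIM action value for detections the AV did not block, which are the hosts an IR dashboard cares about first.

```spl
| tstats count
    values(Malware_Attacks.signature) as signatures
    dc(Malware_Attacks.signature) as distinct_signatures
    max(_time) as last_seen
    from datamodel=Malware.Malware_Attacks
    where Malware_Attacks.action="allowed"
    by Malware_Attacks.dest Malware_Attacks.vendor_product
| rename Malware_Attacks.* as *
| convert ctime(last_seen)
| sort - count
| table dest vendor_product count distinct_signatures signatures last_seen
```

Swapping `action="allowed"` for `action="blocked"` gives the companion panel of hosts where the AV did its job, and the same search works unchanged for any other AV whose Add-on maps to the Malware data model.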