Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with Search for multiple tasks

Cyberguru
Engager
‎01-25-2023 07:51 AM

Hey Splunk Community!

 

Working on a dashboard ( For Incident Response) in splunk but need some assistance initially with queries on the following in Splunk:

  • Computer or host showing if malicious
  • Logon info for other machines that a user has logged in for the ay
  • IP address of machine, Location or Country, Is it a VM, and Laptop
  • Active Directory info on user
  • Remote machine name - to find out what machine was used to remote into the Server on the last incident

Need this soon, would be appreciated.

Thanks Very much!

Labels (4)
Tags (3)
0 Karma
Reply

Cyberguru
Engager
‎01-25-2023 08:03 AM

Just need -malicious host for Symantec AV for e.g.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2023 08:09 AM

Hi @Cyberguru,

see in Splunkbase (apps.splunk.com) the Add-on to collect data and the App to display data.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2023 07:59 AM

Hi @Cyberguru,

there isn't a general answer to your question because the searches depend on the data you have: e.g. if you speak of malicious host, this depends on the Antivirus or WAF or the IPS/IDS you're using.

So start from the technologies you're collecting logs, then see in Splunkbase (apps.splunk.com) if there's an App (usually there is!) that gives you the dashboards you need.

In addition I hint to install and see the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435) that contains many security searches and guides you in the data analysis.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...