Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help with Search for multiple tasks

Cyberguru
Engager
‎01-25-2023 07:51 AM

Hey Splunk Community!

 

Working on a dashboard ( For Incident Response) in splunk but need some assistance initially with queries on the following in Splunk:

  • Computer or host showing if malicious
  • Logon info for other machines that a user has logged in for the ay
  • IP address of machine, Location or Country, Is it a VM, and Laptop
  • Active Directory info on user
  • Remote machine name - to find out what machine was used to remote into the Server on the last incident

Need this soon, would be appreciated.

Thanks Very much!

Labels (4)
Tags (3)
0 Karma
Reply

Cyberguru
Engager
‎01-25-2023 08:03 AM

Just need -malicious host for Symantec AV for e.g.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2023 08:09 AM

Hi @Cyberguru,

see in Splunkbase (apps.splunk.com) the Add-on to collect data and the App to display data.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2023 07:59 AM

Hi @Cyberguru,

there isn't a general answer to your question because the searches depend on the data you have: e.g. if you speak of malicious host, this depends on the Antivirus or WAF or the IPS/IDS you're using.

So start from the technologies you're collecting logs, then see in Splunkbase (apps.splunk.com) if there's an App (usually there is!) that gives you the dashboards you need.

In addition I hint to install and see the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435) that contains many security searches and guides you in the data analysis.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...