Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with Search for multiple tasks

Cyberguru
Engager
‎01-25-2023 07:51 AM

Hey Splunk Community!

 

Working on a dashboard ( For Incident Response) in splunk but need some assistance initially with queries on the following in Splunk:

  • Computer or host showing if malicious
  • Logon info for other machines that a user has logged in for the ay
  • IP address of machine, Location or Country, Is it a VM, and Laptop
  • Active Directory info on user
  • Remote machine name - to find out what machine was used to remote into the Server on the last incident

Need this soon, would be appreciated.

Thanks Very much!

Labels (4)
Tags (3)
0 Karma
Reply

Cyberguru
Engager
‎01-25-2023 08:03 AM

Just need -malicious host for Symantec AV for e.g.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2023 08:09 AM

Hi @Cyberguru,

see in Splunkbase (apps.splunk.com) the Add-on to collect data and the App to display data.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2023 07:59 AM

Hi @Cyberguru,

there isn't a general answer to your question because the searches depend on the data you have: e.g. if you speak of malicious host, this depends on the Antivirus or WAF or the IPS/IDS you're using.

So start from the technologies you're collecting logs, then see in Splunkbase (apps.splunk.com) if there's an App (usually there is!) that gives you the dashboards you need.

In addition I hint to install and see the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435) that contains many security searches and guides you in the data analysis.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...