Hey guys, I just wanted to find out what other IT security teams are doing with Splunk.
I have a number of dashboards displaying information for us, including:
Microsoft AD - failed logins, account lockout numbers, etc.
Symantec SEP - latest alerts, figures on most infections by machine, user and malware type.
Web - number of 404s detected in the last 60 mins / 24 hours; this helps with detecting folder enumeration, etc.
Number of /etc/passwd attempts, etc.
So, I'm trying to get other ideas.
What are YOU using this great tool for?
Thanks,
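As an added example (not from the original post), the "404s in the last 60 minutes" and "/etc/passwd attempts" panels above expressed as standalone Python over constructed Apache-style access-log lines; the threshold of 3 and the 60-minute window are assumptions, and the same logic would be an SPL search over the same fields in Splunk.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:58:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:10 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:02:11 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(log_text):
    """Return a list of dicts (ip, ts, path, status) for every parseable line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m.group("ip"), "ts": ts,
                       "path": m.group("path"), "status": int(m.group("status"))})
    return events


def find_enumerators(events, now=None, window=timedelta(minutes=60), threshold=3):
    """Clients with more than `threshold` 404s in the trailing window ending at `now`
    (defaults to the newest event), i.e. the '404s in the last 60 minutes' panel."""
    if now is None:
        now = max(e["ts"] for e in events)
    start = now - window
    counts = Counter(e["ip"] for e in events
                     if e["status"] == 404 and start <= e["ts"] <= now)
    return {ip: n for ip, n in counts.items() if n > threshold}


def find_passwd_attempts(events):
    """Requests whose path targets /etc/passwd; blocked (403) attempts still count."""
    return [(e["ip"], e["path"]) for e in events if "/etc/passwd" in e["path"]]
```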
For firewalls (Check Point): number of accepts/denies for a particular service (port) (i.e. profiling).
Also for baselining: log volumes for every type of event.
Failed login attempts, locked accounts, uncategorized website attempts (based off of Websense), outbound compressed file traffic, cleared event logs, specific query alerts, etc.