Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

A Necessity of use cases related to Nessus and Windows.

leillo28
New Member
‎02-21-2020 07:16 AM

Hi all,
We have the necessity to implements alerts related to Nessus scans and Windows systems.
We have seen a few of them related to Windows in the Use Case Library at Enterprise Security but I was wondering if you have any sort of alerts that we could implement furthermore than those.
Thank you in advance.

0 Karma
Reply

alonsocaio
Contributor
‎02-21-2020 04:36 PM

Hi,

For Windows use cases I think you could consider monitoring:

  • Windows authentication brute force attempts.
  • Process creation and powershell execution
  • Inclusion and Removal of users in admin groups
  • Creation of local admin accounts
  • Audit log clear
  • RDP connections
  • And much more...

You can also take a look at Splunk Security Essentials (https://splunkbase.splunk.com/app/3435/) and Splunk ES Content Updates (https://splunkbase.splunk.com/app/3449/). Both apps contain lots of alerts and correlation searches you can use, some of them even mapped to MITRE ATT&CK framework.

In addiction, this github repo has several monitoring rules that can be used in SIEM, including Windows use cases: https://github.com/Neo23x0/sigma

Maybe Tenable App for Splunk can give you some insights about Nessus: https://splunkbase.splunk.com/app/4061/#/details

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...