Splunk Enterprise Security

A Necessity of use cases related to Nessus and Windows.

New Member

Hi all,
We have the necessity to implements alerts related to Nessus scans and Windows systems.
We have seen a few of them related to Windows in the Use Case Library at Enterprise Security but I was wondering if you have any sort of alerts that we could implement furthermore than those.
Thank you in advance.

0 Karma

Contributor

Hi,

For Windows use cases I think you could consider monitoring:

  • Windows authentication brute force attempts.
  • Process creation and powershell execution
  • Inclusion and Removal of users in admin groups
  • Creation of local admin accounts
  • Audit log clear
  • RDP connections
  • And much more...

You can also take a look at Splunk Security Essentials (https://splunkbase.splunk.com/app/3435/) and Splunk ES Content Updates (https://splunkbase.splunk.com/app/3449/). Both apps contain lots of alerts and correlation searches you can use, some of them even mapped to MITRE ATT&CK framework.

In addiction, this github repo has several monitoring rules that can be used in SIEM, including Windows use cases: https://github.com/Neo23x0/sigma

Maybe Tenable App for Splunk can give you some insights about Nessus: https://splunkbase.splunk.com/app/4061/#/details

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!