LCM
Contributor

Doc Question regarding ESS

I checked out http://www.splunk.com/view/enterprise-security-suite/SP-CAAAE8Z. It says the 50 most common security-based correlation searches are built into the ESS app.

Is there some more specific documentation on ESS where I can see EXACTLY what already comes with the app (e.g. what kind of checks are done, reporting, alerts, etc.)?

1 Solution

LCM
Contributor
Correlation Search                                      Domain

Anomalous Audit Trail Activity Detected                 audit
Anomalous New Listening Port                            endpoint
Anomalous New Processes                                 endpoint
Anomalous New Services                                  endpoint
Anomalous User Account Creation                         endpoint
Brute Force Access Behavior Detected                    access
Cleartext Password At Rest                              access
Completely Inactive Account                             access
Default Account Usage                                   access
Default Accounts At Rest                                access
Excessive Failed Logins                                 access
Expected Host Not Reporting                             audit
High Number of Hosts With Infection                     endpoint
High Number Of Infected Hosts                           endpoint
High Or Critical Priority Host With Malware             endpoint
Host With Excessive Number Of Listening Ports           endpoint
Host With Excessive Number Of Processes                 endpoint
Host With Excessive Number Of Services                  endpoint
Host With Multiple Infections                           endpoint
Inactive Account Usage                                  access
Insecure Or Cleartext Authentication                    access
Internet Proxy Server Activity                          network
Known Web Attacker Activity                             network
LogMeIn Activity                                        network
Old Malware Infection                                   endpoint
Personally Identifiable Information Detection           audit
PirateBay Activity                                      network
Policy Or Configuration Change                          network
Prohibited Process Detection                            endpoint
Prohibited Service Detection                            endpoint
RapidShare Activity                                     network
Recurring Malware Infection                             endpoint
SANS Block List Activity                                network
Should Timesync Host Not Syncing                        endpoint
Spyware Activity                                        network
Substantial Increase in an Event                        network
Substantial Increase in Port Activity (By Destination)  network
Tor Router Activity                                     network
Unapproved Port Activity Detected                       network
Unroutable Host Activity                                network
Vulnerability Scanner Detection (by event)              network
Vulnerability Scanner Detection (by targets)            network
Watchlisted Events                                      threat

Nearly 50, but happy so far! Further, I got an ESS User Guide from Splunk; unfortunately, it's not public!?


jcoates_splunk
Splunk Employee

Hi,

We've published the documentation now along with version 2.0. The current search listing may be found in the User's Manual: http://docs.splunk.com/Documentation/ES/latest/User/Overview
