Splunk Enterprise Security

How to set up an alert when events indicate changes to any NTP setting on any platform?

kappalkamal
New Member

Hi,

I need help on how to set up an alert when events indicating changes to any NTP setting on any platform are made, for example GPS appliances, Linux NTP server settings, Windows time configurations or registry entries related to Windows time.

Appreciate your response.

Thanks,
Kamal

0 Karma
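One way to build the kind of alert asked about above, as an added example that is not part of the original thread and not an answer posted by anyone in it. It assumes the Windows hosts forward the Security log with registry object-access auditing (a SACL on the `W32Time` service key plus the "Audit Registry" subcategory) so that Event ID 4657 ("A registry value was modified") is produced, that the Linux hosts run auditd with a watch such as `-w /etc/ntp.conf -p wa -k ntp_config` (and the same for `/etc/chrony.conf`), and that the GPS appliances send syslog. The sourcetype names (`WinEventLog:Security`, `linux_audit`, `syslog`), the field names (`Object_Name`, `Object_Value_Name`, `Account_Name`, `key`, `auid`, `name`) and the `gps-*` host pattern are assumptions about how the data was onboarded; adjust them to match the fields your add-ons actually extract.

```spl
(sourcetype="WinEventLog:Security" EventCode=4657 Object_Name="*\\Services\\W32Time\\*")
OR (sourcetype="linux_audit" type=SYSCALL key="ntp_config")
OR (sourcetype="syslog" host="gps-*" ("ntp" OR "time source") ("changed" OR "updated"))
| eval platform=case(sourcetype=="WinEventLog:Security", "windows",
                     sourcetype=="linux_audit", "linux",
                     true(), "appliance")
| eval actor=coalesce(Account_Name, auid, "unknown")
| eval changed_item=coalesce(Object_Value_Name, name, _raw)
| stats earliest(_time) AS first_seen latest(_time) AS last_seen
        values(changed_item) AS changed_items values(actor) AS actors count
        BY host platform
| convert ctime(first_seen) ctime(last_seen)
```

Save the search as an alert that runs on a cron schedule (for example every 15 minutes over `earliest=-15m`) and triggers when the number of results is greater than zero; the `stats ... BY host platform` summary means one alert per affected host rather than one per raw event. The first three lines are the part that will differ per platform: each one only works once the corresponding system is actually emitting an event for a configuration change, which is why the answers below push you to talk to the people who administer those systems and confirm what is logged before writing the search.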

Richfez
SplunkTrust

Hi, Kamal!

This is rather a big topic, so let's break that down a bit.

First, some background help. The Splunk Fundamentals 1 class is free! I'd suggest that if you haven't taken that yet to do so. This will give you a decent grounding upon which to build.

Then go through the Splunk Tutorial, which is ALSO free.

You may also be able to lean on people at your own company for help or assistance. Do you already have Splunk in place? In that case there's possibly someone who manages this and who can help you more directly than we can here.

In any case, you'll likely need to talk to the people who run/manage/administer those systems to find out how they log, what they log, and what might be your best collection method.

Giving you the specific answers to each of the platforms you asked about is far too large of a topic for one answer here. Each of the data sources will be different and will probably need a different approach, and at this time we don't know enough about any one of them to even try giving you an answer - except to start learning more Splunk and to start talking with the people who run those machines/appliances.

BTW, here's one attempt at trying to show someone how to onboard data - lots of stuff in there, be sure to click the upvote on that answer if you find it useful!

0 Karma

Sukisen1981
Champion

Hi,

Can we see some samples of your events and a brief description of your alert condition?

0 Karma