So I wanted to field this question out to the community. I'm looking to ensure that I'm covering as many attack vectors with my alerting as possible. I know that all environments differ in many ways, but has the community come up with a list of common attack vectors (queries) that all networks should be looking for?
Examples would be:
SSH brute force attempts
Inactive accounts being used
Brute force attempts that have 1 success
I would really like to know what others are doing. No suggestion is too simple or crazy. If this has been discussed in the past, can you point me in that direction?
Hi wweiland, I believe you will want to check out the Splunk App for Enterprise Security, which contains many notable event producing searches : https://splunkbase.splunk.com/app/263/
ES is a premium app so that is something of a barrier. Something else you can check out is the Security Ninjitsu App which seems to part education / part reference https://splunkbase.splunk.com/app/2903/
Let me know how this works out 😄
I've worked with the ES app in the past. I haven't looked at the Ninjitsu app yet, but will do so. I'm hoping to get an idea from the community what they are using that may not be in ES or from those who don't have access to ES.