
Are there a standard set of attack vectors to search and alert for?

wweiland
Contributor

So I wanted to field this question out to the community. I'm looking to ensure that I'm covering as many attack vectors with my alerting as possible. I know that all environments differ in many ways, but has the community come up with a list of common attack vectors (queries) that all networks should be looking for?

Examples would be:

SSH brute force attempts
Inactive accounts being used
Brute force attempts that have 1 success

I would really like to know what others are doing. No suggestion is too simple or crazy. If this has been discussed in the past, can you point me in that direction?

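The three alert ideas in the post, implemented as plain Python over constructed sshd log lines so the detection logic can be read and run outside Splunk. This is an added example, not code from the thread or from any Splunk app: the log lines, the RFC 5737 source addresses, the 5-failures-in-10-minutes threshold, the 90-day idle limit and the `LAST_SEEN` baseline table are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth log lines (RFC 5737 documentation addresses, not real traffic).
# 203.0.113.7 sprays passwords and then gets in as svc_backup; 198.51.100.4 is a
# user who mistypes once; 192.0.2.9 is a slow guesser whose attempts fall outside the window.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[1001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 10 08:00:02 bastion sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 10 08:00:03 bastion sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar 10 08:00:04 bastion sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Mar 10 08:00:05 bastion sshd[1005]: Failed password for svc_backup from 203.0.113.7 port 51004 ssh2
Mar 10 08:00:06 bastion sshd[1006]: Failed password for svc_backup from 203.0.113.7 port 51005 ssh2
Mar 10 08:00:09 bastion sshd[1007]: Accepted password for svc_backup from 203.0.113.7 port 51006 ssh2
Mar 10 08:05:00 bastion sshd[1010]: Failed password for jdoe from 198.51.100.4 port 40000 ssh2
Mar 10 08:05:30 bastion sshd[1011]: Accepted publickey for jdoe from 198.51.100.4 port 40001 ssh2: RSA SHA256:c0ffee
Mar 10 08:30:00 bastion sshd[1020]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar 10 09:30:00 bastion sshd[1021]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# Assumed "last successful login" baseline, the kind of thing a lookup table or a
# summary search over the previous 90 days would hold before this batch of events.
LAST_SEEN = {
    "jdoe": datetime(2024, 3, 9, 17, 0, 0),
    "svc_backup": datetime(2023, 11, 1, 2, 0, 0),
}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2024):
    """Turn sshd lines into dicts of ts/result/user/src. Syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # disconnects, key offers and other sshd noise are not auth outcomes
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Alert 1 (SSH brute force): sources with >= threshold failures inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        start, best = 0, 0
        for end, t in enumerate(times):  # times are already in event order
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert 3 (brute force with one success): a success preceded by >= threshold failures
    from the same source within the window. Returns (src, user, iso_timestamp) tuples."""
    hits = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        prior = [f for f in events
                 if f["result"] == "Failed" and f["src"] == e["src"]
                 and e["ts"] - window <= f["ts"] <= e["ts"]]
        if len(prior) >= threshold:
            hits.append((e["src"], e["user"], e["ts"].isoformat()))
    return hits


def inactive_account_logins(events, last_seen, max_idle=timedelta(days=90)):
    """Alert 2 (inactive account used): a success for an account with no login in max_idle
    days, or one never seen in the baseline at all. Returns (user, src, iso_timestamp) tuples."""
    hits = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        prev = last_seen.get(e["user"])
        if prev is None or e["ts"] - prev > max_idle:
            hits.append((e["user"], e["src"], e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("brute force sources:", brute_force_sources(evts))
    print("brute force then success:", brute_force_then_success(evts))
    print("inactive account logins:", inactive_account_logins(evts, LAST_SEEN))
```

Run stand-alone it flags 203.0.113.7 for all three alerts and nothing for the other two sources; the slow guesser at 192.0.2.9 shows why the window matters, since widening it to two hours makes that source trip the count too. In Splunk the same checks are `stats`/`where` searches over the extracted fields; for the third alert, assuming the events are indexed as `sourcetype=linux_secure`, the shape is `sourcetype=linux_secure ("Failed password" OR "Accepted p") | rex "(?<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?<user>\S+) from (?<src>\S+)" | stats count(eval(result="Failed")) as failures count(eval(result="Accepted")) as successes by src | where failures>=5 AND successes>=1`, scheduled over a 10-minute window. The inactive-account check needs a baseline (a lookup of last successful login per user, maintained by a separate scheduled search) rather than a single query over the live window.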

wweiland
Contributor

Nobody else has any suggestions?


muebel
SplunkTrust

Hi wweiland, I believe you will want to check out the Splunk App for Enterprise Security, which contains many notable-event-producing searches: https://splunkbase.splunk.com/app/263/

ES is a premium app, so that is something of a barrier. Something else you can check out is the Security Ninjitsu App, which seems to be part education, part reference: https://splunkbase.splunk.com/app/2903/

Let me know how this works out 😄


wweiland
Contributor

I've worked with the ES app in the past. I haven't looked at the Ninjitsu app yet, but will do so. I'm hoping to get an idea from the community what they are using that may not be in ES or from those who don't have access to ES.
