Hello, newb here trying to get up to speed... I need to create dashboards that will allow me to perform the audit events listed in the JSIG:

1. Authentication events:
   (1) Logons (Success/Failure)
   (2) Logoffs (Success)
2. Security Relevant File and Objects events:
   (1) Create (Success/Failure)
   (2) Access (Success/Failure)
   (3) Delete (Success/Failure)
   (4) Modify (Success/Failure)
   (5) Permission Modification (Success/Failure)
   (6) Ownership Modification (Success/Failure)
3. Export/Writes/downloads to devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure)
4. Import/Uploads from devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure)
5. User and Group Management events:
   (1) User add, delete, modify, disable, lock (Success/Failure)
   (2) Group/Role add, delete, modify (Success/Failure)
6. Use of Privileged/Special Rights events:
   (1) Security or audit policy changes (Success/Failure)
   (2) Configuration changes (Success/Failure)
7. Admin or root-level access (Success/Failure)
8. Privilege/Role escalation (Success/Failure)
9. Audit and security relevant log data accesses (Success/Failure)
10. System reboot, restart and shutdown (Success/Failure)
11. Print to a device (Success/Failure)
12. Print to a file (e.g., pdf format) (Success/Failure)
13. Application (e.g., Adobe, Firefox, MS Office Suite) initialization

Are there templated Splunk search commands for these? And if so, could you point me to them? Many thanks!
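One way to start building those dashboards, as an added example that is not part of the original post or any Splunk-provided template: keep a mapping from the JSIG categories above to the standard Windows Security event IDs that evidence them, generate one SPL search per category, and classify records into (category, outcome) pairs. It assumes the field names the Splunk Add-on for Microsoft Windows produces (EventCode, Keywords with "Audit Success"/"Audit Failure", user) and the sourcetype "WinEventLog:Security"; the event IDs are Microsoft's documented Security log IDs, and the sample records are constructed.

```python
from collections import Counter
from typing import Optional, Tuple

# JSIG category -> standard Windows Security event IDs that evidence it.
# Only categories with a direct Security-log source are listed; device
# export/import (3, 4) and printing (11, 12) need other logs or add-ons.
JSIG_EVENTS = {
    "1.1 Logon": {4624, 4625},
    "1.2 Logoff": {4634, 4647},
    "2 File/object access": {4656, 4663},
    "2.3 Delete": {4660},
    "2.5 Permission change": {4670},
    "5.1 User add/delete/modify/disable/lock": {4720, 4726, 4738, 4725, 4740},
    "5.2 Group add/delete/modify": {4727, 4730, 4735, 4731, 4734, 4737, 4754, 4758, 4755},
    "6.1 Audit policy change": {4719},
    "7/8 Privileged access / escalation": {4672, 4673, 4674},
    "9 Audit log cleared": {1102},
    "10 Startup/shutdown": {4608, 4609},
    "13 Application start (process creation)": {4688},
}

def spl_for(category: str) -> str:
    """Return a dashboard-ready SPL search for one JSIG category.
    Field names are assumed from the Windows add-on (EventCode, Keywords, user)."""
    codes = ",".join(str(c) for c in sorted(JSIG_EVENTS[category]))
    return (f'sourcetype="WinEventLog:Security" EventCode IN ({codes}) '
            '| eval outcome=if(match(Keywords,"Failure"),"Failure","Success") '
            '| stats count by EventCode, outcome, user')

def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Map one add-on style event record to (JSIG category, outcome), or None."""
    code = int(event["EventCode"])
    for category, codes in JSIG_EVENTS.items():
        if code in codes:
            outcome = "Failure" if "Failure" in event.get("Keywords", "") else "Success"
            return category, outcome
    return None  # not one of the JSIG-relevant events above

def summarize(events) -> Counter:
    """Count (category, outcome) pairs across a batch of event records."""
    return Counter(c for c in map(classify, events) if c is not None)

# Constructed sample records in the shape the Windows add-on produces.
SAMPLE = [
    {"EventCode": "4624", "Keywords": "Audit Success", "user": "alice"},
    {"EventCode": "4625", "Keywords": "Audit Failure", "user": "alice"},
    {"EventCode": "4720", "Keywords": "Audit Success", "user": "admin"},
    {"EventCode": "5156", "Keywords": "Audit Success", "user": "-"},  # firewall, not JSIG
]
```

Each spl_for() string can be pasted into a dashboard panel; the classify()/summarize() pair is the same logic in Python for checking a sample export before the searches go live.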