Is there a list of common security related alerts somewhere? Like a cheat sheet of security alerts on various types of servers. I know there's the Enterprise Security app, but it's too expensive for us.
Alerts like: multiple failed login attempts in a short period of time, an abnormal spike in traffic on a webserver, registry changes on Windows machines, etc.
There isn't a specific list I've seen anywhere. I've found the generic alerts in Enterprise Security to be mostly useless. Your IDS / IPS or the native systems should be handling a fair majority of those use cases.
What sorts of systems are you sending to Splunk?
Example Use Cases For Windows:
- Who can modify user accounts? Alert if anyone else does it.
- Are there any accounts being used that don't match your naming standards?
- Are there any accounts of a specific standard behaving differently? For example, is a server account logging in to an endpoint?
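The three Windows use cases above, plus the "multiple failed logins in a short period" alert from the question, expressed as detection logic run over a handful of constructed Windows Security events. This is an added example, not code from this thread, from Splunk, or from Enterprise Security; it is written in Python so the logic can be run stand-alone, and each function maps directly onto a scheduled Splunk search. The admin list, the naming-standard regex, the `svc_` server-account prefix and the `WS-` workstation host prefix are hypothetical site conventions, and the sample events are constructed (field names follow the Windows Security log as Splunk indexes it: `EventCode`, `SubjectUserName`, `TargetUserName`, `IpAddress`, `host`).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs). SubjectUserName is who acted,
# TargetUserName is the account acted on (or the account logging on).
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T09:00:00", "EventCode": 4720, "SubjectUserName": "adm_jsmith",
     "TargetUserName": "u_jdoe", "IpAddress": "-", "host": "DC01"},
    {"_time": "2024-01-10T09:05:00", "EventCode": 4738, "SubjectUserName": "u_bwayne",
     "TargetUserName": "adm_jsmith", "IpAddress": "-", "host": "DC01"},
    {"_time": "2024-01-10T09:10:00", "EventCode": 4624, "SubjectUserName": "-",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.20", "host": "WS-ACCT-12"},
    {"_time": "2024-01-10T09:11:00", "EventCode": 4624, "SubjectUserName": "-",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.20", "host": "SRV-FILE01"},
    {"_time": "2024-01-10T09:12:00", "EventCode": 4624, "SubjectUserName": "-",
     "TargetUserName": "temp123", "IpAddress": "10.0.0.31", "host": "WS-ACCT-07"},
    {"_time": "2024-01-10T09:13:00", "EventCode": 4624, "SubjectUserName": "-",
     "TargetUserName": "u_jdoe", "IpAddress": "10.0.0.31", "host": "WS-ACCT-07"},
] + [
    # five failed logons from one source inside 40 seconds (constructed burst)
    {"_time": f"2024-01-10T09:20:{s:02d}", "EventCode": 4625, "SubjectUserName": "-",
     "TargetUserName": "u_jdoe", "IpAddress": "10.0.0.55", "host": "DC01"}
    for s in (0, 10, 20, 30, 40)
] + [
    {"_time": "2024-01-10T09:30:00", "EventCode": 4625, "SubjectUserName": "-",
     "TargetUserName": "u_jdoe", "IpAddress": "10.0.0.9", "host": "DC01"},
]

# Hypothetical site policy (assumptions for this example, not from the thread).
ACCOUNT_ADMINS = {"adm_jsmith", "adm_kpatel"}          # only these may modify accounts
NAMING_STANDARD = re.compile(r"^(u|adm|svc)_[a-z]+$")  # u_ / adm_ / svc_ prefixes
SERVER_ACCOUNT_PREFIX = "svc_"                         # accounts meant for servers only
ENDPOINT_HOST_PREFIX = "WS-"                           # workstation / endpoint hosts
# create, enable, disable, delete, change, add to global/local security group
ACCOUNT_MGMT_EVENTS = {4720, 4722, 4725, 4726, 4738, 4728, 4732}


def unauthorized_account_changes(events, admins=ACCOUNT_ADMINS):
    """Use case 1: account-management events whose actor is not an approved admin."""
    return [
        (e["SubjectUserName"], e["TargetUserName"], e["EventCode"])
        for e in events
        if e["EventCode"] in ACCOUNT_MGMT_EVENTS
        and e["SubjectUserName"].lower() not in admins
    ]


def nonstandard_accounts(events, standard=NAMING_STANDARD):
    """Use case 2: account names seen in any event that violate the naming standard.
    Skips '-' (no account) and machine accounts (trailing '$'); Windows account
    names are case-insensitive, so the comparison is done lower-cased."""
    seen = set()
    for e in events:
        for field in ("SubjectUserName", "TargetUserName"):
            name = e[field].lower()
            if name != "-" and not name.endswith("$"):
                seen.add(name)
    return sorted(n for n in seen if not standard.match(n))


def server_accounts_on_endpoints(events):
    """Use case 3: a server/service account logging on (4624) to a workstation."""
    return sorted({
        (e["TargetUserName"], e["host"])
        for e in events
        if e["EventCode"] == 4624
        and e["TargetUserName"].lower().startswith(SERVER_ACCOUNT_PREFIX)
        and e["host"].upper().startswith(ENDPOINT_HOST_PREFIX)
    })


def failed_logon_bursts(events, threshold=5, window_seconds=60):
    """Failed logons (4625): sources with at least `threshold` failures inside any
    `window_seconds` span. Returns {source_ip: most failures seen in one window}."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4625:
            by_source[e["IpAddress"]].append(datetime.fromisoformat(e["_time"]))
    bursts = {}
    for src, times in by_source.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):            # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


if __name__ == "__main__":
    print("unauthorized account changes:", unauthorized_account_changes(SAMPLE_EVENTS))
    print("non-standard account names:  ", nonstandard_accounts(SAMPLE_EVENTS))
    print("server accounts on endpoints:", server_accounts_on_endpoints(SAMPLE_EVENTS))
    print("failed-logon bursts:         ", failed_logon_bursts(SAMPLE_EVENTS))
```

Each function is a single allow-list or threshold comparison, which is what keeps these alerts useful: the noise comes from the policy constants being wrong for your environment, not from the logic, so maintain the admin list and naming regex as lookups that the search reads rather than hard-coding them in the alert. The burst check uses a true sliding window rather than fixed buckets, so a run of failures that straddles a minute boundary is still caught.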
I'm sending Windows and Linux logs to Splunk.
Linux is a little tougher. I've yet to find too many good alerts.
This site, Malware Archaeology, has amazing resources for monitoring Windows systems via Splunk. I've implemented a fair number of their use cases.