Trying to make a dashboard for overall security in Splunk.
Here are a few of the searches I have:
Web attacks - index=main "../etc/passwd" OR "union select" OR "javascript:" OR " " query!="getHelp()" | stats count by host
Failed logins - index=main "EventCode=4776" OR "Failed password for" OR "Access denied for user" OR "Login failed for user" | stats count by host | search count > 3 | sort count
The failed logins search is to detect Windows logins, SSH, MySQL, and MSSQL.
Anyone have any suggestions on improving them?
I have also been trying to build searches to detect APTs, malware, and network attacks like DNS and ARP spoofing/poisoning. Any pointers on that? Thank you.
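The two searches above, re-expressed as a small Python stand-in for the SPL and run over constructed sample events so the counting and threshold logic can be checked offline. This is an added example, not code from the post or from Splunk: the hosts, IPs and log messages are made up, the bare `" "` term of the web-attack search is dropped because a lone space matches nothing useful, and the failed-login side goes one step beyond the original search by treating a Windows 4776 event as a failure only when its Error Code is non-zero (4776 is also logged, with Error Code 0x0, for every successful NTLM validation, so matching the event ID alone counts successes as failures). Term matching is case-insensitive substring matching, which approximates but does not exactly reproduce Splunk's token-based search.

```python
import re
from collections import Counter

# Constructed sample events as (host, raw message). Hosts, addresses and
# account names are hypothetical and were made up for this example.
SAMPLE_EVENTS = [
    ("web01", "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1 200"),
    ("web01", "GET /items?id=1 UNION SELECT username,password FROM users HTTP/1.1 500"),
    ("web02", "GET /help?query=getHelp() HTTP/1.1 200"),          # legitimate, excluded by query!=
    ("web02", "GET /profile?name=javascript:alert(1) HTTP/1.1 200"),
    ("dc01",  "EventCode=4776 Error Code: 0x0 Logon Account: alice"),        # success, not a failure
    ("dc01",  "EventCode=4776 Error Code: 0xC000006A Logon Account: bob"),   # bad password
    ("dc01",  "EventCode=4776 Error Code: 0xC000006A Logon Account: bob"),
    ("dc01",  "EventCode=4776 Error Code: 0xC000006A Logon Account: bob"),
    ("dc01",  "EventCode=4776 Error Code: 0xC000006A Logon Account: bob"),
    ("ssh01", "sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2"),
    ("ssh01", "sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2"),
    ("db01",  "Access denied for user 'app'@'10.0.0.7' (using password: YES)"),
    ("db01",  "Login failed for user 'sa'. Reason: Password did not match"),
    ("db01",  "Access denied for user 'app'@'10.0.0.7' (using password: YES)"),
    ("db01",  "Access denied for user 'app'@'10.0.0.7' (using password: YES)"),
    ("db01",  "Access denied for user 'app'@'10.0.0.7' (using password: YES)"),
]

# Indicator strings taken from the two searches in the post.
WEB_ATTACK_TERMS = ("../etc/passwd", "union select", "javascript:")
FAILED_LOGIN_TERMS = ("Failed password for", "Access denied for user", "Login failed for user")

# Stand-in for Splunk's extracted "query" field: the query= URL parameter.
QUERY_FIELD = re.compile(r"[?&]query=([^&\s]+)")
# Windows 4776 with its Error Code; 0x0 means the credential validation succeeded.
NTLM_EVENT = re.compile(r"EventCode=4776\b.*Error Code:\s*(0x[0-9A-Fa-f]+)")


def _contains_any(message, terms):
    """Case-insensitive substring match, approximating Splunk's free-text terms."""
    lower = message.lower()
    return any(term.lower() in lower for term in terms)


def web_attacks_by_host(events):
    """Equivalent of: <terms> query!="getHelp()" | stats count by host."""
    counts = Counter()
    for host, message in events:
        m = QUERY_FIELD.search(message)
        if m and m.group(1) == "getHelp()":
            continue                      # query!="getHelp()"
        if _contains_any(message, WEB_ATTACK_TERMS):
            counts[host] += 1
    return dict(counts)


def is_failed_login(message):
    """True for SSH/MySQL/MSSQL failure strings, or a 4776 with a non-zero Error Code."""
    m = NTLM_EVENT.search(message)
    if m:
        return m.group(1).lower() != "0x0"
    return _contains_any(message, FAILED_LOGIN_TERMS)


def failed_logins_by_host(events, threshold=3):
    """Equivalent of: ... | stats count by host | search count > 3 | sort - count."""
    counts = Counter(host for host, message in events if is_failed_login(message))
    hits = [(host, n) for host, n in counts.items() if n > threshold]
    # Highest count first; host name breaks ties so the order is deterministic.
    return sorted(hits, key=lambda hc: (-hc[1], hc[0]))


if __name__ == "__main__":
    print("web attacks by host:", web_attacks_by_host(SAMPLE_EVENTS))
    print("hosts over failed-login threshold:", failed_logins_by_host(SAMPLE_EVENTS))
```

On the sample data `dc01` has five 4776 events but only four count as failures, and `ssh01` with two failures stays under the threshold; in the original SPL the same effect for Windows comes from adding a field condition on the 4776 error code rather than matching the event ID alone.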