I was assigned to set up Splunk alerts that deal with malicious activities done in our EC2 instances, including:
1. SSH sessions / any login activities
2. changes to critical system config files
3. Downloading files from the public internet, etc.
Does anyone have a good approach to this? Thanks in advance!
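One way to prototype the three detections before turning them into Splunk searches, added here as an example that is not part of the original post and not Splunk's own code. The logic runs over constructed sample lines (not real captures): sshd lines as forwarded from /var/log/secure, plus auditd SYSCALL/PATH/EXECVE records joined by their serial number, which is the same join a `transaction` or `stats by serial` does in SPL. The sourcetype names in the comments, the audit key `critical_config`, the failure threshold and the download allow-list are assumptions for this example; the auditd rules quoted in the comments are the ones the sample records would come from.

```python
"""Prototype detections for SSH logins, critical-config edits and public
downloads on EC2, run over constructed sample log lines."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample events for this example, not real captures.
SAMPLE_EVENTS = [
    # sshd, as forwarded from /var/log/secure on an Amazon Linux host
    "Mar 10 09:01:12 ip-10-0-1-23 sshd[1201]: Accepted publickey for ec2-user from 203.0.113.7 port 51522 ssh2: RSA SHA256:4e1b",
    "Mar 10 09:02:40 ip-10-0-1-23 sshd[1250]: Failed password for invalid user admin from 198.51.100.9 port 40122 ssh2",
    "Mar 10 09:02:41 ip-10-0-1-23 sshd[1251]: Failed password for invalid user admin from 198.51.100.9 port 40123 ssh2",
    "Mar 10 09:02:42 ip-10-0-1-23 sshd[1252]: Failed password for root from 198.51.100.9 port 40124 ssh2",
    "Mar 10 09:02:43 ip-10-0-1-23 sshd[1253]: Failed password for root from 198.51.100.9 port 40125 ssh2",
    "Mar 10 09:02:44 ip-10-0-1-23 sshd[1254]: Failed password for root from 198.51.100.9 port 40126 ssh2",
    # auditd file watch:  -w /etc/ssh/sshd_config -p wa -k critical_config
    'type=SYSCALL msg=audit(1710061500.123:456): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 comm="vim" exe="/usr/bin/vim" key="critical_config"',
    'type=PATH msg=audit(1710061500.123:456): item=1 name="/etc/ssh/sshd_config" inode=263 mode=0100600 nametype=NORMAL',
    # auditd execve logging:  -a always,exit -F arch=b64 -S execve -k exec
    'type=SYSCALL msg=audit(1710061600.500:470): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="curl" exe="/usr/bin/curl" key="exec"',
    'type=EXECVE msg=audit(1710061600.500:470): argc=3 a0="curl" a1="-O" a2="http://203.0.113.50/setup.sh"',
    'type=SYSCALL msg=audit(1710061601.000:471): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="curl" exe="/usr/bin/curl" key="exec"',
    'type=EXECVE msg=audit(1710061601.000:471): argc=2 a0="curl" a1="http://169.254.169.254/latest/meta-data/"',
]

SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
AUDIT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

FAILED_LOGIN_THRESHOLD = 5  # assumption: tune per environment
# Assumption: fetches from these hosts are expected (instance metadata, internal mirror).
ALLOWED_DOWNLOAD_HOSTS = {"169.254.169.254", "mirror.internal.example"}
DOWNLOADERS = {"curl", "wget"}


def parse_audit(events):
    """Group auditd records by serial so the SYSCALL, PATH and EXECVE lines of
    one event are seen together (SPL: ... | transaction serial)."""
    grouped = defaultdict(dict)
    for line in events:
        m = AUDIT_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        grouped[m["serial"]][m["type"]] = fields
    return grouped


def ssh_alerts(events):
    """Rule 1: every successful login is reported (interactive SSH to EC2 should be
    rare), and N+ failures from one source address is a brute-force alert.
    SPL: sourcetype=linux_secure sshd Accepted
         sourcetype=linux_secure "Failed password" | stats count by src | where count>=5"""
    alerts, failures = [], Counter()
    for line in events:
        m = SSH_RE.search(line)
        if not m:
            continue
        if m["result"] == "Accepted":
            alerts.append({"rule": "ssh_login", "user": m["user"], "src": m["src"], "method": m["method"]})
        else:
            failures[m["src"]] += 1
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append({"rule": "ssh_bruteforce", "src": src, "count": n})
    return alerts


def config_change_alerts(events):
    """Rule 2: a successful write/attribute change on a watched file. Report the
    login uid (auid) rather than uid, since the editor is usually run via sudo.
    SPL: sourcetype=linux_audit key=critical_config | transaction serial | table auid exe name"""
    alerts = []
    for recs in parse_audit(events).values():
        sc = recs.get("SYSCALL", {})
        if sc.get("key") != "critical_config" or sc.get("success") != "yes":
            continue
        alerts.append({"rule": "config_change", "file": recs.get("PATH", {}).get("name"),
                       "auid": sc.get("auid"), "exe": sc.get("exe")})
    return alerts


def download_alerts(events):
    """Rule 3: curl/wget launched with a URL whose host is not on the allow-list.
    SPL: sourcetype=linux_audit type=EXECVE a0 IN (curl, wget) | regex a*="https?://" ..."""
    alerts = []
    for recs in parse_audit(events).values():
        ex = recs.get("EXECVE")
        if not ex or ex.get("a0") not in DOWNLOADERS:
            continue
        for key, arg in ex.items():
            if not (key.startswith("a") and key[1:].isdigit()):
                continue
            if not arg.startswith(("http://", "https://", "ftp://")):
                continue
            host = urlsplit(arg).hostname
            if host and host not in ALLOWED_DOWNLOAD_HOSTS:
                alerts.append({"rule": "public_download", "url": arg, "host": host,
                               "auid": recs.get("SYSCALL", {}).get("auid")})
    return alerts


def run_all(events):
    return ssh_alerts(events) + config_change_alerts(events) + download_alerts(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Against the sample lines this yields four alerts: the ec2-user login, the brute-force source with five failures, the sshd_config edit attributed to auid 1000 via vim, and the curl to 203.0.113.50; the metadata-service fetch is allow-listed and produces nothing. The two pieces the Splunk searches depend on are the host side: auditd watch rules on the files you care about, and execve logging so downloads show up as EXECVE records rather than only as outbound flow logs.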