What are the top 5 searches you have automated or would like to automate in Graylog?
Please share your thoughts below 
What do you mean by “automating searches”?
1 Like
@jtkarvo that could be every “saved search” or search that you are do at least once a day. Like you search for the browser agents in your web server log files and build quick values from that.
1 Like
- Security focused searches, like looking for people trying to send tags, or sql queries. Then if I find anything, I then look for all the traffic from that person.
- 200’s/404’s over time
- java exceptions
- PHP fatal errors
1 Like
-
WebServer
Top IPs with # of hits -
OS
Top IPs/users with failed login attempts
Top ports accessed -
Network Device
Top SNMP Traps received
1 Like
- Failed logins by IP, Computer, User from AD and Exchange, ADFS
- VDI Session Usage
- Web Browser type, codes
- Source IP Maps
- Exchange Message Tracking top senders, recipients
1 Like
- WebServer and proxy (apache & Squid, top web sites, denied, httpd_status, duration_usec, …)
- Mail infrastructure (Postfix, Cyrus)
- Identity: openldap & AD & workflow rules (users, groups, workstations, audit, etc)
- Freeradius (Top users, etc)
- Network Device & DHCP/DNS servers
I would really like to automate a way to correlate all IPs that are involved in an access denied, or too much access in the last day/week with common threat intelligence DB (hopefully can do this soon with the threat intelligence plugin)
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.