Rogue System Detection with Splunk

November 7, 2014

This Splunk search allows you to be alerted when a new IP address is seen by Bro. The requirements for this alert to work are the bro_known_hosts log and a CSV of all allowed IP addresses. Set up the CSV as an automatic lookup table. The automatic lookup table is set up based on the host (securityonion) and […]
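The detection logic the post describes, as an added Python example that is not part of the original post and not a Splunk search: it reads the same data the Splunk alert uses (Bro's known_hosts.log, which Bro writes tab-separated with `ts` and `host` columns, plus a CSV of allowed addresses) and reports every host that matches no allow-list entry, which is exactly the condition the automatic lookup leaves unmatched. Both inputs are constructed samples embedded inline. The CSV column name `ip` is an assumption; the example also goes slightly beyond the post by accepting CIDR ranges in the allow list as well as single addresses, which is useful when whole server VLANs are approved.

```python
import csv
import io
import ipaddress

# Constructed sample of a Bro known_hosts.log (tab-separated, with Bro's
# usual header lines). Real files share the "#fields ts host" layout.
SAMPLE_KNOWN_HOSTS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tknown_hosts
#open\t2014-11-07-10-00-00
#fields\tts\thost
#types\ttime\taddr
1415354400.123456\t10.0.1.15
1415354401.000000\t10.0.1.99
1415354402.500000\t192.168.5.7
1415354403.250000\t10.0.1.15
#close\t2014-11-07-11-00-00
"""

# Constructed allow list standing in for the CSV lookup table. The "ip" column
# name is an assumption; a real lookup may use a different header. Entries may
# be single addresses or CIDR ranges.
SAMPLE_ALLOWED_IPS_CSV = """ip,owner
10.0.1.15,workstation-lab
10.0.1.16,workstation-lab
192.168.5.0/24,server-vlan
"""


def parse_known_hosts(log_text):
    """Yield (ts, host) tuples from Bro known_hosts.log text, skipping header lines."""
    fields = None
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            # Bro declares the column layout in the "#fields" header line.
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("no #fields header before first record")
        record = dict(zip(fields, line.split("\t")))
        yield float(record["ts"]), record["host"]


def load_allowed_networks(csv_text, column="ip"):
    """Load the allow list CSV into ip_network objects (bare hosts become /32 or /128)."""
    networks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        networks.append(ipaddress.ip_network(row[column].strip(), strict=False))
    return networks


def find_new_hosts(log_text, csv_text):
    """Return sorted, de-duplicated hosts seen by Bro that match no allow-list entry.

    This is the same test the Splunk automatic lookup performs: a host whose
    lookup yields no row is unknown to the allow list and therefore alert-worthy.
    """
    allowed = load_allowed_networks(csv_text)
    unknown = set()
    for _ts, host in parse_known_hosts(log_text):
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in allowed):
            unknown.add(host)
    return sorted(unknown, key=ipaddress.ip_address)


if __name__ == "__main__":
    for host in find_new_hosts(SAMPLE_KNOWN_HOSTS_LOG, SAMPLE_ALLOWED_IPS_CSV):
        print("rogue host candidate:", host)
```

Run against the constructed samples, only 10.0.1.99 is reported: 10.0.1.15 is listed explicitly and 192.168.5.7 falls inside the approved /24. Repeated sightings of the same host collapse to one entry, which matches how you would want a Splunk alert to fire once per new address rather than once per log line.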