Create splunk alerts for suspicious activities of EC2 instances

Hi, I was assigned to set up splunk alerts that deals with malicious activities done in our EC2 instances, including: 1. SSH sessions / any login activities 2. changes to critical system config files 3. Download files form public internet, etc. Does anyone have a good approach to this? Thanks in advance!