Alerting

How create an alert that will trigger when server is being attacked to satisfy Splunk STIG

alfredoh14
Explorer

Hello,
I need to create a simple alert that would satisfy the below DOD STIG:
SPLK-CL-000320 - Splunk Enterprise must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.


We do not have a budget to buy the paid splunk security app. But we haveSPLUNK enterprise 9 installed. 
Moreover, we are inside an intranet so attacks, if any, would be minimal.

therefore, I would like to get any ideas of what would be considered an attack?
for example I have the below ideas myself:
1. user logs in but is denied access for whatever reason.
2. user attempts to open a file he/she does not have rights to.

I am experienced on splunk more than linux security so any help would be apreciated.

 

 

Labels (1)
0 Karma

alfredoh14
Explorer

I am working on a linux server, does anyone have a few spl suggestions? which logs to look for?  what text to look for in thelogs?  that would be great help.  thanks for the responses but i need somethin more specific, like what logs/text to look for.  i have the linux app installed and the os index is basically indexing most of the important log files in /ar/log, but do not know what to look for or which log to specifically target.  help would be apreciated.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Noone can tell you what _you_ need to monitor and what to look for - it depends on your environments, your use cases, your users and your work characteristics.

You can look for inspiration here https://research.splunk.com/

0 Karma

PickleRick
SplunkTrust
SplunkTrust

it's a very broad description.

And don't worry about lack of Enterprise Security app. Yes, it's great and has many useful functionalities but you can do quite a lot with Splunk Enterprise on its own. The "problem" here is that you don't know what you need. Think what data you have and what can tell you of a possible attack.

You can use Security Essentials app for inspiration.

But please, don't do "checkbox security" meaning "just write something that seems to satisfy some literal requirement in the least-effort way possible" so that you can cross it off your todo list. That actually impairs your security posture.

0 Karma

deepakc
Builder

As you are not able to use Splunk ES(SIEM) you can still do a lot of security monitoring with Splunk.

At a high level:

 I would first look at the various data sources, that give you the data you want such as Windows & Linux Authentication and Access Linux Logs (event logs in Windows - Security Event Log and various secure logs in Linux - /var/log/auth.log /var/log/secure / /var/log/audit/audit.log etc).

 For File level access Windows or Linux, you need Audit logging enabled, so you will need to ensure this data is in the logs

Its best to work with your security team / OS admins, define and ensure the logs you want are set, and start to ingest the data into Splunk as per standard methods.

Once you have data/log ingested into Splunk you can, analyse the data and begin to develop the SPL Query.

I would start by looking at the Splunk Security Essentials - this provide many uses cases and the SPL code. Yes, many are related to Splunk ES(SIEM), but you can still begin to look at some of the basic ones with SPL, example  Brute Force Detection this will show some out of the box SPL, from there you can use and develop and look at others.

Once you have the ones suitable for you environment,  and you have tested them, you can set reports and email alerts via Splunk. 

Download this app, it’s to help with security use cases and then some more. (Its not a monitoring app)

This is the app

https://splunkbase.splunk.com/app/3435 

This is getting started with SE 

https://lantern.splunk.com/Security/Getting_Started/Getting_started_with_Splunk_Security_Essentials 

Use Case Explorer - helps with more use cases

https://lantern.splunk.com/Security/UCE 

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...