Alerting

Is there a way to have Splunk notify admins when a user has removed or installed a Windows application they are not supposed to?

skparkj
New Member

Hello,

Is there a way to have Splunk notify admins when a user has removed a Windows application or installed an application that they are not supposed to? I know you can search Windows event IDs, but I believe that generates too many log files. Any apps or premium Splunk solutions?

0 Karma
1 Solution

jnussbaum_splun
Splunk Employee

The Splunk App for Windows Infrastructure (with the Splunk Add-on for Microsoft Windows installed on your endpoints) will show app installs, and can be configured to show uninstalls.

Event code 11707 is app installs, so you could either feed this search a filter to produce results where a program that's installed isn't a part of a lookup table or existing search result of programs that should be installed.

Similar logic can be applied to program uninstalls, which is Event code 11724.

Alerts can be created to schedule the search and take action when results are found.

As far as Windows generating too many log files, if needed, you could have the forwarder only forward the event codes you're looking for. If you do this, however, you'll be missing out on other use cases and value.

Hope this helps.

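As an added example (not part of the answer above), here is one way to write the lookup-based filter it describes as a single search that covers both event codes. It assumes Application log events collected by the Splunk Add-on for Microsoft Windows with sourcetype `WinEventLog:Application` and the `EventCode`, `SourceName`, `Message`, `host` and `user` fields, plus a lookup file `approved_software.csv` (assumed name) with columns `product` and `approved`, where `approved` holds `yes` for every package that is allowed.

```spl
index=wineventlog sourcetype="WinEventLog:Application" SourceName="MsiInstaller" (EventCode=11707 OR EventCode=11724)
| rex field=Message "^Product:\s+(?<product>.+?)\s+--\s+"
| eval action=case(EventCode==11707, "installed", EventCode==11724, "removed")
| lookup approved_software.csv product OUTPUT approved
| where isnull(approved)
| stats earliest(_time) AS first_seen latest(_time) AS last_seen values(user) AS user count BY host product action
| convert ctime(first_seen) ctime(last_seen)
```

The `rex` pulls the product name out of the MsiInstaller message text ("Product: <name> -- Installation completed successfully." for 11707, "Removal completed successfully." for 11724), the `lookup` leaves `approved` empty for anything not on the list, and `where isnull(approved)` keeps only those rows; save the search as a scheduled alert (for example every 15 minutes over the last 20 minutes) that triggers when the number of results is greater than 0.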

