All Apps and Add-ons

Example of how to detect Windows audit log tampering?

sloshburch
Ultra Champion

Does anyone have examples of how to use Splunk to detect Windows audit log tampering?

0 Karma
1 Solution

sloshburch
Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

There rarely is a valid reason to be tampering with the audit logs of any system. Such actions may be evidence of a user or attacker removing evidence of their activity from the event logs.

Load data

How to implement: This example use case depends on Windows security and system event data, specifically audit log events (EventCode=1100 OR EventCode=1102 OR EventCode=104).

For Windows logon events, install the add-on for Splunk Add-on for Microsoft Windows and enable the [WinEventLog://Security] and [WinEventLog://System] inputs to collect Windows Event data from endpoints.

Get insights

Find Windows event codes that indicate the Windows Audit Logs were tampered with.

Run the following search.

index=* index=* (source="*WinEventLog:Security" AND (EventCode=1102 OR EventCode=1100)) OR ((source="*WinEventLog:System") AND EventCode=104) 
| stats count BY _time EventCode sourcetype host

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: When this search returns results, contact the owner of the account who is responsible for clearing the Windows logs to ensure it was a legitimate action.

Help

detect Windows audit log tampering

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

View solution in original post

sloshburch
Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

There rarely is a valid reason to be tampering with the audit logs of any system. Such actions may be evidence of a user or attacker removing evidence of their activity from the event logs.

Load data

How to implement: This example use case depends on Windows security and system event data, specifically audit log events (EventCode=1100 OR EventCode=1102 OR EventCode=104).

For Windows logon events, install the add-on for Splunk Add-on for Microsoft Windows and enable the [WinEventLog://Security] and [WinEventLog://System] inputs to collect Windows Event data from endpoints.

Get insights

Find Windows event codes that indicate the Windows Audit Logs were tampered with.

Run the following search.

index=* index=* (source="*WinEventLog:Security" AND (EventCode=1102 OR EventCode=1100)) OR ((source="*WinEventLog:System") AND EventCode=104) 
| stats count BY _time EventCode sourcetype host

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: When this search returns results, contact the owner of the account who is responsible for clearing the Windows logs to ensure it was a legitimate action.

Help

detect Windows audit log tampering

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

View solution in original post

sloshburch
Ultra Champion

The question and answer of this post have been updated to provide more explanation of the relevance.

0 Karma

sloshburch
Ultra Champion

Update: I changed the video link to youtube version.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.