All Apps and Add-ons

Example of how to detect new interactive login from a service account?

Splunk Employee
Splunk Employee

Does anyone have examples of how to use Splunk to detect new interactive login from a service account?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Legitimate technicians use local admin accounts, but attackers use them too. In this use case, we'll search for new accounts that are elevated to local admins. This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.

Load data

This use case depends on Windows Security EventID 4720 or 4732 Audit Logs.

Best practice: Use the Splunk Add-on for Microsoft Windows to accelerate time to value the necessary Windows filesystem data. For details, see Is it a best practice to use the Splunk Add-on for Microsoft Windows? on Splunk Answers.

  1. Enable the [WinEventLog://Security] input in the add-on to collect Windows security data. For details, see our post How do I collect basic Windows OS Event Log data from my Windows systems? on Splunk Answers.
  2. Deploy the add-on to the search heads to use the Common Information Model to normalize the data at search time. See Install the Splunk Add-on for Windows in Splunk documents for the procedure.
  3. Run the following search to verify you are collecting Windows data: index=* source="win*security" EventCode=4720 OR (EventCode=4732 Administrators) | head 10

Get insights

This search looks for new accounts elevated to local admins. It finds Windows Security Events with account creation events or account changes with group membership events and puts those events together as a single transaction for each unique username.

Best practice: In searches, replace the asterisk in index= with the name of the index that contains the data. By default, Splunk stores data in the 'main' index. Therefore, index= becomes index=main. Use the OR operator to specify one or multiple indexes to search.
For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

index=* source="winEventLog:Security" EventCode=4720 OR (EventCode=4732 Administrators)
| transaction Security_ID maxspan=180m
| search EventCode=4720 (EventCode=4732 Administrators)
| table _time EventCode Account_Name Target_Account_Name Message

Known false positives: The only false positives for this search is for help desk admins who create local admin accounts. If this is common practice in the environment, filter out the admin account creation messages by excluding the usernames from the base search. If the local admin group does not include the term administrators, then it can potentially generate false negatives.

How to respond: When this search returns values, initiate the incident response process and capture the time of the creation, as well as the user accounts that created the account and the account name itself, the system that initiated the request and other pertinent information. Contact the owner of the system. If it is authorized behavior, document that this is authorized and by whom. If not, it's possible another person used the user credentials and additional investigation is warranted.

If no results appear, you may need to deploy the Splunk Add-on for Microsoft Windows to the search heads to use the knowledge objects necessary for simple searching.

Watch the following video to see an example of how to use Splunk Enterprise to find new local admin accounts.

New Interactive Logon from a Service Account

View solution in original post

Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Legitimate technicians use local admin accounts, but attackers use them too. In this use case, we'll search for new accounts that are elevated to local admins. This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.

Load data

This use case depends on Windows Security EventID 4720 or 4732 Audit Logs.

Best practice: Use the Splunk Add-on for Microsoft Windows to accelerate time to value the necessary Windows filesystem data. For details, see Is it a best practice to use the Splunk Add-on for Microsoft Windows? on Splunk Answers.

  1. Enable the [WinEventLog://Security] input in the add-on to collect Windows security data. For details, see our post How do I collect basic Windows OS Event Log data from my Windows systems? on Splunk Answers.
  2. Deploy the add-on to the search heads to use the Common Information Model to normalize the data at search time. See Install the Splunk Add-on for Windows in Splunk documents for the procedure.
  3. Run the following search to verify you are collecting Windows data: index=* source="win*security" EventCode=4720 OR (EventCode=4732 Administrators) | head 10

Get insights

This search looks for new accounts elevated to local admins. It finds Windows Security Events with account creation events or account changes with group membership events and puts those events together as a single transaction for each unique username.

Best practice: In searches, replace the asterisk in index= with the name of the index that contains the data. By default, Splunk stores data in the 'main' index. Therefore, index= becomes index=main. Use the OR operator to specify one or multiple indexes to search.
For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

index=* source="winEventLog:Security" EventCode=4720 OR (EventCode=4732 Administrators)
| transaction Security_ID maxspan=180m
| search EventCode=4720 (EventCode=4732 Administrators)
| table _time EventCode Account_Name Target_Account_Name Message

Known false positives: The only false positives for this search is for help desk admins who create local admin accounts. If this is common practice in the environment, filter out the admin account creation messages by excluding the usernames from the base search. If the local admin group does not include the term administrators, then it can potentially generate false negatives.

How to respond: When this search returns values, initiate the incident response process and capture the time of the creation, as well as the user accounts that created the account and the account name itself, the system that initiated the request and other pertinent information. Contact the owner of the system. If it is authorized behavior, document that this is authorized and by whom. If not, it's possible another person used the user credentials and additional investigation is warranted.

If no results appear, you may need to deploy the Splunk Add-on for Microsoft Windows to the search heads to use the knowledge objects necessary for simple searching.

Watch the following video to see an example of how to use Splunk Enterprise to find new local admin accounts.

New Interactive Logon from a Service Account

View solution in original post

Ultra Champion

I just changed to video to another that is a stronger match to this content.

0 Karma

Splunk Employee
Splunk Employee

Added related video.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!