
How to use Splunk to audit Windows processes created and the users who are running them?

chuckcoggins
Engager

Good evening,

I have been trying to figure out a way to get a list of all of the software that runs on my servers under the user Administrator.

The end goal is to disable the admin account and replace it with a bunch of specific users.

Ideally, I am going to have to figure out what services / software / backups etc. are run as Administrator.

Is this something Splunk can / will do for me?

I have been banging my head on this for about 2 days trying to figure out how to create scripts to do all of this, with no real luck other than figuring out which services.

Thank you in advance for any help you might be able to provide me.

0 Karma
1 Solution

whrg
Motivator

If I understand correctly, you want to monitor process creation.

For Windows servers, I'm familiar with two ways of process logging.

Option 1: Windows has a built-in feature for process tracking using the Windows Event Log. The particular Event Code we are interested in is 4688: A new process has been created.

By default, process tracking is turned off. You need to enable it in the Local Security Policy or via group policies:

[screenshot: Local Security Policy, audit policy setting for process tracking]

Next, you need to configure Splunk to monitor the Windows Event Log. Something like this via inputs.conf:

[WinEventLog://Security]
disabled = false
index = windows

Now these events should be available in Splunk:

index=windows source="WinEventLog:Security" EventCode=4688

[screenshot: Splunk search results showing EventCode 4688 events]

You can see that the user (Account Name) who ran this process got logged. (I anonymized it.)

Option 2: You install Sysmon in conjunction with Add-on for Microsoft Sysmon.

Sysmon can log a wealth of information, including process creation. I find it particularly useful that Sysmon can log the hash value for each process/program. You will also see which user runs which process. However, Sysmon is slightly more complex to set up.
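The Option 1 steps above, carried through on the server itself as an added example (this is not code from the original answer or from Splunk): enable the Process Creation audit subcategory, make 4688 record the command line, then roll up the 4688 events by executable for the account being retired. Run it in an elevated PowerShell session on the Windows 2012 R2 server. The account name in $TargetUser is an assumption; the registry value and auditpol subcategory are the documented Windows settings.

```powershell
# Added example, not part of the original thread. Run elevated.
$TargetUser = 'Administrator'   # assumed: the built-in account being retired

# 1. Enable the "Process Creation" subcategory of the advanced audit policy
#    (success and failure). A domain GPO that sets advanced audit policy will
#    overwrite this local setting on the next policy refresh, so set it there
#    for anything beyond a one-off test.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Make 4688 include the full command line. This is the GPO setting
#    "Include command line in process creation events"; without it the event
#    records only the image path, which is rarely enough to tell what a job does.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Confirm the policy took effect.
auditpol /get /subcategory:"Process Creation"

# 4. Read the 4688 events written since the policy change and aggregate them.
#    The XML data fields of 4688 are used directly (SubjectUserName,
#    NewProcessName, CommandLine) so this does not depend on the rendered text.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $d['SubjectUserName']
        Domain      = $d['SubjectDomainName']
        Process     = $d['NewProcessName']
        CommandLine = $d['CommandLine']
    }
}

# One line per executable launched by the target account, most frequent first,
# with one sample command line so you can tell a backup job from a stray shell.
$rows |
    Where-Object { $_.User -eq $TargetUser } |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'SampleCommandLine'; e = { ($_.Group | Select-Object -First 1).CommandLine } } |
    Format-Table -AutoSize
```

Two caveats when reading the result. First, on 2012 R2 the Subject of a 4688 event is the account that called CreateProcess, not necessarily the account the new process runs as: a service started by the Service Control Manager is attributed to SYSTEM, and the account the service actually logged on with shows up in its 4624 logon event instead (the newer "Target Subject" fields in 4688 only arrived with Windows 10 / Server 2016). Second, once the events are forwarded, the Splunk Add-on for Microsoft Windows extracts the "Account Name" and "New Process Name" labels as fields, so the same roll-up in SPL is along the lines of `index=windows EventCode=4688 Account_Name=Administrator | stats count by New_Process_Name`.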

chuckcoggins
Engager

Thank you so much for your help!
I should also be able to do this with EventID='4624' as well, using the same steps, correct?

0 Karma

whrg
Motivator

Yes, basically, the steps are the same for event code 4624 (successful login).

Again, it might be necessary to activate the corresponding audit policy for this particular event code.

Also, I forgot to mention that you should install the "Splunk Add-on for Microsoft Windows" on your search head so that you will get field extractions, etc.
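The 4624 variant, as an added example that is not part of the original answer: enable the Logon audit subcategory, then list every logon of the account being retired broken down by logon type, so service logons (type 5) and scheduled-task logons (type 4) stand out from interactive ones. Because 4624 records the account that logged on rather than the caller, this is the event that actually attributes services and tasks to the Administrator account on 2012 R2. The script ends by cross-checking the log against what is configured on the box. Run elevated; $TargetUser and the seven-day window are assumptions.

```powershell
# Added example, not part of the original thread. Run elevated.
$TargetUser = 'Administrator'   # assumed: the built-in account being retired

# "Logon" success auditing is commonly on by default, but set it explicitly
# (and capture failures) so the later search is not silently incomplete.
# As with Process Creation, a domain GPO may override this on refresh.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Logon types as defined for event 4624.
$logonTypes = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # TargetUserName is the account that logged on; SubjectUserName would be
    # the caller (SYSTEM for services), which is not what we are after here.
    if ($d['TargetUserName'] -ne $TargetUser) { continue }
    $lt = [int]$d['LogonType']
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = if ($logonTypes.ContainsKey($lt)) { $logonTypes[$lt] } else { "Type $lt" }
        LogonProc = $d['ProcessName']   # services.exe for type 5, svchost.exe for most tasks
        Source    = $d['IpAddress']
    }
}

$logons |
    Group-Object LogonType, LogonProc |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Cross-check the event log view against what is actually configured:
# services and scheduled tasks whose principal is the target account.
# StartName looks like ".\Administrator" or "DOMAIN\Administrator".
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match "(^|\\)$TargetUser$" } |
    Select-Object Name, StartName, StartMode, State

Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match "(^|\\)$TargetUser$" } |
    Select-Object TaskName, TaskPath, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```

Anything the event log shows under type 4 or 5 but the inventory does not list (or the reverse) is worth a second look before the account is disabled: a job that only runs monthly will not appear in a seven-day window, so widen $since to cover the longest schedule you have. In Splunk, with the add-on's extractions, the same breakdown is along the lines of `index=windows EventCode=4624 Account_Name=Administrator | stats count by Logon_Type, Process_Name`.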

whrg
Motivator

Which operating system is running on your servers?

0 Karma

chuckcoggins
Engager

Windows 2012R2

0 Karma