Getting Data In

Number of events in logs after migrating to Exchange 2016

heathramos
Path Finder

We recently added Exchange 2016 to our Exchange environment and moved all mailboxes/pubic folders to it.

We have an universal forwarder installed on it and are getting a lot more security events forwarded to Splunk than the old Exchange 2010 server (from 4k per hour to 191k).

98% of the events from the security log of the Exchange 2016 server are Event Codes 4624, 4634 and 4672.

Should I be blacklisting at least a portion of these codes so I can drop it down to a reasonable number? This traffic is pushing me over my license limit and I need to address it.

The audit policies and blacklist on the Exchange 2010 and 2016 servers seem to be the same so I am not sure why the new server is so much more noisier.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Okay, so I'd check a few things before answering.

First, VALIDATION: has the update to the 2016 caused a real increase of activity? For instance, is Exchange 2016 polling ten times as often, or chattering in some way? Are the connections dropping, and if so, is that by design? In other words, first make sure that you are not detecting a misconfiguration issue that should be resolved at the other end.

Second, EFFICIENCY: have you already installed transforms to drop the "wordiness" of Microsoft Event Codes? Literally 80% of a Microsoft event is redundant wording describing what the event is, that should have been presented in a table somewhere instead of written in each event. There are various add ons that can rip out all the redundant data while leaving the unique stuff.

Third, USE CASE: what is the purpose of your Splunk installation, and will that purpose be met if you don't have all the logons and logoffs of that type?

After you get past the above questions, You will be able to make a valid decision regarding data truncation.

I'd suggest that you are more interested in failed logons than real ones, and that it might be possible to truncate more of the logoffs before ingestion, since there is always a prior logon with the details, but those are nits compared with the results of the first two questions.

0 Karma

heathramos
Path Finder

I am not sure I have great answers but here it goes...

Validation: No misconfiguration afaik. Followed Microsoft procedures. We upgraded to Outlook 2019 at the same time which did cause issues but have been addressed (autodiscovery issues, encryption plug-in).

Efficiency: We have the same props file as the old Exchange server that uses SEDCMD

Use Case: We have Splunk alerts and Reports for various purposes (security mainly). From monitoring who is using VPN to changes to changes to local admin groups to file/folder auditing. Would blacklisting something like computer account logins over the network break any of my alerts or reports? Highly doubtful but I am always hesitant in blacklisting items that may be useful down the road.

Example: what if another report or alert notified me of a security breach but when I started looking thru logs, I discovered I had a need for something blacklisted? Kind of late at that point. Sometimes I log things not for everyday usage but if I need it for an investigation of some kind. So, in general, I need to be fairly comfortable it won't be useful in the future.

0 Karma

heathramos
Path Finder

regarding Event Code 4624:

is it safe to blacklist 4624 logon type 3 if the user is the computer account?

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...