
Windows Filtering Platform event logs - Username

CyberCyber
New Member

Hi

I'm currently working on obtaining Windows Filtering Platform event logs to identify the user responsible for running an application. My goal is to enhance firewall rules by considering both the application and the specific user. To achieve this, I've set up a system to send all logs to Splunk, which is already operational. However, I've encountered an issue with WFP event logs not displaying the authorized principal user who executed the application. This absence of user information makes it challenging to determine who used what application before I can further refine the firewall rules.

If you have any insights or suggestions on how to address this issue, I would greatly appreciate your assistance. I can readily access various details such as destination, source, port, application, and protocol, but the missing username is a crucial piece of information I need.

Thank you for any guidance you can provide.


PickleRick
SplunkTrust

Ok, but if you don't have this information in the logs, how should Splunk help here? It's the source's responsibility to produce logs. If you have means of 1) identifying unambiguously which instance of a program hit the firewall rule and 2) logging spawning of processes, then maybe you could somehow correlate that together. But if you don't have this info, how would you like to get it? Guess?

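The correlation PickleRick describes (pair each firewall event with the process-creation event that spawned the same process) can be sketched outside Splunk to see what it needs. The example below is added here and is not code from either poster. It assumes the two sources are Windows Security events already split into fields, the way a Splunk Windows input presents them: Event ID 5156 (WFP permitted a connection), which carries a decimal ProcessID and an NT device path in Application but no user, and Event ID 4688 (process creation), which carries the creating account but a hexadecimal NewProcessId and a drive-letter path. 4688 only exists if "Audit Process Creation" is enabled. The sample events are constructed for the example; PIDs, paths, users and addresses are made up. The join handles two real pitfalls: the two sources write the PID in different bases, and PIDs get reused, so the match takes the most recent 4688 for that PID at or before the connection and also requires the executable path to agree.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample events shaped after Windows Security Event ID 4688
# (process creation). Values are made up for this example.
PROCESS_EVENTS = [
    {"EventCode": 4688, "_time": "2024-05-01T09:00:00", "NewProcessId": "0x1a4c",
     "NewProcessName": "C:\\Program Files\\Tool\\tool.exe",
     "SubjectDomainName": "CORP", "SubjectUserName": "alice"},
    # Same PID handed out again five minutes later to a different image.
    {"EventCode": 4688, "_time": "2024-05-01T09:05:00", "NewProcessId": "0x1a4c",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM"},
    {"EventCode": 4688, "_time": "2024-05-01T09:10:00", "NewProcessId": "0x2b10",
     "NewProcessName": "C:\\Users\\bob\\app.exe",
     "SubjectDomainName": "CORP", "SubjectUserName": "bob"},
]

# Constructed sample events shaped after Event ID 5156 (WFP permitted a
# connection). Note the decimal PID and the \device\harddiskvolumeN path.
WFP_EVENTS = [
    {"EventCode": 5156, "_time": "2024-05-01T09:01:30", "ProcessID": "6732",
     "Application": "\\device\\harddiskvolume3\\program files\\tool\\tool.exe",
     "DestAddress": "10.0.0.5", "DestPort": "443", "Protocol": "6"},
    {"EventCode": 5156, "_time": "2024-05-01T09:06:00", "ProcessID": "6732",
     "Application": "\\device\\harddiskvolume3\\windows\\system32\\svchost.exe",
     "DestAddress": "10.0.0.9", "DestPort": "53", "Protocol": "17"},
    {"EventCode": 5156, "_time": "2024-05-01T09:12:00", "ProcessID": "11024",
     "Application": "\\device\\harddiskvolume3\\users\\bob\\app.exe",
     "DestAddress": "203.0.113.7", "DestPort": "80", "Protocol": "6"},
    # No matching 4688 at all (e.g. process started before auditing was on).
    {"EventCode": 5156, "_time": "2024-05-01T09:13:00", "ProcessID": "999",
     "Application": "\\device\\harddiskvolume3\\unknown.exe",
     "DestAddress": "203.0.113.8", "DestPort": "80", "Protocol": "6"},
]


def normalize_path(path: str) -> str:
    """Strip 'C:\\' or '\\device\\harddiskvolumeN\\' so both sources compare equal."""
    return re.sub(r"^(?:[a-z]:\\|\\device\\harddiskvolume\d+\\)", "", path.lower())


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_creator(wfp_event: dict, process_events: list) -> Optional[dict]:
    """Return the 4688 event that most plausibly spawned the process in wfp_event.

    Matches on PID (4688 stores it as hex, 5156 as decimal), requires the
    creation to precede the connection, and requires the same executable
    path, which guards against PID reuse. Picks the latest such creation.
    """
    pid = int(wfp_event["ProcessID"])
    when = parse_time(wfp_event["_time"])
    app = normalize_path(wfp_event["Application"])
    candidates = [
        p for p in process_events
        if int(p["NewProcessId"], 16) == pid
        and parse_time(p["_time"]) <= when
        and normalize_path(p["NewProcessName"]) == app
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda p: parse_time(p["_time"]))


def enrich(wfp_events: list, process_events: list) -> list:
    """Copy each WFP event and add a User field (DOMAIN\\name) or None if unmatched."""
    enriched = []
    for event in wfp_events:
        creator = find_creator(event, process_events)
        user = (f"{creator['SubjectDomainName']}\\{creator['SubjectUserName']}"
                if creator else None)
        enriched.append({**event, "User": user})
    return enriched


if __name__ == "__main__":
    for row in enrich(WFP_EVENTS, PROCESS_EVENTS):
        print(row["_time"], row["Application"], "->", row["DestAddress"],
              row["DestPort"], "user:", row["User"])
```

Two caveats carry over to whatever SPL eventually implements this: the user in 4688 is the account that created the process, which for anything launched by a service is the service account rather than the interactive user, and a connection whose process predates the start of process auditing (the last sample event) simply has no owner to find, so the report should show it as unknown rather than dropping it.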