Getting Data In

Windows Filtering Platform event logs - Username

CyberCyber
New Member

Hi

I'm currently working on obtaining Windows Filtering Platform event logs to identify the user responsible for running an application. My goal is to enhance firewall rules by considering both the application and the specific user. To achieve this, I've set up a system to send all logs to Splunk, which is already operational. However, I've encountered an issue with WFP event logs not displaying the authorized principal user who executed the application. This absence of user information makes it challenging to determine who used what application before I can further refine the firewall rules.

If you have any insights or suggestions on how to address this issue, I would greatly appreciate your assistance. I can readily access various details such as destination, source, port, application, and protocol, but the missing username is a crucial piece of information I need.

Thank you for any guidance you can provide.

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Ok, but if you don't have this information in the logs, how should Splunk help here? It's the source's responsibility to produce logs. If you have means of 1) identifying unambigously which instance of a program hit the firewall rule and 2) logging spawning of processes then maybe you could somehow correlate that together. But if you don't have this info how would you like to get it? Guess?

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...