I've got my data in but I now need to get some good use cases out of the Windows log data!

achauhan2098
Engager
Relatively new to Splunk, but after a few challenges I have my Splunk deployment up and running. I've limited this to 7 specific Windows event codes, namely (4776, 4720, 4723, 1102, 4624, 4726, 4625). I don't have to stick with these, but I had advice from Splunk that this would be a good start.

However, I now need to turn these into a good set of security use cases. I probably need to expand my inputs.conf file, as currently it's deliberately limited:
 
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4776,4720,4723,1102,4624,4726,4625
index=wineventlog
renderXml=true
 
[WinEventLog://System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
 
So my question is: to get some good security event logs from what I have configured above, do I just work with this and try to get the search terms to match what I'm trying to achieve, or is there anything more fundamental I need to change first?

Also, if there are any good resources for Windows security searches, that would be great.
 
Thanks!

gcusello
SplunkTrust

Hi @achauhan2098,

Welcome to the Splunk Community!

First, I suggest adding some other EventCodes to complete your first Windows analysis, with the following:

  • Access:
    • 4634 Logout: it's useful to understand the session closing.

Then, if you have logs from the Domain Controllers, the following are very useful for security monitoring:

  • Group Change Monitoring:
    • Event 4727: A Security-enabled Global Group was created
    • Event 4737: A Security-enabled Global Group was changed
    • Event 4728: A member was added to a security-enabled Global group
    • Event 4729: A member was removed from a security-enabled Global group
    • Event 4730: A Security-enabled Global Group was removed
    • Event 4754: A Security-enabled Universal Group was created
    • Event 4755: A Security-enabled Universal Group was changed
    • Event 4756: A member was added to a security-enabled Universal group
    • Event 4757: A member was removed from a security-enabled Universal group
    • Event 4758: A Security-enabled Universal Group was removed
    • Event 4731: A Security-enabled Local Group was created
    • Event 4735: A Security-enabled Local Group was changed
    • Event 4732: A member was added to a security-enabled Domain Local group
    • Event 4733: A member was removed from a security-enabled Domain Local group
    • Event 4734: A Security-enabled Domain Local Group was removed
    • Event 4781: Group Rename
    • Event 4764: Group Change Type

  • User Change Monitoring:
    • Event 4720: A user account was created
    • Event 4724: An attempt was made to reset an account password
    • Event 4738: A user account was changed
    • Event 4725: A user account was disabled
    • Event 4722: A user account was enabled
    • Event 4726: A user account was deleted

  • Policy Change Monitoring:
    • Event 4719: Policy Change

To have these EventCodes from the Domain Controllers, you have to enable them because, by default, they are disabled.

Anyway, the EventCodes you're ingesting are:

  • 4776: The domain controller attempted to validate the credentials for an account,
  • 4720: A user account was created,
  • 4723: An attempt was made to change an account's password,
  • 1102: The audit log was cleared,
  • 4624: Login,
  • 4726: A user account was deleted,
  • 4625: Login failure.

So these are some immediate security use cases that you can develop:

  • Brute force: many logins in a period on the same server,
  • Audit log deletion,
  • User account management (creation and deletion).

If you're interested in security use cases, I suggest installing the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435/), which proposes all the use cases possible with your data.

Ciao.

Giuseppe
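As an added example (not from the original thread, and not Splunk's own content), here is one way to turn the brute-force use case listed above into a search over the data the inputs.conf in the question already collects. It assumes the XML rendering that inputs.conf turns on (renderXml=true) together with the field extractions of the Splunk Add-on for Microsoft Windows, so the source value XmlWinEventLog:Security and the field names EventCode, TargetUserName, IpAddress and Computer are assumptions; with the classic rendering the equivalent fields carry different names (for example Account_Name and Source_Network_Address). The 10-minute window and the threshold of 20 failures are constructed starting values, not tuned numbers.

```spl
index=wineventlog source="XmlWinEventLog:Security" EventCode IN (4624, 4625) IpAddress!="-"
| eval outcome=if(EventCode=4625, "fail", "success")
| bin _time span=10m
| stats count(eval(outcome="fail"))    AS failures
        count(eval(outcome="success")) AS successes
        dc(TargetUserName)             AS distinct_users
        values(TargetUserName)         AS users
        BY _time, Computer, IpAddress
| where failures >= 20
| eval pattern=case(successes > 0,    "failures and a success from the same source in the window",
                    distinct_users > 1, "failures spread across many accounts (spraying pattern)",
                    true(),             "repeated failures against one account")
| sort - failures
```

The search reads both 4625 (failure) and 4624 (success) so that each 10-minute window per target host and source address carries the failure count, the success count and the set of accounts tried; the where clause keeps only windows above the threshold, and the final eval labels the shape of the activity so an analyst can triage the rows that also contain a success first. Local logons (IpAddress of "-") are excluded in the base search because they cannot be attributed to a remote source. To run it as a detection, save it as a scheduled alert over the last 15 minutes with a small overlap and raise or lower the threshold against the baseline the server actually shows. Note that 4776 on a Domain Controller records NTLM credential validation, including failed validations that never produce a 4625 on the DC itself, so a second search keyed on 4776 with a non-zero error code covers the gap when the failures happen against member servers that are not forwarding their own Security log.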
