Security

Need use case query for firewall configuration changes in a network

ADCW7TQ
Explorer

Hi,

I am working on creating a use case for changes made in firewall configuration. Whenever a firewall admin making changes in a configuration, it should trigger an alert.

sourcetype=firewall action=accept user=admin login=(success OR failure)

Looking for better use case query options?

Tags (2)
0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Okay, your best bet is to find out when (ie at what exact time) someone most recently changed your firewall, and look at all the traffic around then to identify the records that document the change.

For Windows, that would be EventIDs 849-860, 2002-2011, and 4949-4956. Now, these events will only be present if your operating systems are set to log them and your splunk is set to ingest them, rather than sending them to the null queue.

On Unix, as near as I can figure out, there isn't any standard process that automatically logs such changes, so you'd need to monitor the firewall configurations. In a large shop, you'd identify the changes by monitoring the automated process that periodically distributes configuration files. In my experience, that process usually runs daily (off hours) whether or not there are any changes.

Contact your network security group for assistance. If there is no network security group, per se, then contact your network admin, LAN admin, or IT group liaison -- or Spike, the guy who fixes your desktops when they go wonky -- and ask how the firewall update process works, then go from there.

View solution in original post

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Okay, your best bet is to find out when (ie at what exact time) someone most recently changed your firewall, and look at all the traffic around then to identify the records that document the change.

For Windows, that would be EventIDs 849-860, 2002-2011, and 4949-4956. Now, these events will only be present if your operating systems are set to log them and your splunk is set to ingest them, rather than sending them to the null queue.

On Unix, as near as I can figure out, there isn't any standard process that automatically logs such changes, so you'd need to monitor the firewall configurations. In a large shop, you'd identify the changes by monitoring the automated process that periodically distributes configuration files. In my experience, that process usually runs daily (off hours) whether or not there are any changes.

Contact your network security group for assistance. If there is no network security group, per se, then contact your network admin, LAN admin, or IT group liaison -- or Spike, the guy who fixes your desktops when they go wonky -- and ask how the firewall update process works, then go from there.

0 Karma

ADCW7TQ
Explorer

Thanks Dal for the information and guidance.

DalJeanis
SplunkTrust
SplunkTrust

@ADCW7TQ - Sure! Let us know how it comes out, and especially please tag me if you find your shop is significantly different from the above or if you learn anything significant that I didn't know.

This whole splunk thing is a learning process, and if there's one thing I've completely learned, it is that there are a LOT of ways to do anything in tech.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...