- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Need use case query for firewall configuration cha...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am working on creating a use case for changes made in firewall configuration. Whenever a firewall admin making changes in a configuration, it should trigger an alert.
sourcetype=firewall action=accept user=admin login=(success OR failure)
Looking for better use case query options?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, your best bet is to find out when (ie at what exact time) someone most recently changed your firewall, and look at all the traffic around then to identify the records that document the change.
For Windows, that would be EventIDs 849-860, 2002-2011, and 4949-4956. Now, these events will only be present if your operating systems are set to log them and your splunk is set to ingest them, rather than sending them to the null queue.
On Unix, as near as I can figure out, there isn't any standard process that automatically logs such changes, so you'd need to monitor the firewall configurations. In a large shop, you'd identify the changes by monitoring the automated process that periodically distributes configuration files. In my experience, that process usually runs daily (off hours) whether or not there are any changes.
Contact your network security group for assistance. If there is no network security group, per se, then contact your network admin, LAN admin, or IT group liaison -- or Spike, the guy who fixes your desktops when they go wonky -- and ask how the firewall update process works, then go from there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, your best bet is to find out when (ie at what exact time) someone most recently changed your firewall, and look at all the traffic around then to identify the records that document the change.
For Windows, that would be EventIDs 849-860, 2002-2011, and 4949-4956. Now, these events will only be present if your operating systems are set to log them and your splunk is set to ingest them, rather than sending them to the null queue.
On Unix, as near as I can figure out, there isn't any standard process that automatically logs such changes, so you'd need to monitor the firewall configurations. In a large shop, you'd identify the changes by monitoring the automated process that periodically distributes configuration files. In my experience, that process usually runs daily (off hours) whether or not there are any changes.
Contact your network security group for assistance. If there is no network security group, per se, then contact your network admin, LAN admin, or IT group liaison -- or Spike, the guy who fixes your desktops when they go wonky -- and ask how the firewall update process works, then go from there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Dal for the information and guidance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ADCW7TQ - Sure! Let us know how it comes out, and especially please tag me if you find your shop is significantly different from the above or if you learn anything significant that I didn't know.
This whole splunk thing is a learning process, and if there's one thing I've completely learned, it is that there are a LOT of ways to do anything in tech.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
