
Need use case query for firewall configuration changes in a network

ADCW7TQ
Explorer

Hi,

I am working on creating a use case for changes made in firewall configuration. Whenever a firewall admin makes changes to a configuration, it should trigger an alert.

sourcetype=firewall action=accept user=admin login=(success OR failure)

Are there better use case query options?


DalJeanis
Legend

Okay, your best bet is to find out when (i.e., at what exact time) someone most recently changed your firewall, and look at all the traffic around then to identify the records that document the change.

For Windows, that would be EventIDs 849-860, 2002-2011, and 4949-4956. Now, these events will only be present if your operating systems are set to log them and your Splunk is set to ingest them, rather than sending them to the null queue.

On Unix, as near as I can figure out, there isn't any standard process that automatically logs such changes, so you'd need to monitor the firewall configurations. In a large shop, you'd identify the changes by monitoring the automated process that periodically distributes configuration files. In my experience, that process usually runs daily (off hours) whether or not there are any changes.

Contact your network security group for assistance. If there is no network security group, per se, then contact your network admin, LAN admin, or IT group liaison -- or Spike, the guy who fixes your desktops when they go wonky -- and ask how the firewall update process works, then go from there.
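As an added example (not code from the thread or from Splunk), a small Python detector that applies the two approaches in the answer above: matching Windows events against the EventID ranges it names, and diffing snapshots of a Unix firewall configuration. The sample event lines, the config lines and the key=value line layout are constructed assumptions.

```python
"""Flag firewall configuration changes two ways: by Windows EventID range
and by diffing successive snapshots of a Unix firewall config file."""
import difflib
import re

# EventID ranges quoted in the accepted answer for Windows firewall changes.
FIREWALL_CHANGE_RANGES = [(849, 860), (2002, 2011), (4949, 4956)]

# Constructed sample records in a key=value layout (assumed, not real data).
SAMPLE_EVENTS = """\
2024-05-01T09:12:03Z host=fw-host1 EventCode=4954 user=CORP\\jdoe
2024-05-01T09:12:05Z host=fw-host1 EventCode=4624 user=CORP\\jdoe
2024-05-01T09:15:40Z host=fw-host2 EventCode=2004 user=SYSTEM
2024-05-01T09:20:00Z host=fw-host2 EventCode=860 user=CORP\\admin
2024-05-01T09:21:00Z host=fw-host3 EventCode=861 user=CORP\\admin
"""

_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventCode=(?P<code>\d+) user=(?P<user>\S+)$"
)


def is_firewall_change(event_code: int) -> bool:
    """True when the EventCode falls inside one of the change ranges."""
    return any(lo <= event_code <= hi for lo, hi in FIREWALL_CHANGE_RANGES)


def firewall_change_alerts(raw: str) -> list:
    """Return one alert dict per record that documents a firewall change."""
    alerts = []
    for line in raw.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # unparsable record: skip it rather than abort the scan
        code = int(m["code"])
        if is_firewall_change(code):
            alerts.append({"time": m["ts"], "host": m["host"],
                           "user": m["user"], "event_code": code})
    return alerts


def config_diff(previous: str, current: str) -> list:
    """Unix path: lines added (+) or removed (-) between two config snapshots.
    An empty list means the distributed config did not change."""
    diff = difflib.unified_diff(previous.splitlines(), current.splitlines(),
                                lineterm="")
    return [l for l in diff
            if l[:1] in "+-" and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    for alert in firewall_change_alerts(SAMPLE_EVENTS):
        print("ALERT firewall change:", alert)
```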


ADCW7TQ
Explorer

Thanks Dal for the information and guidance.

DalJeanis
Legend

@ADCW7TQ - Sure! Let us know how it comes out, and especially please tag me if you find your shop is significantly different from the above or if you learn anything significant that I didn't know.

This whole Splunk thing is a learning process, and if there's one thing I've completely learned, it is that there are a LOT of ways to do anything in tech.
