Security

Need use case query for firewall configuration changes in a network

Explorer

Hi,

I am working on creating a use case for changes made in firewall configuration. Whenever a firewall admin making changes in a configuration, it should trigger an alert.

sourcetype=firewall action=accept user=admin login=(success OR failure)

Looking for better use case query options?

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Okay, your best bet is to find out when (ie at what exact time) someone most recently changed your firewall, and look at all the traffic around then to identify the records that document the change.

For Windows, that would be EventIDs 849-860, 2002-2011, and 4949-4956. Now, these events will only be present if your operating systems are set to log them and your splunk is set to ingest them, rather than sending them to the null queue.

On Unix, as near as I can figure out, there isn't any standard process that automatically logs such changes, so you'd need to monitor the firewall configurations. In a large shop, you'd identify the changes by monitoring the automated process that periodically distributes configuration files. In my experience, that process usually runs daily (off hours) whether or not there are any changes.

Contact your network security group for assistance. If there is no network security group, per se, then contact your network admin, LAN admin, or IT group liaison -- or Spike, the guy who fixes your desktops when they go wonky -- and ask how the firewall update process works, then go from there.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Okay, your best bet is to find out when (ie at what exact time) someone most recently changed your firewall, and look at all the traffic around then to identify the records that document the change.

For Windows, that would be EventIDs 849-860, 2002-2011, and 4949-4956. Now, these events will only be present if your operating systems are set to log them and your splunk is set to ingest them, rather than sending them to the null queue.

On Unix, as near as I can figure out, there isn't any standard process that automatically logs such changes, so you'd need to monitor the firewall configurations. In a large shop, you'd identify the changes by monitoring the automated process that periodically distributes configuration files. In my experience, that process usually runs daily (off hours) whether or not there are any changes.

Contact your network security group for assistance. If there is no network security group, per se, then contact your network admin, LAN admin, or IT group liaison -- or Spike, the guy who fixes your desktops when they go wonky -- and ask how the firewall update process works, then go from there.

View solution in original post

0 Karma

Explorer

Thanks Dal for the information and guidance.

SplunkTrust
SplunkTrust

@ADCW7TQ - Sure! Let us know how it comes out, and especially please tag me if you find your shop is significantly different from the above or if you learn anything significant that I didn't know.

This whole splunk thing is a learning process, and if there's one thing I've completely learned, it is that there are a LOT of ways to do anything in tech.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!