Hi,
I am working on creating a use case for changes made in firewall configuration. Whenever a firewall admin making changes in a configuration, it should trigger an alert.
sourcetype=firewall action=accept user=admin login=(success OR failure)
Looking for better use case query options?
Okay, your best bet is to find out when (ie at what exact time) someone most recently changed your firewall, and look at all the traffic around then to identify the records that document the change.
For Windows, that would be EventIDs 849-860, 2002-2011, and 4949-4956. Now, these events will only be present if your operating systems are set to log them and your splunk is set to ingest them, rather than sending them to the null queue.
On Unix, as near as I can figure out, there isn't any standard process that automatically logs such changes, so you'd need to monitor the firewall configurations. In a large shop, you'd identify the changes by monitoring the automated process that periodically distributes configuration files. In my experience, that process usually runs daily (off hours) whether or not there are any changes.
Contact your network security group for assistance. If there is no network security group, per se, then contact your network admin, LAN admin, or IT group liaison -- or Spike, the guy who fixes your desktops when they go wonky -- and ask how the firewall update process works, then go from there.
Okay, your best bet is to find out when (ie at what exact time) someone most recently changed your firewall, and look at all the traffic around then to identify the records that document the change.
For Windows, that would be EventIDs 849-860, 2002-2011, and 4949-4956. Now, these events will only be present if your operating systems are set to log them and your splunk is set to ingest them, rather than sending them to the null queue.
On Unix, as near as I can figure out, there isn't any standard process that automatically logs such changes, so you'd need to monitor the firewall configurations. In a large shop, you'd identify the changes by monitoring the automated process that periodically distributes configuration files. In my experience, that process usually runs daily (off hours) whether or not there are any changes.
Contact your network security group for assistance. If there is no network security group, per se, then contact your network admin, LAN admin, or IT group liaison -- or Spike, the guy who fixes your desktops when they go wonky -- and ask how the firewall update process works, then go from there.
Thanks Dal for the information and guidance.
@ADCW7TQ - Sure! Let us know how it comes out, and especially please tag me if you find your shop is significantly different from the above or if you learn anything significant that I didn't know.
This whole splunk thing is a learning process, and if there's one thing I've completely learned, it is that there are a LOT of ways to do anything in tech.