Splunk Search

How to monitor smbv1 access on a domain via splunk ?

darphboubou
Explorer

Hi,

 

We wonder how to monitor the smbV1 access in a domain.

 

We are already enabled the eventcode 3000 log on windows log.

 

Now we want to know who use smbV1 to access on every host:

 

to start we use this request:

 

 

 

index=windows EventCode=3000   source="WinEventLog:Microsoft-Windows-SMBServer/Audit"

 

 

 

 

but now we want to display in a table / stats ... foreach host each computers / users access to them.

 

 

Could you help us please

Labels (2)
0 Karma

darphboubou
Explorer

Hi,

Hello,


thank you for your answer.


I want to determine the active use of the old SMBv1 protocol.


Because as you may know, SMBv1 is not secure at all.


So we want to analyze all the servers in the AD with event ID 3000 and sort them according to the number of events corresponding to event code 3000 that occurred on each of them.

thanks for the reply.

 

I want to determine using actively the old protocol SMBv1.

 

Because as you may know smbv1 is not secure at all.

 

so we want to scan all servers in AD with event id 3000. and sort then bye tne number of event matching event code 3000 taht occure on each of them.

 

Regards

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @darphboubou ,

I haven't event samples so I cannot see the field in interesting fields panel, so, running the main search 

index=windows EventCode=3000   source="WinEventLog:Microsoft-Windows-SMBServer/Audit"

which fields do you have in Interesting Fields panel?

Choose the ones to use for stats searches: e.g. if you want the number for user or for host, you could run something like:

index=windows EventCode=3000   source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
| stats count BY user

or 

index=windows EventCode=3000   source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
| chart count OVER user BY host

then choose the fields to display in a table search:

index=windows EventCode=3000   source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
| table _time host user domain action ...

As I said the most valuable job is to know what to search, then you can learn how to search in Splunk using the Search Tutorial.

Saving these searches in different dashboard's panels, you'll have your dashboard, to monitor your Use Case

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @darphboubou,

you have to do two actions:

  • exactly identify and list in a document what you need to display: e.g. stats for users, table displaying a list of fields (e.g. timestamp, user, host, ip, etc...)
  • create  some searches to execute your requirements.

the most difficoult action is the first (usually a job in Splunk requires 70% of target technology knowledge and 30% of Splunk knowledge).

Abour Splunk knowledge, I hint to follow the Splunk Search Tutorial ( http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial ) that teach you how to search in Splunk.

So, please, describe your use cases.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...