Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lateral Movement Windows Logs

splunkcol
Builder
‎09-28-2021 05:03 PM

Hello there,

I have spent a good time researching lateral movement in Splunk, unfortunately I have not found much.

I have only seen answers suggesting to review the use cases of the Splunk Security Essentials APP but this use case on said app is based on Sysmon logs and I am only collecting the Security and Application logs using the Agent.

I also see very old responses where fields mention fields as "user" when currently called "Account_Name"

I would appreciate if someone can give me any suggestions to try to identify possible Lateral movements.

i found this

index=main sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4672) Logon_Type=3 NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON"

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2021 12:10 AM

Hi @splunkcol,

In Splunk Security Essentials App, there's a sample of how to find lateral movements.

You should translate the example on your real data, in other words:

  • You have to find the relative field names in bothe the logs (e.g. in syslog there's "user" and in Wineventlog there's "Account_name".
  • than you have to follow the lateral movement logic in syslogs and Winevenlog to create you own search.

Security Essentials is a fantastic app to use as a starting point to create your own searches, it isn't a ready-to-use app, if you need this, you have to buy (it's a Premium App) Splunk Enterprise Security.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2021 12:10 AM

Hi @splunkcol,

In Splunk Security Essentials App, there's a sample of how to find lateral movements.

You should translate the example on your real data, in other words:

  • You have to find the relative field names in bothe the logs (e.g. in syslog there's "user" and in Wineventlog there's "Account_name".
  • than you have to follow the lateral movement logic in syslogs and Winevenlog to create you own search.

Security Essentials is a fantastic app to use as a starting point to create your own searches, it isn't a ready-to-use app, if you need this, you have to buy (it's a Premium App) Splunk Enterprise Security.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2021 11:43 PM

Hi @splunkcol,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...