Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lateral Movement Windows Logs

splunkcol
Builder
‎09-28-2021 05:03 PM

Hello there,

I have spent a good time researching lateral movement in Splunk, unfortunately I have not found much.

I have only seen answers suggesting to review the use cases of the Splunk Security Essentials APP but this use case on said app is based on Sysmon logs and I am only collecting the Security and Application logs using the Agent.

I also see very old responses where fields mention fields as "user" when currently called "Account_Name"

I would appreciate if someone can give me any suggestions to try to identify possible Lateral movements.

i found this

index=main sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4672) Logon_Type=3 NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON"

 

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2021 12:10 AM

Hi @splunkcol,

In Splunk Security Essentials App, there's a sample of how to find lateral movements.

You should translate the example on your real data, in other words:

  • You have to find the relative field names in bothe the logs (e.g. in syslog there's "user" and in Wineventlog there's "Account_name".
  • than you have to follow the lateral movement logic in syslogs and Winevenlog to create you own search.

Security Essentials is a fantastic app to use as a starting point to create your own searches, it isn't a ready-to-use app, if you need this, you have to buy (it's a Premium App) Splunk Enterprise Security.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2021 12:10 AM

Hi @splunkcol,

In Splunk Security Essentials App, there's a sample of how to find lateral movements.

You should translate the example on your real data, in other words:

  • You have to find the relative field names in bothe the logs (e.g. in syslog there's "user" and in Wineventlog there's "Account_name".
  • than you have to follow the lateral movement logic in syslogs and Winevenlog to create you own search.

Security Essentials is a fantastic app to use as a starting point to create your own searches, it isn't a ready-to-use app, if you need this, you have to buy (it's a Premium App) Splunk Enterprise Security.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2021 11:43 PM

Hi @splunkcol,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...