Splunk Search

Search for Netlogon with fewer false positives

cyberfan
Explorer

We want to check for any Zerologon exploit in the environment. Is there a Splunk search available? How do we detect a malicious RPC connection? Thanks.


cyberfan
Explorer

Hi, we patched the AD server with the Aug. 11 monthly rollup and tested the exploit. The exploit was not successful, but no 5827-5831 events were generated. Do I need to set up the Windows server so that these event codes will be generated?


nadine_wondem
New Member

You'll need to enable the logging of the event codes associated with the vulnerabilities on the domain controllers. Please speak to your Windows team, or take a look at this documentation:

https://docs.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-debug-logging-n...

https://support.microsoft.com/en-us/help/4557233/script-to-help-in-monitoring-event-ids-related-to-c...


thambisetty
SplunkTrust
  • Log event IDs 5827 and 5828 in the System event log, if connections are denied.
  • Log event IDs 5830 and 5831 in the System event log, if connections are allowed by the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
  • Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed. These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.

You should monitor the above-mentioned events from the domain controllers.

You can schedule this search to run every 15 or 30 minutes, or as per your requirement.


index=<windowsindexlogs> host=<yourdomaincontroller> EventCode IN (5827,5828,5829,5830,5831)
| stats earliest(_time) as earliestTime latest(_time) as latestTime by EventCode, host
| convert timeformat="%d/%m/%Y %T" ctime(earliestTime) ctime(latestTime)
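As an added example (not code from the thread, from Splunk or from Microsoft), here is the same aggregation the search above performs, written in Python over a handful of constructed sample records, plus the breakdown a practitioner usually wants next: which machine or trust accounts the DC denied (5827/5828) and which it still allowed over a vulnerable channel (5829-5831). The record shape (`_time`, `host`, `EventCode`, `account`, `domain`), the host names, account names and timestamps are all assumptions made for the example; real Splunk field extractions may name the account and domain fields differently.

```python
"""Netlogon secure-channel event triage (Zerologon, CVE-2020-1472).

Added example, not code from the thread. It reproduces what the posted SPL
search computes (earliest and latest time per EventCode and host) and adds a
per-account view split by outcome. All records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# System-log events written by DCs after the August 2020 Netlogon update.
NETLOGON_EVENTS = {
    5827: "denied: vulnerable Netlogon secure channel from a machine account",
    5828: "denied: vulnerable Netlogon secure channel from a trust account",
    5829: "allowed: vulnerable connection (fix or allow-list the client before enforcement)",
    5830: "allowed: machine account listed in the 'Allow vulnerable ...' group policy",
    5831: "allowed: trust account listed in the 'Allow vulnerable ...' group policy",
}
DENIED = {5827, 5828}
ALLOWED = {5829, 5830, 5831}

# Constructed sample records. The field names are an assumption about how the
# events look after extraction; the hosts, accounts and times are made up.
SAMPLE_EVENTS = [
    {"_time": "2020-09-15T08:01:10Z", "host": "DC01", "EventCode": 5829,
     "account": "FILESRV01$", "domain": "CORP"},
    {"_time": "2020-09-15T08:13:42Z", "host": "DC01", "EventCode": 5829,
     "account": "FILESRV01$", "domain": "CORP"},
    {"_time": "2020-09-15T09:00:00Z", "host": "DC02", "EventCode": 5827,
     "account": "OLDNAS$", "domain": "CORP"},
    {"_time": "2020-09-15T09:00:03Z", "host": "DC02", "EventCode": 5827,
     "account": "OLDNAS$", "domain": "CORP"},
    {"_time": "2020-09-16T11:30:00Z", "host": "DC01", "EventCode": 5830,
     "account": "LEGACYAPP$", "domain": "CORP"},
    # Not a Netlogon event; the base search filters it out.
    {"_time": "2020-09-16T12:00:00Z", "host": "DC01", "EventCode": 4624,
     "account": "jdoe", "domain": "CORP"},
]

TIME_FMT = "%d/%m/%Y %H:%M:%S"  # same layout as the SPL convert (%T is %H:%M:%S)


def _epoch(ts: str) -> float:
    """ISO-8601 UTC timestamp ending in 'Z' to epoch seconds."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def _ctime(epoch: float) -> str:
    """Render epoch seconds the way the SPL convert does, here in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TIME_FMT)


def netlogon_events(events):
    """The base search: keep only EventCode IN (5827, 5828, 5829, 5830, 5831)."""
    return [e for e in events if e["EventCode"] in NETLOGON_EVENTS]


def stats_by_eventcode_host(events):
    """Equivalent of
         | stats count earliest(_time) as earliestTime latest(_time) as latestTime by EventCode, host
         | convert timeformat="%d/%m/%Y %T" ctime(earliestTime) ctime(latestTime)
    Returns {(EventCode, host): {"count", "earliestTime", "latestTime"}}. Times are
    rendered in UTC; Splunk's ctime would use the search head's time zone."""
    buckets = defaultdict(list)
    for e in netlogon_events(events):
        buckets[(e["EventCode"], e["host"])].append(_epoch(e["_time"]))
    return {
        key: {"count": len(ts), "earliestTime": _ctime(min(ts)), "latestTime": _ctime(max(ts))}
        for key, ts in sorted(buckets.items())
    }


def accounts_by_outcome(events):
    """Group source accounts by whether the DC denied or allowed the vulnerable channel.
    5829 accounts are the ones to fix (or explicitly allow-list) before enforcement mode;
    repeated 5827/5828 from one account is either an unpatched client or something
    probing the DC, and is worth a look either way."""
    out = {"denied": defaultdict(int), "allowed": defaultdict(int)}
    for e in netlogon_events(events):
        bucket = "denied" if e["EventCode"] in DENIED else "allowed"
        out[bucket][(e["domain"], e["account"], e["EventCode"])] += 1
    return {k: dict(v) for k, v in out.items()}


if __name__ == "__main__":
    for (code, host), row in stats_by_eventcode_host(SAMPLE_EVENTS).items():
        print(f"{host} {code} ({NETLOGON_EVENTS[code]}): {row}")
    for outcome, accounts in accounts_by_outcome(SAMPLE_EVENTS).items():
        for (domain, account, code), n in accounts.items():
            print(f"{outcome:7} {domain}\\{account} event {code} x{n}")
```

Run it as-is to see the two views; to use it on real data, replace `SAMPLE_EVENTS` with records exported from your Windows System log and adjust the account and domain field names to match your extraction. The per-account split is what reduces noise: a 5830/5831 from an account you deliberately placed in the allow-list policy is expected, a 5829 is a client you still have to fix, and repeated 5827/5828 from the same account deserves a closer look.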

cyberfan
Explorer

Hi, thanks, but we have not ingested Windows events into Splunk. How do we detect it then?
