Hi @achauhan2098, welcome to the Splunk Community!

First, I'd suggest adding some other EventCodes to complete your first Windows analysis, starting with:

4634 Logout: it's useful to understand the session closing.

Then, if you have logs from the Domain Controllers, these are very useful for Security monitoring:

Group Change Monitoring:
Event 4727 A Security-enabled Global Group was created
Event 4737 A Security-enabled Global Group was changed
Event 4728 A member was added to a security-enabled Global group
Event 4729 A member was removed from a security-enabled Global group
Event 4730 A Security-enabled Global Group was removed
Event 4754 A Security-enabled Universal Group was created
Event 4755 A Security-enabled Universal Group was changed
Event 4756 A member was added to a security-enabled Universal group
Event 4757 A member was removed from a security-enabled Universal group
Event 4758 A Security-enabled Universal Group was removed
Event 4731 A Security-enabled Local Group was created
Event 4735 A Security-enabled Local Group was changed
Event 4732 A member was added to a security-enabled Domain Local group
Event 4733 A member was removed from a security-enabled Domain Local group
Event 4734 A Security-enabled Domain Local Group was removed
Event 4781 Group Rename
Event 4764 Group Change Type

User Change Monitoring:
Event 4720 A user account was created
Event 4724 An attempt was made to reset an account password
Event 4738 A user account was changed
Event 4725 A user account was disabled
Event 4722 A user account was enabled
Event 4726 A user account was deleted

Policy Change Monitoring:
Event 4719 Policy Change

To have these EventCodes from the Domain Controllers you have to enable them because, by default, they are disabled.
Anyway, the EventCodes you're ingesting are:
4776: The domain controller attempted to validate the credentials for an account
4720: A user account was created
4723: An attempt was made to change an account's password
1102: The audit log was cleared
4624: Login
4726: A user account was deleted
4625: Logfail

So these are some immediate security Use Cases that you can develop:
- Brute force: many logins in a period on the same server
- Audit log deletion
- User account management (creation and deletion)

If you're interested in Security Use Cases, I suggest installing the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435/), which proposes all the possible Use Cases for your data.

Ciao.
Giuseppe
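As an added illustration of the three use cases named in the answer above (not code from the original post or from Splunk), here is the same detection logic written in plain Python over a constructed list of already-parsed Windows Security events. It goes slightly beyond the post in one place: instead of just listing 4720/4726 events it pairs a creation with a later deletion of the same account, which is the pattern an analyst usually wants surfaced. The field names (`_time`, `EventCode`, `host`, `user`, `src_ip`, `target`), the thresholds, and every event in `SAMPLE_EVENTS` are assumptions made for this example; in Splunk the equivalent of `brute_force` is a `bin _time span=5m | stats count by host` over `EventCode=4625`.

```python
"""Detections for the Windows Security EventCodes discussed in the answer.

Added example, not from the original post. Field names follow what a
typical Windows TA extraction looks like, but they are assumptions here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Times are ISO-8601 strings
# so the block stays self-contained; a real pipeline would hand over epochs.
SAMPLE_EVENTS = [
    # Six 4625 logon failures against DC01 from one source within two minutes.
    {"_time": "2024-01-10T08:00:05", "EventCode": 4625, "host": "DC01", "user": "admin", "src_ip": "10.1.1.50"},
    {"_time": "2024-01-10T08:00:20", "EventCode": 4625, "host": "DC01", "user": "admin", "src_ip": "10.1.1.50"},
    {"_time": "2024-01-10T08:00:41", "EventCode": 4625, "host": "DC01", "user": "admin", "src_ip": "10.1.1.50"},
    {"_time": "2024-01-10T08:01:02", "EventCode": 4625, "host": "DC01", "user": "admin", "src_ip": "10.1.1.50"},
    {"_time": "2024-01-10T08:01:30", "EventCode": 4625, "host": "DC01", "user": "admin", "src_ip": "10.1.1.50"},
    {"_time": "2024-01-10T08:01:55", "EventCode": 4625, "host": "DC01", "user": "admin", "src_ip": "10.1.1.50"},
    # A 4624 success right after the burst: outside this example's checks.
    {"_time": "2024-01-10T08:02:40", "EventCode": 4624, "host": "DC01", "user": "admin", "src_ip": "10.1.1.50"},
    # Three scattered failures on FS01: below threshold, must not fire.
    {"_time": "2024-01-10T09:00:00", "EventCode": 4625, "host": "FS01", "user": "bob", "src_ip": "10.1.2.7"},
    {"_time": "2024-01-10T09:20:00", "EventCode": 4625, "host": "FS01", "user": "bob", "src_ip": "10.1.2.7"},
    {"_time": "2024-01-10T09:40:00", "EventCode": 4625, "host": "FS01", "user": "bob", "src_ip": "10.1.2.7"},
    # 1102: the audit log was cleared.
    {"_time": "2024-01-10T09:50:00", "EventCode": 1102, "host": "DC01", "user": "CORP\\jdoe"},
    # 4720 then 4726 for the same target account, 90 minutes apart.
    {"_time": "2024-01-10T10:00:00", "EventCode": 4720, "host": "DC01", "user": "CORP\\helpdesk", "target": "svc_backup"},
    {"_time": "2024-01-10T11:30:00", "EventCode": 4726, "host": "DC01", "user": "CORP\\helpdesk", "target": "svc_backup"},
]


def _ts(event):
    return datetime.fromisoformat(event["_time"])


def brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Hosts with at least `threshold` 4625 failures inside any sliding `window`.

    Returns {host: max failures seen in one window}. Grouping by host matches
    the use case in the answer ("many logins in a period on the same server");
    adding src_ip to the key would give a per-source variant.
    """
    failures = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4625:
            failures[e["host"]].append(_ts(e))

    hits = {}
    for host, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # Drop events older than `window` from the front of the window.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[host] = best
    return hits


def audit_log_cleared(events):
    """Every 1102 is alert-worthy on its own: return (host, user) per clearing."""
    return [(e["host"], e["user"]) for e in events if e["EventCode"] == 1102]


def account_lifecycle(events, max_gap=timedelta(hours=24)):
    """Pair 4720 (created) with a later 4726 (deleted) for the same target.

    Returns [(target, creating_user, lifetime)] for accounts that existed for
    at most `max_gap`; a create-then-delete inside a day is the short-lived
    account pattern worth reviewing, beyond just listing each event.
    """
    created = {}
    short_lived = []
    for e in sorted(events, key=_ts):
        if e["EventCode"] == 4720:
            created[e["target"]] = e
        elif e["EventCode"] == 4726:
            c = created.pop(e["target"], None)
            if c is not None and _ts(e) - _ts(c) <= max_gap:
                short_lived.append((e["target"], c["user"], _ts(e) - _ts(c)))
    return short_lived


if __name__ == "__main__":
    print("brute force:", brute_force(SAMPLE_EVENTS))
    print("audit log cleared:", audit_log_cleared(SAMPLE_EVENTS))
    print("short-lived accounts:", account_lifecycle(SAMPLE_EVENTS))
```

Run it directly and it reports DC01 as the brute-forced host, the 1102 on DC01 by CORP\jdoe, and svc_backup as an account created and deleted within 90 minutes; FS01 stays quiet because its three failures never fall inside one 5-minute window.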