Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it better to enrich the data from UF Windows Log Data with Scripts?

elaborateGecko
Explorer
‎03-14-2022 09:06 PM

Hello all, 

Thank you for taking the time to consider my question, I'm mainly seeking to find if it's possible to better enrich the data that is obtained from Windows hosts running Splunk UF v8.2.5, namely [WinEventLog:Security] and [WinNetMon] capabilities. 

Currently we monitor for all new process run, as well as collect logs for unfamiliar IPv4 addresses reached out to by creating a inputs.conf blacklist for internal IPv4s and common websites. I'm curious if we can further enrich this data by using powershell scripts to lookup these IPv4s according to that hosts DNS resolution, (not retroactively resolving them at the point of analysis, which can lead to different results if the endpoint's DNS cache was compromised). 

Additionally, I'm wondering if it's possible to use something like a powershell script to retrieve the SHA256 file hash of new processes run with the parsed log. It could be that what I need to do is just run Sysmon and monitor that, and I'm very much for that, but I've heard from more veteran employees at the company I'm currently at that sysmon killed performance and isn't feasible on endpoints. I'm very much a rookie and wasn't in a position to argue otherwise, but as far as I know sysmon has a rather light footprint in comparison to it's robust capabilities. 

Any advice on these topics is greatly appreciated, and will be rewarded with karma!

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎03-15-2022 06:20 AM

About IPv4 blacklist

* Yeah for sure you can write a custom PowerShell script that reads the EventViewer and does filtration. But you have to take that into account how much time you would need to build that capability from scratch.

* That to say the option of using [WinEventLog:Security] and combining that with PowerShell script is not possible directly today.

* One other option you have is to filter the logs before it reaches the EventLog. (I'm not a Windows expert so don't know how to do it, but I'm sure there is a way you can write rules.)

 

About Sysmon

* I kinda agree that Sysmon is light weight comparitive to its capability.

Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...