- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lateral Movement Windows Logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello there,
I have spent a good time researching lateral movement in Splunk, unfortunately I have not found much.
I have only seen answers suggesting to review the use cases of the Splunk Security Essentials APP but this use case on said app is based on Sysmon logs and I am only collecting the Security and Application logs using the Agent.
I also see very old responses where fields mention fields as "user" when currently called "Account_Name"
I would appreciate if someone can give me any suggestions to try to identify possible Lateral movements.
i found this
index=main sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4672) Logon_Type=3 NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @splunkcol,
In Splunk Security Essentials App, there's a sample of how to find lateral movements.
You should translate the example on your real data, in other words:
- You have to find the relative field names in bothe the logs (e.g. in syslog there's "user" and in Wineventlog there's "Account_name".
- than you have to follow the lateral movement logic in syslogs and Winevenlog to create you own search.
Security Essentials is a fantastic app to use as a starting point to create your own searches, it isn't a ready-to-use app, if you need this, you have to buy (it's a Premium App) Splunk Enterprise Security.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @splunkcol,
In Splunk Security Essentials App, there's a sample of how to find lateral movements.
You should translate the example on your real data, in other words:
- You have to find the relative field names in bothe the logs (e.g. in syslog there's "user" and in Wineventlog there's "Account_name".
- than you have to follow the lateral movement logic in syslogs and Winevenlog to create you own search.
Security Essentials is a fantastic app to use as a starting point to create your own searches, it isn't a ready-to-use app, if you need this, you have to buy (it's a Premium App) Splunk Enterprise Security.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @splunkcol,
good for you, see next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉
Observability Highlights | January 2023 Newsletter
Security Highlights | January 2023 Newsletter
Platform Highlights | January 2023 Newsletter
