Security Use Cases Using Splunk - Infosec Resources


Security Use Cases with Splunk

This article focuses on security use cases that can be created and managed within Splunk. For this article we will be using the Splunk Free Enterprise version, as it gives me 500 MB of free indexing every day. This will also be a standalone architecture that collects, parses and extracts events on a single machine, rather than a distributed architecture in which multiple components are required to collect, parse, extract and display events in Splunk.

Software Used: Splunk (Free Enterprise Version)
Version:
Log Source: Windows Event Logs, Registry logs
Splunk Indexer, Splunk Search Head: Local System (Windows 7)

Install Splunk

1. Download the latest Splunk release.

2. Run the downloaded .exe.
3. Accept the license agreement on the screen that appears.
4. Provide the Splunk installation directory and install it.

Use Cases

Use case 1: Detection of Possible Brute Force Attack

With the evolution of faster and more efficient password cracking tools, brute force attacks against an organization's services are on the rise. As a best practice, every organization should configure logging for security events such as an invalid number of login attempts, any modification to system files, etc., so that any possible attack underway is noticed and handled before it succeeds. Organizations generally apply these security policies via a Group Policy Object (GPO) to all the hosts in their network.

Problem Statement: Alert in real time whenever a user fails to log in successfully more than 2 times.
Log Source: Windows Security Logs
Splunk Query: sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") | stats count by Account_Name | where count > 2

How to read this query: We are monitoring the Windows Security event logs and looking for EventCode 4625, which is a failed logon. Every space in a Splunk search is an implicit AND operator. Then we perform a statistical count by Account_Name and report where the count is greater than 2, i.e. the search reports whenever a user (Account_Name) has performed more than 2 (count) failed logins.

Steps to simulate the use case:
1. First make sure your local machine is logging local logon events.

Check it via:
a. Click Start and type Local Security Policy.
b. Click Local Policies > Audit Policy. Make sure auditing for failure and success events is turned on. If it is not, double-click the policy and select Failure.
2. Start Splunk: navigate to the Splunk directory > bin and execute the command: splunk start.
3. Open Splunk Web. Usually it will be at localhost:8000; if port 8000 is occupied it will be 8001.
4. Provide the credentials:
a. Username: admin
b. Password: changeme (default)
5. Change the default password.
6. Feed the data into Splunk:
a. Click on Settings > Data Inputs.

b. Click on Local event log collection.
c. Click on Security Logs. Logs from Windows events will go to the Splunk default index, which is called main.
d. Click Save. The search screen should now appear.
7. Click on Splunk > Search and Reporting (App).
8. Copy in the Splunk search: sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") earliest=-30m@m | stats count by Account_Name | where count > 2
9. You might get 0 results here. Not to worry, we still have to perform the unsuccessful logins.
10. Click on Save As > Alert to save this search as an alert.
11. Fill in the details for the alert definition:
a. Title: Alert Name

b. Alert Type: Real Time
c. Permissions: Private
d. Trigger Condition: Per Result
e. Add a throttle on Account_Name and suppress it for 30 minutes. This means the alert will suppress further results with the same Account_Name for the next 30 minutes.
f. Trigger Actions: Add to Triggered Alerts
g. Severity: High
12. Log off your system. Perform 3 invalid login attempts.
13. Open Splunk. Navigate to Activity > Triggered Alerts. There you can see the alert triggered. You will see a lot of alerts because the alert is configured to run in real time, so it keeps running.
14. Click on View Results on the top-most alert, which is the one that actually resulted from the unsuccessful logins, to see the results.
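The search, the 30-minute lookback and the per-Account_Name throttle described above, emulated in Python over constructed sample events so the behaviour can be checked offline. This is an added example, not code from the original article: the event dicts stand in for the fields Splunk extracts from WinEventLog:Security, and the "Audit Failure" text the search matches is assumed to live in a Keywords field.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (only the fields the Splunk query uses).
# alice: 3 failures inside the last 30 minutes -> should alert.
# bob:   1 failure -> below threshold.
# carol: 3 failures, but over an hour ago -> outside earliest=-30m@m.
SAMPLE_EVENTS = [
    {"_time": datetime(2024, 1, 1, 9, 0), "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "alice"},
    {"_time": datetime(2024, 1, 1, 9, 5), "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "alice"},
    {"_time": datetime(2024, 1, 1, 9, 10), "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "alice"},
    {"_time": datetime(2024, 1, 1, 9, 12), "EventCode": 4624, "Keywords": "Audit Success", "Account_Name": "alice"},
    {"_time": datetime(2024, 1, 1, 9, 15), "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "bob"},
    {"_time": datetime(2024, 1, 1, 8, 0), "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "carol"},
    {"_time": datetime(2024, 1, 1, 8, 1), "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "carol"},
    {"_time": datetime(2024, 1, 1, 8, 2), "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "carol"},
]


def failed_login_counts(events, now, window=timedelta(minutes=30), threshold=2):
    """Emulates: (EventCode=4625 AND "Audit Failure") earliest=-30m@m
    | stats count by Account_Name | where count > 2
    Returns {Account_Name: count} for accounts over the threshold."""
    # earliest=-30m@m: go back 30 minutes, then snap to the start of the minute
    earliest = (now - window).replace(second=0, microsecond=0)
    counts = Counter(
        e["Account_Name"]
        for e in events
        if e["EventCode"] == 4625 and e["Keywords"] == "Audit Failure" and e["_time"] >= earliest
    )
    return {acct: n for acct, n in counts.items() if n > threshold}


class Throttle:
    """Per-result alert throttle: suppress repeat results for the same
    Account_Name until the suppression window has elapsed."""

    def __init__(self, suppress=timedelta(minutes=30)):
        self.suppress = suppress
        self.last_fired = {}  # Account_Name -> time the alert last fired

    def fire(self, results, now):
        """Returns the accounts that actually produce a triggered alert now."""
        fired = []
        for acct in results:
            last = self.last_fired.get(acct)
            if last is None or now - last >= self.suppress:
                self.last_fired[acct] = now
                fired.append(acct)
        return fired
```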

Use case 2: Acceptable Use Monitoring

Acceptable Use Monitoring covers the basic questions: what resource is being accessed, by whom, and when. Organizations generally publish policies for users to understand how they can use the organization's resources in the best way. Organizations should develop a baseline document to set up threshold limits, critical resource information, user roles and policies, and use that baseline document to monitor user activity, even after business hours, with the help of the SIEM solution.

Problem Statement: Alert in real time whenever a user accesses a file.
Log Source: Windows Security Logs
Splunk Query: sourcetype="WinEventLog:Security" EventCode=4663 | stats count by Account_Name,Object_Name,Accesses | rename Account_Name as UserName,Object_Name as FileName,Accesses as Action | table UserName,FileName,Action

How to read this query: we are collecting the Windows Security event logs and will monitor EventCode 4663, which reports the actions being taken on a file.

A space in a Splunk search is an AND operator. Then we perform a statistical count of file accesses by username and action. Finally, I am just renaming the fields to make them more understandable.

Steps to simulate the use case:
1. Open Local Security Policy and enable auditing for Object Access.
2. Create a new file on the desktop named Test_Access.
3. Enable auditing for Everyone on this file: right-click on the file > Properties > Advanced > Auditing.
4. Enter Everyone as the object name.
5. Enable all types of access on this entry.
6. Open Splunk. We do not need to add a new data input for this use case; the Windows Security event logs will be good enough.

If you have not followed Use case 1, please see above for how to feed data into Splunk.
7. Open Splunk and write this query: sourcetype="WinEventLog:Security" EventCode=4663 | stats count by Account_Name,Object_Name,Accesses | rename Account_Name as UserName,Object_Name as FileName,Accesses as Action | table UserName,FileName,Action
8. Hit Enter to run it. You might not see any results yet.
9. Save this as an alert: click on Save As > Alert.
10. Fill in the alert definition as follows:
a. Name: File Access
b. Alert Type: Scheduled, configured to run every hour (at the 0th minute past every hour).
c. Set Trigger Condition to: fire this alert whenever the number of results is greater than 0, and for each result.
d. Set Trigger Action to Add to Triggered Alerts.

11. Open the Test_Access file and then look for the triggered alert under Activity > Triggered Alerts. Most probably you will not see anything. Why? Because your alert is configured to run at the 0th minute past every hour.
12. To run this alert now, navigate to Settings > Searches, reports and alerts.
13. There you will see all the alerts. Find the alert named File Access and click on Run.
14. The result screen will show who (UserName) has performed what Action on which resource (FileName).

Use case 3: Registry Monitoring

Usually, whenever an executable is installed it makes changes to the registry, so it is worth monitoring registry events/actions like set, delete, etc.

