Security use cases using splunk - InfoSec Resources


Security Use Cases with Splunk

This article focuses on security use cases that can be created and managed within Splunk. For this article we will be using the Splunk Free Enterprise version, as it gives me 500MB of free indexing every day. This will also be a standalone architecture, in which a single instance collects, parses, extracts and displays events, rather than a distributed architecture where multiple components are required to do so.

Software Used: Splunk (Free Enterprise Version)
Version: 6.3.2
Log Source: Windows Event Logs, Registry logs
Splunk Indexer, Splunk Search Head: Local System (Windows 7)

Install Splunk

1. Download the latest Splunk release from
2. Run the downloaded exe.
3. The screen below will appear. Accept the agreement.
4. Provide the Splunk installation directory and install it.

Use Cases

Use Case 1: Detection of Possible Brute Force Attack

With the evolution of faster and more efficient password cracking tools, brute force attacks against an organization's services are on the rise. As a best practice, every organization should configure logging for security events such as an excessive number of invalid login attempts, any modification to system files, etc., so that any attack underway gets noticed and handled before it succeeds. Organizations generally apply these security policies via a Group Policy Object (GPO) to all the hosts in their network.

Problem Statement: Alert in real time whenever a user fails to log in more than 2 times.

Log Source: Windows Security Logs

Splunk Query: sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") | stats count by Account_Name | where count > 2

How to read this query: We are monitoring Windows Security event logs and looking for EventCode 4625, which is "Failed Logins". Every space in Splunk is an AND operator. Then we perform a statistical count by Account_Name and report where the count is greater than 2, i.e. it will report when a user (Account_Name) has performed more than 2 (count) failed logins.

Steps to simulate the Use-Case:

1. First make sure your local machine is logging local logon events. Check it via:
a. Click Start, type "Local Security Policy". The screen below will appear.
b. Click Local Policies > Audit Policies. Make sure auditing for failure and success events is turned on. If it is not, double click and select failure events. The final screen for this should look as below:

2. Start Splunk: navigate to the Splunk directory > bin and execute the command: splunk start.

3. Open Splunk Web. Usually it will be at localhost:8000. If port 8000 is occupied it will be 8001.



SECURITY USE CASES USING SPLUNK |

4

4. Provide the credentials:
a. Username: admin
b. Password: changeme (default)

5. Change the default password.

6. Feed the data into Splunk:

a. Click on Settings > Data Inputs

b. Click on "Local event log collection"



SECURITY USE CASES USING SPLUNK |

5

c. Click on Security Logs. Logs from Windows events will go to the Splunk default index, which is called "main".

d. Click Save. The screen below should appear.

7. Click on Splunk > Search and Reporting (App).

8. Copy the Splunk search: sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") earliest=-30m@m | stats count by Account_Name | where count > 2

9. You might get 0 results here. Not to worry, we still have to do the unsuccessful logins.

10. Click on Save As > Alert to save this search as an alert.

11. Fill in the details for the alert definition:
a. Title: Alert Name
b. Alert Type: Real Time
c. Permissions: Private
d. Trigger Condition: Per Result
e. Add a throttle action for Account_Name and suppress it for 30 minutes. This means the alert will suppress events with the same Account_Name for the next 30 minutes.
f. Trigger Actions: Add to Triggered Alerts
g. Severity: High

12. Log off your system. Perform 3 invalid login attempts.



SECURITY USE CASES USING SPLUNK |

7

13. Open Splunk. Navigate to Activity > Triggered Alerts. There you can see the alert that triggered. You will see a lot of alerts because the alert is configured to run in real time, so it will continue to run.

14. Click on View Results on the top-most alert, which actually resulted from the unsuccessful logins, to see the results.

Use Case 2: Acceptable Use Monitoring

Acceptable Use Monitoring covers the basic questions, i.e. what resource is being accessed, by whom and when. Organizations generally publish policies for users to understand how they can use the organization's resources in the best way. Organizations should develop a baseline document to set up threshold limits, critical resource information, user roles, and policies, and use that baseline document to monitor user activity, even after business hours, with the help of the SIEM solution.

Problem Statement: Alert in real time whenever a user accesses a file.

Log Source: Windows Security Logs

Splunk Query: sourcetype="WinEventLog:Security" EventCode=4663 | stats count by Account_Name, Object_Name, Accesses | rename Account_Name as UserName, Object_Name as FileName, Accesses as Action | table UserName, FileName, Action

How to read this query: We are collecting Windows Security event logs and will monitor EventCode 4663, which reports the actions being taken on a file. A space in Splunk is an AND operator. Then we perform a statistical count of the files by username and action. Finally I am just renaming the fields to make them more understandable.

Steps to simulate the Use-Case:

1. Open Local Security Policy and enable auditing for Object Access as shown below.
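To see what the two searches actually compute before you have a Splunk instance in front of you, here is an added Python example (not code from the article, and not Splunk's own code) that re-implements both of them offline: the failed-logon count with the earliest=-30m@m window and the per-Account_Name 30-minute throttle from Use Case 1, and the EventCode 4663 file-access table from this use case. The sample events are constructed to look like the raw WinEventLog:Security records Splunk indexes (a timestamp line, key=value header lines, then the Windows Message body); the host name WIN7-LAB, the accounts alice and bob, the file path and the times are all made up, and the function names (parse_event, failed_logins_by_account, AlertThrottle, file_access_table, run_demo) are this example's own. One simplification is labelled in the code: where a key repeats inside an event, as "Account Name" does in a 4625 event (Subject, then the account that failed to log on), this parser keeps the last value, whereas Splunk keeps every occurrence in a multivalue Account_Name field.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# A raw WinEventLog:Security event as Splunk stores it: timestamp line, key=value
# header lines (EventCode=4625, Keywords=Audit Failure), then the Message body whose
# "Name:<tabs>Value" lines become fields such as Account_Name, Object_Name, Accesses.
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"
HEADER_RE = re.compile(r"^([A-Za-z]+)=(.*)$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*)?$")


def parse_event(raw):
    """Extract the fields the searches use. Simplification: a repeated key (4625 has
    Subject and target "Account Name" lines) keeps its last value; Splunk keeps all."""
    lines = raw.strip().splitlines()
    event = {"_time": datetime.strptime(lines[0].strip(), TIME_FMT)}
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if m:
            event[m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m and m.group(2):
            event[m.group(1).replace(" ", "_")] = m.group(2).strip()
    return event


def failed_logins_by_account(events, now, threshold=2, window=timedelta(minutes=30)):
    """(EventCode=4625 AND "Audit Failure") earliest=-30m@m
    | stats count by Account_Name | where count > 2   (@m snaps the start to the minute)"""
    earliest = (now - window).replace(second=0, microsecond=0)
    counts = Counter(e["Account_Name"] for e in events
                     if e.get("EventCode") == "4625" and e.get("Keywords") == "Audit Failure"
                     and e["_time"] >= earliest)
    return {account: n for account, n in counts.items() if n > threshold}


class AlertThrottle:
    """Step 11e: per-result alert, throttled on Account_Name for 30 minutes."""

    def __init__(self, suppress=timedelta(minutes=30)):
        self.suppress = suppress
        self.last_fired = {}

    def fire(self, account, when):
        last = self.last_fired.get(account)
        if last is not None and when - last < self.suppress:
            return False                      # same Account_Name, still suppressed
        self.last_fired[account] = when
        return True


def file_access_table(events):
    """EventCode=4663 | stats count by Account_Name, Object_Name, Accesses | rename ...
    | table UserName, FileName, Action   (count is kept here; the article's table drops it)"""
    counts = Counter((e["Account_Name"], e["Object_Name"], e["Accesses"])
                     for e in events if e.get("EventCode") == "4663")
    return [{"UserName": u, "FileName": f, "Action": a, "count": n}
            for (u, f, a), n in sorted(counts.items())]


def _event(ts, code, keywords, message, *fields):
    """Build one constructed raw event in the layout described above."""
    body = "\n".join(f"\t{k}:\t\t{v}" for k, v in fields)
    return (f"{ts}\nLogName=Security\nEventCode={code}\nComputerName=WIN7-LAB\n"
            f"Keywords={keywords}\nMessage={message}\n{body}")


# Constructed sample data: host, accounts, path and times are made up.
FAIL, ACCESS = "An account failed to log on.", "An attempt was made to access an object."
TEST_FILE = r"C:\Users\lab\Desktop\Test_Access"
NOW = datetime(2016, 3, 4, 9, 45, 0)          # search time for earliest=-30m@m
SAMPLE_EVENTS = [
    _event("03/04/2016 08:30:00 AM", 4625, "Audit Failure", FAIL, ("Account Name", "-"), ("Account Name", "alice")),  # too old
    _event("03/04/2016 09:20:11 AM", 4625, "Audit Failure", FAIL, ("Account Name", "-"), ("Account Name", "alice")),
    _event("03/04/2016 09:21:05 AM", 4625, "Audit Failure", FAIL, ("Account Name", "-"), ("Account Name", "alice")),
    _event("03/04/2016 09:22:40 AM", 4625, "Audit Failure", FAIL, ("Account Name", "-"), ("Account Name", "alice")),
    _event("03/04/2016 09:23:30 AM", 4624, "Audit Success", "An account was successfully logged on.", ("Account Name", "alice")),
    _event("03/04/2016 09:30:00 AM", 4625, "Audit Failure", FAIL, ("Account Name", "-"), ("Account Name", "bob")),  # one failure only
    _event("03/04/2016 09:35:00 AM", 4663, "Audit Success", ACCESS, ("Account Name", "alice"),
           ("Object Name", TEST_FILE), ("Accesses", "ReadData (or ListDirectory)")),
    _event("03/04/2016 09:36:00 AM", 4663, "Audit Success", ACCESS, ("Account Name", "alice"),
           ("Object Name", TEST_FILE), ("Accesses", "WriteData (or AddFile)")),
    _event("03/04/2016 09:37:00 AM", 4663, "Audit Success", ACCESS, ("Account Name", "alice"),
           ("Object Name", TEST_FILE), ("Accesses", "ReadData (or ListDirectory)")),
]


def run_demo():
    """Both searches over the sample data, plus the throttle firing twice for alice."""
    events = [parse_event(raw) for raw in SAMPLE_EVENTS]
    offenders = failed_logins_by_account(events, NOW)                # {"alice": 3}
    throttle = AlertThrottle()
    fired = [throttle.fire(a, NOW) for a in offenders]               # [True]
    fired_again = [throttle.fire(a, NOW + timedelta(minutes=5)) for a in offenders]  # [False]
    return {"offenders": offenders, "fired": fired, "fired_again": fired_again,
            "file_access": file_access_table(events)}
```

Running run_demo() reports alice as the only offender: her 08:30 failure falls outside the 30-minute window and bob has a single failure, so neither crosses the "more than 2" threshold. The second pass through the throttle returns False, which is what the 30-minute suppression on Account_Name buys you in step 11e: a real-time, per-result alert would otherwise raise a new triggered alert for every matching event. The file-access table groups alice's three 4663 events into two rows by access type, which is the shape the rename/table pipeline presents.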



SECURITY USE CASES USING SPLUNK |

8

2. Create a new file on the desktop named "Test_Access".

3. Enable auditing for everyone on this file: right click on the file > Properties > Advanced > Auditing.

4. Enter "Everyone" as the object name.

5. Enable all types of controls on this.



SECURITY USE CASES USING SPLUNK |

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download