
http://www.infosecinstitute.com/courses/incident_respone_network_forensics.html

1

SECURITY USE CASES USING SPLUNK |

Security Use Cases with Splunk

This article focuses on security use cases that can be created and managed within Splunk. For this article we will be using the free Splunk Enterprise license, which allows indexing of 500 MB per day at no cost. Also, this will be a standalone architecture, in which one instance collects, parses, extracts and displays events, rather than a distributed architecture where multiple components are required for those tasks.

Software Used: Splunk (Free Enterprise Version)

Version: 6.3.2

Log Source: Windows Event Logs, Registry logs

Splunk Indexer, Splunk Search Head: Local System (Windows 7)

Install Splunk

1. Download the latest Splunk release from Splunk.com.
2. Run the downloaded .exe.
3. Accept the license agreement.
4. Provide the Splunk installation directory and install it.

Use Cases

Use Case 1: Detection of Possible Brute Force Attack

With the evolution of faster and more efficient password-cracking tools, brute force attacks against an organization's services are on the rise. As a best practice, every organization should configure logging of security events such as failed login attempts, modifications to system files, etc., so that an attack under way is noticed and dealt with before it succeeds. Organizations generally apply these audit policies to all the hosts in their network via a Group Policy Object (GPO).

Problem Statement: Alert in real time whenever a user fails to log in more than 2 times.

Log Source: Windows Security Logs

Splunk Query: sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") | stats count by Account_Name | where count > 2

How to read this query: We are searching the Windows Security event log for EventCode 4625, which is "An account failed to log on". In Splunk, whitespace between search terms is an implicit AND. We then run a statistical command that counts events per Account_Name and keep only the rows where count is greater than 2, i.e. the search reports every user (Account_Name) with more than 2 failed logins in the search window. One caveat: a 4625 event carries two "Account Name" values, the subject that reported the failure (often a computer account ending in $) and the account for which logon failed, so Splunk extracts Account_Name as a multivalue field and stats counts both. If a computer account shows up in the results, that is why.

Steps to simulate the Use-Case:

1. First make sure your local machine is logging local logon events. Check it via:
   a. Click Start and type "Local Security Policy".
   b. Click Local Policies > Audit Policy and make sure auditing of logon events is turned on for failure (and success). If it is not, double-click the policy and select Failure.
2. Start Splunk: navigate to the Splunk directory > bin and run the command: splunk start
3. Open Splunk Web. Usually it is at localhost:8000; if port 8000 is occupied it will be 8001.


4. Provide the credentials:
   a. Username: admin
   b. Password: changeme (the default)
5. Change the default password.
6. Feed the data into Splunk:
   a. Click Settings > Data Inputs.
   b. Click "Local event log collection".
   c. Select the Security log. Windows event logs go to Splunk's default index, which is called "main".
   d. Click Save.
7. Click Splunk > Search & Reporting (app).
8. Run the Splunk search: sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") earliest=-30m@m | stats count by Account_Name | where count > 2


9. You might get 0 results here. Not to worry: we still have to perform the unsuccessful logins.
10. Click Save As > Alert to save this search as an alert.
11. Fill in the alert definition:
   a. Title: the alert name
   b. Alert Type: Real-time
   c. Permissions: Private
   d. Trigger Condition: Per-Result
   e. Throttle: suppress results that share the same Account_Name for 30 minutes. This means the alert will not fire again for that Account_Name during the next 30 minutes.
   f. Trigger Actions: Add to Triggered Alerts
   g. Severity: High
12. Log off your system and perform 3 invalid login attempts.


13. Log back in and open Splunk. Navigate to Activity > Triggered Alerts; there you can see the alert that was triggered. You may see a lot of alerts, because the alert runs in real time and keeps firing as long as matching results arrive (the throttle limits this per Account_Name).
14. Click View Results on the topmost alert, the one that actually resulted from the unsuccessful logins, to see the results.

Use Case 2: Acceptable Use Monitoring

Acceptable use monitoring answers a basic question: what resource is being accessed, by whom and when. Organizations generally publish policies so that users understand how they may use the organization's resources. Organizations should also develop a baseline document that sets threshold limits, critical resource information, user roles and policies, and use that baseline to monitor user activity, even after business hours, with the help of the SIEM solution.

Problem Statement: Alert whenever a user accesses a monitored file.

Log Source: Windows Security Logs

Splunk Query: sourcetype="WinEventLog:Security" EventCode=4663 | stats count by Account_Name, Object_Name, Accesses | rename Account_Name as UserName, Object_Name as FileName, Accesses as Action | table UserName, FileName, Action

How to read this query: We search the Windows Security event log for EventCode 4663 ("An attempt was made to access an object"), which records the action taken on the file. Whitespace between search terms is an implicit AND. Then we run a statistical count over user, file and access type, and finally rename the fields to make them more understandable. Note that Windows only writes 4663 for objects that have an auditing entry (a SACL), which is why the steps below add one to the test file.

Steps to simulate the Use-Case:

1. Open Local Security Policy and enable auditing for Object Access (Local Policies > Audit Policy > Audit object access).
2. Create a new file on the desktop named "Test_Access".
3. Enable auditing for Everyone on this file: right-click the file > Properties > Security > Advanced > Auditing.
4. Enter "Everyone" as the object (principal) name.
5. Enable auditing of all access types on it.


6. Open Splunk. We do not need to add a new data input for this use case; the Windows Security event log is enough. If you have not followed Use Case 1, see above for how to feed Splunk.
7. Run this query: sourcetype="WinEventLog:Security" EventCode=4663 | stats count by Account_Name, Object_Name, Accesses | rename Account_Name as UserName, Object_Name as FileName, Accesses as Action | table UserName, FileName, Action
8. Hit Enter to run it. You might not see any results yet.
9. Save this as an alert: click Save As > Alert.
10. Fill in the alert definition:
   a. Name: File Access
   b. Alert Type: Scheduled, configured to run every hour (at the 0th minute past every hour).
   c. Trigger Condition: fire this alert whenever the number of results is greater than 0, for each result.
   d. Trigger Action: Add to Triggered Alerts


11. Open the Test_Access file, then look for the triggered alert under Activity > Triggered Alerts. Most probably you will not see anything yet. Why? Because the alert is configured to run at the 0th minute past every hour.
12. To run this alert now, navigate to Settings > "Searches, reports, and alerts".
13. There you will see all the alerts. Find the alert named File Access and click Run.
14. The result screen tells you who (UserName) performed what Action on which resource (FileName).
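Use Case 1 and Use Case 2 in plain Python, as an added example that is not code from the article: it runs the two searches over a handful of constructed events whose text imitates Splunk's WinEventLog:Security format (Key=Value header lines followed by the message body), so Account_Name, Object_Name and Accesses are extracted here the way Splunk extracts them from the "Account Name:", "Object Name:" and "Accesses:" lines. The sample events, the computer account name WIN7$ and the file path are all made up for the example; the Throttle class models the per-result throttle on Account_Name configured in step 11e.

```python
# Added example (not from the article): Use Case 1 and Use Case 2 run in Python
# over constructed events whose text imitates Splunk's WinEventLog:Security format.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = ("Subject:\n Account Name: WIN7$\n"
                "Account For Which Logon Failed:\n Account Name: {user}\nLogon Type: 2")
FILE_ACCESS = ("Subject:\n Account Name: {user}\nObject:\n Object Name: {path}\n"
               "Access Request Information:\n Accesses: {access}")
TEST_FILE = "C:\\Users\\alice\\Desktop\\Test_Access.txt"
NOW = datetime(2016, 6, 10, 10, 30, 0)

def winevent(time, code, keywords, body):
    return f"{time}\nLogName=Security\nEventCode={code}\nKeywords={keywords}\n{body}"

# Constructed sample: three failures for alice in the last 30 minutes, one stale
# failure two hours earlier, one failure for bob, and two 4663 file accesses.
SAMPLE_EVENTS = [
    winevent("06/10/2016 08:00:00 AM", 4625, "Audit Failure", FAILED_LOGON.format(user="alice")),
    winevent("06/10/2016 10:01:05 AM", 4625, "Audit Failure", FAILED_LOGON.format(user="alice")),
    winevent("06/10/2016 10:01:20 AM", 4625, "Audit Failure", FAILED_LOGON.format(user="alice")),
    winevent("06/10/2016 10:01:40 AM", 4625, "Audit Failure", FAILED_LOGON.format(user="alice")),
    winevent("06/10/2016 10:05:00 AM", 4625, "Audit Failure", FAILED_LOGON.format(user="bob")),
    winevent("06/10/2016 10:10:00 AM", 4663, "Audit Success",
             FILE_ACCESS.format(user="alice", path=TEST_FILE, access="ReadData (or ListDirectory)")),
    winevent("06/10/2016 10:11:00 AM", 4663, "Audit Success",
             FILE_ACCESS.format(user="alice", path=TEST_FILE, access="WriteData (or AddFile)")),
]

def parse_event(raw):
    """Field extraction as Splunk does it: 'Key=Value' header lines, and message
    lines such as 'Account Name: alice' become Account_Name.  A key that repeats
    (a 4625 event has two Account Name lines) becomes a multivalue field."""
    lines = raw.strip().splitlines()
    fields = defaultdict(list)
    fields["_time"].append(datetime.strptime(lines[0].strip(), "%m/%d/%Y %I:%M:%S %p"))
    for line in lines[1:]:
        line = line.strip()
        if "=" in line and ":" not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
        else:
            continue
        if value:
            fields[key.replace(" ", "_")].append(value)
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}

def failed_logon_counts(events, now=NOW, window_minutes=30, target_only=False):
    """(EventCode=4625 AND "Audit Failure") earliest=-30m@m | stats count by Account_Name
    As with Splunk's stats on a multivalue field, every Account_Name value gets its
    own row, so the subject (computer account WIN7$) is counted too; target_only
    keeps only the last value, the account for which logon failed."""
    earliest = now - timedelta(minutes=window_minutes)
    counts = Counter()
    for raw in events:
        event = parse_event(raw)
        if event.get("EventCode") != "4625" or event.get("Keywords") != "Audit Failure":
            continue
        if event["_time"] < earliest:
            continue
        names = event.get("Account_Name", [])
        names = names if isinstance(names, list) else [names]
        for name in (names[-1:] if target_only else names):
            counts[name] += 1
    return counts

def brute_force_alerts(events, threshold=2, **kwargs):
    """| where count > 2  ->  {Account_Name: count} for accounts over the threshold."""
    return {n: c for n, c in failed_logon_counts(events, **kwargs).items() if c > threshold}

class Throttle:
    """Per-result throttle on Account_Name: after firing for an account, suppress
    it for suppress_minutes so the real-time alert does not re-fire every second."""
    def __init__(self, suppress_minutes=30):
        self.suppress = timedelta(minutes=suppress_minutes)
        self.last_fired = {}

    def should_fire(self, account, when):
        last = self.last_fired.get(account)
        if last is not None and when - last < self.suppress:
            return False
        self.last_fired[account] = when
        return True

def file_access_table(events):
    """EventCode=4663 | stats count by Account_Name, Object_Name, Accesses
    | rename ... | table UserName, FileName, Action"""
    rows = Counter()
    for raw in events:
        event = parse_event(raw)
        if event.get("EventCode") == "4663":
            rows[(event["Account_Name"], event["Object_Name"], event["Accesses"])] += 1
    return [{"UserName": u, "FileName": f, "Action": a, "count": c}
            for (u, f, a), c in sorted(rows.items())]

if __name__ == "__main__":
    print("over threshold:", brute_force_alerts(SAMPLE_EVENTS))
    print("target account only:", brute_force_alerts(SAMPLE_EVENTS, target_only=True))
    throttle = Throttle()
    for when in (NOW, NOW.replace(minute=31), NOW.replace(hour=11, minute=1)):
        print(when.time(), "fire for alice:", throttle.should_fire("alice", when))
    print(file_access_table(SAMPLE_EVENTS))
```

Running it shows the multivalue effect the text warns about: the raw count lists both alice and WIN7$ over the threshold, while target_only reports only alice, and the throttle fires for alice at 10:30, stays quiet at 10:31 and fires again at 11:01.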


Use Case 3: Registry Monitoring

Usually, when an executable is installed it makes changes to the registry, so it is worth monitoring registry events/actions such as set, delete, etc.

Problem Statement: Alert on a schedule whenever a registry Set action takes place.

Log Source: Windows Registry Logs

Splunk Query: index=main sourcetype=WinRegistry | stats values(data) by key_path,registry_type,host | rename host as "Machine Name" registry_type as Action values(data) as "New Value" key_path as "Path to Subkey"

How to read this query: We collect registry events in Splunk's default index main; the registry_type field carries the action (set, in this case) and data carries the value written. stats values(data) by key_path, registry_type, host collects every distinct value written per subkey, action and host. Remember that whitespace between search terms is an implicit AND and | pipes the results into the next command. At the end we rename the fields to make them more understandable. Note that the query itself does not filter on registry_type; the restriction to Set events comes from the registry monitoring input defined below.

Steps to simulate the Use-Case:

1. Open Splunk and navigate to Settings > Data Inputs.
2. Click Registry Monitoring.
3. Click New.


4. Enter the definition of this registry monitor:
   a. Enter a name for the monitor (Reg_Mon is used below).
   b. Click Browse to pick the hive or subkey to monitor from: HKEY_USERS, HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG.
   c. For demonstration purposes I have selected HKEY_LOCAL_MACHINE\SOFTWARE\Splunk.
   d. Select the actions you want to monitor on this key: Create, Delete, Open, Rename, Set. For this exercise, select Action = Set.
   e. Click Next.
   f. Confirm the settings.
   g. Click Submit and it is done.
5. Reconfirm the monitor by clicking Settings > Data Inputs > Registry Monitoring > Reg_Mon and checking the actions selected. Make sure the 'Set' action is selected.


A 'Set' action generates a Set event when a program calls a SetValue method on a registry subkey, thus setting a value or overwriting an existing value of an existing registry entry.

6. Click the Windows Start button and type 'regedit' to open the Registry Editor. Navigate to HKLM > SOFTWARE > Splunk.
7. In the right-hand pane, double-click ProductName, change the value from 'Splunk Enterprise' to 'Splunk Use Case Infosec Institute' and click OK. (This is Splunk's own registry data; change it back once the exercise is done.)
8. Open the Search app in Splunk and run this query:
   index=main sourcetype=WinRegistry | stats values(data) by key_path,registry_type,host | rename host as "Machine Name" registry_type as Action values(data) as "New Value" key_path as "Path to Subkey"
9. Save it as an alert via Save As > Alert and enter the alert definition as in Use Case 2: a scheduled alert, named Reg_Mon_Alert, that triggers when the number of results is greater than 0.


10. Since this is also a scheduled alert, navigate to Settings > "Searches, reports, and alerts".
11. There you will see all the alerts. Find the alert named Reg_Mon_Alert and click Run.
12. The result screen shows the following fields:
   a. Path to Subkey: the subkey that changed.
   b. Action: what sort of action took place; in this case a Set action.
   c. Machine Name: the host on which it changed.
   d. New Value: the value of the subkey. I used values(data) to collect all the values written to this subkey, so you can see the changed value "Splunk Use Case Infosec Institute" in the result.
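The registry use case modelled in Python, as an added example that is not code from the article: monitored_events() plays the role of the Registry Monitoring data input (a hive/subkey path plus the selected actions) and registry_report() plays the role of the stats/rename search above. The events are constructed; their key="value" lines imitate Splunk's WinRegistry sourcetype, and the registry_type value "SetValue" for a Set action, the host names and the second machine are assumptions made for the example.

```python
# Added example (not from the article): Use Case 3 in Python.  monitored_events()
# stands in for the Registry Monitoring data input and registry_report() for
#   index=main sourcetype=WinRegistry | stats values(data) by key_path,registry_type,host | rename ...
# The events are constructed; "SetValue" as the registry_type of a Set action is an assumption.
import re
from collections import defaultdict

def regevent(host, registry_type, key_path, data="", image="C:\\Windows\\regedit.exe"):
    """One constructed WinRegistry event; host is Splunk metadata, kept beside the text."""
    text = ('06/10/2016 10:41:39.013\n'
            'event_status="(0)The operation completed successfully."\n'
            f'pid=2148\nprocess_image="{image}"\nregistry_type="{registry_type}"\n'
            f'key_path="{key_path}"\ndata_type="REG_SZ"\ndata="{data}"')
    return host, text

PRODUCT_NAME = "HKLM\\SOFTWARE\\Splunk\\ProductName"
SAMPLE_EVENTS = [
    regevent("WIN7-LAB", "SetValue", PRODUCT_NAME, "Splunk Enterprise"),
    regevent("WIN7-LAB", "SetValue", PRODUCT_NAME, "Splunk Use Case Infosec Institute"),
    regevent("WIN7-LAB", "DeleteValue", PRODUCT_NAME),                          # action not selected
    regevent("WIN7-LAB", "SetValue", "HKLM\\SOFTWARE\\Contoso\\Setting", "1"),  # outside the monitored path
    regevent("WIN7-LAB2", "SetValue", PRODUCT_NAME, "Splunk Enterprise"),
]

KV_LINE = re.compile(r'^(\w+)=(?:"([^"]*)"|(\S*))$', re.MULTILINE)

def parse_registry_event(host, text):
    """key="value" lines -> dict, plus the host the event was collected on."""
    fields = {"host": host}
    for key, quoted, bare in KV_LINE.findall(text):
        fields[key] = quoted if quoted else bare
    return fields

def monitored_events(events, baseline_path, actions=("SetValue",)):
    """What the Registry Monitoring input lets through: only keys at or below
    baseline_path and only the selected actions (registry paths are case-insensitive)."""
    prefix = baseline_path.lower()
    wanted = {a.lower() for a in actions}
    kept = []
    for host, text in events:
        event = parse_registry_event(host, text)
        if event["key_path"].lower().startswith(prefix) and event["registry_type"].lower() in wanted:
            kept.append(event)
    return kept

def registry_report(events):
    """stats values(data) by key_path, registry_type, host | rename host as
    "Machine Name" registry_type as Action values(data) as "New Value" key_path
    as "Path to Subkey".  values() yields the distinct values, sorted, in one cell."""
    groups = defaultdict(set)
    for event in events:
        groups[(event["key_path"], event["registry_type"], event["host"])].add(event["data"])
    return [{"Path to Subkey": path, "Action": action, "Machine Name": host, "New Value": sorted(values)}
            for (path, action, host), values in sorted(groups.items())]

if __name__ == "__main__":
    for row in registry_report(monitored_events(SAMPLE_EVENTS, "HKLM\\SOFTWARE\\Splunk")):
        print(row)
```

With the input restricted to Set, the delete and the write outside HKLM\SOFTWARE\Splunk never reach the report; the WIN7-LAB row's New Value cell holds both values written to ProductName, which is what values(data) produces in the Splunk result.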


Other Use Cases which students can do on their own

Monitoring Rogue Name Servers

To monitor this type of activity, DNS servers, proxies and perimeter firewalls should be configured to send logs to Splunk. Inside Splunk, a SIEM rule (a saved search) then monitors these logs:

index=perimeter_firewall OR index=dns (TCP=53 OR UDP=53) NOT [| inputlookup internal_dns_list | fields dns] | dedup dns | rename dns as rogue_dns | table rogue_dns

This query takes the perimeter firewall and DNS logs for TCP/UDP port 53, uses a subsearch over the internal_dns_list lookup to exclude all the known local/internal DNS servers, and lists every other name server seen, each of which is possibly a rogue name server. (The field names TCP, UDP and dns depend on how your firewall sourcetype is extracted; with the Common Information Model the port would be dest_port=53.)

Monitoring Rogue Proxy Servers

Although bots have become more advanced and use the internal proxy server for outbound communication, there are still some that do not. So whenever traffic hitting the perimeter firewall does not come from a proxy IP, raise an alert. Below is a query that can be used to detect this:

index=perimeter_firewall NOT [| inputlookup proxy_ip | fields ip] | dedup ip | table ip

This looks for traffic at the perimeter firewall from IP addresses other than the listed proxy IP addresses, which may indicate a rogue proxy server (or a host bypassing the proxy). Here too we leverage Splunk's lookup feature.
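The two lookup-based checks above, rogue name servers and rogue proxies, as an added Python example that is not code from the article. It runs over constructed perimeter firewall log lines; the key=value log format, the field names src, dst, proto and dport, the rule that only web traffic (ports 80 and 443) must go through the proxy, and the lookup contents are all assumptions made for the example. The two CSV strings stand in for the internal_dns_list and proxy_ip lookups, and load_lookup() plays the part of the inputlookup subsearch.

```python
# Added example (not from the article): the rogue name server and rogue proxy
# checks over constructed perimeter firewall log lines and lookup CSVs.
import csv
import io

FIREWALL_LOG = """\
2016-06-10T10:00:01Z src=10.1.5.22 dst=10.1.1.53 proto=udp dport=53 action=allow
2016-06-10T10:00:02Z src=10.1.5.23 dst=8.8.8.8 proto=udp dport=53 action=allow
2016-06-10T10:00:03Z src=10.1.5.23 dst=8.8.8.8 proto=tcp dport=53 action=allow
2016-06-10T10:00:04Z src=10.1.2.10 dst=93.184.216.34 proto=tcp dport=443 action=allow
2016-06-10T10:00:05Z src=10.1.5.40 dst=203.0.113.9 proto=tcp dport=443 action=allow
2016-06-10T10:00:06Z src=10.1.5.22 dst=10.1.1.54 proto=tcp dport=53 action=allow
"""
INTERNAL_DNS_LIST = "dns\n10.1.1.53\n10.1.1.54\n"   # stands in for the internal_dns_list lookup
PROXY_IP = "ip\n10.1.2.10\n"                        # stands in for the proxy_ip lookup

def parse_line(line):
    """'<timestamp> k=v k=v ...' -> dict of the fields Splunk would auto-extract."""
    fields = {}
    for token in line.split()[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def events(log_text):
    return [parse_line(line) for line in log_text.splitlines() if line.strip()]

def load_lookup(csv_text, column):
    """| inputlookup <name> | fields <column>  ->  the set the subsearch expands to."""
    return {row[column] for row in csv.DictReader(io.StringIO(csv_text))}

def rogue_name_servers(log_text, internal_dns_csv):
    """index=perimeter_firewall (TCP=53 OR UDP=53) NOT [| inputlookup internal_dns_list | fields dns]
    | dedup dns | table rogue_dns   -- here the name server address is the dst field."""
    known = load_lookup(internal_dns_csv, "dns")
    hits = {e["dst"] for e in events(log_text) if e.get("dport") == "53" and e["dst"] not in known}
    return sorted(hits)

def rogue_proxies(log_text, proxy_csv, web_ports=("80", "443")):
    """index=perimeter_firewall NOT [| inputlookup proxy_ip | fields ip] | dedup ip | table ip
    Assumption for this example: only web traffic (dport 80/443) must go through the
    proxy, so only those lines are checked, and the src address is what gets listed."""
    proxies = load_lookup(proxy_csv, "ip")
    hits = {e["src"] for e in events(log_text) if e.get("dport") in web_ports and e["src"] not in proxies}
    return sorted(hits)

if __name__ == "__main__":
    print("possible rogue name servers:", rogue_name_servers(FIREWALL_LOG, INTERNAL_DNS_LIST))
    print("hosts bypassing the proxy:", rogue_proxies(FIREWALL_LOG, PROXY_IP))
```

The set comprehension is the dedup; the two queries to 8.8.8.8 over UDP and TCP collapse into one finding, and 10.1.5.40 is reported because it reached port 443 at the perimeter without passing through 10.1.2.10.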

Monitoring Insecure Ports and Services

We can monitor insecure ports and services being opened on endpoints in Splunk. To do this we first have to feed the endpoint data into Splunk. A script such as

netstat -ln | egrep "^tcp|^udp"

writes the listening sockets to a log file. If the resulting log file is local to Splunk we can take the file directly as an input; if it is remote it can be collected using the Splunk Universal Forwarder. Then we can monitor for insecure ports and services:

index=endpoint_log [| inputlookup insecure_list | fields port, service] | table hostname, port, service

Here the lookup insecure_list contains the known insecure ports and services; the subsearch turns it into a filter that is matched against the endpoint logs. If a match is found, an alert is raised.
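The insecure-ports check as an added Python example that is not code from the article: netstat_listeners() parses what netstat -ln | egrep "^tcp|^udp" writes to the endpoint log file, and insecure_listeners() does the work of the search against the insecure_list lookup. The netstat text, the lookup contents, the hostname and the choice to skip loopback-only sockets by default are constructed or assumed for this example; the service name comes from the lookup, since netstat output carries no service field.

```python
# Added example (not from the article): match the listening sockets recorded by
# `netstat -ln | egrep "^tcp|^udp"` against an insecure_list lookup (port -> service).
import csv
import io
import re

NETSTAT_LOG = """\
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:21            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*
"""
INSECURE_LIST = "port,service\n21,ftp\n23,telnet\n69,tftp\n512,rexec\n513,rlogin\n514,rsh\n"

LISTENER = re.compile(r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")

def netstat_listeners(netstat_text):
    """Each netstat line -> {proto, addr, port}.  addr tells whether the socket is
    bound to every interface (0.0.0.0 / ::) or only to loopback."""
    return [m.groupdict() for m in map(LISTENER.match, netstat_text.splitlines()) if m]

def load_insecure_list(csv_text):
    """| inputlookup insecure_list  ->  {port: service}"""
    return {row["port"]: row["service"] for row in csv.DictReader(io.StringIO(csv_text))}

def insecure_listeners(hostname, netstat_text, insecure_csv, include_loopback=False):
    """index=endpoint_log [| inputlookup insecure_list | fields port, service]
    | table hostname, port, service  -- joined on port, service taken from the lookup.
    Sockets bound only to loopback are not reachable from the network, so they are
    skipped unless include_loopback is set."""
    insecure = load_insecure_list(insecure_csv)
    findings = []
    for sock in netstat_listeners(netstat_text):
        if sock["port"] not in insecure:
            continue
        if not include_loopback and sock["addr"] in ("127.0.0.1", "::1"):
            continue
        findings.append({"hostname": hostname, "port": int(sock["port"]),
                         "service": insecure[sock["port"]], "proto": sock["proto"]})
    return findings

if __name__ == "__main__":
    for finding in insecure_listeners("web01", NETSTAT_LOG, INSECURE_LIST):
        print(finding)
```

On the sample, telnet on 0.0.0.0:23 and tftp on udp 69 are reported, ssh and http are not in the list, and the ftp daemon on 127.0.0.1:21 only appears when include_loopback=True.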

Detection of Possible Application Attacks

Since insider threats are on the rise these days, it is quite possible for insiders to conduct attacks on applications, such as Cross-Site Scripting (XSS), SQL injection, etc. We can detect these kinds of application attacks in Splunk. The log source in this case is the application logs, and we look for known attack patterns in them. Please note that there are many attack patterns for these two attacks; I am not monitoring all of them, and in this article I am showing only these two types of attacks. Most sorts of attacks can be monitored in Splunk.

Monitoring of XSS

One well-known payload used to test for XSS is <script>alert('XSS attack')</script>. If all interactions with an application are logged, it is easy to find such a payload in the logs, as below:

source=/var/log/myapplication.log "<script>" OR "</script>" | table attacker_location, ip, category

This looks for the script tag, case-insensitively, in the application logs. Real payloads are often URL-encoded or use other tags and event handlers (for example an img tag with an onerror attribute), so this literal match catches only the most naive attempts. My application logs have an attacker_location field, which states whether the request came from an insider or not, and an ip field, which holds the proxy's address. These results then have to be checked against the proxy logs to find the actual client IP that sent the payload containing the script tag.

Monitoring for SQL Injection

Another well-known application attack, around for decades, is SQL injection. Common SQL injection payloads look like:

id=' or '1'='1
employee'; drop table employee;--

These payloads can be monitored in Splunk provided all interactions are logged:

source=/var/log/application.log ("'" AND "=") OR ("'" AND ";") OR drop OR "--" | table ip

This query looks for a quote together with an equals sign, or a quote together with a semicolon. Since attackers sometimes exploit SQL injection to drop tables at the backend, it also looks for the drop keyword and for --, which comments out the rest of the SQL statement. Two caveats: Splunk does not index bare punctuation as search terms, so the quote and -- terms are not reliably searchable this way and a regex over _raw is more dependable; and a quote-plus-equals match will fire on plenty of ordinary traffic, so tune it against your own application's logs before alerting on it.
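The XSS and SQL injection searches above run in Python, as an added example that is not code from the article. It scans constructed application log lines, then resolves each hit against constructed proxy log lines to recover the real client address, the follow-up step the XSS section describes. It goes a little beyond the article's literal matches: request values are URL-decoded first (twice, to catch double encoding) and the XSS signatures also cover event-handler attributes and javascript: URLs. The log formats and the field names ip, attacker_location, category, path, client and url are assumptions made for the example.

```python
# Added example (not from the article): XSS / SQL injection signatures over
# constructed application log lines, with the real client recovered from
# constructed proxy log lines.  All field names and formats are assumptions.
import re
from urllib.parse import unquote_plus

APP_LOG = """\
2016-06-10T10:00:01Z ip=10.1.2.10 attacker_location=insider category=search path="/search?q=%3Cscript%3Ealert%28%27XSS%20attack%27%29%3C%2Fscript%3E"
2016-06-10T10:00:02Z ip=10.1.2.10 attacker_location=insider category=login path="/login?id=%27+or+%271%27%3D%271"
2016-06-10T10:00:03Z ip=198.51.100.7 attacker_location=outsider category=hr path="/employee?name=employee%27%3B+drop+table+employee%3B--"
2016-06-10T10:00:04Z ip=10.1.2.10 attacker_location=insider category=search path="/search?q=splunk+dashboards"
2016-06-10T10:00:05Z ip=10.1.2.10 attacker_location=insider category=search path="/search?q=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"
"""
PROXY_LOG = """\
2016-06-10T10:00:01Z client=10.1.5.23 url="http://app.internal/search?q=%3Cscript%3Ealert%28%27XSS%20attack%27%29%3C%2Fscript%3E"
2016-06-10T10:00:02Z client=10.1.5.31 url="http://app.internal/login?id=%27+or+%271%27%3D%271"
2016-06-10T10:00:04Z client=10.1.5.23 url="http://app.internal/search?q=splunk+dashboards"
2016-06-10T10:00:05Z client=10.1.5.23 url="http://app.internal/search?q=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"
"""

SIGNATURES = {
    "xss": [r"<\s*/?\s*script\b", r"\bon[a-z]+\s*=", r"javascript\s*:"],
    # quote then or/and, quote+equals, quote+semicolon, DROP TABLE, SQL comment
    "sqli": [r"'\s*(or|and)\b", r"'\s*=", r"'\s*;", r"\bdrop\s+table\b", r"--"],
}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """'<timestamp> k=v k="v with spaces" ...' -> dict, timestamp under _time."""
    fields = {"_time": line.split()[0]}
    for key, quoted, bare in KV.findall(line):
        fields[key] = quoted if quoted else bare
    return fields

def normalise(value):
    """URL-decode twice (double encoding is a common filter bypass) and lowercase."""
    return unquote_plus(unquote_plus(value)).lower()

def classify(value):
    """Attack classes whose signatures match the decoded value ([] when clean)."""
    text = normalise(value)
    return [attack for attack, patterns in SIGNATURES.items()
            if any(re.search(pattern, text) for pattern in patterns)]

def resolve_client(event, proxy_events):
    """The application only sees the proxy's ip; the proxy log line for the same
    request (same timestamp, same path at the end of the url) has the real client."""
    for proxy in proxy_events:
        if proxy["_time"] == event["_time"] and proxy["url"].endswith(event["path"]):
            return proxy["client"]
    return None  # did not come through the proxy, e.g. an outsider hitting the app directly

def detect_attacks(app_log, proxy_log):
    """... | table attacker_location, ip, category, plus the attack class and client."""
    proxy_events = [parse_line(l) for l in proxy_log.splitlines() if l.strip()]
    findings = []
    for line in app_log.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for attack in classify(event["path"]):
            findings.append({"attack": attack, "attacker_location": event["attacker_location"],
                             "ip": event["ip"], "category": event["category"],
                             "client": resolve_client(event, proxy_events)})
    return findings

if __name__ == "__main__":
    for finding in detect_attacks(APP_LOG, PROXY_LOG):
        print(finding)
```

The benign search on line 4 produces no finding; the outsider's request on line 3 is flagged but has no proxy match, so client stays None, which is itself worth an alert if every legitimate client is supposed to come through the proxy.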

Missing Log Source/Host

Log sources are the feeds for any SIEM solution. Most SIEM solutions these days come with an agent-manager deployment model, which means that a lightweight agent is installed on every log source to collect logs and pass them to a manager for analysis. An attacker, after gaining control of a compromised machine or account, tends to stop such agent services so that their unauthorized and illegitimate activity goes unnoticed.

To counter this, the SIEM should be configured to raise an alert if a host stops forwarding logs for longer than a threshold. For example, the search (SPL) below raises an alert in Splunk if a host has not forwarded logs for more than one hour:

| metadata type=hosts | where recentTime < now() - 3600 | convert ctime(recentTime) as "Last time the log source reported" | rename host as "Log Source" | table "Log Source" "Last time the log source reported"
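The missing-log-source check as an added Python example that is not code from the article: last_seen_by_host() computes what | metadata type=hosts reports as recentTime (the newest event time per host) and silent_hosts() is the where/convert/rename part of the search. Event times and host names are constructed. The expected-hosts inventory in missing_hosts() is an addition for the example, because metadata only knows hosts that have already indexed data, so a host that never reported cannot show up in the search above.

```python
# Added example (not from the article): the missing-log-source check in Python.
# last_seen_by_host() models `| metadata type=hosts` (recentTime per host) and
# silent_hosts() models `| where recentTime < now() - 3600 | convert ctime(...)`.
# Event times are constructed; the expected-hosts inventory is an assumption added here.
from datetime import datetime, timedelta

NOW = datetime(2016, 6, 10, 12, 0, 0)
EVENTS = [  # (host, _time) of indexed events
    ("win7-lab", datetime(2016, 6, 10, 11, 58)),
    ("win7-lab", datetime(2016, 6, 10, 11, 59)),
    ("dc01", datetime(2016, 6, 10, 10, 30)),     # last seen 89 minutes ago
    ("dc01", datetime(2016, 6, 10, 10, 31)),
    ("fw-edge", datetime(2016, 6, 10, 11, 1)),   # 59 minutes ago: inside the threshold
]

def last_seen_by_host(events):
    """| metadata type=hosts  ->  {host: recentTime}"""
    recent = {}
    for host, when in events:
        if host not in recent or when > recent[host]:
            recent[host] = when
    return recent

def silent_hosts(events, now=NOW, threshold_seconds=3600):
    """| where recentTime < now() - 3600 | convert ctime(recentTime) as "Last time the
    log source reported" | rename host as "Log Source" | table ..."""
    cutoff = now - timedelta(seconds=threshold_seconds)
    return [{"Log Source": host,
             "Last time the log source reported": seen.strftime("%m/%d/%Y %H:%M:%S"),
             "silent_minutes": int((now - seen).total_seconds() // 60)}
            for host, seen in sorted(last_seen_by_host(events).items()) if seen < cutoff]

def missing_hosts(events, expected_hosts, now=NOW, threshold_seconds=3600):
    """Silent hosts plus inventory hosts that never sent anything: metadata only
    knows hosts with indexed data, so a machine whose agent was stopped before its
    first event, or one never onboarded, is only caught against an expected list."""
    rows = silent_hosts(events, now, threshold_seconds)
    for host in sorted(set(expected_hosts) - set(last_seen_by_host(events))):
        rows.append({"Log Source": host, "Last time the log source reported": "never",
                     "silent_minutes": None})
    return rows

if __name__ == "__main__":
    for row in missing_hosts(EVENTS, ["win7-lab", "dc01", "fw-edge", "web01"]):
        print(row)
```

With the one-hour threshold only dc01 is reported from the indexed data; web01 appears only because the inventory says it should exist, which is the gap a pure metadata search leaves open.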


As soon as an alert is received with the IP address or hostname of the machine under attack, the Incident Response Team (IRT) can start mitigating the issue.

So, as you can see, virtually every type of data can be monitored in Splunk. What has come to the rescue of a lot of developers is the many new apps that parse proprietary log formats for you, so that you only have to run the searches.