Skip to main content
 
Splunk Lantern

Microsoft

 

Microsoft helps your organization reach its full potential by relying on an integrated and open cloud platform that spans six critical areas—security, infrastructure, digital and app innovation, data and AI, business applications, and modern work. Azure can help you migrate, modernize, and maximize your cloud and on-premises investments. Microsoft 365 can help you reduce costs – but not productivity – and centralize your business. Additional services, such as Exchange, Hyper-V, and IIS Web Server help you keep your business running smoothly.

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 

Getting data in

Source Add-ons and Apps Guidance
Windows

Splunk platform

Microsoft Windows security logs have over 400 loggable events. We recommend following Microsoft’s official guidance for “Stronger” security visibility. The Audit Policy Recommendations page from Microsoft TechNet provides detailed configuration settings per operating system from Windows 7 / Server 2008 and later. In the Common Information Model, Windows security log data can be mapped to any of the following data models, depending on the field: AuthenticationPerformanceUpdatesVulnerabilitiesEndpointEvent Signatures, and Change.

Windows process launch logs are a subset of security audit logs that track program activation, process exit, handle duplication, and indirect object access. The most common events related to process launches are:

Windows Event logs contain important events relating to applications, system services and the operating system. The events describe errors, warnings or information details about activity taking place on each system. This information is used to monitor and troubleshoot each system. In the Common Information Model, Windows event logs can be mapped to any of the following data models, depending on the field: EndpointInventoryUpdatesChangePerformance.

Configuration

Use Cases

Active Directory

Splunk platform

Splunk SOAR

Configuration

Use Cases

Azure

Splunk SOAR

Configuration

Use Cases

Cloud Services

Splunk platform

Configuration

Exchange

Splunk platform

Splunk SOAR

Configuration

Hyper-V

Splunk platform

Configuration

IIS Web Server

Splunk platform

Microsoft Internet Information Services (IIS) is an extensible web server software with a large number of features. IIS can be:

  • used to host ASP.NET web applications and static websites.
  • used as an FTP server, host WCF services.
  • extended to host web applications built on other platforms such as PHP.
  • used with built-in authentication options such as Basic, ASP.NET, and Windows auth.
  • managed via the CLI or using PowerShell. 
  • used to produce IIS websites with a number of tools, including WebDav and Microsoft Visual Studio.

In the Common Information Model, Microsoft IIS data is typically mapped to the Web data model. 

Configuration

Use Cases

Microsoft 365

Splunk platform

Splunk SOAR

Microsoft Office 365 produces service status, service messages, and management activity logs that are all useful for system administrators. In the Common Information Model, Microsoft O365 data can be mapped to any of the following data models: AuthenticationChangeData Access

Microsoft O365 reporting data allows you to determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status. These logs also provide the following information:

  • Message size
  • Message ID
  • To IP
  • From IP
  • Date

Configuration

Use Cases

SQL Server

Splunk platform

Splunk SOAR

Configuration

Sysmon

Splunk platform

Microsoft Sysmon, a component of Microsoft’s Sysinternals suite of Windows utilities, is a powerful host-level tool that can assist you in detecting advanced threats on your network by providing intricate host-operation details in real time. In contrast to common Antivirus/Host-Based Intrusion-detection (HIDS) solutions, Sysmon performs system activity deep monitoring and logs high-confidence indicators of advanced attacks. 

Sysmon is capable of producing extensive details that are useful in the early detection of malicious code execution or other nefarious behavior. These include:

  • Process executions, including parent/child relationships, user that launched process, and hash data
  • File creations
  • File creation time changes
  • Network activity, down to the process level
  • Image loads
  • Creation of  remote threads
  • Interprocess accesses
  • Windows registry modifications
  • NTFS alternate data stream (ADS) creations
  • Pipe creations and connections
  • WMI event monitoring

Use Cases

System Center

Splunk platform

Splunk SOAR

Configuration

Teams

Splunk platform

Microsoft Teams Add-on for Splunk

Configuration