Microsoft

Splunk platform

• Splunk Add-on for Microsoft Windows

Microsoft Windows security logs have over 400 loggable events. We recommend following Microsoft’s official guidance for “Stronger” security visibility. The Audit Policy Recommendations page from Microsoft TechNet provides detailed configuration settings per operating system from Windows 7 / Server 2008 and later. In the Common Information Model, Windows security log data can be mapped to any of the following data models, depending on the field: Authentication, Performance, Updates, Vulnerabilities, Endpoint, Event Signatures, and Change.

Windows process launch logs are a subset of security audit logs that track program activation, process exit, handle duplication, and indirect object access. The most common events related to process launches are:

• 4688(S): A new process has been created.
• 4696(S): A primary token was assigned to process.

Windows Event logs contain important events relating to applications, system services and the operating system. The events describe errors, warnings or information details about activity taking place on each system. This information is used to monitor and troubleshoot each system. In the Common Information Model, Windows event logs can be mapped to any of the following data models, depending on the field: Endpoint, Inventory, Updates, Change, Performance.

Configuration

• Splunk Add-on for Microsoft Windows
• Splunk Add-on for Microsoft Security

Use Cases

• Maintaining Microsoft Windows systems
• Monitoring Windows account access
• Detecting the use of randomization in cyberattacks
• Detecting Netsh attacks
• Creating a timebound picture of network activity
• Investigating a ransomware attack
• Recovering lost visibility of IT infrastructure
• Managing printers in a Windows environment
• Identifying new Windows local admin accounts
• Running common General Data Protection Regulation (GDPR) compliance searches
• Detecting brute force access behavior
• Visualizing processes and their parent/child relationships
• Detecting print spooler attacks with Splunk Enterprise Security
• Recognizing improper use of system administration tools with Splunk Security Essentials
• Using ingest actions to filter Windows event logs

Splunk platform

• Splunk Supporting Add-on for Active Directory

Splunk SOAR

• AD LDAP
• MS Graph for Active Directory

Use Cases

• Detecting password spraying attacks within Active Directory environments
• Detecting cloud federated credential abuse in Microsoft Office and Azure Active Directory

Splunk SOAR

• Microsoft Azure SQL
• Microsoft Azure Compute

Configuration

• Microsoft Azure Services in Splunk Observability Cloud
• Getting started with Microsoft Azure Event Hub data

Use Cases

• Managing Azure cloud infrastructure

Splunk platform

• Splunk Add-on for Microsoft Cloud Services

Configuration

• Splunk Add-on for Microsoft Cloud Services

Splunk platform

• Splunk Add-on for Microsoft Exchange
• Splunk Add-on for Microsoft Exchange Indexes

Splunk SOAR

• Microsoft Exchange On-Premise EWS

Configuration

• Splunk Add-on for Microsoft Exchange

Splunk platform

• Splunk Add-on for Microsoft Hyper-V

Configuration

• Splunk Add-on for Microsoft Hyper-V

Splunk platform

• Splunk Add-on for Microsoft IIS
• Inputs generator for the Add-on for IIS

Microsoft Internet Information Services (IIS) is an extensible web server software with a large number of features. IIS can be:

• used to host ASP.NET web applications and static websites.
• used as an FTP server, host WCF services.
• extended to host web applications built on other platforms such as PHP.
• used with built-in authentication options such as Basic, ASP.NET, and Windows auth.
• managed via the CLI or using PowerShell. 
• used to produce IIS websites with a number of tools, including WebDav and Microsoft Visual Studio.

In the Common Information Model, Microsoft IIS data is typically mapped to the Web data model. 

Configuration

• Splunk Add-on for Microsoft IIS
• Collecting Microsoft Windows IIS data in Splunk Observability Cloud

Use Cases

• Reconstructing a website defacement
• Managing web server performance
• Monitoring web application performance
• Monitoring NIST SP 800-53 rev5 control families
• Identifying slowly loading web pages
• Identifying web users by country

Splunk platform

• Splunk Add-on for Microsoft Office 365
• Splunk Add-on for Microsoft Security

Splunk SOAR

• Microsoft 365 Defender
• Microsoft Teams
• Microsoft OneDrive

Microsoft Office 365 produces service status, service messages, and management activity logs that are all useful for system administrators. In the Common Information Model, Microsoft O365 data can be mapped to any of the following data models: Authentication, Change, Data Access. 

Microsoft O365 reporting data allows you to determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status. These logs also provide the following information:

• Message size
• Message ID
• To IP
• From IP
• Date

Configuration

• Splunk Add-on for Microsoft Office 365

Use Cases

• Detecting Office 365 attacks
• Managing O365 workloads
• Detecting cloud federated credential abuse in Microsoft Office and Azure Active Directory
• Verifying multifactor authentication usage with Splunk Enterprise Security

Splunk platform

• Splunk Add-on for Microsoft SQL Server
• Splunk DBX Add-on for Microsoft SQL Server JDBC

Splunk SOAR

• Microsoft SQL Server

Configuration

• Splunk Add-on for Microsoft SQL Server

Splunk platform

• Splunk Add-on for Sysmon

Microsoft Sysmon, a component of Microsoft’s Sysinternals suite of Windows utilities, is a powerful host-level tool that can assist you in detecting advanced threats on your network by providing intricate host-operation details in real time. In contrast to common Antivirus/Host-Based Intrusion-detection (HIDS) solutions, Sysmon performs system activity deep monitoring and logs high-confidence indicators of advanced attacks. 

Sysmon is capable of producing extensive details that are useful in the early detection of malicious code execution or other nefarious behavior. These include:

• Process executions, including parent/child relationships, user that launched process, and hash data
• File creations
• File creation time changes
• Network activity, down to the process level
• Image loads
• Creation of  remote threads
• Interprocess accesses
• Windows registry modifications
• NTFS alternate data stream (ADS) creations
• Pipe creations and connections
• WMI event monitoring

Use Cases

• Reconstructing a website defacement
• Investigating a ransomware attack
• Detecting Netsh attacks
• Checking for files created on a system
• Monitoring DNS queries
• Visualizing processes and their parent/child relationships
• Detecting indicators of Remcos RAT malware
• Detecting print spooler attacks with Splunk Enterprise Security
• Monitoring for signs of a Windows privilege escalation attack with Splunk Enterprise Security
• Monitoring command line interface actions with Splunk Enterprise Security

Splunk platform

• Splunk Add-on for Microsoft System Center Operations Manager

Splunk SOAR

• Microsoft SCOM
• Microsoft SCCM

Configuration

• Splunk Add-on for Microsoft SCOM

Splunk platform

Microsoft Teams Add-on for Splunk

Configuration

• Getting started with the Microsoft Teams Add-on for Splunk
• Getting started with Microsoft Teams call record data
• Getting started with Microsoft Teams call record data and Azure Functions