Microsoft recommended application log events
A solid event log monitoring system is a crucial part of any secure Windows environment or Active Directory design. Many computer security compromises could be discovered early if the victims enacted appropriate event log monitoring and alerting. This search leverages application monitoring recommendations provided by Microsoft to identify whether an event should be considered of low, medium, or high criticality in detecting attacks and errors.
Data required
Microsoft: Windows update logs
Procedure
- In Splunk Enterprise or Splunk Cloud Platform, verify that you have deployed the Splunk Add-on for Microsoft Windows to your search heads, indexers, and the universal forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=WinEventLog [| inputlookup app_log_evt_code_desc WHERE LogName="Application" | stats values(EventCode) AS EventCode BY LogName | format] | fields _time,host,LogName,EventCode,signature,signature_severity | stats max(_time) AS l_time, dc(host) AS host_count,last(host) AS l_host,count BY LogName,EventCode,signature,signature_severity | table count,LogName,EventCode,signature,signature_severity | append [| inputlookup ms_ad_obj_evt_code_desc | eval count=0 | table LogName,EventCode,signature,signature_severity] | stats max(count) AS Total_Events BY LogName,EventCode,signature_severity,signature | fillnull value="0" Total_Events | sort -Total_Events
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `sourcetype=WinEventLog` | Search only Windows event logs. |
| `[\| inputlookup app_log_evt_code_desc WHERE LogName="Application" \| stats values(EventCode) AS EventCode BY LogName \| format]` | Get a list of recommended EventCode IDs from a lookup table and match the codes to the events. You can add IDs to the table if needed. The lookup is then leveraged in a subsearch against your Windows events across multiple dashboards, reports, and alerts. By leveraging this approach, you can easily create scheduled reports or alerts for when any of the recommended event IDs appear in your data. |
| `\| fields _time,host,LogName,EventCode,signature,signature_severity` | Include only the fields shown in the results. |
| `\| stats max(_time) AS l_time, dc(host) AS host_count,last(host) AS l_host,count BY LogName,EventCode,signature,signature_severity` | Return the last time, the number of distinct hosts, the last host, and the count of occurrences for each event. |
| `\| table count,LogName,EventCode,signature,signature_severity` | Display the results in a table with columns in the order shown. |
| `\| append [\| inputlookup ms_ad_obj_evt_code_desc \| eval count=0 \| table LogName,EventCode,signature,signature_severity]` | Append the event code IDs from the related lookup file with a count of 0, so that recommended codes with no matching events still appear in the results. |
| `\| stats max(count) AS Total_Events BY LogName,EventCode,signature_severity,signature` | Keep the highest count for each combination of LogName, EventCode, severity, and signature: the real count where one exists, otherwise the appended 0. |
| `\| fillnull value="0" Total_Events` | Set the Total_Events field to 0 if null. This will be a rare occurrence. |
| `\| sort -Total_Events` | Sort with the event with the highest count first. |
Next steps
The following table shows sample search results. It shows what events took place, ordered by count of events (Total_Events). The other columns give descriptions of the events. From the table, you can decide what to further summarize or pay attention to.
| LogName | EventCode | severity | Event_Type | signature | Total_Events |
|---|---|---|---|---|---|
While the search provided above gives a full picture of event codes that occur in your network, you might find a targeted search for risky errors more useful. After understanding the general state of your applications, you could run the following search to identify specific computers and users who are linked to application logs that can benefit from further investigation:
sourcetype=wineventlog (Type=ERROR OR severity=high) | stats count BY Type severity ComputerName User
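The two searches on this page are easiest to reason about when their pipeline semantics can be checked offline. The following added example (not code from the Splunk page or from the Splunk Add-on for Microsoft Windows) models both the full recommended-event summary from the Search explanation table and the targeted error search above in plain Python, over a constructed lookup and a constructed set of WinEventLog-style events. It assumes that the `signature` and `signature_severity` fields come from the lookup row for each event code (in Splunk they are populated by the add-on), that the appended zero-count rows come from the same lookup, and that `severity` in the targeted search is that same `signature_severity` value; the lookup names, event codes, hosts and users are all constructed samples.

```python
"""Added example (not from the Splunk page): a plain-Python model of the two
searches on this page, run over constructed sample data so the pipeline
semantics (lookup-driven filter, per-code counts, zero-count rows via append,
fillnull, sort, and the stats BY behaviour of the targeted search) can be
checked offline without a Splunk instance."""
from collections import Counter

# Constructed stand-in for the app_log_evt_code_desc lookup. Codes, signatures
# and severities are illustrative, not Microsoft's recommendation list.
APP_LOG_LOOKUP = [
    {"LogName": "Application", "EventCode": "1000", "signature": "Application crash (hypothetical)", "signature_severity": "medium"},
    {"LogName": "Application", "EventCode": "1001", "signature": "Error reporting (hypothetical)", "signature_severity": "low"},
    {"LogName": "Application", "EventCode": "1002", "signature": "Application hang (hypothetical)", "signature_severity": "high"},
    {"LogName": "System", "EventCode": "7045", "signature": "Service installed (hypothetical)", "signature_severity": "high"},
]

# Constructed WinEventLog-style events. Code 1002 never occurs, code 9999 is
# not in the lookup, and 7045 lives in the System log; each case exercises a
# different branch of the searches.
EVENTS = [
    {"_time": 1700000000, "host": "ws01", "LogName": "Application", "EventCode": "1000", "Type": "Error", "ComputerName": "ws01", "User": "alice"},
    {"_time": 1700000060, "host": "ws02", "LogName": "Application", "EventCode": "1000", "Type": "Error", "ComputerName": "ws02", "User": "bob"},
    {"_time": 1700000120, "host": "ws01", "LogName": "Application", "EventCode": "1001", "Type": "Information", "ComputerName": "ws01", "User": "alice"},
    {"_time": 1700000180, "host": "ws03", "LogName": "Application", "EventCode": "9999", "Type": "Error", "ComputerName": "ws03", "User": "carol"},
    {"_time": 1700000240, "host": "ws02", "LogName": "Application", "EventCode": "1001", "Type": "Warning", "ComputerName": "ws02", "User": "bob"},
    {"_time": 1700000300, "host": "ws03", "LogName": "System", "EventCode": "7045", "Type": "Information", "ComputerName": "ws03", "User": "SYSTEM"},
]


def _lookup_index(lookup):
    """Index lookup rows by (LogName, EventCode) so events can be enriched
    with signature and signature_severity (assumption: the add-on does this)."""
    return {(r["LogName"], r["EventCode"]): r for r in lookup}


def recommended_event_summary(events, lookup):
    """Model of the main search: count recommended Application-log event codes,
    append every lookup row with count 0 so codes that never fired still
    appear, keep max(count) per key, and sort descending by Total_Events."""
    index = _lookup_index(lookup)
    # Subsearch: the EventCode values from lookup rows with LogName="Application".
    # After `format` the generated filter is (EventCode=... OR ...) AND LogName="Application".
    wanted = {r["EventCode"] for r in lookup if r["LogName"] == "Application"}
    counts = Counter()
    for ev in events:
        if ev["LogName"] != "Application" or ev["EventCode"] not in wanted:
            continue
        row = index[(ev["LogName"], ev["EventCode"])]
        counts[(ev["LogName"], ev["EventCode"], row["signature"], row["signature_severity"])] += 1
    # append + stats max(count): a real count wins over the appended 0, and a
    # code with no events keeps 0. fillnull is a no-op in this model because
    # every key now has a count.
    for r in lookup:
        counts.setdefault((r["LogName"], r["EventCode"], r["signature"], r["signature_severity"]), 0)
    rows = [
        {"LogName": k[0], "EventCode": k[1], "signature": k[2],
         "signature_severity": k[3], "Total_Events": n}
        for k, n in counts.items()
    ]
    # sort -Total_Events; ties are broken by LogName/EventCode for determinism.
    rows.sort(key=lambda r: (-r["Total_Events"], r["LogName"], r["EventCode"]))
    return rows


def risky_events(events, lookup):
    """Model of the targeted search: keep events with Type=ERROR or
    severity=high and count them BY Type, severity, ComputerName, User.
    Splunk field-value matching is case-insensitive, so "Error" matches
    Type=ERROR. Events missing any BY field (here: no severity because the
    code is not in the lookup) are dropped, as Splunk's stats BY does."""
    index = _lookup_index(lookup)
    counts = Counter()
    for ev in events:
        row = index.get((ev["LogName"], ev["EventCode"]))
        severity = row["signature_severity"] if row else None
        if not (ev["Type"].lower() == "error" or (severity or "").lower() == "high"):
            continue
        if severity is None:
            continue  # stats BY severity drops events that have no severity field
        counts[(ev["Type"], severity, ev["ComputerName"], ev["User"])] += 1
    rows = [{"Type": k[0], "severity": k[1], "ComputerName": k[2], "User": k[3], "count": n}
            for k, n in counts.items()]
    rows.sort(key=lambda r: (-r["count"], r["ComputerName"], r["User"]))
    return rows


if __name__ == "__main__":
    for r in recommended_event_summary(EVENTS, APP_LOG_LOOKUP):
        print(r)
    for r in risky_events(EVENTS, APP_LOG_LOOKUP):
        print(r)
```

Two details of the real searches show up in the model's output. First, the appended lookup rows are not restricted to the Application log, so a System-log code from the lookup (7045 here) is reported with Total_Events 0 even though it occurred, because the main search's subsearch filter only matched Application events; keep the two lookups consistent with the LogName filter if that matters to you. Second, `stats count BY ... severity` silently drops any event without a severity value, so an error from a code that is not in your lookup (9999 here) never reaches the targeted results; if you want those, add the code to the lookup or remove `severity` from the BY clause.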
You can save the search and results as a dashboard, a report (saved search), or an alert, and associate an action with the event, such as opening a ticket or sending a notification to the on-call help desk for rapid action.
Finally, you might be interested in other processes associated with the Maintaining Microsoft Windows systems use case.