Skip to main content

 

Splunk Lantern

Microsoft recommended application log events

 

A solid event log monitoring system is a crucial part of any secure Windows environment or Active Directory design. Many computer security compromises could be discovered early if the victims enacted appropriate event log monitoring and alerting. This search leverages application monitoring recommendations provided by Microsoft to identify whether an event should be considered of low, medium, or high criticality in detecting attacks and errors.

Data required 

Windows update logs

Procedure

  1. Verify that you deployed the Splunk Add-on for Microsoft Windows add-on to your search heads, indexer, and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=WinEventLog  
    [| inputlookup app_log_evt_code_desc WHERE LogName=""Application"" 
    | stats values(EventCode) AS EventCode BY LogName 
    | format] 
| fields _time,host,LogName,EventCode,signature,signature_severity 
| stats max(_time) AS l_time, dc(host) AS host_count,last(host) AS l_host,count BY LogName,EventCode,signature,signature_severity 
| table count,LogName,EventCode,signature,signature_severity 
| append 
    [| inputlookup ms_ad_obj_evt_code_desc 
    | eval count=0 
    | table LogName,EventCode,signature,signature_severity] 
| stats max(count) AS Total_Events BY LogName,EventCode,signature_severity,signature 
| fillnull value=""0"" Total_Events 
| sort -Total_Events

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=WinEventLog 

Search only Windows event logs.

[| inputlookup app_log_evt_code_desc WHERE LogName=""Application"" 
    | stats values(EventCode) AS EventCode BY LogName 
    | format] 
 

Get a list of recommended EventCode IDs from a lookup table and match the codes to the events.

You can add IDs to the table if needed. The lookup is then leveraged in a subsearch against your Windows events across multiple dashboards, reports, and alerts. By leveraging this approach, you can easily create scheduled reports or alerts for when any of the recommended event IDs appear in your data.
For example, if you want to create an alert for high severity events, such as Application Error, Application Hang, or Update Failures, you can add (WHERE severity="High") to the lookup table in the search:
| inputlookup app_log_evt_code_desc WHERE LogName="Application" AND severity="High".

| fields _time,host,LogName,EventCode,signature,signature_severity  Include only the fields shown in the results.
| stats max(_time) AS l_time, dc(host) AS host_count,last(host) AS l_host,count BY LogName,EventCode,signature,signature_severity Return times and distinct counts that these events occurred on your hosts. 
| table count,LogName,EventCode,signature,signature_severity  Display the results in a table with columns in the order shown.
| append 
    [| inputlookup ms_ad_obj_evt_code_desc 
    | eval count=0 
    | table LogName,EventCode,signature,signature_severity] 
Append data from any related lookup files for the same event code IDs.
| stats max(count) AS Total_Events BY LogName,EventCode,signature_severity,signature  Provide a count for each event and sort the results first by LogName and then by other fields.
| fillnull value=""0"" Total_Events  Set the Total_Events field to 0 if null. This will be a rare occurrence.
| sort -Total_Events Sort with the event with the highest count first.

Next steps

The following table shows sample search results. It shows what events took place, ordered by count of events (Total_Events). The other columns give descriptions of the events. From the table, you can decide what to further summarize or pay attention to.  

LogName EventCode severity Event_Type signature Total_Events

Security

4624

informational

Information

An account was successfully logged on

52480

Security

4625

informational

Information

An account failed to log on

24504

Application

1001

informational

Information

Windows Error Reporting

9856

Security

5136

informational

Active Directory Domain Services

A directory service object was modified

8024

Application

1001

medium

Warning

Windows Error Reporting

1696

While the search provided above gives a full picture of event codes that occur in your network, you might find a targeted search for risky errors more useful. After understanding the general state of your applications, you could run the following search to identify specific computers and users who are linked to application logs that can benefit from further investigation:

sourcetype=wineventlog Type=ERROR OR severity=high 
|stats count BY Type severity ComputerName User

You can save the search and results as a dashboard, a report (saved search), or as an alert and associate an action with the event, such as opening a ticket or sending a notification to the on call help desk for rapid action. 

Finally, you might be interested in other processes associated with the Maintaining Microsoft Windows systems use case.