You might want to examine logs from high-frequency Microsoft application events when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Windows update logs
- Splunk Add-on for Microsoft Windows
Example
A solid event log monitoring system is a crucial part of any secure Windows environment or Active Directory design. Many computer security compromises could be discovered early if the victims enacted appropriate event log monitoring and alerting. This search leverages application monitoring recommendations provided by Microsoft to identify whether an event should be considered of low, medium, or high criticality in detecting attacks and errors.
NOTE: To optimize the search shown below, you should specify an index and a time range.
- Verify that you deployed the add-on to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
- Run the following search:
sourcetype=WinEventLog
|stats count BY EventCode LogName severity Type signature
|rename count AS Total_Events Type AS Event_Type
|fillnull value=0 Total_Events
|sort - Total_Events
|table LogName EventCode severity Event_Type signature Total_Events
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
| --- | --- |
| `sourcetype=WinEventLog` | Search only Windows event logs. |
| `\|stats count BY EventCode LogName severity Type signature` | Count the number of times each event combination occurred. |
| `\|rename count AS Total_Events Type AS Event_Type` | Rename the fields as shown for better readability. |
| `\|fillnull value=0 Total_Events` | Set the Total_Events field to 0 if null. This will be a rare occurrence. |
| `\|sort - Total_Events` | Sort with the most frequently occurring result combination first. |
| `\|table LogName EventCode severity Event_Type signature Total_Events` | Display the results in a table with columns in the order shown. |
Result
The following table shows sample search results. It shows what events took place, ordered by count of events (Total_Events). The other columns give descriptions of the events. From the table, you can decide what to further summarize or pay attention to.
| LogName | EventCode | severity | Event_Type | signature | Total_Events |
| --- | --- | --- | --- | --- | --- |
| Security | 4624 | informational | Information | An account was successfully logged on | 52480 |
| Security | 4625 | informational | Information | An account failed to log on | 24504 |
| Application | 1001 | informational | Information | Windows Error Reporting | 9856 |
| Security | 5136 | informational | Active Directory Domain Services | A directory service object was modified | 8024 |
| Application | 1001 | medium | Warning | Windows Error Reporting | 1696 |
While the search provided above gives a full picture of event codes that occur in your network, you might find a targeted search for risky errors more useful. After understanding the general state of your applications, you could run the following search to identify specific computers and users who are linked to application logs that can benefit from further investigation:
sourcetype=wineventlog (Type=ERROR OR severity=high)
|stats count by Type severity ComputerName User
You can save the search and results as a dashboard, a report (saved search), or an alert. An alert can be associated with an action, such as opening a ticket or sending a notification to the on-call help desk for rapid action.
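As an added example that is not part of the original article, the targeted search above turned into a scheduled, throttled alert in savedsearches.conf. The stanza name, the 15-minute schedule, the one-hour suppression window and the recipient address are assumptions for illustration; the search itself is the one from this article.

```ini
# Assumed stanza name; the search is the targeted error search from this article.
[Windows - error or high-severity events by host and user]
search = sourcetype=wineventlog (Type=ERROR OR severity=high) | stats count by Type severity ComputerName User

# Run every 15 minutes over the previous 15 minutes (assumed schedule).
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Fire whenever the stats output has at least one row.
counttype = number of events
relation = greater than
quantity = 0

# Track triggered alerts in the Triggered Alerts view with a high severity.
alert.track = 1
alert.severity = 4

# Throttle repeats for the same host and user for one hour (assumed window)
# so a chatty machine does not flood the on-call queue.
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = ComputerName,User

# Notify the on-call help desk; the address is a placeholder.
action.email = 1
action.email.to = oncall-helpdesk@example.com
action.email.subject = Windows error events on $result.ComputerName$ for $result.User$
```

Deploy the stanza in an app's local directory on the search head and confirm the search is restricted to the index you chose under the NOTE above.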