Microsoft recommended application log events

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

A solid event log monitoring system is a crucial part of any secure Windows environment or Active Directory design. Many computer security compromises could be discovered early if the victims enacted appropriate event log monitoring and alerting. This search leverages application monitoring recommendations provided by Microsoft to identify whether an event should be considered of low, medium, or high criticality in detecting attacks and errors.

Data required

Microsoft: Windows update logs

Procedure

In Splunk Enterprise or Splunk Cloud Platform, verify that you deployed the Splunk Add-on for Microsoft Windows add-on to your search heads, indexer, and universal forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=WinEventLog  
    [| inputlookup app_log_evt_code_desc WHERE LogName=""Application"" 
    | stats values(EventCode) AS EventCode BY LogName 
    | format] 
| fields _time,host,LogName,EventCode,signature,signature_severity 
| stats max(_time) AS l_time, dc(host) AS host_count,last(host) AS l_host,count BY LogName,EventCode,signature,signature_severity 
| table count,LogName,EventCode,signature,signature_severity 
| append 
    [| inputlookup ms_ad_obj_evt_code_desc 
    | eval count=0 
    | table LogName,EventCode,signature,signature_severity] 
| stats max(count) AS Total_Events BY LogName,EventCode,signature_severity,signature 
| fillnull value=""0"" Total_Events 
| sort -Total_Events

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search	Explanation
`sourcetype=WinEventLog`	Search only Windows event logs.
`[\| inputlookup app_log_evt_code_desc WHERE LogName=""Application"" \| stats values(EventCode) AS EventCode BY LogName \| format]`	Get a list of recommended EventCode IDs from a lookup table and match the codes to the events. You can add IDs to the table if needed. The lookup is then leveraged in a subsearch against your Windows events across multiple dashboards, reports, and alerts. By leveraging this approach, you can easily create scheduled reports or alerts for when any of the recommended event IDs appear in your data. For example, if you want to create an alert for high severity events, such as Application Error, Application Hang, or Update Failures, you can add (`WHERE severity="High"`) to the lookup table in the search: `\| inputlookup app_log_evt_code_desc WHERE LogName="Application" AND severity="High"`.
`\| fields _time,host,LogName,EventCode,signature,signature_severity`	Include only the fields shown in the results.
`\| stats max(_time) AS l_time, dc(host) AS host_count,last(host) AS l_host,count BY LogName,EventCode,signature,signature_severity`	Return times and distinct counts that these events occurred on your hosts.
`\| table count,LogName,EventCode,signature,signature_severity`	Display the results in a table with columns in the order shown.
`\| append [\| inputlookup ms_ad_obj_evt_code_desc \| eval count=0 \| table LogName,EventCode,signature,signature_severity]`	Append data from any related lookup files for the same event code IDs.
`\| stats max(count) AS Total_Events BY LogName,EventCode,signature_severity,signature`	Provide a count for each event and sort the results first by `LogName` and then by other fields.
`\| fillnull value=""0"" Total_Events`	Set the `Total_Events` field to 0 if null. This will be a rare occurrence.
`\| sort -Total_Events`	Sort with the event with the highest count first.

Next steps

The following table shows sample search results. It shows what events took place, ordered by count of events (Total_Events). The other columns give descriptions of the events. From the table, you can decide what to further summarize or pay attention to.

`LogName`	`EventCode`	`severity`	`Event_Type`	`signature`	`Total_Events`
`Security`	`4624`	`informational`	`Information`	`An account was successfully logged on`	`52480`
`Security`	`4625`	`informational`	`Information`	`An account failed to log on`	`24504`
`Application`	`1001`	`informational`	`Information`	`Windows Error Reporting`	`9856`
`Security`	`5136`	`informational`	`Active Directory Domain Services`	`A directory service object was modified`	`8024`
`Application`	`1001`	`medium`	`Warning`	`Windows Error Reporting`	`1696`

While the search provided above gives a full picture of event codes that occur in your network, you might find a targeted search for risky errors more useful. After understanding the general state of your applications, you could run the following search to identify specific computers and users who are linked to application logs that can benefit from further investigation:

sourcetype=wineventlog Type=ERROR OR severity=high 
|stats count BY Type severity ComputerName User

You can save the search and results as a dashboard, a report (saved search), or as an alert and associate an action with the event, such as opening a ticket or sending a notification to the on call help desk for rapid action.

Finally, you might be interested in other processes associated with the Maintaining Microsoft Windows systems use case.