Thursday, October 18, 2012

Shm00 Splunk Fu - Part 1

I'm going to start writing a series on Splunk Fu and how to use it to detect malicious/nefarious activity within your network.

The structure will vary.

I am not going to write a tutorial on installing Splunk; there are plenty of those online.

I'm going to give you specific examples for dashboards and alerts that you can create for your own environment.

Today's example will be creating a query for detecting new services that are installed on a machine.


Why is this useful?

  • If you have a Systems Engineering team, they *should* know what is being installed on the servers.
  • If something gets installed and they don't know what it is, it could be malicious.
  • If it is not malicious, it could simply be unintentional, which is another problem.
  • You can detect if malware is being installed on multiple machines, and stop a small problem from turning into a big problem.
  • After a certain sample size, you can compile a pseudo-whitelist of approved services, so you gain a better understanding of what actually exists on your servers and network.

How do I prepare?
  • Splunk needs to be on all servers.
  • GPO settings for Advanced Auditing need to be enabled for "Security System Extension" so that Event ID 4697 is logged by the Windows servers.
  • Install a driver on the machine and verify within Windows Event Viewer that the message "A service was installed in the system." is populated.

I am going to show you the way I do this; you can craft your own that works within your environment.

First, I create a button that will indicate the number of services installed, and will change colors depending on the severity.

If this is not lighting up, I don't even have to think about services being installed.

You create this panel within a dashboard by utilizing the "Single" function within Splunk's dashboard XML.

My XML looks like this:

<row>
  <single>
    <searchString>index="Windows" sourcetype=WinEventLog:System "Message=A service was installed in the system." | stats count by Service_File_Name | stats sum(count) as total_count | fillnull value=0 total_count | rangemap field=total_count low=0-0 elevated=1-3 severe=4-10000</searchString>
    <title>Number of unauthorized services installed</title>
    <earliestTime>-24h@h</earliestTime>
    <latestTime>now</latestTime>
    <option name="afterLabel">services.</option>
    <option name="beforeLabel"/>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.rangeValues">[0,1,5,100]</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">minimal</option>
    <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
    <option name="charting.layout.splitSeries">false</option>
    <option name="charting.legend.placement">right</option>
    <option name="charting.secondaryAxis.maximumNumber">""</option>
    <option name="charting.secondaryAxis.minimumNumber">""</option>
    <option name="charting.secondaryAxis.scale">""</option>
    <option name="classField">range</option>
    <option name="count">50</option>
    <option name="displayRowNumbers">true</option>
  </single>
</row>


Then, I create an additional dashboard panel that gives me the details of the installed services.

My XML for this panel looks like this:

<row>
  <table>
    <searchString>index="Windows" sourcetype=WinEventLog:System "Message=A service was installed in the system." | table _time, User, Service_File_Name, host, Message</searchString>
    <title>Detailed view of unauthorized services installed.</title>
    <earliestTime>-24h@h</earliestTime>
    <latestTime>now</latestTime>
    <option name="charting.axisTitleX.text">File Name</option>
    <option name="charting.chart.rangeValues">[-1,0,1,15]</option>
    <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
    <option name="charting.primaryAxisTitle.text"/>
    <option name="count">10</option>
    <option name="dataOverlayMode">highlow</option>
    <option name="displayRowNumbers">true</option>
  </table>
</row>
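The two panel searches above (the count/rangemap "Single" and the detail table), re-implemented in Python as an added example that is not the post's own code and not Splunk: it runs the same count-by-file, fillnull/rangemap severity and table logic offline over constructed WinEventLog-style records, so the expected panel values can be checked before the dashboard is built. Hostnames, users and service paths in the sample are invented.

```python
import re
from collections import Counter

SERVICE_INSTALLED = "A service was installed in the system."
# Constructed events in the key=value layout Splunk indexes for WinEventLog.
# Field names (User, Service_File_Name) match what Splunk auto-extracts.
SAMPLE_EVENTS = [
    "10/18/2012 09:12:03 AM\nhost=SRV01\nUser=CORP\\svc_backup\n"
    "Message=A service was installed in the system.\n"
    "Service Name:  BackupAgent\nService File Name:  C:\\Backup\\agent.exe",
    "10/18/2012 09:40:11 AM\nhost=SRV02\nUser=CORP\\jdoe\n"
    "Message=A service was installed in the system.\n"
    "Service Name:  RemoteSvc\nService File Name:  C:\\Windows\\Temp\\rsvc.exe",
    "10/18/2012 09:41:02 AM\nhost=SRV03\nUser=CORP\\jdoe\n"
    "Message=A service was installed in the system.\n"
    "Service Name:  RemoteSvc\nService File Name:  C:\\Windows\\Temp\\rsvc.exe",
    "10/18/2012 10:02:55 AM\nhost=SRV01\nUser=SYSTEM\n"
    "Message=The service entered the running state.",  # not an install
]

def parse_event(raw):
    """Turn one raw record into a dict keyed by Splunk-style field names."""
    lines = raw.split("\n")
    fields = {"_time": lines[0]}  # first line is the event timestamp
    for line in lines[1:]:
        m = re.match(r"^([\w ]+?)(?:=|:\s+)(.*)$", line)
        if m:
            fields[m.group(1).replace(" ", "_")] = m.group(2)
    return fields

def installs(events):
    """Base search: keep only the service-install events."""
    return [e for e in map(parse_event, events) if e.get("Message") == SERVICE_INSTALLED]

def count_by_file(events):
    """stats count by Service_File_Name"""
    return Counter(e.get("Service_File_Name") for e in installs(events))

def severity(events):
    """stats sum(count) as total_count | fillnull value=0 total_count | rangemap ..."""
    total = sum(count_by_file(events).values())  # sum of nothing is 0 (fillnull)
    ranges = {"low": (0, 0), "elevated": (1, 3), "severe": (4, 10000)}
    label = next((k for k, (lo, hi) in ranges.items() if lo <= total <= hi), "None")
    return total, label  # "None" is rangemap's default outside every range

def detail_table(events):
    """table _time, User, Service_File_Name, host, Message"""
    return [(e["_time"], e.get("User"), e.get("Service_File_Name"), e.get("host"), e["Message"])
            for e in installs(events)]
```

The same message text is logged by the System-log event 7045 (Service Control Manager) and by the Security-log event 4697 that the audit policy above enables, so the parse works on either as long as the Service File Name line is present.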

In the next post we will talk about using lookup lists.

1 comment:

  1. Awful piece of information, I had come to know about your blog from my friend Vimal, Mumbai, I have read at least 3 posts of yours by now, and let me tell you, your blog gives the best and the most interesting information. This is just the kind of information that I had been looking for, I'm already your RSS reader now and I would regularly watch out for the new posts, once again hats off to you! Thanks a million once again, Regards, splunk training in hyderabad