Security Use Cases with Splunk


This article focuses on security use cases that can be created and managed within Splunk. For this article
we will be using the Splunk Free Enterprise version, as it gives 500MB of free indexing every day. We will
also use a standalone architecture to collect, parse and extract events, rather than a distributed
architecture in which multiple components are required to collect, parse, extract and display events in Splunk.

Software Used: Splunk (Free Enterprise Version)

Version: 6.3.2

Log Source: Windows Event Logs, Registry logs

Splunk Indexer, Splunk Search Head: Local System (Windows 7)

Install Splunk
1. Download the latest Splunk release from Splunk.com
2. Run the downloaded exe.
3. The installer's license screen appears. Accept the agreement.

4. Provide the splunk installation directory and install it.

Use Cases

Use Case 1: Detection of a Possible Brute Force Attack


With the evolution of faster and more efficient password cracking tools, brute force attacks against an
organization's services are on the rise. As a best practice, every organization should configure
logging for security events such as an excessive number of invalid login attempts, any modification to

http://www.infosecinstitute.com/courses/incident_respone_network_forensics.html
SECURITY USE CASES USING SPLUNK |

system files, etc., so that any possible attack underway gets noticed and handled before it
succeeds. Organizations generally apply these security policies via a Group Policy Object (GPO) to all the
hosts in their network.

Problem Statement: Alert in real time whenever a user fails to log in more than 2 times.

Log Source: Windows Security Logs

Splunk Query: sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") | stats count by Account_Name | where count > 2

How to read this query: We are monitoring Windows Security event logs and looking for EventCode 4625,
which is "Failed Logon". Every space in a Splunk search is an implicit AND operator. Then we perform a
statistical (stats) count by Account_Name and report where count is greater than 2, i.e. it reports
when a user (Account_Name) has performed more than 2 (count) failed logins.

Steps to simulate the Use-Case:


1. First make sure your local machine is logging local logon events. Check it via:
a. Click Start, type "Local Security Policy" and open it.

b. Click Local Policies > Audit Policy. Make sure auditing of both failure and success events is
turned on for logon events. If it is not, double-click the policy and select failure events.

2. Start Splunk: Navigate to Splunk directory > bin and execute command : splunk start.

3. Open Splunk Web. Usually it will be at localhost:8000; if port 8000 is occupied it will be 8001.

4. Provide the credentials


a. Username: admin
b. Password: changeme (default)
5. Change the default password.
6. Feed the data into Splunk
a. Click on Settings > Data Inputs

b. Click on “Local event log collection”

c. Click on Security Logs. Logs from Windows events will go to the Splunk default index, which is
called "main".

d. Click Save. The new input should now appear in the list.



7. Click on Splunk > Search and Reporting (App).


8. Copy the Splunk search: sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") earliest=-30m@m | stats count by Account_Name | where count > 2

9. You might get 0 results here. Not to worry; we still have to perform the unsuccessful logins.
10. Click on Save As > Alert to save this search as an alert.

11. Fill in details for Alert definition:


a. Title: Alert Name
b. Alert Type: Real Time
c. Permissions: Private
d. Trigger Condition: Per Result
e. Add a Throttle action on Account_Name and suppress for 30 minutes: this means the alert will
suppress further results with the same Account_Name for the next 30 minutes.
f. Trigger Actions: Add to Triggered Alerts
g. Severity: High

12. Log off your System. Perform 3 invalid login attempts.

13. Open Splunk. Navigate to Activity > Triggered Alerts. There you can see the alert triggered. You
will see a lot of alerts because the alert is configured to run in real time, so it keeps running.

14. Click on View Results on the topmost alert, which actually resulted from the unsuccessful logins,
to see the results.
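As an added example (not part of the original article), the following Python models the search and the alert definition above: a per-account count of 4625 failures within a 30-minute window, a threshold of more than 2, and the 30-minute per-Account_Name throttle. The events are constructed sample data, not real Windows logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of Windows Security events, reduced to the fields the
# search uses (EventCode 4625 = failed logon). Not real log data.
EVENTS = [
    {"time": "2016-01-10 09:00:05", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "bob"},
    {"time": "2016-01-10 09:00:09", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "bob"},
    {"time": "2016-01-10 09:00:14", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "bob"},
    {"time": "2016-01-10 09:00:20", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "alice"},
    {"time": "2016-01-10 09:01:00", "EventCode": 4624, "Keywords": "Audit Success", "Account_Name": "alice"},
    {"time": "2016-01-10 09:05:00", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "bob"},
    {"time": "2016-01-10 09:45:00", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "bob"},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def failed_logins_over_threshold(events, now, window=timedelta(minutes=30), threshold=2):
    """Equivalent of:
       EventCode=4625 "Audit Failure" earliest=-30m | stats count by Account_Name | where count > 2"""
    counts = defaultdict(int)
    for ev in events:
        if ev["EventCode"] != 4625 or ev["Keywords"] != "Audit Failure":
            continue                      # not a failed logon
        t = parse(ev["time"])
        if t < now - window or t > now:
            continue                      # outside the 30-minute window ending at `now`
        counts[ev["Account_Name"]] += 1
    return {acct: n for acct, n in counts.items() if n > threshold}

class ThrottledAlerter:
    """Models the alert's throttle setting: after firing for an Account_Name,
       suppress further firings for that account for 30 minutes."""
    def __init__(self, suppress=timedelta(minutes=30)):
        self.suppress = suppress
        self.last_fired = {}

    def fire(self, account, at):
        """Return True if the alert fires for `account` at time `at`, False if throttled."""
        last = self.last_fired.get(account)
        if last is not None and at - last < self.suppress:
            return False
        self.last_fired[account] = at
        return True

def simulate_realtime(events, alerter, window=timedelta(minutes=30), threshold=2):
    """Replays events in order and returns (time, account) pairs where the
       real-time alert would fire after throttling is applied."""
    fired = []
    for i, ev in enumerate(events, start=1):
        now = parse(ev["time"])
        for acct in failed_logins_over_threshold(events[:i], now, window, threshold):
            if alerter.fire(acct, now):
                fired.append((ev["time"], acct))
    return fired
```

Without the throttle, every event after the third failure would fire again for bob; with it, only the first crossing of the threshold produces an entry.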

Use Case 2: Acceptable Use Monitoring


Acceptable Use Monitoring covers the basic questions, i.e. what resource is being accessed, by
whom and when. Organizations generally publish policies for users to understand how they can
use the organization’s resources in the best way. Organizations should develop a baseline
document to set up threshold limits, critical resources information, user roles, and policies, and
use that baseline document to monitor user activity, even after business hours, with the help of
the SIEM solution.

Problem Statement: Alert in real time whenever a user accesses a file.

Log Source: Windows Security Logs

Splunk Query: sourcetype="WinEventLog:Security" EventCode=4663 | stats count by Account_Name, Object_Name, Accesses | rename Account_Name as UserName, Object_Name as FileName, Accesses as Action | table UserName, FileName, Action

How to read this query: We are collecting Windows Security event logs and will monitor EventCode 4663,
which reports the actions taken on a file. A space in a Splunk search is an AND operator. Then we
perform a statistical count of files by username and action. Finally, I am just renaming the fields
to make them more understandable.

Steps to simulate the Use-Case:


1. Open Local Security Policy and Enable Auditing for Object Access as shown below.

2. Create a new file on the desktop named "Test_Access".


3. Enable auditing for Everyone on this file: right-click the file > Properties > Advanced > Auditing.
4. Enter "Everyone" as the object name.

5. Enable all types of access for auditing on this entry.

6. Open Splunk. We do not need to add a new data input for this use case; the Windows Security event
logs are enough. If you have not followed Use Case 1, see above for how to feed data into Splunk.
7. In Splunk, write this query: sourcetype="WinEventLog:Security" EventCode=4663 | stats count by Account_Name, Object_Name, Accesses | rename Account_Name as UserName, Object_Name as FileName, Accesses as Action | table UserName, FileName, Action

8. Hit Enter to run it. You might not see any results yet.


9. Save this as an alert. Click on Save As > Alert.
10. Fill in the alert definition below.
a. Name: File Access
b. Alert Type: Scheduled, configured to run every hour (at the 0th minute past every hour).
c. Set Trigger Condition to: fire this alert whenever the number of results is greater than 0,
and for each result.
d. Set Trigger Action to 'Add to Triggered Alerts'.

11. Open the Test_Access file and then look for the triggered alert under Activity > Triggered Alerts.
Most probably you will not see anything. Why? Because your alert is configured to run at the 0th
minute past every hour.
12. To run this alert now, navigate to Settings > 'Searches, reports, and alerts'.
13. There you will see all the alerts. Find the alert named File Access and click on Run.

14. The result screen tells you who (UserName) has performed what Action on what resource
(FileName).

Use Case 3: Registry Monitoring


Usually, whenever an executable is installed, it makes changes to the registry. So it is worth monitoring
registry events/actions like set, delete, etc.

Problem Statement: Alert on a schedule whenever a registry Set action event takes place.

Log Source: Windows Registry Logs

Splunk Query: index=main sourcetype=WinRegistry | stats values(data) by key_path, registry_type, host | rename host as "Machine Name", registry_type as Action, values(data) as "New Value", key_path as "Path to Subkey"

How to read this query: We are collecting registry events in the Splunk default index main and monitoring
for Action values (which is set in this case), then computing statistics over the values written.
Remember every space in a Splunk search is converted into an AND operator and | is a pipe. At the end we
are just renaming the fields to make them more understandable.

Steps to simulate the Use-Case:


1. Open Splunk, Navigate to Settings >Data Inputs.
2. Click on Registry Monitoring

3. Click New

4. Enter the definition of this registry monitoring input as follows:


a. Enter a name for this monitoring
b. Click Browse and select the hive to monitor from among the following:
i. HKEY_USERS
ii. HKEY_LOCAL_MACHINE
iii. HKEY_CURRENT_USER
iv. HKEY_CURRENT_CONFIG

c. For demonstrative purpose I have selected HKEY_LOCAL_MACHINE\SOFTWARE\Splunk.


d. Enter the action(s) that you want to monitor on this hive:
i. Create
ii. Delete
iii. Open
iv. Rename
v. Set
For this exercise, select Action=set.
e. Click Next
f. Confirm the setting

g. Click Submit and it's done.


5. Reconfirm the monitoring of this registry setting by clicking on Settings > Data Inputs > Registry
Monitoring > Reg_Mon and checking the action selected. Make sure that the 'set' action is selected.

‘Set’ action will generate a Set event when a program executes a SetValue method on a Registry
subkey, thus setting a value or overwriting an existing value on an existing Registry entry.

6. Now click on the Windows Start button and type 'regedit' to open the registry editor. Navigate to
HKLM > Software > Splunk.
7. In the right-hand pane, double-click on ProductName, change the value from 'Splunk Enterprise' to
'Splunk Use Case Infosec Institute' and click OK.

8. Now open the Search app in Splunk and type this query:

index=main sourcetype=WinRegistry | stats values(data) by key_path, registry_type, host | rename host as "Machine Name", registry_type as Action, values(data) as "New Value", key_path as "Path to Subkey"

9. Set this up as an alert in Splunk via Save As > Alert and enter the alert definition as shown in
the screenshot below.

10. Since this is also a scheduled alert, navigate to Settings > 'Searches, reports, and alerts'.
11. There you will see all the alerts. Find the alert named Reg_Mon_Alert and click on Run.

12. The result screen states the following parameters:
a. Path to Subkey: the path of the subkey which has changed.
b. Action: what sort of action has taken place. In this case it will be SetAction.
c. Machine Name (host): the host on which this has changed.
d. New Value: the new value of this subkey. I have used values(data) to collect all the
changed values for this subkey. You can see the changed value "Splunk Use Case Infosec
Institute" in the result.

Other Use Cases which students can do on their own

Monitoring Rogue Name Servers


To monitor this type of activity, DNS servers, proxies and perimeter firewalls should be configured to send
logs to Splunk. Inside Splunk, a SIEM rule such as the following will monitor these logs:

(index=perimeter_firewall OR index=dns) (TCP=53 OR UDP=53) NOT [| inputlookup internal_dns_list | fields dns] | dedup dns | rename dns as rogue_dns | table rogue_dns

This query checks the perimeter_firewall logs for TCP/UDP 53 traffic against all the known
local/internal DNS servers and lists every other DNS server, any of which could be a rogue name server.

Monitoring Rogue Proxy Servers


Although bots have become more advanced and use the internal proxy server for outbound communication,
there are still some versions which do not. So whenever traffic hitting the perimeter_firewall does
not come from a proxy IP, raise an alert. Below is a query that can be used to detect this:

index=perimeter_firewall NOT [| inputlookup proxy_ip | fields ip] | dedup ip | table ip

What this does is look for traffic at the perimeter firewall from IPs other than the listed proxy
IP addresses, which could possibly be a rogue proxy server. Here too we leverage the Splunk lookup
feature.

Monitoring Insecure Ports and Services


We can monitor insecure ports and services being opened on the endpoints in Splunk. To do this, we first
have to feed the endpoint machine data into Splunk, for example with a script that runs

netstat -ln | egrep "^tcp|^udp"

and writes the output to a log file. If the resulting log file is local to Splunk, we can take this
file directly as an input into Splunk; if the log file is remote, it can be collected using the Splunk
Universal Forwarder. Then we can monitor for insecure ports and services:

index=endpoint_log [| inputlookup insecure_list | fields port, service] | table hostname, port, service

In this query, the lookup list insecure_list contains the known insecure ports and services, which in turn
get matched against the endpoint logs. If a match is found, an alert is raised.
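The three lookup-based searches above (rogue name servers, rogue proxies, insecure ports and services) share one idea: compare a field against a lookup table and keep what is absent from it, or what is present in it. This added Python example, which is not from the article, implements that on constructed records; the field names src_ip, dest_ip, dest_port, hostname, port and service are assumptions.

```python
# Constructed firewall and endpoint records, plus the lookup tables the three
# searches reference (internal_dns_list, proxy_ip, insecure_list). Field names
# such as src_ip/dest_ip/dest_port are assumptions, not the article's schema.
FIREWALL = [
    {"src_ip": "10.1.1.20", "dest_ip": "10.0.0.53", "dest_port": 53},
    {"src_ip": "10.1.1.21", "dest_ip": "8.8.8.8", "dest_port": 53},
    {"src_ip": "10.1.1.21", "dest_ip": "8.8.8.8", "dest_port": 53},        # duplicate: dedup drops it
    {"src_ip": "10.0.0.80", "dest_ip": "93.184.216.34", "dest_port": 443},  # egress via the proxy
    {"src_ip": "10.1.1.22", "dest_ip": "203.0.113.9", "dest_port": 443},   # egress bypassing the proxy
]
INTERNAL_DNS = {"10.0.0.53"}                # lookup internal_dns_list, field dns
PROXY_IPS = {"10.0.0.80"}                   # lookup proxy_ip, field ip
INSECURE = {(21, "ftp"), (23, "telnet"), (69, "tftp")}   # lookup insecure_list: port, service

ENDPOINT = [                                # parsed `netstat -ln` output per host
    {"hostname": "ws01", "port": 22, "service": "ssh"},
    {"hostname": "ws02", "port": 23, "service": "telnet"},
    {"hostname": "ws03", "port": 21, "service": "ftp"},
]

def not_in_lookup(records, field, lookup):
    """Models `... NOT [| inputlookup <table> | fields <field>] | dedup <field>`:
       values of <field> that are absent from the lookup, first occurrence only."""
    seen, out = set(), []
    for r in records:
        value = r[field]
        if value in lookup or value in seen:
            continue
        seen.add(value)
        out.append(value)
    return out

def rogue_dns(records, internal_dns):
    """Rogue name servers: port 53 destinations not in internal_dns_list."""
    dns_traffic = [r for r in records if r["dest_port"] == 53]
    return not_in_lookup(dns_traffic, "dest_ip", internal_dns)

def rogue_proxy(records, proxy_ips):
    """Rogue proxies: perimeter traffic whose source is not a known proxy IP."""
    return not_in_lookup(records, "src_ip", proxy_ips)

def insecure_services(records, insecure):
    """Inclusion form: `index=endpoint_log [| inputlookup insecure_list
       | fields port, service] | table hostname, port, service`."""
    return [(r["hostname"], r["port"], r["service"])
            for r in records if (r["port"], r["service"]) in insecure]
```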

Detection of possible Applications Attacks


Since insider threats are on the rise nowadays, it is very much possible for insiders to conduct attacks on
applications such as Cross-Site Scripting (XSS), SQL injection, etc. We can detect these kinds of application
attacks in Splunk. The log source in this case will be application logs, and we will look for known attack
patterns in the logs. Please note that there are various attack patterns in which these 2 attacks can be
carried out; I am not monitoring all of them. Also, in this article I am showing only 2 types of attacks;
most sorts of attacks can be monitored in Splunk.

Monitoring of XSS
One of the well-known payloads used to carry out an XSS attack is <script>alert('XSS attack')</script>. If all
the interactions with an application are logged, then it is very easy to find such a payload in the logs
with a search like the one below:

source=/var/log/myapplication.log "<script>" OR "</script>" | table attacker_location, ip, category

It will look for the "script" tag in a case-insensitive fashion in the application logs. Now my
application logs have the attacker_location field, which states whether it is an insider or not, and ip, which will be

the proxy's IP. These logs will then have to be checked against the proxy logs to find the actual IP that
sent the payload containing the script tag.

Monitoring for SQL Injection


Another well-known application attack, which has been around for decades, is SQL injection. The
most common SQL injection payloads are:

- Id=' or '1'='1
- employee'; drop table employee;--

Now these payloads can be monitored in Splunk, provided all the interactions are being logged:

source=/var/log/application.log ("'" AND "=") OR ("'" AND ";") OR drop OR "--" | table ip

This query looks for a quote together with an = sign, OR a quote together with a semicolon. In some cases
attackers exploit SQL injection to drop tables at the backend, so the query also looks for the drop
keyword OR the -- sequence, which is used to comment out the rest of the SQL statement.
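Added example (not the article's own): the XSS and SQL injection searches above run as plain Python over constructed application log lines, with the case-insensitive script-tag match and the four SQL injection terms, plus a word boundary on drop so that ordinary words such as dropdown do not fire the rule.

```python
import re

# Constructed application log lines in the form "<ip> <attacker_location> <request>".
# Per the article, ip is the proxy's address and attacker_location says insider/external.
APP_LOG = [
    "10.0.0.80 insider GET /search?q=<SCRIPT>alert(1)</script>",
    "10.0.0.80 insider POST /login id=' or '1'='1",
    "10.0.0.80 external POST /emp name=employee'; drop table employee;--",
    "10.0.0.80 external GET /ui/dropdown?id=42",
    "10.0.0.80 insider GET /search?q=splunk",
]

# "<script>" OR "</script>", case-insensitive like the Splunk search
XSS_TAG = re.compile(r"</?script>", re.IGNORECASE)
# whole-word DROP so ordinary words like "dropdown" do not trigger the rule
DROP_KEYWORD = re.compile(r"\bdrop\b", re.IGNORECASE)

def sqli_rules(text):
    """The article's SQL-injection terms: (' AND =) OR (' AND ;) OR drop OR --."""
    hits = []
    if "'" in text and "=" in text:
        hits.append("quote_and_equals")
    if "'" in text and ";" in text:
        hits.append("quote_and_semicolon")
    if DROP_KEYWORD.search(text):
        hits.append("drop_keyword")
    if "--" in text:
        hits.append("sql_comment")
    return hits

def classify(line):
    """Return (ip, attacker_location, [rule names]) for one log line."""
    ip, location, request = line.split(" ", 2)
    hits = ["xss_script_tag"] if XSS_TAG.search(request) else []
    return ip, location, hits + sqli_rules(request)

def detect(lines):
    """Equivalent of running both searches and tabling ip and attacker_location:
       only lines that matched at least one rule are returned."""
    return [(ip, loc, hits) for ip, loc, hits in map(classify, lines) if hits]
```

The loose quote-and-equals rule also fires on many legitimate requests, so in practice it is a candidate for tuning rather than a direct alert.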

Missing Log Source/Host


Log sources are the feeds for any SIEM solution. Most SIEM solutions these days come with an
agent-manager deployment model, which means that on all the log sources, lightweight SIEM agent
software is installed to collect logs and pass them to a manager for analysis. An attacker, after
gaining control over a compromised machine/account, tends to stop all such agent services so that
their unauthorized and illegitimate behavior goes unnoticed.

To counter such actions, the SIEM should be configured to raise an alert if a host stops forwarding
logs for longer than a threshold. For example, the below search query (SPL) in Splunk will raise an
alert if a host has not forwarded logs for more than one hour.

| metadata type=hosts | where recentTime < now() - 3600 | convert ctime(recentTime) as "Last time the log source reported" | rename host as "Log Sources" | table "Log Sources" "Last time the log source reported"

As soon as an alert is received with the IP address of the machine under attack, the Incident
Response Team (IRT) can start mitigating the issue.
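Added example (not from the article) modelling the search above on a constructed recentTime table: hosts whose last event is older than one hour are returned with a ctime-style timestamp, and an assumed expected-host list covers hosts that metadata cannot see because they never indexed anything.

```python
import time

# Constructed stand-in for `| metadata type=hosts`: host -> recentTime, the epoch
# second of the latest indexed event. Values are constructed, not real output.
RECENT_TIME = {
    "dc01": 1452420000,     # reported ten minutes before NOW
    "web01": 1452412000,    # silent for more than an hour
}
NOW = 1452420600            # stands in for now()
EXPECTED_HOSTS = ["dc01", "web01", "fw01"]   # assumed lookup of hosts that must report

def stale_hosts(recent, now=NOW, threshold=3600):
    """Models `| where recentTime < now() - 3600 | convert ctime(recentTime)`:
       returns (host, last report time as UTC text) for hosts past the threshold."""
    return [(host, time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)))
            for host, t in sorted(recent.items()) if t < now - threshold]

def never_reported(expected, recent):
    """Caveat: metadata only knows hosts that have indexed at least one event,
       so a host that never reported has no recentTime and needs an expected-host
       list to be noticed at all."""
    return sorted(set(expected) - set(recent))
```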

So, as you can see, virtually every type of data can be monitored in Splunk. What has also come to the
rescue of a lot of developers is the many new apps which parse data in proprietary log formats, so that
you just have to run the searches.
