Security data sources in Splunk:

  • Proxy logs : Useful for C2 analysis: contacted domains, downloaded files, and DLL/EXE downloads in particular.
  • Anti-virus logs : Good for malware analysis, for spotting vulnerable hosts, laptops and servers, and for monitoring detections in suspicious file paths.
  • Server Operating System logs : Good for analysis of server activity such as user accounts, runaway services and the security event log.
  • Firewall logs : Records of network traffic with source/destination IP addresses, ports and protocols.
  • Mail logs : Inbound/outbound mail, to look for malicious links, targeted recipients, unauthorized outbound files, data loss and bad attachments.
  • Custom application logs : Can be analyzed for signs of buffer overflow, code injection and SQL injection attempts.
  • Intrusion Prevention System logs : Alert on signatures firing (including COTS signatures) and support threat analysis of bad network packets.
  • Database logs : Capture who accesses critical data tables, logons, ports in use and admin account activity.
  • Virtual Private Network (VPN) logs : Capture these to analyze users coming into the network for situational awareness, to watch for connections from monitored foreign IP subnets, and for compliance monitoring of browsers/apps on connected hosts.
  • Authentication logs : Monitor authorized/unauthorized users, time of day and frequency of connections, logons/logoffs, BIOS analysis.
  • Vulnerability scan data : Import data about assets, vulnerabilities, patch status, etc.
  • Web application logs : External-facing logs, monitored for suspicious SQL keywords and text patterns; use regex to catch threats arriving through the browser.
  • DNS logs : Tie IP addresses to the domain names that clients resolved.
  • DHCP logs : Record which systems were assigned which IP address, for how long and how often.
  • Active Directory/Domain Controller logs : Monitor AD admin and privileged accounts, remote access, multiple admins across the domain, new account creation and the relevant event IDs.
  • Badge access logs : Capture to correlate with authentication logs for insider-threat detection and situational awareness.
  • Router/Switch data (NetFlow) : A critical data source for APT monitoring, network monitoring, data exfiltration detection and flow analysis.
  • Packet capture (PCAP) : A very difficult data source to capture at scale, but needed for Advanced Persistent Threat investigation, packet analysis, deep packet inspection, malware analysis, etc.
  • FW + AV : Detect and respond to viruses and worm propagation.
  • IPS + AV + FW : Detect/alert on network-based attacks such as buffer overflows, reconnaissance scans and code injection.
  • PROXY : The web/application layer carries the majority of attacks to monitor, such as cross-site scripting, session hijacking and browser redirects.
  • AV + PROXY : Monitor/detect/respond to downloads of bad files, remote code execution and other web-based attacks.
  • FW + PROXY : Detect outbound data exfiltration, and detect potentially misconfigured firewall rules (for example, hosts reaching the Internet directly instead of through the proxy).
  • IPS + FW : Monitor network packets matching signature-based threats.
  • AD Server : All user/group modifications, deletions and updates, and administrator activity, should be monitored.
  • AD + PROXY : Monitor/detect/alert for post-compromise analysis and lateral movement.
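The FW + PROXY combination above is worth seeing as actual correlation logic. In Splunk this would be a correlation search joining the firewall and proxy indexes; the Python below is an added example (not code from the original page or from Splunk) that implements the same two checks offline over constructed key=value log lines: firewall-allowed web traffic from an internal host that is not the proxy (a rule hole or a host deliberately bypassing the proxy), and per-client outbound byte totals across both sources above a threshold (an exfiltration candidate). The proxy address, the internal ranges, the log field layout and the sample lines are all assumptions made for the example.

```python
"""FW + PROXY correlation: proxy bypass and outbound volume (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumed environment (not from the original page): the proxy's egress address,
# the RFC 1918 ranges treated as internal, and the ports the proxy should own.
PROXY_IP = ipaddress.ip_address("10.0.0.50")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}

# key=value pairs; values may be double-quoted (URLs often are).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample firewall and proxy lines for this example; not real data.
FIREWALL_LOG = """\
ts=2024-03-01T09:00:01 action=allow src=10.0.0.50 dst=203.0.113.7 dport=443 proto=tcp bytes_out=18322
ts=2024-03-01T09:00:04 action=allow src=10.0.1.23 dst=198.51.100.9 dport=443 proto=tcp bytes_out=72000000
ts=2024-03-01T09:00:09 action=deny src=10.0.1.23 dst=198.51.100.9 dport=22 proto=tcp bytes_out=0
ts=2024-03-01T09:00:12 action=allow src=10.0.1.23 dst=10.0.0.50 dport=8080 proto=tcp bytes_out=4120
ts=2024-03-01T09:00:15 action=allow src=10.0.2.7 dst=192.0.2.44 dport=80 proto=tcp bytes_out=910
""".splitlines()

PROXY_LOG = """\
ts=2024-03-01T09:00:00 client=10.0.1.23 url="https://www.example.com/" dst=203.0.113.7 status=200 bytes_out=18322
ts=2024-03-01T09:00:20 client=10.0.3.9 url="https://files.example.net/upload" dst=203.0.113.80 status=200 bytes_out=61000000
ts=2024-03-01T09:00:25 client=10.0.3.9 url="https://files.example.net/upload" dst=203.0.113.80 status=200 bytes_out=59000000
""".splitlines()


def parse_kv(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def proxy_bypass_events(fw_lines):
    """Firewall-allowed web traffic from an internal host other than the proxy
    straight to an external address. Each hit is either a hole in the egress
    rules or a host going around the proxy; both deserve a look."""
    hits = []
    for ev in map(parse_kv, fw_lines):
        if ev.get("action") != "allow" or int(ev["dport"]) not in WEB_PORTS:
            continue
        src, dst = ev["src"], ev["dst"]
        if ipaddress.ip_address(src) == PROXY_IP:
            continue            # the proxy's own egress is expected
        if not is_internal(src) or is_internal(dst):
            continue            # inbound or purely internal traffic is out of scope
        hits.append({"src": src, "dst": dst, "dport": int(ev["dport"]),
                     "bytes_out": int(ev["bytes_out"])})
    return hits


def exfil_candidates(fw_lines, proxy_lines, threshold=100_000_000):
    """Sum outbound bytes per internal client across both sources and return
    the clients at or above the threshold. Proxied traffic is attributed to
    the requesting client from the proxy log, so the firewall rows whose
    source is the proxy itself are skipped to avoid double counting."""
    totals = defaultdict(int)
    for ev in map(parse_kv, proxy_lines):
        totals[ev["client"]] += int(ev["bytes_out"])
    for ev in map(parse_kv, fw_lines):
        if ev.get("action") != "allow":
            continue
        if ipaddress.ip_address(ev["src"]) == PROXY_IP or is_internal(ev["dst"]):
            continue
        totals[ev["src"]] += int(ev["bytes_out"])
    return {host: total for host, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for hit in proxy_bypass_events(FIREWALL_LOG):
        print("proxy bypass:", hit)
    for host, total in exfil_candidates(FIREWALL_LOG, PROXY_LOG).items():
        print(f"exfil candidate: {host} sent {total} bytes outbound")
```

On the sample data the bypass check flags 10.0.1.23 (a 72 MB direct HTTPS session the proxy never saw) and 10.0.2.7, while the volume check flags 10.0.3.9, whose uploads went through the proxy and so only show up when the proxy log is attributed back to the client. Neither source alone would have produced both findings, which is the point of pairing them.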
