Security data source in Splunk:
- Proxy logs : It’s better for C2 analysis of files, domains, downloads of DLL/EXE files.
- Anti‐virus logs : It’s good for analysis of malware, vulnerabilities of hosts, laptops, servers, monitor for suspicious file paths.
- Server Operating System logs : These logs are good for analysis of server activities such as users, runaway services, security logs.
- Firewall logs : Logs for network traffic of source/destination ip addresses, ports, protocols.
- Mail logs : Logs for inbound/outbound mail for malicious links, targeted recipients, unauthorized file out bound, data loss, bad attachments.
- Custom apps logs : Logs could be analyze for possible buffer overflow, code injection, SQL injection analyses.
- Intrusion Prevention System logs : To alert on signatures firing off, COTS signatures, threat analysis of bad network packets.
- Database logs : It’s can be capture for authorized access to critical data tables, authorized logons, op ports, admin accounts.
- Virtual Private Network(VPN) logs : Capture logs to analyze users coming into network for situational awareness, monitored foreign ip subnets, compliance monitoring of browsers/apps of connected hosts.
- Authentication logs : To monitor authorized/unauthorized users, times of day of connection, how often, logons/logoffs, BIOS analysis.
- Vulnerability Scan Data : Import data about assets, vulnerabilities, patch data, etc.
- Web Application logs : External facing logs to monitor suspicious SQL keywords, text patterns, REGEX for threats coming in through browser.
- DNS logs: To relate IP address what domain in a client level.
- DHCP logs : To monitor what systems are assign what IP address and how long, how often.
- Active Directory/Domain Controller logs : Monitor user accounts for AD admins, privilege accounts, remote access, multiple admins across the domain, new account creation, event ID’s.
- Badge Access logs : Logs to capture to correlate insider threat, situational awareness, correlate data with authentication logs.
- Router/Switch data (net-‐flow) : Capture this critical data source for APT monitoring, network monitoring, data exfiltration, flow analysis are very important data source.
- Packet Capture logs(PCAP): Very difficult data source to capture for Advanced Persistent Threats, packet analysis, deep packet inspection, malware analysis, etc.
- FW + AV : Will help detect and respond to viruses, worm propagation.
- IPS + AV + FW : Detect/alert on network based attacks such as buffer overflow, reconnaissance scans, code injection.
- PROXY : The web based/application layer is a majority attacks to monitor like: cross-site scripting, session hacking, browse redirects.
- AV + PROXY : Monitor/detect/respond to download of bad files, remote code execution…web-based attacks.
- FW + PROXY : Detect outbound data exfiltration, detect potentially misconfig fw rules.
- IPS + FW : Network packet of signature threats to be monitored.
- AD Server : All user/group modifications, deletes, updates for administrators to be monitored.
- AD + PROXY : Monitor/Detect/Alert on post compromise analysis, lateral movement.
