Security data sources in Splunk:

  • Proxy logs : Best suited to C2 analysis of files and domains, and to tracking downloads of DLL/EXE files.
  • Anti-virus logs : Good for analysis of malware and of vulnerable hosts, laptops and servers, and for monitoring suspicious file paths.
  • Server Operating System logs : Good for analysis of server activity such as users, runaway services and security logs.
  • Firewall logs : Network traffic logs of source/destination IP addresses, ports and protocols.
  • Mail logs : Inbound/outbound mail logs for malicious links, targeted recipients, unauthorized outbound files, data loss and bad attachments.
  • Custom application logs : Can be analyzed for possible buffer overflow, code injection and SQL injection.
  • Intrusion Prevention System logs : To alert on signatures firing, COTS signatures, and threat analysis of bad network packets.
  • Database logs : Can be captured for authorized access to critical data tables, authorized logons, op ports and admin accounts.
  • Virtual Private Network (VPN) logs : Captured to analyze users coming into the network for situational awareness, to monitor foreign IP subnets, and for compliance monitoring of browsers/apps on connected hosts.
  • Authentication logs : To monitor authorized/unauthorized users, time of day of connection, frequency, logons/logoffs, and BIOS analysis.
  • Vulnerability Scan Data : Import data about assets, vulnerabilities, patch status, etc.
  • Web Application logs : External-facing logs to monitor suspicious SQL keywords, text patterns and regexes for threats coming in through the browser.
  • DNS logs : To relate an IP address to the domain a client resolved.
  • DHCP logs : To monitor which systems are assigned which IP address, for how long and how often.
  • Active Directory/Domain Controller logs : Monitor user accounts for AD admins, privileged accounts, remote access, multiple admins across the domain, new account creation and event IDs.
  • Badge Access logs : Captured to correlate insider threat and situational awareness, and to correlate with authentication logs.
  • Router/Switch data (NetFlow) : A critical data source for APT monitoring, network monitoring, data exfiltration and flow analysis.
  • Packet Capture logs (PCAP) : A very difficult data source to capture; used for Advanced Persistent Threats, packet analysis, deep packet inspection, malware analysis, etc.
  • FW + AV : Helps detect and respond to viruses and worm propagation.
  • IPS + AV + FW : Detect/alert on network-based attacks such as buffer overflow, reconnaissance scans and code injection.
  • PROXY : The web/application layer carries the majority of attacks to monitor, such as cross-site scripting, session hijacking and browser redirects.
  • AV + PROXY : Monitor/detect/respond to downloads of bad files, remote code execution and other web-based attacks.
  • FW + PROXY : Detect outbound data exfiltration and potentially misconfigured firewall rules.
  • IPS + FW : Network packets matching threat signatures to be monitored.
  • AD Server : All user/group modifications, deletes and updates, to be monitored for administrators.
  • AD + PROXY : Monitor/detect/alert for post-compromise analysis and lateral movement.
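An added example of the FW + PROXY correlation above, written for this page and not taken from the original post: it lists hosts that the firewall allowed straight out on web ports with no matching proxy record for the same source, which points either to a misconfigured firewall rule or to an exfiltration path that bypasses the proxy. The index names, sourcetypes and field names (index=firewall, index=proxy, src_ip, c_ip, dest_ip, dest_port, bytes_out, action, direction) are assumptions and must be mapped to your own data.

```spl
(index=firewall sourcetype=fw action=allowed direction=outbound dest_port IN (80, 443))
OR (index=proxy sourcetype=proxy)
| eval src=coalesce(src_ip, c_ip)
| eval is_fw=if(index="firewall", 1, 0)
| eval is_proxy=if(index="proxy", 1, 0)
| stats sum(is_fw) as fw_web_events
        sum(is_proxy) as proxy_events
        sum(eval(if(is_fw=1, bytes_out, 0))) as fw_bytes_out
        dc(eval(if(is_fw=1, dest_ip, null()))) as fw_unique_dests
        by src
| where fw_web_events > 0 AND proxy_events = 0
| eval fw_mbytes_out=round(fw_bytes_out / 1048576, 1)
| sort - fw_mbytes_out
| table src fw_web_events fw_unique_dests fw_mbytes_out
```

The signal is a source with firewall web traffic and zero proxy events over the same time range; before alerting, raise the bar in the where clause (for example a minimum fw_bytes_out) and exclude systems that are legitimately proxy-exempt.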
