splunk enterprise security data sources

Security data source in Splunk:

Proxy logs : It’s better for C2 analysis of files, domains, downloads of DLL/EXE files.
Anti‐virus logs : It’s good for analysis of malware, vulnerabilities of hosts, laptops, servers, monitor for suspicious file paths.
Server Operating System logs : These logs are good for analysis of server activities such as users, runaway services, security logs.
Firewall logs : Logs for network traffic of source/destination ip addresses, ports, protocols.
Mail logs : Logs for inbound/outbound mail for malicious links, targeted recipients, unauthorized file out bound, data loss, bad attachments.
Custom apps logs : Logs could be analyze for possible buffer overflow, code injection, SQL injection analyses.

Intrusion Prevention System logs : To alert on signatures firing off, COTS signatures, threat analysis of bad network packets.
Database logs : It’s can be capture for authorized access to critical data tables, authorized logons, op ports, admin accounts.
Virtual Private Network(VPN) logs : Capture logs to analyze users coming into network for situational awareness, monitored foreign ip subnets, compliance monitoring of browsers/apps of connected hosts.
Authentication logs : To monitor authorized/unauthorized users, times of day of connection, how often, logons/logoffs, BIOS analysis.
Vulnerability Scan Data : Import data about assets, vulnerabilities, patch data, etc.
Web Application logs : External facing logs to monitor suspicious SQL keywords, text patterns, REGEX for threats coming in through browser.
DNS logs: To relate IP address what domain in a client level.
DHCP logs : To monitor what systems are assign what IP address and how long, how often.

Active Directory/Domain Controller logs : Monitor user accounts for AD admins, privilege accounts, remote access, multiple admins across the domain, new account creation, event ID’s.
Badge Access logs : Logs to capture to correlate insider threat, situational awareness, correlate data with authentication logs.
Router/Switch data (net-‐flow) : Capture this critical data source for APT monitoring, network monitoring, data exfiltration, flow analysis are very important data source.
Packet Capture logs(PCAP): Very difficult data source to capture for Advanced Persistent Threats, packet analysis, deep packet inspection, malware analysis, etc.
FW + AV : Will help detect and respond to viruses, worm propagation.
IPS + AV + FW : Detect/alert on network based attacks such as buffer overflow, reconnaissance scans, code injection.
PROXY : The web based/application layer is a majority attacks to monitor like: cross-site scripting, session hacking, browse redirects.
AV + PROXY : Monitor/detect/respond to download of bad files, remote code execution…web-based attacks.
FW + PROXY : Detect outbound data exfiltration, detect potentially misconfig fw rules.
IPS + FW : Network packet of signature threats to be monitored.
AD Server : All user/group modifications, deletes, updates for administrators to be monitored.
AD + PROXY : Monitor/Detect/Alert on post compromise analysis, lateral movement.

]]>