Security data source in Splunk:<\/h2>\n<\/div>\n<\/div>\n

\n

\n

\n
• Proxy logs :\u00a0<\/b>It’s better for C2 analysis of files, domains, downloads of DLL\/EXE files.<\/li>\n
• Anti\u2010virus logs :\u00a0<\/b>It’s good for analysis of malware, vulnerabilities of hosts, laptops, servers, monitor for suspicious file paths.<\/li>\n
• Server Operating System logs :\u00a0<\/b>These logs are good for analysis of server activities such as users, runaway services, security logs.<\/li>\n
• Firewall logs :\u00a0<\/b>Logs for network traffic of source\/destination ip addresses, ports, protocols.<\/li>\n
• Mail logs :\u00a0<\/b>Logs for inbound\/outbound mail for malicious links, targeted recipients, unauthorized file out bound, data loss, bad attachments.<\/li>\n
• Custom apps logs :\u00a0<\/b>Logs could be analyze for possible buffer overflow, code injection, SQL injection analyses.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
  \n

  \n

  \n
  • Intrusion Prevention System logs :\u00a0<\/b>To alert on signatures firing off, COTS signatures, threat analysis of bad network packets.<\/li>\n
  • Database logs :\u00a0<\/b>It’s can be capture for authorized access to critical data tables, authorized logons, op ports, admin accounts.<\/li>\n
  • Virtual Private Network(VPN) logs :\u00a0<\/b>Capture logs to analyze users coming into network for situational awareness, monitored foreign ip subnets, compliance monitoring of browsers\/apps of connected hosts.<\/li>\n
  • Authentication logs :\u00a0<\/b>To monitor authorized\/unauthorized users, times of day of connection, how often, logons\/logoffs, BIOS analysis.<\/li>\n
  • Vulnerability Scan Data :\u00a0<\/b>Import data about assets, vulnerabilities, patch data, etc.<\/li>\n
  • Web Application logs :\u00a0<\/b>External facing logs to monitor suspicious SQL keywords, text patterns, REGEX for threats coming in through browser.<\/li>\n
  • DNS logs:\u00a0<\/b>To relate IP address what domain in a client level.<\/li>\n
  • DHCP logs :\u00a0<\/b>To monitor what systems are assign what IP address and how long, how often.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
    \n

    <\/div>\n<\/div>\n

    \n

    \n

    \n
    • Active Directory\/Domain Controller logs :\u00a0<\/b>Monitor user accounts for AD admins, privilege accounts, remote access, multiple admins across the domain, new account creation, event ID’s.<\/li>\n
    • Badge Access logs :\u00a0<\/b>Logs to capture to correlate insider threat, situational awareness, correlate data with authentication logs.<\/li>\n
    • Router\/Switch data (net-\u2010flow) :\u00a0<\/b>Capture this critical data source for APT monitoring, network monitoring, data exfiltration, flow analysis are very important data source.<\/li>\n
    • Packet Capture logs(PCAP):\u00a0<\/b>Very difficult data source to capture for Advanced Persistent Threats, packet analysis, deep packet inspection, malware analysis, etc.<\/li>\n
    • FW + AV :\u00a0<\/b>Will help detect and respond to viruses, worm propagation.<\/li>\n
    • IPS + AV + FW :\u00a0<\/b>Detect\/alert on network based attacks such as buffer overflow, reconnaissance scans, code injection.<\/li>\n
    • PROXY :\u00a0<\/b>The web based\/application layer is a majority attacks to monitor like: cross-site scripting, session hacking, browse redirects.<\/li>\n
    • AV + PROXY :\u00a0<\/b>Monitor\/detect\/respond to download of bad files, remote code execution\u2026web-based attacks.<\/li>\n
    • FW + PROXY :\u00a0<\/b>Detect outbound data exfiltration, detect potentially misconfig fw rules.<\/li>\n
    • IPS + FW :\u00a0<\/b>Network packet of signature threats to be monitored.<\/li>\n
    • AD Server :\u00a0<\/b>All user\/group modifications, deletes, updates for administrators to be monitored.<\/li>\n
    • AD + PROXY :\u00a0<\/b>Monitor\/Detect\/Alert on post compromise analysis, lateral movement.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

      Answer : Proxy logs :\u00a0It’s better for C2 analysis of files, domains, downloads of DLL\/EXE files…<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"passster_activate_protection":false,"passster_protect_child_pages":"","passster_protection_type":"password","passster_password":"","passster_activate_overwrite_defaults":"","passster_headline":"","passster_instruction":"","passster_placeholder":"","passster_button":"","passster_id":"","passster_activate_misc_settings":"","passster_redirect_url":"","passster_hide":"no","passster_area_shortcode":"","gtb_hide_title":false,"gtb_wrap_title":false,"gtb_class_title":"","gtb_remove_headerfooter":false,"footnotes":""},"categories":[8678],"tags":[195,201,1119,360,7383,203,199,2676,8706,205,2936,484,3054,196,207,202,208,367,206,8215,8687,8690,8708,8713,8710,8707,8688,8709,8712,8711,8689,200,197,2938,8705,280,364,216,8651,8704],"class_list":["post-1184","post","type-post","status-publish","format-standard","hentry","category-splunk","tag-accenture-interview-questions-and-answers","tag-allstate-solutions-pvt-ltd-interview-questions-and-answers","tag-att-interview-questions-and-answers","tag-atos-interview-questions-and-answers","tag-brillio-technologies-pvt-ltd-interview-questions-and-answers","tag-capgemini-interview-questions-and-answers","tag-casting-networks-india-pvt-limited-interview-questions-and-answers","tag-cvent-interview-questions-and-answers","tag-damco-solutions-pvt-ltd-interview-questions-and-answers","tag-dell-international-services-india-pvt-ltd-interview-questions-and-answers","tag-fis-global-business-solutions-india-pvt-ltd-interview-questions-and-answers","tag-genpact-interview-questions-and-answers","tag-globallogic-india-pvt-ltd-interview-questions-and-answers","tag-ibm-interview-questions-and-answers","tag-mphasis-interview-questions-and-answers","tag-photon-interactive-pvt-ltd-interview-questions-and-answers","tag-prokarma-softech-pvt-ltd-interview-questions-and-answers","tag-rbs-india-development-centre-pvt-ltd-interview-questions-and-answers","tag-sap-labs-india-pvt-ltd-interview-questions-and-answers","tag-sopra-steria-interview-questions-and-answers","tag-splunk-admin-interview-questions-and-answers","tag-splunk-admin-interview-questions-for-experienced","tag-splunk-data-source-assessment","tag-splunk-engineer-interview-questions","tag-splunk-enterprise-security-data-models","tag-splunk-enterprise-security-data-sources","tag-splunk-enterprise-security-interview-questions","tag-splunk-enterprise-security-release-notes","tag-splunk-enterprise-security-tutorial","tag-splunk-enterprise-security-upgrade","tag-splunk-software-engineer-interview-questions","tag-tech-mahindra-interview-questions-and-answers","tag-unitedhealth-group-interview-questions-and-answers","tag-us-technology-international-pvt-ltd-interview-questions-and-answers","tag-verizon-interview-questions-and-answers","tag-virtusa-consulting-services-pvt-ltd-interview-questions-and-answers","tag-wells-fargo-interview-questions-and-answers","tag-wipro-interview-questions-and-answers","tag-xavient-software-solutions-india-pvt-ltd-interview-questions-and-answers","tag-xinthe-technologies-interview-questions-and-answers"],"yoast_head":"\n