Monday 29 August 2016

Mickeys SVIP - Tip 1 - Intro, setting up your initial report of new users

Hi All,

If you read my previous post regarding configuring audit logging you will know that I am about to start a series of blog posts about improving visibility in your network for Security Operations.  If you haven't seen it, it is here:  http://mickeysecurity.blogspot.com.au/2016/08/my-recommended-windows-active-directory.html

The ugliest buzzword I could come up with is SVIP (Security Visibility Improvement Program), with the aim of improving your visibility and awareness in Security Operations.

I think the hardest thing to achieve is a total understanding of your network.  A person who understands their network can tell good from bad, and knows what is a false positive and what is a threat.

So how are these posts going to be delivered?
  • Small nuggets of information.
  • Every week (work permitting).  This enforces the continual service improvement methodology that I am aiming for.
  • Have a low barrier to entry (any level can do it).
  • Will all be in Splunk (more news on why soon).
If you are a Splunk expert, just jump straight to the search :).  Otherwise a step-by-step process is also included.


Why?
These events help you identify any anomalous user creations, deletions or enables.

The Threat?
There is potential for an external threat to establish persistence through a new account, or for an internal threat to use a new or re-enabled account to mask their own actions.

What Events?
The event codes that we are interested in are:
Event Code 4722 - A user account was enabled (this includes new users, since an account created in the normal enabled state generates 4722 immediately after creation). - Security Event Log
Event Code 4725 - A user account was disabled. - Security Event Log
Event Code 4726 - A user account was deleted. - Security Event Log
Note that the creation itself is Event Code 4720 (A user account was created).  An account created in a disabled state never generates 4722, so if you want to catch those as well, add 4720 to the search.

How Frequent do we want to see these alerts / reports?
Once a day with a period of the last 24hrs.

Additional Notes?
To improve on user creation, enforce a policy in your organisation that stipulates that each new account has to be created with an associated incident/service request in your helpdesk application.  This gives you a way to trace each user back to an incident and the reason it was created.  It also helps the SOC quickly identify any user changes that don't follow the organisation's processes.

The search?
index=wineventlog sourcetype=wineventlog:security (EventCode=4722 OR EventCode=4725 OR EventCode=4726)
| fields _time, Security_ID, name
| eval actioner=mvindex(Security_ID,0)
| eval destination_account=mvindex(Security_ID,1)
| table _time, actioner, destination_account, name

Each of these events contains two Security IDs: the Subject (who made the change) followed by the Target Account (who was changed).  Splunk extracts them into one multivalue Security_ID field in that order, which is why mvindex(Security_ID,0) is the actioner and mvindex(Security_ID,1) is the destination account.  If you prefer names to SIDs in the report, Account_Name is extracted the same way and can be split with the same mvindex calls.
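The same logic as the search above, run outside Splunk over constructed sample events, as an added example that is not part of the original post.  It parses the multi-line Security-log message format, pulls the Subject and Target account out of the paired Security ID / Account Name fields (the order that the mvindex(Security_ID, 0/1) trick relies on), keeps only the last 24 hours, and then applies two SOC checks the post describes: an account created or enabled with no matching helpdesk ticket, and an account created and deleted inside the same reporting window.  The event records, domain SID, account names, ticket numbers and the report run time (NOW) are all constructed; 4720 (account created) is included alongside 4722/4725/4726.

```python
"""Daily new/enabled/disabled/deleted user report, mirroring the Splunk search
above but run over constructed Windows Security-log records (added example,
not from the original post)."""
import re
from datetime import datetime, timedelta

# Event IDs the report covers. 4720 (account created) is added to the three the
# search uses, because an account created in a disabled state never emits 4722.
EVENT_NAMES = {
    4720: "A user account was created.",
    4722: "A user account was enabled.",
    4725: "A user account was disabled.",
    4726: "A user account was deleted.",
}

# Constructed identifiers: a fictional domain SID, the time the report runs and
# the helpdesk tickets that authorised account changes (the post's policy).
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
NOW = datetime(2016, 8, 29, 8, 0, 0)
TICKETS = {"j.smith": "INC0012345", "a.leaver": "INC0012398"}


def _record(stamp, code, actor_rid, actor, target_rid, target, section):
    """Build one record in the multi-line layout the Security log produces and
    Splunk ingests: a Subject block followed by the Target/New Account block."""
    return (
        f"{stamp}\nLogName=Security\nEventCode={code}\n"
        f"Message={EVENT_NAMES.get(code, 'Other event.')}\n\n"
        f"Subject:\n\tSecurity ID:\t\t{DOMAIN}-{actor_rid}\n\tAccount Name:\t\t{actor}\n"
        f"\tAccount Domain:\t\tCORP\n\n"
        f"{section}:\n\tSecurity ID:\t\t{DOMAIN}-{target_rid}\n\tAccount Name:\t\t{target}\n"
        f"\tAccount Domain:\t\tCORP\n"
    )


SAMPLE_EVENTS = [  # constructed sample data, not real log output
    _record("08/28/2016 09:12:01 AM", 4720, 1108, "helpdesk.admin", 2401, "j.smith", "New Account"),
    _record("08/28/2016 09:12:02 AM", 4722, 1108, "helpdesk.admin", 2401, "j.smith", "Target Account"),
    _record("08/28/2016 02:30:00 PM", 4725, 1108, "helpdesk.admin", 1377, "a.leaver", "Target Account"),
    _record("08/28/2016 11:05:00 PM", 4720, 1215, "b.contractor", 2402, "svc_backup2", "New Account"),
    _record("08/28/2016 11:40:00 PM", 4726, 1215, "b.contractor", 2402, "svc_backup2", "Target Account"),
    _record("08/26/2016 10:00:00 AM", 4726, 1108, "helpdesk.admin", 1201, "old.account", "Target Account"),  # outside window
    _record("08/28/2016 10:00:00 AM", 4624, 500, "DC01$", 1108, "helpdesk.admin", "New Logon"),  # logon noise
]

SID_RE = re.compile(r"Security ID:\s*(\S+)")
NAME_RE = re.compile(r"Account Name:\s*(\S+)")


def parse_event(raw):
    """Extract the fields the Splunk search uses. Security ID and Account Name
    each occur twice per record, Subject first and then the Target/New account,
    which is exactly why mvindex(..., 0) is the actioner and index 1 the target."""
    first_line, _, body = raw.partition("\n")
    code = int(re.search(r"EventCode=(\d+)", body).group(1))
    sids = SID_RE.findall(body)
    names = NAME_RE.findall(body)
    return {
        "time": datetime.strptime(first_line, "%m/%d/%Y %I:%M:%S %p"),
        "code": code,
        "name": EVENT_NAMES.get(code),
        "actioner": names[0], "actioner_sid": sids[0],
        "destination_account": names[1], "destination_sid": sids[1],
    }


def user_change_report(raw_events, now, window=timedelta(hours=24)):
    """Rows equivalent to the scheduled report: account-lifecycle events in the
    last `window` before `now`, oldest first. Other event IDs are dropped."""
    cutoff = now - window
    rows = [parse_event(r) for r in raw_events]
    rows = [e for e in rows if e["code"] in EVENT_NAMES and cutoff <= e["time"] <= now]
    return sorted(rows, key=lambda e: e["time"])


def flag_anomalies(rows, tickets):
    """Two checks an analyst applies to the daily report: a creation/enable
    with no helpdesk ticket, and an account created then deleted inside the
    window (an attacker cleaning up a temporary persistence account). The
    create/delete pairing is keyed on the target SID, not the name, so a
    re-created account with the same name is not confused with the old one."""
    findings, unticketed, created = [], set(), {}
    for e in rows:
        target = e["destination_account"]
        if e["code"] in (4720, 4722) and target not in tickets and target not in unticketed:
            unticketed.add(target)
            findings.append(f"{target}: created/enabled by {e['actioner']} with no helpdesk ticket")
        if e["code"] == 4720:
            created[e["destination_sid"]] = e
        if e["code"] == 4726 and e["destination_sid"] in created:
            findings.append(f"{target}: created and deleted within the window by {e['actioner']}")
    return findings


if __name__ == "__main__":
    report = user_change_report(SAMPLE_EVENTS, NOW)
    for r in report:
        print(f"{r['time']:%Y-%m-%d %H:%M:%S}  {r['actioner']:<16}{r['destination_account']:<16}{r['name']}")
    for finding in flag_anomalies(report, TICKETS):
        print("ALERT:", finding)
```

Running it prints the five in-window rows in the same shape as the Splunk table (the 4624 logon and the two-day-old deletion are filtered out) and two alerts, both for svc_backup2: it was created without a ticket, and it was created and deleted within the same 24 hours by the same account.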


Example: (screenshot of the search results omitted)

As you can see, we now have a search that we can convert to a report.

Detailed Steps:
  1. Logon to your Splunk server. I am running off a Windows Server so I am opening up 'http://localhost:8000/en-GB/'
  2. Click Search and Reporting
  3. Paste in the search above and select 'Last 24 hours'.  Once the search has completed click 'Save As'.
  4. Click 'Report'
  5. Enter Title - 'New - Disabled - Deleted Users - Last 24 Hours'
  6. Enter Description - 'This report is generated daily to notify the Administrators of the environment of any New Users, Disabled users or Deleted Users in the last 24 hours.'
  7. Time Range Picker - 'Yes'
  8. Click Save.
  9. Click 'Schedule'
  10. Tick 'Schedule Report' and set it to run once a day, with a time range of the last 24 hours.
  11. Click next.
  12. Tick 'Send email', fill in the To address (SMTP must be configured on the Splunk server for the email to send), then tick 'Inline Table' so the results appear in the body of the email.
  13. Click Save

You're done!  One more step towards improving your visibility.  Keep watching this blog for a plethora of tips that will help you understand your network and detect threats.  As always, if you want to have your finger on the pulse you can schedule the search more frequently.  I like once a day because your team members will not get alert fatigue.

Hope this helps.  Let me know if you need any more information.