Building Windows Security Monitoring Capabilities on the Splunk Universal Forwarder - cfloquetprojects/homelab GitHub Wiki

Introduction:

  • Endpoints are a major concern for any security specialist in the modern era of remote work and remote network access. Today's lab covers steps to more effectively monitor and log Windows 10 endpoints in particular, since these are the hosts employees use most often and are therefore extremely common targets for malware.
  • The following is not an exhaustive list of notable events to monitor, but it is what will be covered for our use cases:
    • Local & Domain Authentication Audit Logs
    • Printer Activity
    • USB Device Activity
    • Audit Logs Cleared

Resources:

Pre-Flight Check

It's essential that Splunk Enterprise is already installed and configured on a RHEL 7 (or any Linux-based) host, and that we have at least one Windows and one Linux host available to populate and test our server classes. If you are unsure how to install the Universal Forwarder, give the guide I wrote a try.

💡 Every Splunk Enterprise instance can be configured to act as a deployment server and/or license server, although in larger environments it is recommended to dedicate a separate server to each of these functions.

Each host should have the Splunk Universal Forwarder installed without the configuration completed, since that step requires a deployment server to connect to. While this isn't critical to the success of this lab, it will be required for future labs that build off of it.

Creating Basic Splunk Deployment App:

As I mentioned above, all it takes to activate the deployment server functionality on a Splunk Enterprise instance is placing an app within the $SPLUNK_HOME/etc/deployment-apps/ folder on that instance's filesystem.

💡 The bare minimum file structure for a Splunk app is a named folder within the aforementioned deployment-apps folder plus a subfolder to store the configurations, named either local or default; I tend to use local for custom apps.

Let's kick off the process of creating/configuring a Splunk Deployment Server by creating our first deployment app within the correct folder path (shown below), which will be called win_client_inputs:

$ pwd
/opt/splunk/etc/deployment-apps
$ mkdir -p win_client_inputs/local

Now that our first deployment app exists in the proper directory, let's store an inputs.conf file within the local directory of that app. This file is the configuration dictating which files, folders and event logs we'd like to monitor on the clients where that app is deployed.

💡 It's important to remember that not all of the clients we will be managing from this deployment server will have identical apps; the appropriate apps are assigned to their associated clients/servers through server classes, which we will explore later in the lab.

$ pwd
/opt/splunk/etc/deployment-apps/win_client_inputs/local
$ vi inputs.conf
# Monitor the Windows Security event log channel on every client this app is deployed to
[WinEventLog://Security]
disabled=0
# Target index; it must already exist on the indexer
index=wineventlog
# Collect only events written after the input starts, rather than replaying the channel's history
current_only=1
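As an added example that is not part of the wiki page or the homelab project, the following POSIX shell functions script the two steps above: creating the bare-minimum deployment app folder under deployment-apps, appending the WinEventLog stanza to its local/inputs.conf, and checking that the stanza is present and enabled before the app is handed out to clients. The function names, the DEPLOY_ROOT variable and its default path are assumptions for the example; the default matches the /opt/splunk path used above.

```shell
#!/bin/sh
# Added example, not the wiki's own commands: build a minimal Splunk deployment
# app and write a WinEventLog inputs.conf stanza into it, then sanity-check it.
# Assumption: DEPLOY_ROOT defaults to /opt/splunk/etc/deployment-apps; point it
# at a scratch directory to dry-run without touching a real Splunk install.

DEPLOY_ROOT="${DEPLOY_ROOT:-/opt/splunk/etc/deployment-apps}"

# create_deployment_app <app_name>
# Creates <DEPLOY_ROOT>/<app_name>/local, the bare minimum for a deployment app.
# Rejects names containing path separators, whitespace or "..", so a typo
# cannot create directories outside deployment-apps.
create_deployment_app() {
    app="$1"
    case "$app" in
        ''|*/*|*' '*|*..*) echo "invalid app name: '$app'" >&2; return 1 ;;
    esac
    mkdir -p "$DEPLOY_ROOT/$app/local" || return 1
    printf '%s\n' "$DEPLOY_ROOT/$app/local"
}

# write_wineventlog_input <app_name> <channel> <index>
# Appends a [WinEventLog://<channel>] stanza to the app's local/inputs.conf.
# current_only=1 makes the forwarder ship only events written after it
# starts, instead of replaying the channel's history on first deployment.
write_wineventlog_input() {
    app="$1"; channel="$2"; index="$3"
    conf="$DEPLOY_ROOT/$app/local/inputs.conf"
    [ -d "$DEPLOY_ROOT/$app/local" ] || { echo "app '$app' not created" >&2; return 1; }
    {
        printf '[WinEventLog://%s]\n' "$channel"
        printf 'disabled=0\n'
        printf 'index=%s\n' "$index"
        printf 'current_only=1\n'
        printf '\n'
    } >> "$conf"
}

# check_wineventlog_input <app_name> <channel>
# Returns 0 only if the stanza exists, is enabled (disabled=0) and names an
# index. Keys are read between the stanza header and the next "[" header.
check_wineventlog_input() {
    app="$1"; channel="$2"
    conf="$DEPLOY_ROOT/$app/local/inputs.conf"
    [ -f "$conf" ] || return 1
    awk -v want="[WinEventLog://$channel]" '
        /^\[/ { in_stanza = ($0 == want); next }
        in_stanza && /^disabled[[:space:]]*=[[:space:]]*0[[:space:]]*$/ { enabled = 1 }
        in_stanza && /^index[[:space:]]*=[[:space:]]*[^[:space:]]+/ { has_index = 1 }
        END { exit !(enabled && has_index) }
    ' "$conf"
}

# Typical use on the deployment server (run as the splunk user):
#   create_deployment_app win_client_inputs
#   write_wineventlog_input win_client_inputs Security wineventlog
#   check_wineventlog_input win_client_inputs Security && echo "stanza OK"
```

The check validates the stanza's shape only; that the wineventlog index actually exists on the indexer is a separate step, and an app that passes the check is still not delivered to any client until a server class maps it there.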
