Splunk app with security alerts to generate detections via Microsoft Sysmon and Windows Event Logs
This app provides alerts built with Splunk search macros to detect a wide variety of suspicious activity in Windows environments. It is designed for blue-team members who need to identify suspicious activity in Windows environments.
The app consists of a number of search macros for the detection of various Windows threats. The macros are listed under Advanced Search > Search Macros; those named sysmon_detect_* are the detection rules leveraging Sysmon and Windows Event Logs.
Other macros include:
sysmon_search - Base search used to query Sysmon logs. Used across most detection rules.
winlog_search - Base search used to query Windows Event Logs. Used across most detection rules.
sysmon_rename_fields - Renames and creates fields for Sysmon events. Used across most detection rules.
sysmon_rename_fields - Renames and creates fields for Windows Event Log events. Used across most detection rules.
sysmon_create_alert - Adds an alert to a lookup table whose fields follow the MITRE ATT&CK framework.
sysmon_tabulate - Tabulates the Sysmon fields when searching Sysmon event logs.
winlog_tabulate_fields - Tabulates the Windows Event Log fields when searching Windows event logs.
Out of the box, the Splunk alerts are not scheduled and therefore do not trigger. However, it is easy to customize and set up alerts based on the search macros. An example alert, sysmon_detect_nopac_computer_account_creation_cve_2021_42278, is already created; it is based on the search macro of the same name.
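As an added example (not the project's own savedsearches.conf), the stanza below shows the settings that turn one of the app's detection macros into a scheduled alert. The macro name is one the app ships (sysmon_detect_lsass_memory_dumps_temp_folder); the schedule, lookback window, suppression period and recipient address are assumptions to adapt to your environment. Placing it in the app's local/ directory keeps it from being overwritten when default/ is replaced by an app upgrade.

```ini
# Added example, not the project's own savedsearches.conf.
# Assumed file: $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf

[sysmon_detect_lsass_memory_dumps_temp_folder]
# The detection logic lives entirely in the macro; the alert only schedules it.
search = `sysmon_detect_lsass_memory_dumps_temp_folder`
disabled = 0
enableSched = 1
cron_schedule = */15 * * * *
# Look back a little further than the run interval so forwarder lag does not
# leave a gap between consecutive runs (a few duplicates are cheaper than misses).
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
# Fire whenever the macro returns any event.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
# Throttle repeats of the same alert for an hour (assumed value).
alert.suppress = 1
alert.suppress.period = 1h
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$
```

Any other sysmon_detect_* macro can be scheduled the same way by changing the stanza name and the macro inside the backticks; check that the macro's own sysmon_search/winlog_search base searches point at the right index first, or the alert will silently return nothing.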
Install the app via Splunk > Manage Apps.
Ensure that Sysmon logging and Windows Event Log auditing are enabled on each monitored host so that the Universal Forwarder can forward the logs to Splunk.
The rules built for this Splunk app typically use the following logs:
Sysmon - generated via a customised version of SwiftOnSecurity's sysmon config to produce the relevant events for Splunk. This config is available here.
Windows Event Logs - enabled via Local Security Policy > Security Settings > Local Policies > Audit Policy. The following settings are recommended to be turned on for Success and Failure:
Disable success auditing for Windows Filtering Platform connections (failure auditing stays on) - the success events are very verbose:
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable
To configure the Splunk Universal Forwarder on Windows, the inputs.conf file available here was used to forward logs to Splunk.
Refer to this guide on how to forward Sysmon logs to Splunk.
Refer to this guide on how to forward Windows Event Logs to Splunk.
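As an added example (not the project's inputs.conf, which is linked above), a minimal Universal Forwarder inputs.conf that collects both sources into the index and sourcetypes the app expects by default. The point worth checking is renderXml: when it is false the sourcetype is WinEventLog:<channel>, which matches the app's macros; with renderXml = true the forwarder produces XmlWinEventLog:<channel> and the default macros will not match. The index name and the set of channels are assumptions.

```ini
# Added example, not the project's own inputs.conf.
# Assumed location on the forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf
# (or a deployment app). Sysmon must already be installed on the host.

# Sysmon: the channel name becomes the sourcetype suffix, giving
# WinEventLog:Microsoft-Windows-Sysmon/Operational, which the app's
# sysmon_search macro searches for by default.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = false
index = main

# Classic Windows Event Logs, matched by the app's winlog_search macro
# (sourcetype=WinEventLog:*). Security is where the audit policy above lands.
[WinEventLog://Security]
disabled = 0
renderXml = false
index = main

[WinEventLog://System]
disabled = 0
renderXml = false
index = main
```

Restart the forwarder after editing, then confirm on the indexer that events arrive with the expected sourcetype (for example sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" | head 5) before expecting any detection to return results.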
By default, the app searches index=main for sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon logs) and sourcetype=WinEventLog:* (Windows Event Logs). If your data lives elsewhere, update the sysmon_search and winlog_search search macros with the correct log locations.
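As an added example (not the project's own macros.conf), the override below repoints the two base-search macros at dedicated indexes. The index names are assumptions, and the definitions shown are the minimal index-plus-sourcetype form implied by the defaults described above; if the app's default/macros.conf carries additional filters in these macros, copy the full definition and change only the index. Putting the override in local/ rather than editing default/ is what makes it survive an app upgrade.

```ini
# Added example, not the project's own macros.conf.
# Assumed file: $SPLUNK_HOME/etc/apps/<app>/local/macros.conf
# Splunk layers local/ over default/, so only the keys set here change.

[sysmon_search]
# Assumed index for Sysmon events; sourcetype unchanged from the app default.
definition = index=wineventlog_sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0

[winlog_search]
# Assumed index for classic Windows Event Logs.
definition = index=wineventlog sourcetype="WinEventLog:*"
iseval = 0
```

After saving, reload the configuration (for example by restarting Splunk or visiting the debug/refresh endpoint) and run `sysmon_search` | head 5 in the search bar; if it returns nothing, the index or sourcetype does not match what the forwarder is actually sending.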
A list of all alerts built into this app, categorized by the MITRE ATT&CK matrix, is provided here and is also listed in the Appendix below.
The link above additionally describes the steps to emulate the various alerts built into this app.
To list all the Splunk alerts included in this app, download and extract the Splunk app from Splunkbase, then use grep to list all the unique alert names:
cd /opt/splunksysmonsecurity/default
grep -rhioE "\[sysmon_detect_[a-zA-Z0-9_]+" savedsearches.conf | sort | uniq
To extract a specific Splunk alert definition, grep for the alert name across the macros and saved searches:
cd /opt/splunksysmonsecurity/default
grep -r -n -i -A 20 sysmon_detect_lsass_memory_dumps_temp_folder macros.conf savedsearches.conf
These are notes for the app developer's reference.
Refer to the steps here.
Added new alerts:
sysmon_detect_shadow_credentials_creation
sysmon_detect_execution_filename_mismatch
sysmon_detect_lolbin_network_connection
sysmon_detect_rdp_hijacking_lastloggedon_user_hide_attempt
sysmon_detect_rdp_portnumber_change
Added 2 alerts - sysmon_detect_chrome_credentials_read, sysmon_detect_firefox_credentials_read
Added Windows Sysmon alert (sysmon_detect_localpotato_lpe_storsvc)
Added alerting for attempt to steal ntlm hashes using masky
(sysmon_detect_ntlm_hashes_extraction_masky)
Added 3 new alerts:
sysmon_detect_dotnet_assembly_execution_unusual_locations
sysmon_detect_powershell_assembly_invoked_unusual
sysmon_detect_powershell_execution_non_windows_po
Added 2 new alerts - sysmon_detect_lsass_memory_werfault_rtlreportsilentprocessExit, sysmon_detect_domain_enumeration_bloodhound
Initial release
Currently, the following detections (as search macros / alerts) have been added to this app: