Welcome to SecKit for Splunk TA Windows’s documentation!¶

This Success enablement content kit provides ready to deploy configuration for Windows Data Collection in a typical organization. The approach to deployment is modular designed to allow deployment of collection in such a way that valuable insights while making optimal use of your Splunk License.

The files referenced in this kit are available in our bitbucket repo

Objectives¶ Collect Windows Security Events from All Windows systems

Collect Performance metrics from important systems such as Active Directory and DNS servers

Collect Critical Registry key change events from all Windows systems

Collect DHCP Lease information from Windows DHCP Servers

Deploy the Splunk Add on (on prem)¶ Deploy the Splunk TA Windows to each appropriate instance of Splunk, in the following order Splunk Search Head¶ Download version Splunk TA Windows 6.0.0 from the deps folder of the repository OR from Splunk Base https://splunkbase.splunk.com/app/742/

Expand and copy to $SPLUNK_HOME/etc/apps.

Restart the Search Head Splunk Search Head Cluster¶ Download version Splunk TA Windows 6.0.0 from the deps folder of the repository OR from Splunk Base https://splunkbase.splunk.com/app/742/

Remove the Splunk_TA_Windows folder from $SPLUNK_HOME/etc/shcluster/apps and push to the cluster using the appropriate command non ES SHC splunk apply shcluster-bundle ES SHC splunk apply shcluster-bundle -preserve-lookups true

Expand and copy Splunk_TA_Windows to $SPLUNK_HOME/etc/shcluster/apps

Push to the cluster using the appropriate command non ES SHC splunk apply shcluster-bundle ES SHC splunk apply shcluster-bundle -preserve-lookups true

Splunk Index time data processing (optional)¶ Optionally Splunk can be configured to process the raw logs to remove extraneous information reducing the total license consumption and in some cases improving search performance at the expense of increased CPU utilization in the indexing pipeline. See Splunk Docs create/update local/props.conf in the folder to be used in the following steps: [source::WinEventLog:System] SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r

]+$//g [source::WinEventLog:Security] SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/ SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/ SEDCMD-remove_ffff = s/::ffff://g SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r

]+$//g SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r

]+$//g SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r

]+$//g ## For XmlWinEventLog:Security SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/ SEDCMD-cleanxmlsrcip = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/ [source::WinEventLog:ForwardedEvents] SEDCMD-remove_ffff = s/::ffff://g SEDCMD-cleansrcipxml = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/ SEDCMD-cleansrcportxml = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/ SEDCMD-clean_rendering_info_block = s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>// [WMI:WinEventLog:System] SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r

]+$//g [WMI:WinEventLog:Security] SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/ SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/ SEDCMD-remove_ffff = s/::ffff://g SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r

]+$//g SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r

]+$//g SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r

]+$//g Splunk Non Clustered Indexers, Windows Heavy Forwarders, Intermediate Forwarders¶ Download version Splunk TA Windows 6.0.0 from the deps folder of the repository OR from Splunk Base https://splunkbase.splunk.com/app/742/

Copy to $SPLUNK_HOME/etc/apps. Splunk Clustered Indexers¶ Download version Splunk TA Windows 6.0.0 from the deps folder of the repository OR from Splunk Base https://splunkbase.splunk.com/app/742/

Expand and Copy to $SPLUNK_HOME/etc/apps.

Create the following indexes in accordance to the standard practices for index definition in your organization by added to or created an indexes.conf file in the most appropriate app in master-apps. If no standard location we suggest $SPLUNK_HOME/master-apps/Splunk_TA_windows_SecKit_Indexes/local/indexes.conf appmsadmon : Used for Active Directory change data capture. oswin : Windows OS events generally used by IT operations and Application Support some events may have security relevance. oswinreg : Windows OS registry key changes captured by the Windows UF oswinsec : Windows OS Security Event log, may also be used for additional event log types primarily used by Security Monitoring oswinscript : Windows Scripted inputs used to collect additional information about the Windows OS, useful to many types of users oswinperf : Windows Performance data as events oswinmetrics : Windows Performance Metrics data, ** This must be a metrics index ** epintel : Endpoint Intelligence index contains information which can be used to identify the behaviors of malicious code and users.

Splunk Deployment Server¶ Download version Splunk TA Windows 6.0.0 from the deps folder of the repository OR from Splunk Base https://splunkbase.splunk.com/app/742/

Expand and Copy to $SPLUNK_HOME/etc/deployment-apps

Download src/Splunk_TA_windows_SecKit_DS and copy to $SPLUNK_HOME/etc/apps

Download src/Splunk_TA_windows_SecKit_<n>* and copy to $SPLUNK_HOME/etc/deployment-apps

Restart the deployment server

Deploy the Splunk Add on (Splunk Cloud)¶ Request installation of version 6.0.0 of Splunk_TA_windows on all appropriate search heads

Manually create the indexes prescribed above

Deploy to intermediate forwarders and Windows heavy forwarders as prescribed above

Configure deployment server as prescribed above.