Windows Critical Security Dashboard & Alerts – Splunk

With my recent installation of Splunk in my HomeLab, I have been getting more and more comfortable with the query language it uses and parsing through logs. I have made multiple dashboards that are very useful for tracking user logons, general security events, and the duration of those logons. These dashboards are very useful, but I wanted to create a dashboard for only the highest-level threats on my Windows computers. I also want to add automated security alerts through email, so I can be notified if any of these critical events are triggered.

Well, this is a great idea, who wouldn’t want a dashboard for monitoring critical threats with automated alerts? But where to start? My first course of action was to identify the Event ID numbers related to common critical vulnerabilities for a Windows environment. In Windows terminology, an Event ID is a number assigned to a type of log entry, which makes it useful for grouping related events together and for parsing through a large number of logs. For example, the event logged for “An attempt was made to reset an account’s password” has an Event ID of 4724.

With this knowledge of Event IDs, I needed to find a source of common critical Event IDs online, and who better than Microsoft themselves. I found an article called “Events to Monitor” and it had just the information I was looking for. It listed a very large number of logs that they recommended monitoring, from critical to informational, but for this dashboard I just wanted to monitor the critical events.

As you can see from the chart above, Microsoft lists 11 Event IDs as critical, but one of these events only pertains to legacy systems, bringing the number down to 10 for me. Now that I had this information, I started on creating the dashboard.

The first thing I did was create the search query I would use for my dashboard. I created a search that would find any events with the previously mentioned critical Event IDs. That query is below.

As you can see above, the search brought back zero results (which is a very good thing, I might add). While it is good that there are no critical threats, I want to know this dashboard is going to work. To test it out, I am going to clear the audit logs on my Windows PC: clearing these logs generates Event ID 1102, which should add an event to my search.

And it worked! With the query tested, it was time to implement it in a dashboard that I can quickly access whenever I need it. I started by naming it “WINDOWS CRITICAL” and adding a table. I then pasted the search I created into the table and hit apply.

This was a great start, and from here I added a line to the search to drop a few columns from the table to really clean it up and make it easier to read.

To complete the dashboard, I added a table to visualize event occurrences and their corresponding dates. With only one event logged the table is very empty, but it could provide useful metrics in an enterprise environment.

Finally, I configured an alert related to this search that will automatically send me an email to notify me if any of these security events occur.
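As an added example (not the author's own query, dashboard or alert configuration), the search, the column cleanup and the e-mail alert described above can all be captured in one `savedsearches.conf` fragment, with a second stanza for the occurrences-by-day panel. Assumptions: events arrive from the Splunk Add-on for Microsoft Windows with sourcetype `WinEventLog:Security` and the field names `EventCode`, `ComputerName`, `user` and `Message` (hosts forwarding XML-rendered events use `XmlWinEventLog:Security` instead); the index is named `wineventlog`; the ten Event IDs are the high-criticality entries as I recall them from Microsoft's “Events to Monitor” appendix, with the legacy ID 550 omitted, and should be checked against the chart; the recipient address is a placeholder.

```ini
# savedsearches.conf, e.g. $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
# Assumed (not from the original post): index "wineventlog", the Windows
# add-on field names, and a placeholder recipient address.

[Windows Critical - Alert]
# Ten high-criticality IDs from Microsoft's "Events to Monitor" list
# (legacy ID 550 omitted). The trailing "table" line keeps only the
# columns worth reading, as the post's cleanup line does.
search = index=wineventlog sourcetype="WinEventLog:Security" \
    EventCode IN (1102, 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124) \
    | table _time, ComputerName, EventCode, user, Message
# Run every 15 minutes over the last 15 minutes
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
# Trigger whenever at least one matching event is returned
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 5
# E-mail action with the matching rows included in the message body
action.email = 1
action.email.to = soc@example.invalid
action.email.subject = Splunk alert: $name$
action.email.sendresults = 1
action.email.inline = 1

[Windows Critical - Events by Day]
# Panel search for the occurrences-over-time visualisation on the dashboard
search = index=wineventlog sourcetype="WinEventLog:Security" \
    EventCode IN (1102, 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124) \
    | timechart span=1d count by EventCode
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
```

A note on the 1102 test: the universal forwarder ships each event as it is written, so the “audit log was cleared” record reaches Splunk even though the local Security log is empty afterwards. That is exactly why 1102 is worth alerting on: it is the one event that survives an attempt to erase the rest. The 15-minute schedule trades a little latency for a cheaper search than a real-time alert; tighten the window if the environment warrants it.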

This dashboard has been a great addition to my HomeLab environment, greatly improving my security posture, substantially shortening my incident response time and providing much more in-depth coverage of the Windows computers in my environment.