Description
This application summarizes and visualizes all security-relevant information in your Windows environment. It supports both Windows 2003 and Windows 2008, even in mixed environments.
Versions and Release Notes
Version 1.1 (current version - updated Aug 11, 2011)
release notes:
Windows Security Operations Center for Splunk v1.1
08/11/2011
New version adds a setup screen so you can easily configure the index that has your Windows event logs, as well as new dashboards for Windows Firewalls (Windows Vista/7/2008).
This application contains dozens of dashboards that visualize all security-relevant information about your Windows environment.
Special care has been taken to make sure that the application works with both Windows 2003 and 2008 systems, even in mixed environments!
Enjoy and send comments/reports/bugs to splunk@infigo.hr.
Version 1.0 (updated May 16, 2011)
Got it set up and running, but it doesn't seem to pick up any of my 2008 security events.
Using it for a couple of days and it looks like a great app!
Only glitch I found so far is that "Deleted groups" don't show (using Windows 2k8R2 AD) unless EventCode=4730 (security-enabled groups) is included in the search.
Hi, can it work if I send my Windows logs via Snare? Must it work with WMI?
It cannot get and show domain accounts! Can you help me, please?
I have just installed your app and think that it is wonderful! I have spent the last two weeks developing searches, dashboards and reports only to find that you have just released this app that does all that and more. Great app!
One modification I’d like to make is to add an additional selection in the time picker. In between 24 hours and last 7 days I would like the option of 1 day. This would report on items from the previous day.
Can you please post how to modify the dashboard and search without changing the index where the logs are kept?
Sure - here's what needs to be changed.
1) First find out where your Windows logs are. If you are collecting logs through WMI, the sourcetype will be "WMI:Wineventlog:Security".
2) Now you'll have to edit the application's searches in the XML files. Go to $SPLUNK_HOME/etc/apps/infigo_windows_soc/default/data/ui/views, open the files and find the searches. For every search you will have to modify the index part (if it's not windows) and the sourcetype part (if using WMI).
For example, if the index is main, make sure the search starts like this:
index="main" sourcetype="*wineventlog:security"
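Added example (not the app's own code or the author's): a small Python script that applies the edit described above to every view file at once, renaming the index and prefixing source/sourcetype with `*` so that WMI-collected events match too. The views directory path and the sample view line are assumptions; the script rewrites the files as plain text, so it does not depend on the XML element names Splunk uses.

```python
import re
import tempfile
from pathlib import Path

# The index the shipped searches use, as stated in the post above.
OLD_INDEX = "windows"

# index="windows" or index=windows  ->  index="<new index>"
INDEX_RE = re.compile(r'\bindex\s*=\s*"?' + OLD_INDEX + r'\b"?', re.IGNORECASE)
# source="wineventlog:..." / sourcetype="wineventlog:..."  ->  leading "*", so
# WMI-collected events ("WMI:WinEventLog:...") match as well. Values that
# already start with "*" are skipped, so the rewrite can be re-run safely.
SOURCE_RE = re.compile(
    r'\b(source(?:type)?\s*=\s*)"?(?!\*)(wineventlog[^\s"]*)"?', re.IGNORECASE
)


def rewrite_search(text, new_index, wildcard_source=True):
    """Return TEXT with the index renamed and source/sourcetype wildcarded."""
    text = INDEX_RE.sub(f'index="{new_index}"', text)
    if wildcard_source:
        text = SOURCE_RE.sub(r'\1"*\2"', text)
    return text


def rewrite_views(views_dir, new_index, dry_run=False):
    """Rewrite every *.xml under VIEWS_DIR in place; return the changed paths."""
    changed = []
    for path in sorted(Path(views_dir).glob("*.xml")):
        original = path.read_text(encoding="utf-8")
        updated = rewrite_search(original, new_index)
        if updated != original:
            changed.append(path)
            if not dry_run:
                path.write_text(updated, encoding="utf-8")
    return changed


if __name__ == "__main__":
    # Demo on a constructed view file; for real use point views_dir at
    # $SPLUNK_HOME/etc/apps/infigo_windows_soc/default/data/ui/views
    # (after backing the directory up). The element name is illustrative.
    sample = ('<searchString>index="windows" sourcetype="WinEventLog:Security" '
              'EventCode=4730 | stats count</searchString>\n')
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "deleted_groups.xml").write_text(sample, encoding="utf-8")
        for path in rewrite_views(tmp, "main"):
            print(path.name, "->", path.read_text(encoding="utf-8").strip())
```

Run with `dry_run=True` first to list the files that would change without touching them.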
Any timeline on the release date of v1.1? I don't want to change my index, and I have only been using the product for about a week, so editing dashboards and searches will take a while to learn.
Hi Hebertdp,
v1.1 should be released next week, we're aiming for 27th of July as release date.
As the main add-on, it will move certain things to macros and should allow editing through Splunk's manager. It will also include some minor bug fixes.
Doesn't work at all for me in a 2008 R2 environment; will it be updated?
jdlee, the application works without any problems on Windows 2008 R2 environments, please make sure that you checked the following:
- Windows logs are stored in the "windows" index (otherwise you'll have to modify searches manually; this will be fixed in v1.1 to use a macro)
- Your Windows servers actually create proper logs, so check the domain group policy you have applied for Account logon events and Logon events (both should log Successful/Failed events).
Very nice, exactly what I was looking for.
However, I collect the Windows event logs on a Universal Forwarder installed on a Windows host, and use WMI to collect the eventlogs of all other Windows systems in the domain. Therefore, the source and sourcetype of the eventlogs start with the WMI: prefix, except for the event logs on the system on which the forwarder is running.
Therefore, I had to change all occurrences of "wineventlog..." to "*wineventlog...", and since there are about 100 of them, it was quite a job.
Could you therefore please use "*WinEventlog..." everywhere for source and sourcetype?
Chris van Engelen, Police Netherlands
Chris, thanks for your review and comments, we'll release a new version next week including the fix you proposed and some other minor tweaks.
Using configurable eventtypes or macros would be even better IMHO. You could even create a link in the navigation menu pointing to the manager page to edit the value.
Hi,
Can you please e-mail us at splunk@infigo.hr with details about what you think is incorrect so we can take a look. Windows 2003 actually uses Type=Failure Audit, while Windows 2008 uses Keywords=Audit Failure, so the dashboards/searches should work correctly on all Windows versions.
Regards,
Bojan
