WEEK_1 · DAY_06 · 1 HOUR

Operating System Logs

Windows Event Logs, Sysmon, Linux auth & auditd

Splunk Lab

Learning Objectives

  • Read Windows Security & Sysmon events
  • Memorize the top 10 high-value Event IDs
  • Parse Linux auth.log and auditd records
  • Understand the Splunk Universal Forwarder

Module 1 — Windows Event Logs

Channels: Security, System, Application, PowerShell/Operational, Sysmon/Operational.

Top Event IDs: 4624 logon, 4625 failed logon, 4634 logoff, 4672 special privs, 4688 process creation, 4697/7045 service install, 4720 user created, 4732 user added to group, 4768/4769 Kerberos.

Module 2 — Sysmon — The Analyst's Best Friend

Free Sysinternals tool. Provides rich endpoint telemetry that the Windows Security log lacks.

Process creation w/ hash + command line, network connections, image loads, registry, file create, DNS query, raw access.

Key IDs: 1 process, 3 network, 7 image load, 10 process access, 11 file create, 13 reg set, 22 DNS query.

Deploy with SwiftOnSecurity sysmon-config or Olaf Hartong's modular config.

Module 3 — Linux Logs

/var/log/auth.log (Debian) or /var/log/secure (RHEL) — sshd, sudo, su.

auditd — rule-based syscall auditing. Key events: execve, connect, openat.

journalctl & /var/log/messages — systemd & legacy.

Module 4 — Splunk Universal Forwarder

Lightweight (~30 MB) Splunk agent installed on every host.

Collects local files, Windows Event channels and scripted inputs; forwards them encrypted to the indexers.

Configured via inputs.conf, outputs.conf. Managed centrally via Deployment Server.

SPL Queries

Failed logons by user

index=wineventlog EventCode=4625
| stats count by Account_Name, src_ip
| where count > 10
| sort - count

Note: brute-force candidates (SPL has no // comment syntax, so keep notes outside the search).

Office spawning shells

index=sysmon EventCode=1
  ParentImage IN ("*winword.exe","*excel.exe","*outlook.exe")
  Image IN ("*powershell.exe","*cmd.exe","*wscript.exe")
| table _time Computer User ParentImage Image CommandLine

Note: macro-based execution chain — phishing payload.

Lab 6 — Hunt Office → PowerShell

  1. Open Splunk → Search.
  2. Run the pre-loaded Sysmon query for Office children.
  3. Decode any base64 in the CommandLine.
  4. Identify the user and host; recommend EDR isolation.
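Lab steps 2 and 3 in code, as an added example that is not part of the course material: constructed Sysmon Event ID 1 records are filtered with the same Office-parent / shell-child wildcards as the SPL query above, and any -EncodedCommand argument is base64-decoded as UTF-16LE, which is how powershell.exe expects it. The sample records, host name, user and the benign encoded payload are all constructed for the example.

```python
import base64
import fnmatch

OFFICE_PARENTS = ("*winword.exe", "*excel.exe", "*outlook.exe")
SHELL_CHILDREN = ("*powershell.exe", "*cmd.exe", "*wscript.exe")

# Constructed sample payload: a benign command encoded the way powershell.exe -EncodedCommand
# expects it (UTF-16LE text, then base64).
_SAMPLE_ENC = base64.b64encode("Write-Output 'lab sample'".encode("utf-16le")).decode("ascii")

# Constructed Sysmon Event ID 1 records, field names as the Splunk Sysmon add-on presents them.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "WS-042", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_SAMPLE_ENC}"},
    {"EventCode": 1, "Computer": "WS-042", "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

def matches_any(path, patterns):
    # Case-insensitive wildcard match, mirroring SPL's  Image IN ("*powershell.exe", ...)
    return any(fnmatch.fnmatchcase(path.lower(), p) for p in patterns)

def extract_encoded_command(cmdline):
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    # so match the switch by prefix rather than by one fixed spelling.
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok[1:].lower()
        if tok[:1] in "-/" and flag and "encodedcommand".startswith(flag):
            return tokens[i + 1].strip("\"'")
    return None

def decode_encoded_command(b64):
    # Lab step 3: return None rather than raising when the value is not valid base64 / UTF-16LE.
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def hunt_office_children(events):
    # Lab step 2: Office parent spawning a scripting host, same filter as the SPL query above.
    hits = []
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        if not (matches_any(ev["ParentImage"], OFFICE_PARENTS) and matches_any(ev["Image"], SHELL_CHILDREN)):
            continue
        enc = extract_encoded_command(ev["CommandLine"])
        hit = {k: ev[k] for k in ("Computer", "User", "ParentImage", "Image", "CommandLine")}
        hit["DecodedCommand"] = decode_encoded_command(enc) if enc else None
        hits.append(hit)
    return hits  # step 4 reads the user and host to isolate straight from these hits
```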

Key Takeaways

  • EventCodes 4624 / 4625 / 4688 are non-negotiable
  • Sysmon turns Windows into a flight recorder
  • Universal Forwarder is the foundation of every Splunk deployment