ABC’s of Splunk Part Nine: Reduction of Attack Surface Area

For this post, we take a little side trip to explore Splunk as a tool for early identification of areas vulnerable to attacks so we can reap the benefits of all our learnings and extract valuable information as to what makes Splunk powerful from a SIEM perspective. Please revisit our previous posts if you would like to learn more

As more clients move on-prem technology systems to the cloud, the attack surface area increases tremendously because instead of utilizing a local provider or their own computer room (small surface area) for hosting, they migrate to bigger systems and workloads that can dynamically move from one data center to another, with scalability the primary focus over security. In at least three scenarios I witnessed this year alone, the ability to access the necessary logs in less than 24 hours was almost impossible, which led me to begin identifying the actions we must take to reduce our attack surface area – or at least have better logs and controls to reduce exposure.

Let’s discuss how to collect the logs from Microsoft Office 365 (O365) in nearly real time (expect 5 to 25-minute delays) and how to set up alerts for when a successful login occurs outside a user’s normal geographic region. In a default manner, Splunk will sometimes in error detect a failed login as successful because the logs from O365 will show “successful” for an account that doesn’t exist, but with proper filtering (follow below), you will be able to see the real logins.

Time to dig in!

How to collect the data

Two Add-ons must be installed for O365:

Splunk Add-on for O365 

Download from Splunkbase

Documentation

What data does it collect?

  • Service status (Historical and current service status)
  • Service messages
  • Management activity logs (Data Loss Prevention events)
  • Audit logs for Azure Active Directory, SharePoint Online and Exchange Online

Splunk Add-on for O365 Reporting

Download from Splunkbase

Documentation/Installation/Configuration

What data does it collect?

  • Message Trace (Summary information about the processing of email messages that have passed through the O365 system)

Index Configuration

For this blog, we have used index=o365.

How to visualize/understand the data

The Microsoft 365 App for Splunk or Microsoft Cloud App needs to be installed – Microsoft 365 App for Splunk

The App also has some dependent Apps that must be installed on your Search Head. These are custom visualization charts to better view the data.

 

Configuration

Though the App does not require any configuration, the recommendation is to update index-macro to increase search performance. As mentioned above, we have used index=o365.

  1. Navigate to Settings > Advanced search > Search macros
  2. Select “Microsoft 365 App for Splunk” in the App list
  3. Type “m365_default_index” in filter
  4. Click on m365_default_index from the list below
  5. Update the Definition from “index=*” to “index=0365”
  6. Save

Your Microsoft 365 App should display something like this:

Browse the App and all the different screens to develop a strong understanding of what information is being collected.

How to get alerts related to notable events occurring on the O365

We can also write alerts to get notified as early as possible with Splunk alerts. Added below are some of the examples (including search queries) that may give you a great start for your use-cases with O365 security with Splunk.

  1. Azure login failure outside the US due to multi-factor authentication

This alert will tell you if someone fails the two-factor authentication with Azure/O365 outside the US.

Query

index=o365 _index_earliest=-15m@s _index_latest=now sourcetype=”o365:management:activity”Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError=”DeviceAuthenticationRequired” OR LogonError=”UserStrongAuthClientAuthNRequiredInterrupt”) | stats count, latest(ClientIP) as ClientIP, values(_time) as _time by UserId | where count > 1 | eval _time=strftime(_time, “%F %T”) | iplocation ClientIP | search Country!=”United States” | makemv _time delim=”,”

Alert Type – Scheduled

Timerange – Last 24 Hours

Cron Expression – */15 * * * *

  1. Azure login from an unknown user

This alert will tell you if there are logins from unknown users on Azure/O365.

Query

index=o365 sourcetype=”o365:management:activity” Workload=AzureActiveDirectory Operation=UserLoggedIn UserId=Unknown | iplocation ClientIP | table _time, ClientIP, City, Region, Country, Operation, Region, UserId

Alert Type – Scheduled

Timerange – Last 5 Minutes

Cron Expression – */5 * * * *

  1. Azure success login outside the US

This alert will tell you if someone logs in from outside the US.

Query

index=o365 _index_earliest=-5m@s _index_latest=now sourcetype=”o365:management:activity” Workload=AzureActiveDirectory Operation=UserLoggedIn NOT LogonError=* |iplocation ClientIP | search Country!=”United States” | table _time, ClientIP, City, Region, Country, UserId

Alert Type – Scheduled

Timerange – Last 24 Hours

Cron Expression – */5 * * * *

If you know of different alerts that can benefit the community, please reply to this post and/or shoot me an email to be published in the comment section and/or in our next post. We’re all ears if there is a system you want us to tackle next, and we will make it happen as soon as possible.

Happy Splunking!

 

Written by Usama Houlila.

Any questions, comments, or feedback are appreciated! Leave a comment or send me an email to uhoulila@crossrealms.com for any questions you might have.

Leave a Reply

Your email address will not be published. Required fields are marked *