I attended the Austin ISSA-sponsored Advanced Splunk Training session on March 6.  As always, the ISSA chapter delivered meaty technical training, and it was free!  The event was co-sponsored by BSides and Splunk.


While all kinds of interesting Splunk technical info was presented, for me, the most interesting part was hearing from Michael Gough and some other security practitioners at the event about what people really monitor.  As a technology provider, we are not always privy to what people are really doing with our tools, so it was an eye-opener for me.


Here are some of the things security guys monitor.  Of course they monitor other stuff too, but this is what we can share in mixed company.

  • Administrators / Root logins, successful or failed.  "Power corrupts, total power corrupts totally" - even IT administrators.
  • Login attempts to disabled accounts.  Makes sense - there's usually a pretty good reason they're disabled.
  • Successful logins for certain accounts, such as those with elevated privileges, or accounts given to partner personnel.
  • HTTPS accesses, especially to weirdly long URLs, which can be SQL injection attempts.
  • FTP from servers and workstations
  • Group membership changes and elevation of privilege
  • Database alerts
  • Suspicious files being executed
  • VPN logins
  • Outlook Web App (OWA)  and Remote Desktop Protocol (RDP) logins – looking for suspicious remote access
  • Servers downloading .exes from the internet.  Admins surfing for open source tools are watched to make sure malware hasn't been downloaded along the way.
  • Share drive accesses at workstations and at servers; access to particular, sensitive shares.  They watch for shares being seen and crawled inappropriately.
  • Net.exe use to map and unmap network drives in Windows
  • Cscript.exe use. Cscript.exe lets you run scripts via command line and can be used in exploits
  • Services being installed from servers; noisy workstations
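As an added example that is not part of the original post, here are a few of the items above written as simple detection rules in Python and run over constructed sample log lines: logins to disabled accounts, successful logins by privileged accounts, group membership changes, net.exe / cscript.exe launches, and weirdly long URLs. The event IDs follow Windows Security log conventions; the key=value log format, the privileged-account list and the URL length threshold are assumptions.

```python
import re

# Constructed sample lines (not real logs) in a simplified key=value form; the
# event IDs and field names mirror Windows Security log conventions, and the
# WEB line stands in for a web server access log entry.
SAMPLE_LOGS = """\
EventID=4624 Account=backup_svc Domain=CORP LogonType=10 Src=10.1.2.3
EventID=4625 Account=oldvendor Domain=CORP SubStatus=0xC0000072 Src=10.1.2.9
EventID=4624 Account=jsmith Domain=CORP LogonType=2 Src=10.1.2.20
EventID=4728 Member=jsmith Group="Domain Admins" Actor=itadmin
EventID=4688 Account=jsmith Process=C:\\Windows\\System32\\net.exe CommandLine="net use Z: \\\\fileserver\\finance"
EventID=4688 Account=jsmith Process=C:\\Windows\\System32\\cscript.exe CommandLine="cscript.exe //nologo update.vbs"
EventID=4688 Account=jsmith Process=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"
""" + "WEB 10.8.0.5 GET /search?q=" + "a" * 80 + " HTTP/1.1 200\n"

PRIVILEGED_ACCOUNTS = {"backup_svc", "administrator", "root"}  # assumption: your own list
WATCHED_PROCESSES = {"net.exe", "cscript.exe"}                  # from the list above
URL_LENGTH_LIMIT = 60                                           # assumption: tune to your traffic
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def evaluate(line):
    """Return the names of every rule that fires on one log line."""
    alerts = []
    if line.startswith("WEB "):                      # access-log format: WEB src method url ...
        if len(line.split()[3]) > URL_LENGTH_LIMIT:
            alerts.append("long_url")
        return alerts
    ev = parse(line)
    eid = ev.get("EventID")
    if eid == "4624" and ev.get("Account") in PRIVILEGED_ACCOUNTS:
        alerts.append("privileged_logon")            # successful logon by a watched account
    if eid == "4625" and ev.get("SubStatus") == "0xC0000072":
        alerts.append("disabled_account_logon_attempt")  # NT status: account disabled
    if eid == "4728":
        alerts.append("group_membership_change")     # member added to a global group
    if eid == "4688":                                # process creation
        exe = ev.get("Process", "").rsplit("\\", 1)[-1].lower()
        if exe in WATCHED_PROCESSES:
            alerts.append("watched_process:" + exe)
    return alerts

def run(log_text=SAMPLE_LOGS):
    """Map line number -> rules fired, keeping only lines where something fired."""
    hits = {n: evaluate(l) for n, l in enumerate(log_text.splitlines(), 1)}
    return {n: fired for n, fired in hits.items() if fired}
```

Real deployments would feed normalised events from the SIEM into `evaluate` instead of the embedded sample, and the thresholds and account lists would come from configuration.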


And if you are a Security Guy, please check out our SIEM, SolarWinds Log & Event Manager.  It's an understated, affordable, full-function SIEM that can help you pwn the bad guys.