Windows Security Operations Center

A long time ago our CTO, Bojan Ždrnja, made a Splunk app that monitored and analyzed Windows logs, called Windows Security Operations Center (WSOC from now on). It was built before Splunk Enterprise Security existed, so it was a truly visionary project. It was a success story: a great free app that many people used.

As the years passed, Splunk built its own SIEM and we built our own SIEM, so WSOC became obsolete for us. But we realized that it was still useful for people who don’t have our set of tools or expertise. That is why we made version 2.0: we made sure it’s compatible with modern systems, but also kept what made it good and useful. We decided to keep support for the now old Windows Server 2003 logs because, through our internal research with lots of different clients, we found that we still come across good old 2003… Of course, newer and current Windows Server versions are supported.

OK, so what is it exactly?

WSOC is a Splunk app that ingests and analyzes Windows logs (especially authentication logs); it supports the wineventlog and xmlwineventlog log formats.
You need Splunk 7.x to 9.x (Enterprise or Cloud) and the free Splunk Add-on for Microsoft Windows (made by Splunk Inc.).

After you set everything up, you should see an app with 19 dashboards divided into four categories – Login Events, User Management, Change Control, and Windows Firewall.

Login Events is built from authentication logs and shows Active Directory, NTLM, and RDP logons (both successful and unsuccessful attempts).
User Management shows user and group management changes (add, remove, change for users and groups). It makes it easy to see users who were added, deleted, locked, unlocked, disabled, and so on. For groups, besides the basic stuff, you can also see Security Enabled Global Group Members Added, Security Enabled Universal Group Members Added, and Security Enabled Local Group Members Added.
Change Control shows time synchronization, process tracking, a patch status overview, a Windows installations overview, and an activity monitor that also tracks Windows domain policy changes, log deletion, system restarts, and new service installations.
Windows Firewall tracks changes in the firewall configuration – adding and removing rules, allowed and blocked connections, allowed and blocked binds.
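To show the kind of grouping the Login Events dashboards do, here is a small added Python example (not WSOC's own code) that runs over a constructed sample written in a simplified key=value rendition of the wineventlog format. Windows Security event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RDP/RemoteInteractive) are real; the flattened field names and the RDP/NTLM/Active Directory bucketing rule are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed sample events; field names are an assumed, simplified
# key=value rendering of the Windows Security log message fields.
SAMPLE_EVENTS = """\
EventCode=4624 Logon_Type=10 Account_Name=alice Authentication_Package=Negotiate Source_Network_Address=10.0.0.5
EventCode=4624 Logon_Type=3 Account_Name=svc_backup Authentication_Package=NTLM Source_Network_Address=10.0.0.7
EventCode=4625 Logon_Type=10 Account_Name=bob Authentication_Package=NTLM Source_Network_Address=203.0.113.9
EventCode=4625 Logon_Type=10 Account_Name=bob Authentication_Package=NTLM Source_Network_Address=203.0.113.9
EventCode=4625 Logon_Type=10 Account_Name=bob Authentication_Package=NTLM Source_Network_Address=203.0.113.9
EventCode=4624 Logon_Type=3 Account_Name=carol Authentication_Package=Kerberos Source_Network_Address=10.0.0.12
EventCode=4720 Account_Name=newuser
"""

SUCCESS, FAILURE = "4624", "4625"   # Windows Security logon event IDs
RDP_LOGON_TYPE = "10"               # RemoteInteractive (RDP) logon type


def parse_event(line):
    """Turn one key=value line into a dict of its fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def classify(ev):
    """Assumed bucketing: RDP first, then NTLM, everything else is Active Directory."""
    if ev.get("Logon_Type") == RDP_LOGON_TYPE:
        return "RDP"
    if ev.get("Authentication_Package") == "NTLM":
        return "NTLM"
    return "Active Directory"


def summarize(text):
    """Return (counts per (bucket, outcome), failure counts per (account, source))."""
    counts, failures = Counter(), Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        code = ev.get("EventCode")
        if code not in (SUCCESS, FAILURE):
            continue  # e.g. 4720 (user created) belongs to User Management, not Login Events
        outcome = "success" if code == SUCCESS else "failure"
        counts[(classify(ev), outcome)] += 1
        if outcome == "failure":
            failures[(ev.get("Account_Name"), ev.get("Source_Network_Address"))] += 1
    return counts, failures


def repeated_failures(failures, threshold=3):
    """(account, source) pairs at or above the threshold: the rows a failed-logon panel highlights."""
    return sorted(k for k, n in failures.items() if n >= threshold)
```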

Although WSOC won’t, and can’t, replace a full-blown modern SIEM, it is a great way to start experimenting with (Windows) log analysis and visualization in general. The best thing is that all of this is free – Splunk can be run in its free version, the Splunk Add-on for Microsoft Windows is free, and WSOC is free, so there is nothing stopping you from dipping your toes into this, honing your Splunk skills, and getting a better understanding of your server environment.