Wednesday, June 19, 2019

Parsing and Displaying Windows Firewall data in Splunk

By Tony Lee

Have you ever wondered what it would be like to harness all of the Windows firewall data in your environment and crunch that activity using big data analytics?  What you find might shock you.

Fortunately for us Splunk heads, Andreas Roth has already completed most of the work to send the logs to Splunk and even parse them.  https://splunkbase.splunk.com/app/3300/#/details

Figure 1:  TA to collect and parse the logs already exists!

Big shout out to Andreas for the jump start.  However, we added some parsing to get the layer 4 transport protocol and then created a dashboard (shown below) that we are going to share here.

Figure 2:  Dashboard provided in this article

Prerequisites

There are some things you will need to do before we can make use of the Windows Firewall logs:
1)  Enable Windows Firewall Logging 
   Tip:  Use the link in the Log Location section below to enable and configure the firewall via GPO

2)  Forward the logs (written to disk) to Splunk via a Splunk UF, beats agent, etc.
   Tip:  This is made "easy" by installing the TA mentioned above on your forwarders

3)  Parse the logs
   Tip:  This is made easy by installing the TA mentioned above on your indexers

4)  Display the logs
   Tip:  This is made easy by using our dashboard code found at the end of this article

Log Location

The first thing we need to do is discover where those logs are located. After a bit of research, you will find that by default they should be located here:

%systemroot%\Windows\system32\LogFiles\Firewall\pfirewall.log

However, when I tried searching my machine for any sign of the logs, I discovered that they were turned off.  In fact, Windows does not log these to disk by default.

Figure 1:  Windows Firewall Logs off by default

To enable Windows Firewall logging, see the following article:  https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log#to-configure-the-windows-firewall-log

Raw Log

What do these logs look like once they are written to disk? Well, they are short, sweet, and to the point.  See the example log below:

2018-07-03 14:19:55 DROP UDP 192.168.2.1 224.0.0.252 50859 5355 56 - - - - - - - RECEIVE

There are a lot of fields there, but Microsoft kindly places a header in the log file to indicate the field names:

date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

As mentioned before, if you installed the TA-winfw on your search head and universal forwarders, most of the parsing will be performed for you.  However, there was one field that did not seem to be parsed for us.  No biggie, we don't have to do the real heavy lifting.

Parsing

Using our example event from earlier, the transport field, which indicates whether the packet was UDP, TCP, etc., did not seem to be parsed for us.  Instead, the protocol field just displayed "ip".

2018-07-03 14:19:55 DROP UDP 192.168.2.1 224.0.0.252 50859 5355 56 - - - - - - - RECEIVE

To correct this, we added the following regex, generated from the Splunk field extractor, for our sourcetype of winfw:

^(?:[^ \n]* ){3}(?P<transport>\w+)

Search String

After parsing out the "transport" field, we can now form our search string:

index=winfw | table _time, dvc, direction, action, transport, src_ip, src_port, dest_ip, dest_port
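To show how the header, the transport regex and the search-string fields fit together, here is a small offline parser for pfirewall.log lines. It is an added example, not code from the article or the TA-winfw app: the header field names come from the Raw Log section, the regex is the one added above, and the renaming of src-ip/dst-ip/dst-port/path to src_ip/dest_ip/dest_port/direction is an assumption about how the TA maps fields. The sample log lines are constructed.

```python
import re
from collections import Counter

# Field names from the header Windows writes at the top of pfirewall.log (see the Raw Log section).
HEADER = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Same regex the article adds in Splunk: skip three space-delimited tokens, capture the fourth.
TRANSPORT_RE = re.compile(r"^(?:[^ \n]* ){3}(?P<transport>\w+)")

# Names the article's search string uses. Assumed mapping, not taken from the TA.
RENAME = {"src-ip": "src_ip", "dst-ip": "dest_ip", "src-port": "src_port",
          "dst-port": "dest_port", "path": "direction"}

def parse_line(line):
    """Parse one pfirewall.log event into a dict; returns None for comments/blank/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split(" ")
    if len(tokens) != len(HEADER):
        return None  # wrong number of columns: do not guess at field positions
    event = {RENAME.get(name, name): value for name, value in zip(HEADER, tokens)}
    m = TRANSPORT_RE.match(line)
    event["transport"] = m.group("transport") if m else None
    return event

def summarize(lines):
    """Return (events, top_action, top_dest_port), mirroring the dashboard's Top Action/Top Dest Port panels."""
    events = [e for e in map(parse_line, lines) if e]
    return (events,
            Counter(e["action"] for e in events).most_common(),
            Counter(e["dest_port"] for e in events).most_common())

# Constructed sample log (header line plus four events) for offline testing.
SAMPLE_LOG = """#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-07-03 14:19:55 DROP UDP 192.168.2.1 224.0.0.252 50859 5355 56 - - - - - - - RECEIVE
2018-07-03 14:19:56 ALLOW TCP 192.168.2.10 192.168.2.20 49812 445 52 S 123456 0 8192 - - - SEND
2018-07-03 14:19:57 DROP TCP 192.168.2.30 192.168.2.10 51000 445 52 S 987654 0 8192 - - - RECEIVE
2018-07-03 14:19:58 DROP ICMP 192.168.2.30 192.168.2.10 - - 60 - - - - 8 0 - RECEIVE
""".splitlines()

if __name__ == "__main__":
    events, top_action, top_port = summarize(SAMPLE_LOG)
    for e in events:  # same columns as the article's search string
        print(e["date"], e["time"], e["direction"], e["action"], e["transport"],
              e["src_ip"], e["src_port"], e["dest_ip"], e["dest_port"])
    print("top action:", top_action, "top dest_port:", top_port)
```

A line with the wrong column count is dropped rather than mis-aligned, which is the failure mode to watch for when a header change or a truncated write shifts the fields.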

Taking this a step farther, we created a dashboard which is provided at the bottom of the article.

Conclusion

Using the dashboard code below I bet you can find some interesting events in your network. Even if you don't find something malicious, you can probably find a misconfiguration or two. Correcting these issues will not only save on host performance and network performance, but now Splunk performance too.  Happy Splunking!

Great resource:
https://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/

Dashboard Code

The following dashboard assumes that the appropriate logs are being collected and sent to Splunk. Additionally, the dashboard code assumes an index of winfw and a sourcetype of winfw. Feel free to adjust as necessary. Splunk dashboard code provided below:

<form>
  <label>Windows Firewall</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" searchWhenChanged="false" token="time">
      <label>Time Range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" searchWhenChanged="false" token="wild">
      <label>Wildcard Search</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Event Count</title>
        <search>
          <query>| tstats count where index=winfw by host</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <chart>
        <title>Top Action</title>
        <search>
          <query>index=winfw $wild$ | table _time, action | top action</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Top Source IP</title>
        <search>
          <query>index=winfw $wild$ | table _time, src_ip | top limit=0 src_ip</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top Dest IP</title>
        <search>
          <query>index=winfw  $wild$ | table _time, dest_ip | top limit=0 dest_ip</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top Dest Port</title>
        <search>
          <query>index=winfw $wild$ | table _time, dest_port | top limit=0 dest_port</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Details</title>
        <search>
          <query>index=winfw $wild$ | table _time, dvc, direction, action, transport, src_ip, src_port, dest_ip, dest_port</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
