Splunk - Filter Unimportant/Unnecessary Windows Events
In this post, I will talk about which windows events should be ingested to Splunk instance, also how can we filter those unimportant or unnecessary events to save up our license quota.
Event IDs we want:
| Event ID | Description |
|---|---|
| 19-21 | WMI activity detected, generated by Sysmon |
| 576 | User logon with special privilege (applies to older version of Windows) |
| 577 | User called privileged service (applies to older version of Windows) |
| 578 | Privileged object accessed |
| 1102 | Security log is cleared |
| 4104 | PowerShell script block logging events |
| 4720 | Account created |
| 4624 | Successful logon (events with logon type 3 on domain controllers can be filtered) |
| 4625 | Failed Logon |
| 4648 | Process attempts to logon an account by explicitly specifying account credentials |
| 4634 | Successful logoff (events with logon type 3 on domain controllers can be filtered) |
| 4647 | User initiate to logoff |
| 4672 | Admin privileges are assigned to a new logon session |
| 4688 | Process executed (high volume, but very useful for process monitoring) |
| 4697 | Service created |
| 4698 | Scheduled task created |
| 4698 | Scheduled task deleted |
| 4700 | Schedule task enabled |
| 4701 | Schedule task disabled |
| 4702 | Schedule task updated |
| 4722 | User account was enabled |
| 4738 | User account was changed |
| 4740 | User account was locked |
| 4768 | TGT request user validation |
| 4769 | TGS request authentication |
| 4776 | NTLM authentication attempted |
| 4777 | Domain controller failed to authenticate an account |
| 4778 | RDP/Terminal Service logon |
| 4779 | RDP/Terminal Service logoff |
| 5140 | Network share object accessed |
| 5145 | Network share object access permission check |
unfinished…