Splunk Query: Processes Created & Terminated

This morning I installed and configured Snare on my AWS EC2 Windows 2012 Server to ship logs to my SplunkStorm project.

Below is a basic query for charting the top processes that have started on the system:
EventID 4688 — A new process has been created. (Details)

4688 | rex field=_raw "Process Name: (?<Process_Name>.*) Token Elevation Type:" | sort Process_Name | top limit=10000 Process_Name

Here is a modified version of the query for processes that have terminated:
EventID 4689 — A process has exited. (Details)

4689 | rex field=_raw "Process Name: (?<Process_Name>.*) Exit Status:" | sort Process_Name | top limit=10000 Process_Name
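As an added example (not part of the original post), here are the same two extractions replayed offline in Python over constructed Snare-style event lines, so the regexes and the resulting top-N counts can be checked before the queries go into Splunk. The sample lines and their field order are assumptions about how Snare flattens a Security event onto one line; Python spells a named group (?P<name>...) where Splunk's rex uses (?<name>...).

```python
import re
from collections import Counter

# Constructed sample lines (not real data), roughly the shape Snare ships a
# Windows Security event: one event per line with the message text flattened.
SAMPLE_EVENTS = [
    "HOST1 MSWinEventLog Security 4688 Microsoft-Windows-Security-Auditing Success Audit "
    "A new process has been created. New Process ID: 0x1a4 New Process Name: "
    "C:\\Windows\\System32\\cmd.exe Token Elevation Type: TokenElevationTypeDefault (1) "
    "Creator Process ID: 0x3e8",
    "HOST1 MSWinEventLog Security 4688 Microsoft-Windows-Security-Auditing Success Audit "
    "A new process has been created. New Process ID: 0x2b0 New Process Name: "
    "C:\\Windows\\System32\\notepad.exe Token Elevation Type: TokenElevationTypeLimited (3) "
    "Creator Process ID: 0x3e8",
    "HOST1 MSWinEventLog Security 4688 Microsoft-Windows-Security-Auditing Success Audit "
    "A new process has been created. New Process ID: 0x2c4 New Process Name: "
    "C:\\Windows\\System32\\cmd.exe Token Elevation Type: TokenElevationTypeDefault (1) "
    "Creator Process ID: 0x3e8",
    "HOST1 MSWinEventLog Security 4689 Microsoft-Windows-Security-Auditing Success Audit "
    "A process has exited. Process ID: 0x1a4 Process Name: "
    "C:\\Windows\\System32\\cmd.exe Exit Status: 0x0",
    "HOST1 MSWinEventLog Security 4689 Microsoft-Windows-Security-Auditing Success Audit "
    "A process has exited. Process ID: 0x2b0 Process Name: "
    "C:\\Windows\\System32\\notepad.exe Exit Status: 0x1",
]

# Same patterns as the two rex clauses; "Process Name:" also matches inside
# the 4688 text "New Process Name:", which is why one phrase serves both.
CREATED_RE = re.compile(r"Process Name: (?P<Process_Name>.*) Token Elevation Type:")
EXITED_RE = re.compile(r"Process Name: (?P<Process_Name>.*) Exit Status:")


def extract_process_names(events, event_id, pattern):
    """Keep lines carrying event_id (the bare '4688' / '4689' search term), then
    pull Process_Name the way rex does; lines the regex misses are dropped."""
    names = []
    for line in events:
        if f" {event_id} " not in line:
            continue
        match = pattern.search(line)
        if match:
            names.append(match.group("Process_Name"))
    return names


def top_processes(names, limit=10000):
    """Equivalent of `top limit=N Process_Name`: (name, count, percent) rows,
    most frequent first."""
    total = len(names)
    return [(name, count, round(100.0 * count / total, 2))
            for name, count in Counter(names).most_common(limit)]
```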

More to come…

Annual Refresh

It seems that every year for the last six years, I refresh the website look with a different theme, and make a renewed attempt to add content. This year is no different.

This year I’m also taking advantage of the free CloudFlare service to provide security protection for the blog, any viewers, and faster delivery of the site via their CDN network. If you’re suspected of being infected with malware, CloudFlare will notify you and perhaps require a captcha to access the site. Additionally, they provide Web Application Firewall capability that protects from common attacks such as SQLi and XSS.

Some other recent technologies I’m taking a look at include the Amazon Web Services EC2 Windows 2012 Micro Instance and the cloud offering from Splunk — Splunk Storm.

So far the AWS instance seems to be a nice way to try out the latest server platform without having to obtain a copy of the OS installation material. Previously, this was easily done through a corporate MSDN account to quickly try it out in a dev environment. My current position doesn’t afford me that luxury, so it’s nice to see that I can still try it through AWS EC2.

Until next time.