Microsoft
Microsoft helps your organization reach its full potential by relying on an integrated and open cloud platform that spans six critical areas—security, infrastructure, digital and app innovation, data and AI, business applications, and modern work. Azure can help you migrate, modernize, and maximize your cloud and on-premises investments. Microsoft 365 can help you reduce costs – but not productivity – and centralize your business. Additional services, such as Exchange, Hyper-V, and IIS Web Server help you keep your business running smoothly.
Getting data in
Source | Add-ons and Apps | Guidance |
---|---|---|
Windows |
Splunk platform |
Microsoft Windows security logs have over 400 loggable events. We recommend following Microsoft’s official guidance for “Stronger” security visibility. The Audit Policy Recommendations page from Microsoft TechNet provides detailed configuration settings per operating system from Windows 7 / Server 2008 and later. In the Common Information Model, Windows security log data can be mapped to any of the following data models, depending on the field: Authentication, Updates, Vulnerabilities, Endpoint, Event Signatures, Performance, and Change. Windows process launch logs are a subset of security audit logs that track program activation, process exit, handle duplication, and indirect object access. The most common events related to process launches are: Windows Event logs contain important events relating to applications, system services and the operating system. The events describe errors, warnings or information details about activity taking place on each system. This information is used to monitor and troubleshoot each system. In the Common Information Model, Windows event logs can be mapped to any of the following data models, depending on the field: Endpoint, Inventory, Updates, Change, and Performance. Configuration Use Cases
|
Active Directory |
Splunk platform Splunk SOAR |
Use Cases |
Azure |
Splunk SOAR |
Configuration
Use Cases |
Cloud Services |
Splunk platform |
Configuration |
Exchange |
Splunk platform Splunk SOAR |
Configuration |
Hyper-V |
Splunk platform |
Configuration |
IIS Web Server |
Splunk platform |
Microsoft Internet Information Services (IIS) is an extensible web server software with a large number of features. IIS can be:
In the Common Information Model, Microsoft IIS data is typically mapped to the Web data model. Configuration Use Cases |
Microsoft 365 |
Splunk platform Splunk SOAR |
Microsoft Office 365 produces service status, service messages, and management activity logs that are all useful for system administrators. In the Common Information Model, Microsoft O365 data can be mapped to any of the following data models: Authentication, Change, Data Access. Microsoft O365 reporting data allows you to determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status. These logs also provide the following information:
Configuration Use Cases |
SQL Server |
Splunk platform Splunk SOAR |
Configuration |
Sysmon |
Splunk platform |
Microsoft Sysmon, a component of Microsoft’s Sysinternals suite of Windows utilities, is a powerful host-level tool that can assist you in detecting advanced threats on your network by providing intricate host-operation details in real time. In contrast to common Antivirus/Host-Based Intrusion-detection (HIDS) solutions, Sysmon performs system activity deep monitoring and logs high-confidence indicators of advanced attacks. Sysmon is capable of producing extensive details that are useful in the early detection of malicious code execution or other nefarious behavior. These include:
Use Cases
|
System Center |
Splunk platform Splunk SOAR |
Configuration |
Teams |
Splunk platform |
Configuration |