Add Windows events to Splunk UBA

Windows security events from endpoints such as desktop systems or laptops are used by Splunk UBA to provide insight into system activity. You can also use Windows event data to associate IP addresses to device names and human users. See Which Windows events are used by Splunk UBA?

CAUTION: For Windows events, an account name that ends with a trailing $ suffix is classified by UBA as a service account, not a user account. Consequently, UBA treats the account name as the source device and skips HR resolution for those events.

Windows events can be logged in many formats, with native multiline or XML being the most command formats. Splunk UBA can ingest Windows logs in both multiline and XML formats. A different method of ingestion is required for each, described as follows:

Multiline format is the native format for Windows event logs. For instructions, see How to get multiline Windows events into Splunk UBA .
XML format is commonly found when interacting with Splunk Enterprise Security (ES), the Common Information Model (CIM), or later versions of the Splunk Add-on for Microsoft Windows. For instructions, see How to get XML Windows events into Splunk UBA .

How to get multiline Windows events into Splunk UBA

Perform the following steps to get multiline Windows events into Splunk UBA:

Verify that your Windows events are in multiline format. See What does a multiline Windows event look like?
Follow the steps in Use the Splunk Raw Events connector to get multiline Windows events into Splunk UBA.

What does a multiline Windows event look like?

The following is an example multiline Windows event:

11/18/2020 2:49:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=ubanode.exampledomain.local
TaskCategory=Logon
OpCode=Info
RecordNumber=989284571
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0
Logon Type:         3
Impersonation Level:        Impersonation
New Logon:
    Security ID:        EXAMPLEDOMAIN\ad_user1
    Account Name:       ad_user1
    Account Domain:     EXAMPLEDOMAIN
    Logon ID:       0xF13AE
    Logon GUID:     {3134bb44-1592-fc31-6404-b4b820e7507e}
Process Information:
    Process ID:     0x0
    Process Name:       -
Network Information:
    Workstation Name: 
    Source Network Address: -
    Source Port:        -
Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

Use the Splunk Raw Events connector to get multiline Windows events into Splunk UBA

Perform the following steps to get your multiline Windows events into Splunk UBA. For detailed instructions on adding data sources using the Splunk Raw Events connector, see Add raw events from the Splunk platform to Splunk UBA .

In Splunk UBA, select Manage > Data Sources.
Click New Data Source.
Select Splunk as the data source type.
Click Next.
Specify a name for the data source, such as Splunk.
Type a connection URL that matches the URL for your Splunk platform search head and management port.
For example, https://splunksearchhead.splunk.com:8089.
If you have search head clustering configured and a load balancer is available, you can specify the load balancer host name to avoid a single point failure. Ensure that port 8089 is accessible on the load balancer.
Type the user name and password for the Splunk platform account.
Select a Connector Type of Splunk Raw Events.
Click Next.
Select a time range, such as Live and All time.
Click Next.
Click Splunk Query and add the name of your index as the query. For example:
```
index=<your_multiline_Windows_index_name>
```
Select Single Format, then click in the drop-down list and select Windows Event Log (Multiline).
Click Next.
To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
Click OK.

How to get XML Windows events into Splunk UBA

Perform the following steps to get multiline Windows events into Splunk UBA:

Verify that your Windows events are in XML format. See What does an XML Windows event look like?
Use the Splunk Direct connector type or the Splunk Raw Events connector type to get XML Windows events into UBA:
- See Use the Splunk Direct connector to get XML Windows events into Splunk UBA.
- See Use the Splunk Raw Events connector to get XML Windows events into Splunk UBA.

What does an XML Windows event look like?

Note: An XML event can have different tags depending on the Event ID.

The following is an example XML Windows event 4624:

<?xml version="1.0"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z"/>
    <EventRecordID>211</EventRecordID>
    <Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}"/>
    <Execution ProcessID="716" ThreadID="760"/>
    <Channel>Security</Channel>
    <Computer>WIN-GG82ULGC9GO</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
    <Data Name="TargetLogonId">0x8dcdc</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">User32</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">WIN-GG82ULGC9GO</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x44c</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="IpPort">0</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
    <Data Name="RestrictedAdminMode">-</Data>
    <Data Name="TargetOutboundUserName">-</Data>
    <Data Name="TargetOutboundDomainName">-</Data>
    <Data Name="VirtualAccount">%%1843</Data>
    <Data Name="TargetLinkedLogonId">0x0</Data>
    <Data Name="ElevatedToken">%%1842</Data>
  </EventData>
</Event>

The following is an example PowerShell event 4688:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing'
      Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}' />
    <EventID>4688</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2024-03-28T10:04:41.803456200Z' />
    <EventRecordID>29595</EventRecordID>
    <Correlation />
    <Execution ProcessID='4' ThreadID='1160' />
    <Channel>Security</Channel>
    <Computer>ar-win-2.attackrange.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>ATTACKRANGE\poweru</Data>
    <Data Name='SubjectUserName'>poweru</Data>
    <Data Name='SubjectDomainName'>ATTACKRANGE</Data>
    <Data Name='SubjectLogonId'>0x208952</Data>
    <Data Name='NewProcessId'>0xddc</Data>
    <Data Name='NewProcessName'>C:\Windows\System32\notepad.exe</Data>
    <Data Name='TokenElevationType'>%%1936</Data>
    <Data Name='ProcessId'>0xd4c</Data>
    <Data Name='CommandLine'>"C:\Windows\System32\notepad.exe"
      "C:\Users\poweru\Desktop\PowerCat-master\PowerCat2.psd1"</Data>
    <Data Name='TargetUserSid'>NULL SID</Data>
    <Data Name='TargetUserName'>-</Data>
    <Data Name='TargetDomainName'>-</Data>
    <Data Name='TargetLogonId'>0x0</Data>
    <Data Name='ParentProcessName'>C:\Windows\explorer.exe</Data>
    <Data Name='MandatoryLabel'>Mandatory Label\Medium Mandatory Level</Data>
  </EventData>
</Event>

The following is an example PowerShell event 4104:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}' />
        <EventID>4104</EventID>
        <Version>1</Version>
        <Level>5</Level>
        <Task>2</Task>
        <Opcode>15</Opcode>
        <Keywords>0x0</Keywords>
        <TimeCreated SystemTime='2024-08-27T19:46:00.783014500Z' />
        <EventRecordID>36623</EventRecordID>
        <Correlation ActivityID='{DAFBF16F-508F-0000-9E35-FCDA8F50DA01}' />
        <Execution ProcessID='3772' ThreadID='3404' />
        <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
        <Computer>ar-win-2.attackrange.local</Computer>
        <Security UserID='S-1-5-21-479942415-1663538239-638512776-500' />
    </System>
    <EventData>
        <Data Name='MessageNumber'>1</Data>
        <Data Name='MessageTotal'>1</Data>
        <Data Name='ScriptBlockText'>function Load-Assembly {
            $libDir = Join-Path $here "lib"
            $assemblies = @{
            "core" = Join-Path $libDir "netstandard2.1\YamlDotNet.dll";
            "net45" = Join-Path $libDir "net45\YamlDotNet.dll";
            "net35" = Join-Path $libDir "net35\YamlDotNet.dll";
            }
            if ($PSVersionTable.Keys -contains "PSEdition") {
            if ($PSVersionTable.PSEdition -eq "Core") {
            return [Reflection.Assembly]::LoadFrom($assemblies["core"])
            } elseif ($PSVersionTable.PSVersion.Major -ge 4) {
            return [Reflection.Assembly]::LoadFrom($assemblies["net45"])
            } else {
            return [Reflection.Assembly]::LoadFrom($assemblies["net35"])
            }
            } else { # Powershell 4.0 and lower do not know "PSEdition" yet
            return [Reflection.Assembly]::LoadFrom($assemblies["net35"])
            }
            }</Data>
        <Data Name='ScriptBlockId'>51a70419-4efb-45d2-9138-4b16df3741d1</Data>
        <Data Name='Path'>
            C:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.7\Load-Assemblies2.ps1</Data>
    </EventData>
</Event>

The following is an example PowerShell event 4103:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}' />
        <EventID>4103</EventID>
        <Version>1</Version>
        <Level>4</Level>
        <Task>106</Task>
        <Opcode>20</Opcode>
        <Keywords>0x0</Keywords>
        <TimeCreated SystemTime='2024-02-26T23:44:50.851958200Z' />
        <EventRecordID>292835</EventRecordID>
        <Correlation ActivityID='{DAFBF16F-508F-0000-7AE9-FDDA8F50DA01}' />
        <Execution ProcessID='3952' ThreadID='4516' />
        <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
        <Computer>ar-win-2.attackrange.local</Computer>
        <Security UserID='S-1-5-21-3439685396-888644006-1318033084-1105' />
    </System>
    <EventData>
        <Data Name='ContextInfo'> Severity = Informational
            Host Name = ConsoleHost
            Host Version = 5.1.14393.2879
            Host ID = 39c09746-0947-4b3f-9023-2380134ce111
            Host Application = powershell
            Engine Version = 5.1.14393.2879
            Runspace ID = 3377c49c-5d4a-454c-853f-98d4a720dc5e
            Pipeline ID = 43
            Command Name = Add-Type
            Command Type = Cmdlet
            Script Name = C:\Users\poweru\Desktop\PowerSploit-master\Privesc\PowerUp.ps1
            Command Path =
            Sequence Number = 24
            User = ATTACKRANGE\poweru
            Connected User =
            Shell ID = Microsoft.PowerShell
</Data>
        <Data Name='UserData'></Data>
        <Data Name='Payload'>CommandInvocation(Add-Type): "Add-Type"
            ParameterBinding(Add-Type): name="AssemblyName"; value="System.Core"
</Data>
    </EventData>
</Event>

Use the Splunk Direct connector to get XML Windows events into Splunk UBA

Perform the following steps to get your XML Windows events into Splunk UBA using the Splunk Direct connector. For detailed instructions on adding data sources using the Splunk Direct connector, see Add CIM-compliant data from the Splunk platform to Splunk UBA. The procedure for adding XML Windows events into Splunk UBA is the same as adding a CIM-compliant data source, except that you will not select the CIM Compliant checkbox during the procedure.

In Splunk UBA, select Manage > Data Sources.
Click New Data Source.
Select a data source type of Splunk.
Click Next.
Specify a name for the data source, such as Splunk.
Type a connection URL that matches the URL for your Splunk platform search head and management port.
For example, https://splunksearchhead.splunk.com:8089.
If you have search head clustering configured and a load balancer is available, you can specify the load balancer host name to avoid a single point failure. Ensure that port 8089 is accessible on the load balancer.
Type the user name and password for the Splunk platform account.
Leave or select Splunk Direct as the connector type.
CAUTION: Do not select the CIM Compliant check box.
Click Next.
Select a time range, such as Live and All time.
Click Next.

Select Splunk Query and enter the following search in the field. Replace <YOUR_INDEX_NAME> with the name of your XML Windows events index.

index="<YOUR_INDEX_NAME>" 
| spath output='Event.System.Computer' path=Event.System.Computer 
| spath output='Event.System.Level' path=Event.System.Level 
| spath output='Event.System.Version' path=Event.System.Version 
| rex "\<Provider Name=\'(?<SourceName>[^\']+)\'" 
| rex "\<EventID.*?\>(?<EventCode>[^\<]+)\<"

| eval 
Application_Name=if(isnotnull(Application), Application, app),  
Caller_Computer_Name=if(isnotnull(TargetDomainName), TargetDomainName, CallerComputerName),
Caller_Process_ID=if(isnotnull(CallerProcessId), CallerProcessId, ProcessId),
Caller_Process_Name=if(isnotnull(CallerProcessName), CallerProcessName, ProcessName), 
EventType=if(isnotnull(EventType),EventType, "0"), 
Logon_ID=if(isnotnull(SubjectLogonId), SubjectLogonId, TargetLogonId), 
Source_Port=if(isnotnull(IpPort), IpPort, SourcePort), 
Workstation_Name=if(isnotnull(WorkstationName), WorkstationName, Workstation_Name), 
ComputerName=Computer,
Server=Computer,
Creator_Process_ID=ProcessId,
Process_ID=ProcessId,
Error_Code=Status,
Failure_Code=Status,
Result_Code=Status,
Group_Domain=TargetUserName,
New_Account_Name=TargetUserName,
Logon_Account=TargetUserName,
Group_Name=TargetDomainName,
Supplied_Realm_Name=TargetDomainName,
Client_Address=IpAddress,
Network_Address=IpAddress,
Source_Network_Address=IpAddress,
Privileges=PrivilegeList,
Privileges_Used_for_Access_Check=PrivilegeList

| rename 
SubjectDomainName as Account_Domain, 
SubjectUserName as Account_Name,
IpPort as Client_Port,
FailureReason as Failure_Reason, 
HandleId as Handle_ID, 
ImpersonationLevel as Impersonation_Level, 
Channel as LogName, 
LogonGuid as Logon_GUID, 
LogonProcessName as Logon_Process, 
LogonType as Logon_Type, 
NewProcessId as New_Process_ID, 
NewProcessName as New_Process_Name, 
TargetUserSid as New_Security_ID, 
ObjectName as Object_Name, 
ObjectServer as Object_Server, 
ObjectType as Object_Type, 
OperationType as Operation_Type, 
CommandLine as Process_Command_Line, 
ProcessName as Process_Name,
SubjectUserSid as Security_ID,
ServiceSid as Service_ID, 
ServiceName as Service_Name,
ShareLocalPath as Share_Path,   
SourceAddress as Source_Address, 
Workstation as Source_Workstation, 
SubStatus as Sub_Status, 
TargetServerName as Target_Server_Name, 
TicketEncryptionType as Ticket_Encryption_Type, 
TicketOptions as Ticket_Options, 
TokenElevationType as Token_Elevation_Type, 
TransactionId as Transaction_ID, 
TargetSid as User_ID

Click Next.
Select Single Format as the data format, then click in the drop-down list and select AD.
Click Next.
A Splunk Query is automatically generated that you can optionally review.
Click Next.
To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
Click OK to save the data source.

Use the Splunk Raw Events connector to get XML Windows events into Splunk UBA

Perform the following steps to get your XML Windows events into Splunk UBA. For detailed instructions on adding data sources using the Splunk Raw Events connector, see Add raw events from the Splunk platform to Splunk UBA .

In Splunk UBA, select Manage > Data Sources.
Click New Data Source.
Select Splunk as the data source type.
Click Next.
Specify a name for the data source, such as Splunk.
Type a connection URL that matches the URL for your Splunk platform search head and management port.
For example, https://splunksearchhead.splunk.com:8089.
If you have search head clustering configured and a load balancer is available, you can specify the load balancer host name to avoid a single point failure. Ensure that port 8089 is accessible on the load balancer.
Type the user name and password for the Splunk platform account.
Select a Connector Type of Splunk Raw Events.
Click Next.
Select a time range, such as Live and All time.
Click Next.
Click Splunk Query and add the name of your index as the query. For example:
```
index=<your_xml_Windows_index_name
```
Select Single Format, then click in the drop-down list and select Windows Event Log (EVTX).
Click Next.
To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
Click OK.