SIEM Pull Service Queries
The SIEM Pull Service is a daemon that connects to Splunk and queries for specific risk-related event types, known as risk-altering events. The SIEM Pull Service is configured for four types of risk-altering event: Asset Discovery, Service Modification, Software Detection, and User Account Activity. These events are the most likely to alter the risk profile of an asset, and therefore Tenable Security Center or Tenable Vulnerability Management should re-scan the affected asset. The risk-altering event types, the initial pull service queries sent to Splunk, and the respective plugins are listed below.
Asset Discovery
The SIEM Pull Service uses DHCP logs to detect when assets connect to the network and are assigned an IP address. The discovered assets can then be targeted for scanning to collect vulnerability data and establish a risk profile for the asset.

DHCP Address Assignments

Linux plugins:
- Linux Assets Discovery Linux DHCP Lease (via Splunk) [710023]
- Linux Assets Discovery Linux DHCP Expire (via Splunk) [710027]
- Linux Assets Discovery Linux DHCP Renew (via Splunk) [710024]

Windows plugins:
- Windows Assets Discovery Windows DHCP Lease (via Splunk) [710025]
- Windows Assets Discovery Windows DHCP Expire (via Splunk) [710028]
- Windows Assets Discovery Windows DHCP Renew (via Splunk) [710049]

Core query:
(sourcetype=*dhcp* OR *dhcpd*DHCP* OR source="*dhcp*") AND NOT ("*DNS Update*" OR "*DNS record*")
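The following is an added example, not code from the page or from Tenable's SIEM Pull Service. It shows what the Asset Discovery query's results look like once they are turned into scan targets: DHCP events are parsed out of two log styles (ISC dhcpd syslog lines, and an assumed CSV layout for the Windows DHCP server audit log in which IDs 10/11/12 are assign/renew/release and 30 is a DNS update request), lines matching the query's NOT ("*DNS Update*" OR "*DNS record*") clause are dropped, and repeated events for one address are coalesced so that a lease, renewal and release seen in the same pull window queue a single re-scan. All log lines, hostnames and addresses are constructed.

```python
import re
from dataclasses import dataclass

# ISC dhcpd syslog form (constructed samples below), e.g.
# "dhcpd[1234]: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 (host) via eth0"
DHCPD_EVENT = re.compile(
    r"DHCP(?P<kind>ACK|RELEASE) (?:on|of) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?:to|from) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)
# Windows DHCP server audit log, assumed CSV layout "ID,Date,Time,Description,IP,Host,MAC,...";
# IDs 10/11/12 are assign/renew/release and 30 is a DNS update request (assumption).
WINDHCP_EVENT = re.compile(
    r"^(?P<id>\d\d),[^,]*,[^,]*,[^,]*,(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),[^,]*,(?P<mac>[0-9A-Fa-f]{12})"
)
# Mirrors the query's NOT ("*DNS Update*" OR "*DNS record*") clause.
DNS_NOISE = re.compile(r"DNS Update|DNS record", re.IGNORECASE)
# dhcpd logs a DHCPACK for both an initial lease and a renewal, so both read as "lease" here.
KIND_NAMES = {"ACK": "lease", "RELEASE": "release", "10": "lease", "11": "renew", "12": "release"}

@dataclass(frozen=True)
class ScanTarget:
    ip: str
    mac: str
    reasons: tuple  # DHCP events seen for this address during the pull window, in order

def normalize_mac(raw):
    """'AABBCCDDEEFF' or 'AA:BB:...' -> 'aa:bb:cc:dd:ee:ff' so both log styles compare equal."""
    digits = raw.replace(":", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def extract_targets(lines):
    """One ScanTarget per IP address: a lease, renew and release of the same address in one
    pull window should queue one re-scan, not three, so events are coalesced by IP."""
    by_ip = {}
    for line in lines:
        if DNS_NOISE.search(line):
            continue  # DNS registration chatter, not an address assignment
        m = DHCPD_EVENT.search(line)
        if m:
            kind = KIND_NAMES[m.group("kind")]
        else:
            m = WINDHCP_EVENT.match(line)
            if not m or m.group("id") not in KIND_NAMES:
                continue  # not an assignment record (e.g. a lease denial): no address to scan
            kind = KIND_NAMES[m.group("id")]
        ip, mac = m.group("ip"), normalize_mac(m.group("mac"))
        previous = by_ip.get(ip)
        reasons = (previous.reasons if previous else ()) + (kind,)
        by_ip[ip] = ScanTarget(ip, mac, reasons)  # latest MAC wins if the address was reassigned
    return list(by_ip.values())

# Constructed sample pull window: one dhcpd client and one Windows DHCP server client.
SAMPLE_LOG = [
    "Mar  1 10:00:01 dhcpsrv dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
    "Mar  1 10:00:01 dhcpsrv dhcpd[1234]: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 (ws-lab-01) via eth0",
    "Mar  1 12:00:01 dhcpsrv dhcpd[1234]: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 (ws-lab-01) via eth0",
    "Mar  1 13:30:00 dhcpsrv dhcpd[1234]: DHCPRELEASE of 10.0.0.23 from 00:11:22:33:44:55 (ws-lab-01) via eth0 (found)",
    "10,03/01/24,10:05:00,Assign,10.0.0.77,srv-lab-02.example.test,AABBCCDDEEFF,,0,6",
    "30,03/01/24,10:05:01,DNS Update Request,10.0.0.77,srv-lab-02.example.test,AABBCCDDEEFF,,0,6",
    "11,03/01/24,14:05:00,Renew,10.0.0.77,srv-lab-02.example.test,AABBCCDDEEFF,,0,6",
]

if __name__ == "__main__":
    for target in extract_targets(SAMPLE_LOG):
        print(target)
```

Coalescing by IP is the detail worth keeping: without it, every renewal in the pull window becomes another scan request for an asset whose risk profile has not changed since the lease was first granted.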
Service Modification
When services are changed (added, removed, stopped, or started), the risk of an asset is affected. The asset should be scanned immediately to determine the impact on its risk profile.

Service Start

Linux plugins:
- Linux Service Modification service start (via Splunk): audit (SERVICE_START) [710020]
- Linux Service Modification service start (via Splunk): dbus [710038]
- Linux Service Modification service start (via Splunk): systemd (Starting) [710043]
- Linux Service Modification service start (via Splunk): systemd (executable .service file) [710044]

Linux core query:
(type="DAEMON_START" OR type="SERVICE_START" OR "systemd: Start*" OR "Successfully activated service" OR "service is marked executable")

Windows plugins:
- Windows Service Modification service start (via Splunk): code 7036 [710009]
- Windows Service Modification service start (via Splunk): code 902 [710036]

Windows core query:
source=WinEventLog:* AND (Message="*service*running state*" OR Message="*service*start*")

Service Stop

Linux plugins:
- Linux Service Modification service stop (via Splunk) [710021]

Linux core query:
(type=DAEMON_END OR type="SERVICE_STOP" OR "systemd: Stop*" OR "normal halt")

Windows plugins:
- Windows Service Modification service stop (via Splunk): code 7036 [710010]
- Windows Service Modification service stop (via Splunk): code 7042 [710042]
- Windows Service Modification service stop (via Splunk): code 903 [710048]

Windows core query:
source=WinEventLog:* AND (Message="*service*stopped state*" OR Message="*service*stop*")
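As an added example (not code from the page or from Tenable's pull service), the classifier below applies the matching logic of the Service Start and Service Stop queries above to Splunk-style result rows carrying `host`, `sourcetype` and `_raw`. Each rule corresponds to one term of the queries: the audit `SERVICE_START`/`SERVICE_STOP` records, the `systemd: Start*`/`Stop*` syslog form, the dbus `Successfully activated service` message, and the Windows 7036 `entered the running/stopped state` text. The output names the service and the action so an analyst can see why a host was queued, and the host list is deduplicated so one host with several service changes gets one re-scan. The rows, hostnames and service names are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceEvent:
    host: str
    service: str
    action: str  # "start" or "stop"

# Each rule mirrors one term of the page's service start/stop queries:
# (pattern over the raw event text, action it signals). First match wins.
RULES = [
    # audit records systemd writes on unit start/stop: type=SERVICE_START ... unit=<name>
    (re.compile(r"type=SERVICE_START .*\bunit=(?P<service>\S+)"), "start"),
    (re.compile(r"type=SERVICE_STOP .*\bunit=(?P<service>\S+)"), "stop"),
    # classic syslog-format systemd lines: "systemd: Starting <description>..." / "Stopping ..."
    (re.compile(r"systemd(?:\[\d+\])?: Start(?:ing|ed) (?P<service>.+?)\.*$"), "start"),
    (re.compile(r"systemd(?:\[\d+\])?: Stopp(?:ing|ed) (?P<service>.+?)\.*$"), "stop"),
    # dbus activating a bus-name service
    (re.compile(r"Successfully activated service '(?P<service>[^']+)'"), "start"),
    # Windows Service Control Manager event 7036 message text
    (re.compile(r"The (?P<service>.+?) service entered the running state"), "start"),
    (re.compile(r"The (?P<service>.+?) service entered the stopped state"), "stop"),
]

def classify_service_events(rows):
    """rows are Splunk-style results with host, sourcetype and _raw; rows matching no rule are dropped."""
    events = []
    for row in rows:
        for pattern, action in RULES:
            m = pattern.search(row["_raw"])
            if m:
                events.append(ServiceEvent(row["host"], m.group("service"), action))
                break
    return events

def hosts_to_rescan(events):
    """Hosts with at least one service change, each listed once (sorted for a stable target list)."""
    return sorted({e.host for e in events})

# Constructed sample rows in the shape Splunk returns (host, sourcetype, _raw).
SAMPLE_ROWS = [
    {"host": "db-lab-01", "sourcetype": "linux_audit",
     "_raw": "type=SERVICE_START msg=audit(1709287201.123:456): pid=1 uid=0 auid=4294967295 ses=4294967295 "
             "msg='unit=postgresql comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'"},
    {"host": "db-lab-01", "sourcetype": "syslog",
     "_raw": "Mar  1 10:00:01 db-lab-01 systemd: Starting PostgreSQL database server..."},
    {"host": "web-lab-01", "sourcetype": "syslog",
     "_raw": "Mar  1 10:02:11 web-lab-01 dbus-daemon[612]: [system] Successfully activated service 'org.freedesktop.hostname1'"},
    {"host": "app-lab-02", "sourcetype": "linux_audit",
     "_raw": "type=SERVICE_STOP msg=audit(1709290801.555:789): pid=1 uid=0 auid=4294967295 ses=4294967295 "
             "msg='unit=nginx comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'"},
    {"host": "WIN-LAB-01", "sourcetype": "WinEventLog:System",
     "_raw": "03/01/2024 10:05:00 AM\nLogName=System\nEventCode=7036\nSourceName=Service Control Manager\n"
             "Message=The Print Spooler service entered the running state."},
    {"host": "WIN-LAB-01", "sourcetype": "WinEventLog:System",
     "_raw": "03/01/2024 10:06:00 AM\nLogName=System\nEventCode=7036\nSourceName=Service Control Manager\n"
             "Message=The Windows Update service entered the stopped state."},
    {"host": "web-lab-01", "sourcetype": "syslog",
     "_raw": "Mar  1 10:02:12 web-lab-01 sshd[700]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2"},
]

if __name__ == "__main__":
    found = classify_service_events(SAMPLE_ROWS)
    for event in found:
        print(event)
    print("re-scan:", hosts_to_rescan(found))
```

The Windows rules key on the message text rather than the event code, as the page's queries do; the sshd row shows that unrelated events in the same pull are simply ignored rather than producing a scan.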
Software Detection
Software Detection events are the result of software installations or removals using common tools such as MSI files, YUM, and DPKG. When software is added to a system, the risk is altered and the system should be scanned using credentials to properly assess the change in risk.

Application Removal

Linux plugins:
- Linux Software Detection Application removal (via Splunk): non-yum [710018]
- Linux Software Detection Application removal (via Splunk): yum [710035]

Linux core query:
(sourcetype=dpkg* OR sourcetype="syslog*" OR sourcetype="yum*") AND (remove OR "yum* *rase*") AND NOT (systemd OR startup)

Windows plugins:
- Windows Software Detection Application removal (via Splunk): code 1001 [710007]
- Windows Software Detection Application removal (via Splunk): code 1034 [710046]

Windows core query:
((sourcetype=WinEventLog:System OR sourcetype="WinEventLog:Application") AND remove*)

Application Install

Linux plugins:
- Linux Software Detection application install (via Splunk) [710017]

Linux core query:
(type=SOFTWARE_UPDATE OR sourcetype="dpkg*" OR sourcetype="syslog*" OR sourcetype="yum*") AND (Install* OR instal* OR rpm)

Windows plugins:
- Windows Software Detection application install (via Splunk): code 1033 [710006]
- Windows Software Detection application install (via Splunk): code 11707 [710041]
- Windows Software Detection application install (via Splunk): code 7045 [710047]

Windows core query:
((sourcetype=WinEventLog:System OR sourcetype="WinEventLog:Application") AND install*)

Application Update

Linux plugins:
- Linux Software Detection application update (via Splunk) [710040]

Linux core query:
(type=SOFTWARE_UPDATE OR sourcetype="dpkg*" OR sourcetype="syslog*" OR sourcetype="yum*") AND (Install* OR instal* OR rpm)
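The Linux removal, install and update queries above all key on `dpkg`, `yum` and `syslog` sourcetypes and exclude lines mentioning `systemd` or `startup`. The added example below (not code from the page or from Tenable) parses constructed `dpkg.log` and `yum.log` lines into install/remove/update events with the package name extracted, applies the same NOT (systemd OR startup) exclusion, and returns the list of hosts that need a credentialed re-scan. The dpkg `startup archives install` bookkeeping line and the `status installed` progress line are included in the sample to show why a naive match on the word "install" would over-count; the hostnames and package versions are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class SoftwareEvent:
    host: str
    action: str   # "install", "remove" or "update"
    package: str
    source: str   # "dpkg" or "yum"

# dpkg.log action lines: "<date> <time> <action> <pkg>:<arch> <old-version> <new-version>".
# The "status installed ..." progress lines are deliberately not matched, so one install is one event.
DPKG_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<action>install|remove|purge|upgrade) (?P<pkg>\S+) \S+ \S+$"
)
# yum.log lines: "<Mon> <DD> <HH:MM:SS> <Action>: <name-[epoch:]version-release.arch>"
YUM_LINE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d (?P<action>Installed|Erased|Updated): (?P<nevra>\S+)$")
# The queries' NOT (systemd OR startup) clause: dpkg's "startup archives install" bookkeeping
# lines and systemd journal messages mention install/remove words without naming a package.
NOISE = re.compile(r"\bsystemd\b|\bstartup\b")

DPKG_ACTIONS = {"install": "install", "remove": "remove", "purge": "remove", "upgrade": "update"}
YUM_ACTIONS = {"Installed": "install", "Erased": "remove", "Updated": "update"}

def dpkg_name(pkg):
    """'nmap:amd64' -> 'nmap'"""
    return pkg.split(":", 1)[0]

def yum_name(nevra):
    """'curl-7.76.1-26.el9.x86_64' -> 'curl': drop the arch, then the version and release fields."""
    return nevra.rsplit(".", 1)[0].rsplit("-", 2)[0]

def classify_software_events(rows):
    """rows are Splunk-style results (host, sourcetype, _raw); returns recognised package events in order."""
    events = []
    for row in rows:
        raw = row["_raw"]
        if NOISE.search(raw):
            continue
        m = DPKG_LINE.match(raw)
        if m:
            events.append(SoftwareEvent(row["host"], DPKG_ACTIONS[m.group("action")], dpkg_name(m.group("pkg")), "dpkg"))
            continue
        m = YUM_LINE.match(raw)
        if m:
            events.append(SoftwareEvent(row["host"], YUM_ACTIONS[m.group("action")], yum_name(m.group("nevra")), "yum"))
    return events

def hosts_for_credentialed_scan(events):
    """Each affected host once; the page asks for a credentialed scan after software changes."""
    return sorted({e.host for e in events})

# Constructed sample rows: a Debian-style host (dpkg.log) and an RPM-style host (yum.log plus syslog).
SAMPLE_ROWS = [
    {"host": "deb-lab-01", "sourcetype": "dpkg", "_raw": "2024-03-01 10:00:00 startup archives install"},
    {"host": "deb-lab-01", "sourcetype": "dpkg", "_raw": "2024-03-01 10:00:01 install nmap:amd64 <none> 7.94+dfsg-1"},
    {"host": "deb-lab-01", "sourcetype": "dpkg", "_raw": "2024-03-01 10:00:02 status installed nmap:amd64 7.94+dfsg-1"},
    {"host": "deb-lab-01", "sourcetype": "dpkg", "_raw": "2024-03-01 11:30:00 upgrade curl:amd64 8.5.0-2 8.5.0-3"},
    {"host": "deb-lab-01", "sourcetype": "dpkg", "_raw": "2024-03-01 12:00:00 remove telnet:amd64 0.17-45 <none>"},
    {"host": "rhel-lab-02", "sourcetype": "yum", "_raw": "Mar 01 10:05:00 Installed: nmap-3:7.92-1.el9.x86_64"},
    {"host": "rhel-lab-02", "sourcetype": "yum", "_raw": "Mar 01 10:06:00 Erased: telnet-1:0.17-85.el9.x86_64"},
    {"host": "rhel-lab-02", "sourcetype": "yum", "_raw": "Mar 01 13:00:00 Updated: curl-7.76.1-26.el9.x86_64"},
    {"host": "rhel-lab-02", "sourcetype": "syslog",
     "_raw": "Mar  1 13:00:05 rhel-lab-02 systemd[1]: Removed slice User Slice of UID 1000."},
]

if __name__ == "__main__":
    found = classify_software_events(SAMPLE_ROWS)
    for event in found:
        print(event)
    print("credentialed re-scan:", hosts_for_credentialed_scan(found))
```

One caveat the query's blanket NOT (systemd OR startup) clause carries, reproduced here by `NOISE`: a package whose name contains one of those words would be excluded along with the noise, so a production version should apply the exclusion only to lines that do not already parse as a package action.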
User Account Activity
User Account Activity events are related to a system's user accounts. Each time an account is modified, the impact of that change is worth noting. Many compliance reports require the tracking of password changes, group memberships, and similar activities.

Add User

Linux plugins:
- Linux User Account Activity Add user (via Splunk): useradd, plain [710012]
- Linux User Account Activity Add user (via Splunk): audit (ADD_USER) [710037]
- Linux User Account Activity Add user (via Splunk): audit (USER_MGMT) [710045]

Linux core query:
(sourcetype=linux_audit OR sourcetype=linux_secure) AND (new* OR ADD) AND (user OR USER)

Windows plugins:
- Windows User Account Activity Add user (via Splunk) [710001]

Windows core query:
(sourcetype=WinEventLog:Security Message="*user*created*")

Add User to Group

Linux plugins:
- Linux User Account Activity Add User to a Group (via Splunk): audit (USER_MGMT) [710013]
- Linux User Account Activity Add User to a Group (via Splunk): audit (USER_CHAUTHTOK) [710029]

Linux core query:
(sourcetype=linux_audit OR sourcetype=linux_secure) AND (op="adding user to group" OR add-user-to-group)

Windows plugins:
- Windows User Account Activity Add User to a Group (via Splunk) [710002]

Windows core query:
(sourcetype=WinEventLog:Security Message="A member was added*group*")

Modify Password

Linux plugins:
- Linux User Account Activity Modify Password (via Splunk): usermod, plain [710015]
- Linux User Account Activity Modify Password (via Splunk): audit (changing password) [710031]
- Linux User Account Activity Modify Password (via Splunk): audit (updating password) [710032]

Linux core query:
(sourcetype=linux_audit OR sourcetype=linux_secure OR type=USER_CHAUTHTOK) AND (updat* OR chang*) AND (password)

Windows plugins:
- Windows User Account Activity Modify Password (via Splunk) [710004]

Windows core query:
(sourcetype=WinEventLog:Security AND Message="A user account was changed*") | regex "(Password\sLast\sSet:\s+\d+\/\d+\/\d+\s\d+\:\d+\:\d+\s)(AM|PM)"

Remove User

Linux plugins:
- Linux User Account Activity remove user (via Splunk): userdel, plain [710016]
- Linux User Account Activity remove user (via Splunk): audit (DEL_USER, plain) [710033]
- Linux User Account Activity remove user (via Splunk): audit (DEL_USER, not found) [710034]
- Linux User Account Activity remove user (via Splunk): audit (DEL_USER, deleting user entries) [710039]

Linux core query:
(sourcetype=linux_audit OR sourcetype=linux_secure) AND (op=delete-user OR delet* user)

Windows plugins:
- Windows User Account Activity remove user (via Splunk) [710005]

Windows core query:
(sourcetype=WinEventLog:Security AND Message="A user account was deleted*")

Remove User from Group

Linux plugins:
- Linux User Account Activity Remove User from a group (via Splunk): audit (USER_MGMT) [710014]
- Linux User Account Activity Remove User from a group (via Splunk): audit (USER_ACCT) [710030]

Linux core query:
(sourcetype=linux_audit OR sourcetype=linux_secure) AND (op="user * removed by * from group" OR op=delete-user-from-group)

Windows plugins:
- Windows User Account Activity Remove User from a Group (via Splunk) [710003]

Windows core query:
(sourcetype=WinEventLog:Security Message="A member was removed*group*")
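The five User Account Activity queries above share two inputs: Linux audit records whose `op=` value names the operation (`adding user`, `add-user-to-group`, `updating password`, `deleting user entries`, `delete-user-from-group`), and Windows Security event messages whose first line states what happened. The added example below (not code from the page or from Tenable) parses both into a common event with the affected account and group. Two details that matter in practice are handled: audit writes free-text `op` values without quotes, so the op is cut out before the remaining `key=value` pairs are parsed, and the Windows "A user account was changed" message only counts as a password change when a `Password Last Set` timestamp is present, which is exactly what the page's trailing `regex` stage checks. Audit records with `res=failed` are skipped because nothing changed on the asset. All rows, hostnames, account names and SIDs are constructed, modelled on the auditd record format and the Windows Security event text.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class AccountEvent:
    host: str
    category: str  # add_user, add_to_group, modify_password, remove_user, remove_from_group
    account: str
    detail: str    # group name, for the group-membership categories

# Linux audit op values referenced by the page's queries, mapped to the event type.
LINUX_OPS = {
    "adding user": "add_user", "add-user": "add_user",
    "adding user to group": "add_to_group", "add-user-to-group": "add_to_group",
    "changing password": "modify_password", "updating password": "modify_password",
    "PAM:chauthtok": "modify_password",
    "deleting user entries": "remove_user", "delete-user": "remove_user",
    "delete-user-from-group": "remove_from_group",
}
# Windows Security message summary prefix, the section naming the affected account, event type.
WIN_SUMMARIES = [
    ("A user account was created", "New Account", "add_user"),
    ("A member was added to", "Member", "add_to_group"),
    ("A member was removed from", "Member", "remove_from_group"),
    ("A user account was deleted", "Target Account", "remove_user"),
    ("A user account was changed", "Target Account", "modify_password"),
]
OP_FIELD = re.compile(r"\bop=(?P<op>.+?)(?=\s+\w+=|$)")   # unquoted op, runs until the next key=
KV_FIELD = re.compile(r"\b(\w+)=(\"[^\"]*\"|\S+)")
WIN_SUMMARY = re.compile(r"^Message=(?P<summary>[^\n]+)", re.M)
PASSWORD_SET = re.compile(r"Password Last Set:\s+\d+/\d+/\d+\s\d+:\d+:\d+\s(?:AM|PM)")  # page's regex stage

def parse_audit_record(raw):
    """Record type plus the fields of the inner msg='...' payload, with op extracted first."""
    fields = {"type": re.search(r"\btype=(\w+)", raw).group(1)}
    inner = re.search(r"msg='([^']*)'", raw)
    payload = inner.group(1) if inner else ""
    op = OP_FIELD.search(payload)
    if op:
        fields["op"] = op.group("op")
        payload = payload[:op.start()] + payload[op.end():]
    for key, value in KV_FIELD.findall(payload):
        fields[key] = value.strip('"')
    return fields

def win_field(message, section, key):
    """Value of '<key>:' inside the tab-indented '<section>:' block of a Windows event message."""
    block = re.search(re.escape(section) + r":\n((?:\t[^\n]*\n?)+)", message)
    if not block:
        return None
    value = re.search(r"\t" + re.escape(key) + r":\t+([^\n]+)", block.group(1))
    return value.group(1).strip() if value else None

def classify_linux(host, raw):
    f = parse_audit_record(raw)
    category = LINUX_OPS.get(f.get("op", ""))
    if category is None or f.get("res") != "success":
        return None  # unrelated op, or an attempt that failed and changed nothing
    return AccountEvent(host, category, f.get("acct") or f.get("id", "?"), f.get("grp", ""))

def classify_windows(host, raw):
    summary = WIN_SUMMARY.search(raw)
    if not summary:
        return None
    for prefix, section, category in WIN_SUMMARIES:
        if summary.group("summary").startswith(prefix):
            if category == "modify_password" and not PASSWORD_SET.search(raw):
                return None  # account changed, but some attribute other than the password
            account = win_field(raw, section, "Account Name")
            if account in (None, "-"):  # local-group events carry the member as a SID only
                account = win_field(raw, section, "Security ID") or "?"
            return AccountEvent(host, category, account, win_field(raw, "Group", "Group Name") or "")
    return None

def classify_account_events(rows):
    """rows are Splunk-style results (host, sourcetype, _raw); returns recognised events in order."""
    events = []
    for row in rows:
        classify = classify_windows if row["sourcetype"].startswith("WinEventLog") else classify_linux
        event = classify(row["host"], row["_raw"])
        if event:
            events.append(event)
    return events

# Constructed sample rows modelled on auditd records and Windows Security event text.
SAMPLE_ROWS = [
    {"host": "lin-lab-01", "sourcetype": "linux_audit", "_raw": "type=ADD_USER msg=audit(1709287201.000:100): pid=2001 uid=0 auid=1000 ses=3 "
     "msg='op=adding user acct=\"deploy\" exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=pts/0 res=success'"},
    {"host": "lin-lab-01", "sourcetype": "linux_audit", "_raw": "type=USER_MGMT msg=audit(1709287202.000:101): pid=2002 uid=0 auid=1000 ses=3 "
     "msg='op=add-user-to-group grp=\"wheel\" acct=\"deploy\" exe=\"/usr/sbin/usermod\" hostname=? addr=? terminal=pts/0 res=success'"},
    {"host": "lin-lab-01", "sourcetype": "linux_audit", "_raw": "type=USER_CHAUTHTOK msg=audit(1709287204.000:103): pid=2004 uid=1001 auid=1001 ses=4 "
     "msg='op=PAM:chauthtok grantors=? acct=\"deploy\" exe=\"/usr/bin/passwd\" hostname=? addr=? terminal=pts/1 res=failed'"},
    {"host": "lin-lab-01", "sourcetype": "linux_audit", "_raw": "type=DEL_USER msg=audit(1709287205.000:104): pid=2005 uid=0 auid=1000 ses=3 "
     "msg='op=deleting user entries acct=\"deploy\" exe=\"/usr/sbin/userdel\" hostname=? addr=? terminal=pts/0 res=success'"},
    {"host": "WIN-LAB-01", "sourcetype": "WinEventLog:Security", "_raw": "EventCode=4732\nMessage=A member was added to a security-enabled local group.\n\n"
     "Subject:\n\tAccount Name:\t\tadmin-lab\n\nMember:\n\tSecurity ID:\t\tLAB\\svc-backup\n\tAccount Name:\t\t-\n\nGroup:\n\tGroup Name:\t\tAdministrators\n"},
    {"host": "WIN-LAB-01", "sourcetype": "WinEventLog:Security", "_raw": "EventCode=4738\nMessage=A user account was changed.\n\n"
     "Subject:\n\tAccount Name:\t\tadmin-lab\n\nTarget Account:\n\tAccount Name:\t\tsvc-backup\n\nChanged Attributes:\n\tPassword Last Set:\t\t3/1/2024 10:12:00 AM\n"},
]
```

Because the account name is taken from the event's target section rather than its Subject section, the output records who was changed, not who made the change; the Subject is still in the raw event if an investigation needs it.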