Splunk Use Case: IIS Configuration Changes on Windows Server

First and foremost, this isn't a use case I've provisioned before, but it's one I've identified through researching the many log sources on Windows.

It is surprising what we can obtain from this use case: the fact that an IIS config has changed may be alarming on its own, but being handed the change itself in the events is beyond a dream, and in XML too! :)

Let's take a closer look at this hidden gem...

There it is, Event Code 29.  I opened IIS Manager and went to my default website, changed custom errors for a 404 and sent it to some phoney place.  Then we check back in Event Viewer to see the results.

I got a total of 4 events for this act: 3 x code 29 and 1 x code 50.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-IIS-Configuration" Guid="{dc0b8e51-4863-407a-bc3c-1b479b2978ac}" />
    <EventID>29</EventID>
    <Version>0</Version>
    <Level>5</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2023-04-17T18:50:04.0591248Z" />
    <EventRecordID>109</EventRecordID>
    <Correlation />
    <Execution ProcessID="31412" ThreadID="1632" />
    <Channel>Microsoft-IIS-Configuration/Operational</Channel>
    <Computer>DESKTOP-RM9DD5S</Computer>
    <Security UserID="S-1-5-21-326179885-1229199145-3314288161-1001" />
  </System>
  <EventData>
    <Data Name="PhysicalPath">\\?\C:\inetpub\wwwroot\web.config</Data>
    <Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST/Default Web Site</Data>
    <Data Name="EffectiveLocationPath" />
    <Data Name="Configuration">/system.web/customErrors/error[@statusCode="404"]</Data>
    <Data Name="EditOperationType">1</Data>
    <Data Name="OldValue" />
    <Data Name="NewValue" />
  </EventData>
</Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-IIS-Configuration" Guid="{dc0b8e51-4863-407a-bc3c-1b479b2978ac}" />
    <EventID>29</EventID>
    <Version>0</Version>
    <Level>5</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2023-04-17T18:50:04.0591296Z" />
    <EventRecordID>110</EventRecordID>
    <Correlation />
    <Execution ProcessID="31412" ThreadID="1632" />
    <Channel>Microsoft-IIS-Configuration/Operational</Channel>
    <Computer>DESKTOP-RM9DD5S</Computer>
    <Security UserID="S-1-5-21-326179885-1229199145-3314288161-1001" />
  </System>
  <EventData>
    <Data Name="PhysicalPath">\\?\C:\inetpub\wwwroot\web.config</Data>
    <Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST/Default Web Site</Data>
    <Data Name="EffectiveLocationPath" />
    <Data Name="Configuration">/system.web/customErrors/error[@statusCode="404"]/@redirect</Data>
    <Data Name="EditOperationType">1</Data>
    <Data Name="OldValue" />
    <Data Name="NewValue">dfgd</Data>
  </EventData>
</Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-IIS-Configuration" Guid="{dc0b8e51-4863-407a-bc3c-1b479b2978ac}" />
    <EventID>29</EventID>
    <Version>0</Version>
    <Level>5</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2023-04-17T18:50:04.0591306Z" />
    <EventRecordID>111</EventRecordID>
    <Correlation />
    <Execution ProcessID="31412" ThreadID="1632" />
    <Channel>Microsoft-IIS-Configuration/Operational</Channel>
    <Computer>DESKTOP-RM9DD5S</Computer>
    <Security UserID="S-1-5-21-326179885-1229199145-3314288161-1001" />
  </System>
  <EventData>
    <Data Name="PhysicalPath">\\?\C:\inetpub\wwwroot\web.config</Data>
    <Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST/Default Web Site</Data>
    <Data Name="EffectiveLocationPath" />
    <Data Name="Configuration">/system.web/customErrors/error[@statusCode="404"]/@statusCode</Data>
    <Data Name="EditOperationType">1</Data>
    <Data Name="OldValue" />
    <Data Name="NewValue">404</Data>
  </EventData>
</Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-IIS-Configuration" Guid="{dc0b8e51-4863-407a-bc3c-1b479b2978ac}" />
    <EventID>50</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2023-04-17T18:50:04.0591351Z" />
    <EventRecordID>112</EventRecordID>
    <Correlation />
    <Execution ProcessID="31412" ThreadID="1632" />
    <Channel>Microsoft-IIS-Configuration/Operational</Channel>
    <Computer>DESKTOP-RM9DD5S</Computer>
    <Security UserID="S-1-5-21-326179885-1229199145-3314288161-1001" />
  </System>
  <EventData>
    <Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST/Default Web Site</Data>
  </EventData>
</Event>


YES and we will be putting this in Splunk!


[WinEventLog://Microsoft-IIS-Configuration/Operational]
start_from = oldest
index = windows
disabled = 0
renderXml = true

Quick search in verbose mode: index=windows source="XmlWinEventLog:Microsoft-IIS-Configuration/Operational"

Let's do bad news, then good news.

The bad news: the "OldValue" field comes out named "Data".

The good news: everything else is fine, it's perfect, absolutely no need to cry.

Not only do we know that the IIS config has changed but we know:

  • Who dunnit (user_id/UserID)
  • PID and TID (ProcessID & ThreadID)
  • What has changed.

Additionally, when we use appcmd to manage the site and make changes, the events are also logged:

appcmd reset config -section:defaultDocument "Default Web Site"

Look there, ProcessID is 24980. When we go and look in our 4688 events for hex code 0x27b0, we see the appcmd.exe spawn:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime='2023-04-17T19:33:09.7886386Z'/>
<EventRecordID>2606757030</EventRecordID>
<Correlation/>
<Execution ProcessID='4' ThreadID='21624'/>
<Channel>Security</Channel>
<Computer>DESKTOP-RM9DD5S</Computer>
<Security/>
</System>
<EventData>
<Data Name='SubjectUserSid'>DESKTOP-RM9DD5S\JimboSlice</Data>
<Data Name='SubjectUserName'>JimboSlice</Data>
<Data Name='SubjectDomainName'>DESKTOP-RM9DD5S</Data>
<Data Name='SubjectLogonId'>0x1c20d7b8</Data>
<Data Name='NewProcessId'>0x27b0</Data>
<Data Name='NewProcessName'>C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name='TokenElevationType'>%%1937</Data>
<Data Name='ProcessId'>0x1694</Data>
<Data Name='CommandLine'></Data>
<Data Name='TargetUserSid'>NULL SID</Data>
<Data Name='TargetUserName'>-</Data>
<Data Name='TargetDomainName'>-</Data>
<Data Name='TargetLogonId'>0x0</Data>
<Data Name='ParentProcessName'>C:\Windows\System32\cmd.exe</Data>
<Data Name='MandatoryLabel'>Mandatory Label\High Mandatory Level</Data>
</EventData>
</Event>
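The two pivots the post makes by hand, pulling who/PID/what out of the Event ID 29 XML and then matching the decimal ProcessID to the 0x-hex NewProcessId of a 4688 record, look like this in code. This is an added Python example, not part of the original post and not Splunk's or Microsoft's code. The 4688 record is a trimmed copy of the one shown above; the two IIS events are constructed with the helper: the first reuses the IIS Manager values from the post (PID 31412), while the appcmd one has its PID, time and section path assumed so that it lines up with the 4688 record (0x27b0 = 10160). The host/time checks in `match_process_creation` are an assumption about how a practitioner would guard against PID reuse, not something the post states.

```python
# Added example (not from the original post): flatten IIS-Configuration Event ID 29
# XML into change records and pivot the decimal ProcessID to the 0x-hex NewProcessId
# used by Security event 4688.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_iis_event(pid, time, configuration, old, new):
    """Constructed Event ID 29 record in the shape shown in the post.

    Provider, channel, computer, SID and paths are the post's values; pid, time and
    the change itself are whatever the caller supplies (assumptions, not captured data).
    """
    old_xml = f'<Data Name="OldValue">{escape(old)}</Data>' if old else '<Data Name="OldValue" />'
    new_xml = f'<Data Name="NewValue">{escape(new)}</Data>' if new else '<Data Name="NewValue" />'
    return rf"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-IIS-Configuration" />
    <EventID>29</EventID>
    <TimeCreated SystemTime="{time}" />
    <Execution ProcessID="{pid}" ThreadID="1632" />
    <Channel>Microsoft-IIS-Configuration/Operational</Channel>
    <Computer>DESKTOP-RM9DD5S</Computer>
    <Security UserID="S-1-5-21-326179885-1229199145-3314288161-1001" />
  </System>
  <EventData>
    <Data Name="PhysicalPath">\\?\C:\inetpub\wwwroot\web.config</Data>
    <Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST/Default Web Site</Data>
    <Data Name="EffectiveLocationPath" />
    <Data Name="Configuration">{escape(configuration)}</Data>
    <Data Name="EditOperationType">1</Data>
    {old_xml}
    {new_xml}
  </EventData>
</Event>"""


# Trimmed copy of the 4688 record from the post.
SEC_4688 = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Security-Auditing' />
<EventID>4688</EventID>
<TimeCreated SystemTime='2023-04-17T19:33:09.7886386Z'/>
<Execution ProcessID='4' ThreadID='21624'/>
<Channel>Security</Channel>
<Computer>DESKTOP-RM9DD5S</Computer>
<Security/>
</System>
<EventData>
<Data Name='SubjectUserName'>JimboSlice</Data>
<Data Name='NewProcessId'>0x27b0</Data>
<Data Name='NewProcessName'>C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name='ProcessId'>0x1694</Data>
<Data Name='ParentProcessName'>C:\Windows\System32\cmd.exe</Data>
</EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten one Windows event XML record into a dict: System fields plus every EventData/Data."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    security = system.find("e:Security", NS)
    rec = {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "pid": int(system.find("e:Execution", NS).get("ProcessID")),
        # 4688 carries an empty <Security/>; IIS events put the actor's SID here
        "user_sid": security.get("UserID") if security is not None else None,
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        # A self-closing <Data Name="OldValue" /> has text None; keep it as "" so an
        # unset value is distinguishable from a field that is absent altogether.
        rec[data.get("Name")] = data.text or ""
    return rec


def summarize_change(rec):
    """One-line audit summary: when, where, who (SID), which process, what changed."""
    return (f"{rec['time']} {rec['computer']} pid={rec['pid']} user={rec['user_sid']} "
            f"{rec['ConfigPath']} {rec['Configuration']}: {rec['OldValue']!r} -> {rec['NewValue']!r}")


def pid_to_4688_hex(pid):
    """4688 records NewProcessId as 0x-prefixed lower-case hex; IIS events use decimal."""
    return f"0x{pid:x}"


def match_process_creation(iis_rec, sec_recs):
    """Return the 4688 record for the process behind an IIS change, or None.

    PIDs are reused, so besides the hex PID also require the same host and a creation
    time no later than the change; SystemTime is fixed-format UTC, so string order is
    time order. The latest qualifying creation wins.
    """
    want = pid_to_4688_hex(iis_rec["pid"])
    candidates = [s for s in sec_recs
                  if s["event_id"] == 4688
                  and s["computer"] == iis_rec["computer"]
                  and s.get("NewProcessId", "").lower() == want
                  and s["time"] <= iis_rec["time"]]
    return max(candidates, key=lambda s: s["time"], default=None)


# Constructed samples: the IIS Manager change from the post, and an appcmd-driven change
# whose pid/time/section are assumed so it pairs with the 4688 record (0x27b0 == 10160).
MANAGER_CHANGE = make_iis_event(31412, "2023-04-17T18:50:04.0591296Z",
                                '/system.web/customErrors/error[@statusCode="404"]/@redirect', "", "dfgd")
APPCMD_CHANGE = make_iis_event(10160, "2023-04-17T19:33:10.2000000Z",
                               "/system.webServer/defaultDocument", "", "")


def demo():
    """Parse both changes, print the audit line and the spawning process; return the records."""
    sec = [parse_event(SEC_4688)]
    results = {}
    for name, xml_text in (("manager", MANAGER_CHANGE), ("appcmd", APPCMD_CHANGE)):
        rec = parse_event(xml_text)
        hit = match_process_creation(rec, sec)
        results[name] = (rec, hit)
        print(summarize_change(rec))
        print("  spawned by:", hit["NewProcessName"] if hit else "no matching 4688 on hand")
    return results


if __name__ == "__main__":
    demo()
```

The IIS Manager change has no matching 4688 in the sample because its PID (31412) was never recorded as a NewProcessId, which is exactly the gap a missing or short-retention Security log leaves; the appcmd change resolves to `C:\Windows\System32\inetsrv\appcmd.exe` with `cmd.exe` as its parent, the same pivot the post makes by eye.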

If and when the time arrives, it would be good to know beforehand that you have visibility of this sort of thing.

This sort of use case can be quite a solid tripwire, assist with zero days, or aid nicely with risk-based alerting where you're looking for changes to your platforms during business hours, or even during a change freeze.

The additional data provided alongside the fact that a change has been made is extremely useful for auditing, dashboards or reporting, as well as for supplementing alerts.  Under no circumstances should these sorts of events just be left out to dry; they need to be made use of.

I need to stress here too: there aren't many of these events, so the cost vs value of monitoring for this sort of thing is off the scale, as is the ease of on-boarding these events.

Don't forget to add the following to your inputs.conf on the Windows TA:

[WinEventLog://Microsoft-IIS-Configuration/Operational]
start_from = oldest
index = windows
disabled = 0
renderXml = true
