topic Re: Active directory data input. in Getting Data In

Active directory data input.

clyde772 — Wed, 26 Jan 2011 02:07:38 GMT

What is the most suggested way to pull data from Active Diretory?

We need to input Active Directory's user information for event co-relations.

THanks Gurus~!

Re: Active directory data input.

ftk — Wed, 26 Jan 2011 02:16:16 GMT

A good starting point would be the documentation, specifically Monitor Active Directory in the Admin manual.

Re: Active directory data input.

ahall_splunk — Mon, 28 Sep 2020 11:32:57 GMT

Wow - answering a year old query.

Set up a temporal lookup based on the Windows Security Log (which you will need to ingest from the domain controllers). You can use http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j to figure out the EventCode that you need to read for the user logons.

Note that most windows systems use Kerberos "pre-authentication" to do authentication. So the logon events are not necessarily obvious. Just take a look at the events and extract the username and domain (preferenbly as the CIM compliant fields user and src_nt_domain.