Alerting

admon and alerting

tfaria
Explorer

Hi all,

I've Google'd a bit but couldn't find an answer that allowed me to understand something about the way the native AD monitor works. My Splunk instance is running on Windows, which allowed me to quickly create a monitor for AD.

What I see, however, is that I'm limited in the events that I can search for. They are either incomplete or just have fields completely missing. For example, when trying to find out about event ID 4728 for group membership, I have no events related to this ID.

What I was able to figure out is that this is because I don't have SUF in the domain controllers. I would like, if possible, for this to be confirmed.

If SUF in the DCs is the recommended way to go (they would get SUF either way, but I thought I wouldn't need them for AD monitoring) is there any special inputs.conf configuration for filtering AD events for changes and security? My goal is to implement most of what is described in the "Active Directory Change and Security Event IDs" cheat sheet.

Thank you!

0 Karma
1 Solution

danielransell
Path Finder

Your text is going down two different paths I believe. AD monitoring ingests the AD infrastructure - but not Windows Security Events. With AD monitoring, you can search against your domain objects - for example, show me all users who are members of Domain Admins.

When you want to view Event ID 4728, you need to get that from the Windows Security Log on the system that processed the action. So in your instance, you need the security log from the domain controller(s).

Generally, the best way to accomplish this is to install a Universal Forwarder on the system and send those logs to your indexer.

If your Splunk instance is not installed on your domain controller, I'm not sure that AD monitoring is pulling in any events.


0 Karma


tfaria
Explorer

That's great info! Thank you very much. Makes sense. Any special configurations for the SUF inputs.conf on the AD controller? Thank you!

0 Karma

danielransell
Path Finder

You won't need anything special for the inputs.conf, something simple such as the line below should get you started. In mine, I specify the index, and I've also blacklisted events that are high volume with no value.

[WinEventLog://Security]
disabled = 0

In addition to enabling the input, you should verify that the audit policy is set correctly on the domain controller so that it is logging group membership changes.

References:
http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/MonitorWindowseventlogdata
https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter2

That second link is probably one of the better introductions I've seen to Windows Audit Policy, including coverage of both the traditional audit policy and the advanced audit policy. If you're new to Windows auditing and the security log, I would take a little time looking at that second link.
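As an added example, not the poster's own file, here is what a fuller inputs.conf for a Universal Forwarder on a domain controller can look like once you add the index and a blacklist as the answer describes. The index name and the choice of blacklisted event IDs are assumptions; the settings themselves (disabled, index, start_from, current_only, blacklist) are standard WinEventLog input settings documented in the Splunk link above.

```ini
# Added example inputs.conf for a Universal Forwarder on a domain controller.
# Index name and blacklisted IDs are assumptions for illustration; tune them
# to your own volume and detection needs.

[WinEventLog://Security]
disabled = 0
index = wineventlog
# Read the whole log on first start rather than only events newer than the
# forwarder install, so 4728/4729 membership changes from before install land too.
start_from = oldest
current_only = 0
# Drop high-volume, low-value IDs. Windows Filtering Platform connect/bind
# events (5156, 5158) are a common example. Do not reflexively blacklist
# noisy IDs such as 4662: directory-object access events are noisy but are
# what several AD change detections rely on.
blacklist = 5156,5158

# The System log is useful for DC health (service and replication problems).
[WinEventLog://System]
disabled = 0
index = wineventlog
```

The blacklist only stops events the DC has already written; if the domain controller's audit policy does not enable "Audit Security Group Management" (under Account Management in the advanced audit policy), no 4728 event is generated in the first place, so check the policy with auditpol /get /subcategory:"Security Group Management" on the DC before concluding the forwarder is misconfigured.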

tfaria
Explorer

Thank you so much for your help! Much appreciated!

0 Karma