
How and where to modify filtering for Active Directory data to acquire 4740 Account Lockout EventCode?

dseabury
Explorer

Hello, all

I have been researching and working on this for several hours across the past two days...but my only success so far is in not having broken anything for trying.

I currently have a heavy forwarder (Linux), dedicated indexer (Windows), search head (Windows) and separate deployment server (Windows). Because we just have a small starter environment right now, we wanted to only allow Windows Security Event log entries that had the Keywords=Audit Failure to be indexed initially. That is working fine. I now want to add events where the EventCode=4740 (Account Lockout) to the indexed data.

I see Splunk_TA_Windows resides on my Search Head, on the Indexer and on the Heavy Forwarder (the only one of the three that is getting its copy from the Deployment Server). I have examined Props and Transforms settings and see where there is a REGEX in Transforms for the Splunk_TA_Windows app that is set to Keywords=Audit Failure. I have made several changes to the REGEX line on both the Search Head and the Indexer, including replacing it with REGEX = EventCode=4740. I have restarted Splunk each time. Nothing seems to have any effect on the data coming through.

Several questions related to this topic (any answer to any of them will help):

  1. How does Splunk_TA_Windows interact on the three machines?
  2. Should I be using the deployment server to send Splunk_TA_Windows to all three servers?
  3. Do I need to modify all three sets of .conf files identically or just the Heavy Forwarder (the only one I haven't modified)?
  4. What is the best practice for allowing both Keywords=Audit Failure AND EventCode=4740 data to be indexed?

Thanks...

0 Karma

Masa
Splunk Employee

This is a very old question. But I recently had a Support case for the same issue.
So, if you are still having the issue and would like to fix it before our app development team fixes it, please follow the steps below. There were several issues that needed to be fixed to make the panel work. First, I apologize for any typos, and I hope this info helps in your case.
If this does not help, please file a Support case for further troubleshooting.

1) Fix the field extraction for dest_nt_domain if it is not populated.
(ref: http://answers.splunk.com/answers/215946/splunk-add-on-for-microsoft-windows-why-am-i-getti.html )

  • transforms.conf

    # Each transform captures the text before the first backslash of a DOMAIN\user value.
    # The regex must contain an escaped backslash ("\\") inside the character class.
    [User_ID_as_dest_nt_domain]
    SOURCE_KEY = User_ID
    REGEX = ^([^\\]+)
    FORMAT = dest_nt_domain::$1

    [Security_ID_as_dest_nt_domain]
    SOURCE_KEY = Security_ID
    REGEX = ^([^\\]+)
    FORMAT = dest_nt_domain::$1

    [Target_Account_ID_as_dest_nt_domain]
    SOURCE_KEY = Target_Account_ID
    REGEX = ^([^\\]+)
    FORMAT = dest_nt_domain::$1

    [Security_ID_as_src_nt_domain]
    SOURCE_KEY = Security_ID
    REGEX = ^([^\\]+)
    FORMAT = src_nt_domain::$1

2) Make sure ldap.conf has a proper alias.
Here is an example of alternatedomain properties:

  • ldap.conf

    [splunk.kom]
    alternatedomain = SPLUNK
    [support.splunk.kom]
    alternatedomain = SUPPORT

3) In $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local, add and edit palettesearches.conf.
=> For Windows, the path separator is a backslash.
=> First refer to $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/palettesearches.conf
=> Find the stanza named ldaprecord.nt_domain.search.
=> Change the search string in the stanza by replacing DomainDNSname with DomainNetBIOSName.
=> This will display DomainNetBIOSName instead of DomainDNSname in the drop-down.

Here is an example:

  • $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf

    [ldaprecord.nt_domain.search]
    search = | inputlookup DomainSelector | eval nt_domain=DomainNetBIOSName | dedup nt_domain | table nt_domain

4) In the same palettesearches.conf, add and edit the stanza named ActiveDirectory.UserAuditAccountLockoutActivity.Search.
=> First refer to $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/default/palettesearches.conf
=> Replace src_host with src_nt_host in "| eval actor=..." (Note: keep src_host in "| eval adminuser=...")
=> This will set a proper Actor value.

  • $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf

    # Every line of a multi-line search value except the last must end with a backslash.
    # "\\" in eval is a single literal backslash, giving DOMAIN\user for adminuser.
    [ActiveDirectory.UserAuditAccountLockoutActivity.Search]
    search = eventtype=msad-account-lockout user="$ldaprecord.user$" dest_nt_domain="$ldaprecord.nt_domain$" \
    | dedup consecutive=T EventCode \
    | eval adminuser=src_nt_domain."\\".src_user \
    | eval actor=if(EventCode==4767 OR EventCode==671,adminuser,src_nt_host) \
    | table _time,signature,actor \
    | rename signature as "Action",actor as "Actor"

5) In the Windows TA, for Caller_Computer_Name_as_src_nt_host, add and edit the following props.conf and transforms.conf entries.
=> This will add Caller_Computer_Name as src_nt_host, which will be used as the Actor value.

  • $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/props.conf

    [source::*:Security]
    REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host

  • $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/transforms.conf

    # Captures the text after the last backslash (the host part of a DOMAIN\host value).
    [Caller_Computer_Name_as_src_nt_host]
    SOURCE_KEY = Caller_Computer_Name
    REGEX = ([^\\]+)$
    FORMAT = src_nt_host::$1

6) Optional: To change the table result from a single record to multiple records for Account Lockout Activity User

  • $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/palettesearches.conf

    # "\\" in eval is a single literal backslash, giving DOMAIN\user for adminuser.
    [ActiveDirectory.UserAuditAccountLockoutActivity.Search]
    search = eventtype=msad-account-lockout user="$ldaprecord.user$" dest_nt_domain="$ldaprecord.nt_domain$" \
    | eval adminuser=src_nt_domain."\\".src_user \
    | eval actor=if(EventCode==4767 OR EventCode==671,adminuser,src_nt_host) \
    | table _time, signature,actor, src_nt_host, user \
    | stats count max(_time) AS maxtime min(_time) AS mintime values(user) AS Users by signature actor src_nt_host \
    | convert ctime(*time) \
    | rename mintime AS "Earliest", maxtime AS "Latest", signature as "Action", src_nt_host as "Workstation", actor as "Actor" \
    | table Actor Users Action Earliest Latest count

0 Karma

Masa
Splunk Employee

Oh, I misunderstood your question. It was not a panel issue. You're saying that you're not indexing EventCode=4740. That is odd unless the input stage filters them out.

0 Karma

dseabury
Explorer

Additional information - I am using Splunk Enterprise 6.2 and also have Splunk App for Windows Infrastructure installed. All this was set up by Splunk Prof Svcs a couple of weeks ago. I'm trying to learn as much as I can about how it all works before they return for another week May 11. I just saw in the docs where the Infrastructure App "supersedes" the TA_Windows app. I'm looking at my Infrastructure config files, but don't see any clue as to how they might be creating the filter condition.

0 Karma

dseabury
Explorer

I am still struggling to figure out which instance of Splunk_TA_Windows is doing the actual filtering.
Here's what I think I have learned so far:

  • Universal Forwarders can't/don't filter - so the Transforms file on the UF should be ignored.
  • Data can only be "cooked" once - so whatever is handling the filtering is only affecting one place.

So, I changed my regex to:

REGEX = Keywords=Audit Success

on the Universal Forwarder, the Heavy Forwarder and the Indexer. Restarted all. Still only getting Audit Failure events.

What am I missing?

0 Karma
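For question 4 in the original post, here is one way to keep both Keywords=Audit Failure events and EventCode=4740 events: a drop-everything transform followed by a rescue transform, placed on whichever full Splunk instance parses the data first (the heavy forwarder in this setup, since universal forwarders do not run transforms and the indexer does not re-parse data already cooked by a heavy forwarder). This is an added example, not a stanza from Splunk_TA_windows or the Windows Infrastructure app; the transform names are invented, and it reuses the `[source::*:Security]` stanza header from step 5 of the accepted-style answer above.

```ini
# props.conf  (hypothetical local override on the heavy forwarder; not the TA's own file)
[source::*:Security]
# Order matters: when two transforms in the list both match an event,
# the later one sets the final queue. So drop everything first, then
# rescue only the events we want to keep.
TRANSFORMS-routing = winsec_drop_all, winsec_keep_failure_or_lockout

# transforms.conf  (hypothetical local override on the same host)
[winsec_drop_all]
# "." matches any event, so every Security event is routed to nullQueue...
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[winsec_keep_failure_or_lockout]
# ...unless it carries the Audit Failure keyword OR is an Account Lockout (4740),
# in which case this later transform re-routes it to indexQueue.
# \b stops 4740 from matching a longer number; no anchors, so \r\n line endings do not matter.
REGEX = (?:Keywords=Audit Failure|EventCode=4740\b)
DEST_KEY = queue
FORMAT = indexQueue
```

After restarting the heavy forwarder, `splunk btool props list --debug` on that host shows which copy of props.conf is actually winning for the Security source, which is the quickest way to tell whether an edit on the search head or indexer was ever in play.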