How to correctly interpret sourcetype for Security log from Domain Controllers?

evelenke
Contributor

This one may be a bit of a weird question, more for DC admins and data model builders, but a conceptual one :)
Using the add-on for MS Windows (Splunk_TA_Windows) for parsing the Domain Controller's Security event log brings us several questions:
Is it correct that the field "dest" is aliased from ComputerName (ComputerName_as_dest), which is always the actual name of the Domain Controller, and "src" is the machine/server where the user has authenticated?
Thus in many cases "src" is a service server (Exchange, Remote Desktop, RADIUS etc.), which obviously should be the destination. This results in numerous notable events for rules like "Brute force behavior detected" or "Excessive failures", as hundreds of people may authenticate to the server.
Right now I think it's better to restrict the eventtype for authentication events on DCs to only the combination "EventCode=4624 Logon_Type=2", or to exclude all public servers.
I'd like to ask for any recommendations, if someone has faced the same thoughts and revised the knowledge approach (what is source, what is dest...), and how not to affect rules in ES with such customizations.
And is it possible to get the real (first hop) source from AD (maybe some other logs exist) in case we can't correlate with service and endpoint logs?

0 Karma

apezuela
Explorer

Hi,

When you see a service server in src, it is right, because in this event the service server is acting as a client. We have exclusions in our alerts to avoid false positives from these servers. If you want to get the real IP address of a client, in that case (service servers) you need to get logs from those services (for example, in our case we are getting logs from ADFS to get the client's real IP address).

Best regards,

0 Karma
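A worked illustration of what the question and the answer above describe: on DC Security events the "src" of a network logon is often a service server fronting many users, which inflates per-source failure counts, and an exclusion for those hosts (with interactive logons still counted) removes the false positives. This is an added example, not code from the thread or from Splunk_TA_Windows; the events, hostnames and threshold are constructed, and the "user" field and "relayed" flag are names of my own.

```python
from collections import Counter

# Constructed sample of DC Security events in the shape Splunk_TA_Windows produces
# (EventCode, Logon_Type, ComputerName, src are the fields named in the thread; "user" is assumed).
# 4625 = failed logon, 4624 = successful logon; Logon_Type 3 = network, 2 = interactive.
DC_EVENTS = [
    {"EventCode": "4625", "Logon_Type": "3", "ComputerName": "dc01", "src": "exch01", "user": "alice"},
    {"EventCode": "4625", "Logon_Type": "3", "ComputerName": "dc01", "src": "exch01", "user": "bob"},
    {"EventCode": "4625", "Logon_Type": "3", "ComputerName": "dc01", "src": "exch01", "user": "carol"},
    {"EventCode": "4625", "Logon_Type": "3", "ComputerName": "dc01", "src": "exch01", "user": "dave"},
    {"EventCode": "4625", "Logon_Type": "3", "ComputerName": "dc01", "src": "ws07", "user": "eve"},
    {"EventCode": "4625", "Logon_Type": "3", "ComputerName": "dc01", "src": "ws07", "user": "eve"},
    {"EventCode": "4625", "Logon_Type": "3", "ComputerName": "dc01", "src": "ws07", "user": "eve"},
    {"EventCode": "4624", "Logon_Type": "3", "ComputerName": "dc01", "src": "ws12", "user": "frank"},
    {"EventCode": "4625", "Logon_Type": "2", "ComputerName": "dc01", "src": "dc01", "user": "admin"},
]

# Hosts that authenticate users on their behalf (Exchange, RDP, RADIUS ...); constructed list.
SERVICE_SERVERS = {"exch01", "rdp01", "radius01"}
FAILURE_THRESHOLD = 3  # failures per src before an "excessive failures" candidate is raised


def normalize(event):
    """Apply the mapping the thread describes: dest is the DC's ComputerName, src stays
    as extracted, and a flag marks network logons relayed by a known service server."""
    out = dict(event)
    out["dest"] = event["ComputerName"]
    out["relayed"] = event["Logon_Type"] != "2" and event["src"] in SERVICE_SERVERS
    return out


def failures_by_src(events, exclude_service_servers):
    """Count 4625 failures per src, optionally dropping relayed service-server logons."""
    counts = Counter()
    for e in map(normalize, events):
        if e["EventCode"] != "4625":
            continue
        if exclude_service_servers and e["relayed"]:
            continue  # many distinct users behind one host, not one host failing repeatedly
        counts[e["src"]] += 1
    return counts


def brute_force_candidates(events, exclude_service_servers):
    """Hosts that would trip an excessive-failures rule under the given policy."""
    counts = failures_by_src(events, exclude_service_servers)
    return sorted(src for src, n in counts.items() if n >= FAILURE_THRESHOLD)


if __name__ == "__main__":
    print("without exclusions:", brute_force_candidates(DC_EVENTS, False))  # ['exch01', 'ws07']
    print("with exclusions:   ", brute_force_candidates(DC_EVENTS, True))   # ['ws07']
```

The interactive failure on dc01 is still counted with exclusions enabled, which is the case the question's "Logon_Type=2" restriction is meant to preserve.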

evelenke
Contributor

Hi apezuela,

That's true, but here's another concern: for broad user activity analysis (e.g. using tag=authentication and standard eventtypes), when I need to investigate sources and destinations for a user, we'll have both src=Exchsrvr (from the DC log) and dest=Exchsrvr (from the Exchsrvr logs). This can be confusing for Exchange admin accounts, because the admin might have authenticated interactively and you can't separate it here.

0 Karma