
How to correctly interpret the sourcetype for the Security log from Domain Controllers?


This one may be a bit of a weird question, more for DC admins and data model builders, but a conceptual one :)
Using the add-on for MS Windows (Splunk_TA_Windows) for parsing a Domain Controller's Security event log brings us several questions:
Is it correct that the field "dest" is aliased from ComputerName (ComputerName_as_dest), which is always the actual name of the Domain Controller, and "src" is the machine/server where the user has authenticated?
Thus in many cases "src" is a service server (Exchange, Remote Desktop, RADIUS, etc.), which obviously should be the destination. This results in numerous notable events for rules like "Brute force behavior detected" or "Excessive failures", as hundreds of people may authenticate to the server.
Right now I think it's better to restrict the eventtype for authentication events on DCs to only the combination "EventCode=4624 Logon_Type=2", or to exclude all public servers.
I'd like to ask for any recommendations, if someone has faced the same thoughts and revised the knowledge approach (what is source, what is dest...). How to not affect rules in ES with such customizations?
And is it possible to get the real (first hop) source from AD (maybe some other logs exist) in case we can't correlate with service and endpoint logs?




When you see a service server in src, it is right, because in this event the service server is acting as a client. We have exclusions in our alerts to avoid false positives from these servers. If you want to get the real IP address of a client, in that case (service servers) you need to get logs from those services (for example, in our case we are getting logs from ADFS to get the client's real IP address).

Best regards,

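An added example, not code from the thread or from Splunk_TA_Windows, that models the re-reading of src/dest discussed in the question and in apezuela's answer. It assumes the TA's field names (EventCode, Logon_Type, src, dest, user) and a constructed list of service servers, and shows how dropping service-mediated logons changes a per-destination failure count of the kind an "Excessive failures" rule would use.

```python
# Added example (not code from the thread or from Splunk_TA_Windows): re-reads a
# Domain Controller logon event whose TA-assigned "src" is itself a service server.
# Field names mirror the TA (EventCode, Logon_Type, src, dest, user); the server
# names and events are constructed samples.

SERVICE_SERVERS = {"exchsrvr", "rds01", "radius01"}  # the thread's "public servers"
LOGON_CODES = {4624: "success", 4625: "failure"}      # standard Windows Security IDs

def classify_dc_logon(ev, service_servers=SERVICE_SERVERS):
    """Return the roles a DC logon event really describes (None if not a logon).
    kind: interactive_on_dc (Logon_Type=2, logon at the DC itself),
          service_mediated (src is a service server: it is the real destination
          and the first-hop client is unknown from the DC log alone), or
          endpoint_network (an ordinary endpoint authenticating to the DC)."""
    outcome = LOGON_CODES.get(ev.get("EventCode"))
    if outcome is None:
        return None
    src = (ev.get("src") or "").lower()
    dest = (ev.get("dest") or "").lower()
    if ev.get("Logon_Type") == 2:
        kind, src = "interactive_on_dc", src or dest
    elif src in service_servers:
        kind, src, dest = "service_mediated", None, src
    else:
        kind = "endpoint_network"
    return {"kind": kind, "src": src, "dest": dest, "user": ev.get("user"), "outcome": outcome}

def failures_by_dest(events, exclude_service=True):
    """Count failed logons per effective destination. With exclude_service=True the
    service-mediated ones are dropped, so a busy Exchange or RDS host does not
    trip an 'Excessive failures' style rule that counts from the DC's log."""
    counts = {}
    for ev in events:
        c = classify_dc_logon(ev)
        if c is None or c["outcome"] != "failure":
            continue
        if exclude_service and c["kind"] == "service_mediated":
            continue
        counts[c["dest"]] = counts.get(c["dest"], 0) + 1
    return counts

# Constructed sample events in the shape the TA produces for a DC named DC01.
SAMPLE_EVENTS = [
    {"EventCode": 4625, "Logon_Type": 3, "src": "EXCHSRVR", "dest": "DC01", "user": "alice"},
    {"EventCode": 4625, "Logon_Type": 3, "src": "EXCHSRVR", "dest": "DC01", "user": "bob"},
    {"EventCode": 4625, "Logon_Type": 3, "src": "WS-42", "dest": "DC01", "user": "carol"},
    {"EventCode": 4624, "Logon_Type": 2, "src": "DC01", "dest": "DC01", "user": "admin"},
    {"EventCode": 4672, "src": "DC01", "dest": "DC01", "user": "admin"},  # not a logon
]
```

Running `failures_by_dest(SAMPLE_EVENTS)` attributes only the WS-42 failure to DC01, while `exclude_service=False` shows the two Exchange-mediated failures under exchsrvr instead of against the DC.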


Hi apezuela,

That's true, but here's another concern: for broad user activity analysis (e.g. using tag=authentication and standard eventtypes), when I need to investigate sources and destinations for a user, we'll have both src=Exchsrvr (from the DC log) and dest=Exchsrvr (from the Exchsrvr logs). This can be confusing for Exchange admin accounts, because the admin might have authenticated interactively and you can't separate that here.
