All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to index Active Directory data?

dagar_ruralking
Loves-to-Learn
‎11-06-2019 07:35 AM

The SSE docs https://docs.splunksecurityessentials.com/data-onboarding-guides/windows-security-logs/ don't mention AD data. How should these be indexed?

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎11-06-2019 07:51 AM

For security use cases, the most important data source is Windows Security Logs from the Active Directory Domain Controllers. The guide you linked (or found in the app) will absolutely cover those logs.

The second most significant data source is Active Directory itself, via admon. That is documented here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorActiveDirectory

The third data source that we often see from domain controllers is DNS and DHCP data, if your domain controller is serving as a DNS server for external resolution, or serving as a DHCP server for production use cases. For those, we recommend pulling in data via Splunk Stream. We have docs in SSE for pulling in DNS, and you can configure DHCP the same way:
https://docs.splunksecurityessentials.com/data-onboarding-guides/stream-dns/
There are of course also official docs for Stream:
https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/AboutSplunkAppforStream

Hopefully that helps!

0 Karma
Reply

dagar_ruralking
Loves-to-Learn
‎11-06-2019 10:08 AM

Per this: https://docs.splunk.com/Documentation/WindowsAddOn/7.0.0/User/Upgrade
It talks about using msad, wineventlog, perfmon, winevents, and windows indexes.

Prior to me seeing the SSE on boarding a few weeks ago, I was unaware of using oswin, oswinsec, and oswinscript indexes. I am going through and updating my TA_windows to make use of these. The question though, is do I leave all the admon stanzas to point to msad ?

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎11-06-2019 11:02 AM

The indexes that are included in SSE were provided to me by Splunk PS, so generally speaking you should use the SSE versions.

Summoning @rfaircloth_splunk in case he has other opinions.

0 Karma
Reply

rfaircloth_splu
Splunk Employee
Splunk Employee
‎11-06-2019 11:04 AM

I generally use "appmsadmon" as the admon index

0 Karma
Reply

rfaircloth_splu
Splunk Employee
Splunk Employee
‎11-06-2019 11:05 AM

https://seckit.readthedocs.io/projects/splunk-ta-windows-seckit/en/latest/index.html

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...