All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to index Active Directory data?

dagar_ruralking
Loves-to-Learn
‎11-06-2019 07:35 AM

The SSE docs https://docs.splunksecurityessentials.com/data-onboarding-guides/windows-security-logs/ don't mention AD data. How should these be indexed?

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎11-06-2019 07:51 AM

For security use cases, the most important data source is Windows Security Logs from the Active Directory Domain Controllers. The guide you linked (or found in the app) will absolutely cover those logs.

The second most significant data source is Active Directory itself, via admon. That is documented here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorActiveDirectory

The third data source that we often see from domain controllers is DNS and DHCP data, if your domain controller is serving as a DNS server for external resolution, or serving as a DHCP server for production use cases. For those, we recommend pulling in data via Splunk Stream. We have docs in SSE for pulling in DNS, and you can configure DHCP the same way:
https://docs.splunksecurityessentials.com/data-onboarding-guides/stream-dns/
There are of course also official docs for Stream:
https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/AboutSplunkAppforStream

Hopefully that helps!

0 Karma
Reply

dagar_ruralking
Loves-to-Learn
‎11-06-2019 10:08 AM

Per this: https://docs.splunk.com/Documentation/WindowsAddOn/7.0.0/User/Upgrade
It talks about using msad, wineventlog, perfmon, winevents, and windows indexes.

Prior to me seeing the SSE on boarding a few weeks ago, I was unaware of using oswin, oswinsec, and oswinscript indexes. I am going through and updating my TA_windows to make use of these. The question though, is do I leave all the admon stanzas to point to msad ?

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎11-06-2019 11:02 AM

The indexes that are included in SSE were provided to me by Splunk PS, so generally speaking you should use the SSE versions.

Summoning @rfaircloth_splunk in case he has other opinions.

0 Karma
Reply

rfaircloth_splu
Splunk Employee
Splunk Employee
‎11-06-2019 11:04 AM

I generally use "appmsadmon" as the admon index

0 Karma
Reply

rfaircloth_splu
Splunk Employee
Splunk Employee
‎11-06-2019 11:05 AM

https://seckit.readthedocs.io/projects/splunk-ta-windows-seckit/en/latest/index.html

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...