We recently upgraded to the Splunk TA for Windows 5.0.1. Afterwards, we realized that the MS Windows AD Objects app dashboards and reports stopped producing information.

I managed to "fix" most of the issues by modifying the original search macros.
Example: the report "AD Objects - Audit - Changes - Computers" runs this search:

```
`ms_ad_obj_computer_changes_base`
| fields _time,user,src_user,src_nt_domain,dest_nt_domain,user_type,msad_action,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,msad_action,Old_DN,New_DN
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)
| eval dest_computer_subject=if(isnull(dest_nt_domain),user,upper(dest_nt_domain)."\\".user)
| `ms_ad_obj_msad-changed-attributes`
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,dest_computer_subject,signature,msad_action
| eval MSADChanges=mvjoin(MSADChanges, "########")
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnull(MSADChanges),"Signature: ".signature,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)
| table _time,adminuser,msad_action,dest_computer_subject,Correlation_IDs,MSADChanges
| makemv delim="########" MSADChanges
| rename adminuser as "Administrator",msad_action as "Action",dest_computer_subject as "Target Computer ID",MSADChanges as "Changes"
```
It depends on the macro `ms_ad_obj_computer_changes_base`, which has the syntax:

```
eventtype=ms_ad_obj_wineventlog_security [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="Computer" | stats values(EventCode) AS EventCode by obj_type | format | table search] src_user_type="user"
```
When running this as-is, I don't get any events...

But I noticed that when adding the following index context, it works just fine:

```
index="windows" OR index="wineventlog"
```

The following macros were broken (among others):
ms_ad_obj_all_changes_base
ms_ad_obj_computer_changes_base
ms_ad_obj_gpo_changes_base
ms_ad_obj_group_all_changes_base
ms_ad_obj_group_changes_base
ms_ad_obj_group_membership_changes_base
The Splunk App for Windows Infrastructure comes with a predefined role winfra-admin. The sole purpose of this role is to set the indexes msad, perfmon, windows and wineventlog as "Indexes searched by default". So the user who works with the Windows app has permission to see all the events in these indexes.

If you do not have or use Splunk App for Windows Infrastructure, just create some similar role and assign this to your user - then you should be fine without changing any of the out-of-the-box reports, macros and dashboards for the MS Windows AD Objects app.

Here is the content of the default authorize.conf:

```
[role_winfra-admin]
srchIndexesDefault = msad;winevents;windows;wineventlog;perfmon
```
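Added example, not from this thread or from the apps discussed: a small Python check that reads a role stanza from authorize.conf and the macro definitions from macros.conf, reports which of the indexes the AD Objects app needs are absent from a role's srchIndexesDefault, and flags macros that carry no index= term and therefore silently depend on that role setting. The stanza contents below are constructed samples, not the shipped files.

```python
import configparser
import re

# Constructed sample of an authorize.conf with one role that covers the app's
# indexes and one that only searches "main" by default.
AUTHORIZE_CONF = """
[role_winfra-admin]
srchIndexesDefault = msad;winevents;windows;wineventlog;perfmon

[role_user]
srchIndexesDefault = main
"""

# Constructed sample macros.conf: the first macro has no index= term, so its
# results depend entirely on the searching user's default indexes.
MACROS_CONF = """
[ms_ad_obj_computer_changes_base]
definition = eventtype=ms_ad_obj_wineventlog_security src_user_type="user"

[fixed_computer_changes_base]
definition = (index="windows" OR index="wineventlog") eventtype=ms_ad_obj_wineventlog_security src_user_type="user"
"""

# Indexes the AD Objects app reads, as listed in the answer above.
REQUIRED_INDEXES = {"msad", "perfmon", "windows", "wineventlog"}

def parse_conf(text):
    # Splunk .conf files are INI-like; keep key case so srchIndexesDefault survives.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def default_indexes(authorize_text, role):
    # srchIndexesDefault is a semicolon-separated list of index names.
    raw = parse_conf(authorize_text).get(f"role_{role}", "srchIndexesDefault", fallback="")
    return {i.strip() for i in raw.split(";") if i.strip()}

def missing_indexes(authorize_text, role):
    # Required indexes the role will not search unless a macro names them explicitly.
    return sorted(REQUIRED_INDEXES - default_indexes(authorize_text, role))

def macros_without_index(macros_text):
    # Macros whose definition never pins an index rely on srchIndexesDefault.
    cp = parse_conf(macros_text)
    return [m for m in cp.sections()
            if not re.search(r"\bindex\s*=", cp.get(m, "definition", fallback=""))]

if __name__ == "__main__":
    for role in ("winfra-admin", "user"):
        print(role, "missing:", missing_indexes(AUTHORIZE_CONF, role))
    print("macros relying on default indexes:", macros_without_index(MACROS_CONF))
```

Running it against the real $SPLUNK_HOME/etc files is a quick way to confirm whether a role change or an explicit index= in the base macros is the fix for a given user.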