Splunk App Active Directory - 2008 R2, Advanced Audit Policy

boeing_smithbj
Explorer

I've got a default setup of Splunk (v 5.0.3) with the following:
Active Directory App. (1.2.1)
Sideview Utils (2.6.3)
SA-ldapsearch (1.1.9)
TA for Windows (4.6.3)
Universal Forwarder (5.0.3)

Everything appears to be working correctly - I am seeing log data sent to the indexer from two Active Directory/DNS servers, and I can pull up data on all of the menus within the app (security, change management, health, etc.); however, I am having problems finding specific events. I don't know if this is related to how we have our audit policies set up (Advanced Audit Policy, 2008 R2 domain), but I suspect it is.

Specifically, I am not seeing failed login attempts to the domain when a user is mistyping their passwords on a client workstation. I am seeing this type of event when an admin attempts a remote desktop to one of the Domain Controllers and fails.

Also (most likely related to the above), I am trying to use the "User Utilization" menu option and filter for a specific time period, but again I am only seeing events showing up from users connecting directly to a DC (admin/remote desktop) and not the client connections.

Any ideas here? Thanks in advance!

1 Solution

boeing_smithbj
Explorer

Figured this out...

Basically, if you are using the Advanced Audit Configuration settings, you have to enable "Audit Kerberos Authentication Service" under Advanced Audit Configuration > Account Logon.

With this auditing enabled, the Splunk App for Active Directory will begin picking up the following event IDs from the Domain Controllers:

4768 – A Kerberos authentication ticket (TGT) was requested – In my test this was a BAD/UNKNOWN username

4771 – Kerberos pre-authentication failed – In my test this was a good username and BAD password

boeing_smithbj
Explorer

Follow-up:

Suspecting an auditing issue on the DCs, I did some testing.

Logged off with my user account.

Tried to log in with a bad username (TESTFAIL)

Tried to log in with a good username and a BAD password

Logged in successfully

On the client device I see all the auditing correctly: 4634 for the logoff and 4625s for the failed login attempts. I then checked the (2) Domain Controllers to see if I could find corresponding events; I looked by type and just at the general time in which I did this test, and I am not seeing anything.

Why aren't these audits captured on the DCs?

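The follow-up test above (nothing on the DCs while the client logs 4625s) and the accepted answer (enable "Audit Kerberos Authentication Service") can both be checked from the DC side. The script below is an added example and is not part of the original thread or of the Splunk app; it assumes an elevated PowerShell session on a 2008 R2 or later Domain Controller, the English auditpol subcategory name "Kerberos Authentication Service", and the standard 4768/4771 event XML field names (`TargetUserName`, `IpAddress`, `Status`). Step 1 is the check that explains the follow-up: when Advanced Audit Policy Configuration is in force, the legacy "Audit account logon events" setting no longer applies and the subcategory reports "No Auditing".

```powershell
# Added example, not from the original thread. Run on a Domain Controller as an administrator.

# 1. Show the current effective setting for the subcategory the answer names.
#    "No Auditing" here is why client-side 4625s have no counterpart on the DC.
auditpol /get /subcategory:"Kerberos Authentication Service"

# 2. Enable success and failure auditing for that subcategory on this DC.
#    In a domain this belongs in the GPO linked to the Domain Controllers OU
#    (Advanced Audit Policy Configuration > Account Logon); a local change is
#    overwritten at the next Group Policy refresh.
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

# 3. Confirm the DC now records failed Kerberos AS requests (4768 / 4771).
#    Filtering on the AuditFailure keyword keeps the successful TGT requests out.
$auditFailure = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4771
    Keywords  = $auditFailure.value__
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    # Kerberos result codes (from RFC 4120): 0x6 = client principal unknown
    # (bad username, logged as 4768); 0x18 = pre-authentication failed
    # (good username, bad password, logged as 4771).
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $data['TargetUserName']
        Client  = $data['IpAddress']
        Status  = $data['Status']
    }
}
```

Once step 3 shows rows on the DC, the same events should reach the indexer through the Universal Forwarder; with the TA for Windows collecting the Security log (assumed sourcetype `WinEventLog:Security`), a search such as `sourcetype="WinEventLog:Security" (EventCode=4768 OR EventCode=4771)` over the test window should list the TESTFAIL and bad-password attempts with the client's IP address, which is what the "User Utilization" view was missing.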