All Apps and Add-ons

Splunk App Active Directory - 2008 R2, Advanced Audit Policy

Explorer

I've got a default setup of Splunk (v 5.0.3) with the following:
Active Directory App. (1.2.1)
Sideview Utils (2.6.3)
SA-ldapsearch (1.1.9)
TA for Windows (4.6.3)
Universal Forwarder (5.0.3)

Everything appears to be working correctly - I am seeing log data sent to the indexer from two active directory/dns servers and I can pull up data on all of the menus within the app (security, change management, health, etc.) however... I am having problems finding specific events. I don't know if this is related to how we have our audit policies setup (Advanced Audit Policy, 2008 R2 domain) but suspect it is related.

Specifically, I am not seeing failed login attempts to the domain when a user is mistyping their passwords on a client workstation. I am seeing this type of event when an admin attempts a remote desktop to one of the Domain Controllers and fails.

Also, (most likely related to above) I am trying to use the "User Utilization" menu option and filter for a specific time period, but again, I am only seeing events showing up from users connecting directly to a DC (Admin/remote desktop) and not the client connections.

Any ideas here? Thanks in advance!

0 Karma
1 Solution

Explorer

Figured this out...

Basically, if you are using the Advanced Audit Configuration settings, you have to enable "Audit Kerberos Authentication Service" under Advanced Audit Configuration > Account Logon.

With this auditing enabled the Splunk App for Active Directory will begin picking up the following eventIDs from the Domain Controllers:

4768 – A Kerberos authentication ticket (TGT) was requested – In my test this was a BAD/UNKNOWN username

4771 – Kerberos pre-authentication failed – In my test this was a good username and BAD password

View solution in original post

0 Karma

Explorer

Figured this out...

Basically, if you are using the Advanced Audit Configuration settings, you have to enable "Audit Kerberos Authentication Service" under Advanced Audit Configuration > Account Logon.

With this auditing enabled the Splunk App for Active Directory will begin picking up the following eventIDs from the Domain Controllers:

4768 – A Kerberos authentication ticket (TGT) was requested – In my test this was a BAD/UNKNOWN username

4771 – Kerberos pre-authentication failed – In my test this was a good username and BAD password

View solution in original post

0 Karma

Explorer

Follow-up:

Suspecting an auditing issue on the DCs, I did some testing.

Logged off with my user account.

Tried to login with a bad username (TESTFAIL)

Tried to login with a good username and a BAD password

Logged in successfully

On the client device I see all the auditing correctly, 4634 for the logoff and 4625s for the failed login attempts. I then check the (2) Domain Controllers to see if I can find corresponding events, I looked by type and just at the general time in which I did this test, and I am not seeing anything.

Why aren't these audits captured on the DCs?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!