Hello All,
I'm a new Splunker and have a Windows 6.3.2 enterprise installed with the following:
Supporting Add-on for Active Directory v 2.1.2
Cisco Security Suite v 3.1.1
Template for Citrix XenDesktop 7 v 1.1.1
App for Windows Infrastructure v 1.2.0
Add-on for PowerShell v 1.2.1
TA_Windows v 4.8.1
We are using Advanced Audit Policy (AAP) Configuration in our environment. I am not having any luck finding documentation on which AAP settings need to be configured. It appears to be an all or nothing proposition where either we get almost no information or millions of events in a very short period of time. I have searched the Splunk site fairly thoroughly, but have not found any really helpful guidance on this. I did find this page:
http://docs.splunk.com/Documentation/MSApp/1.2.0/MSInfra/ConfigureActiveDirectoryauditpolicy
This page mentions AAP, but quickly loses me when suggesting I review eventtypes.conf file. Any help or suggestions are greatly appreciated!
jpc
I found this great table, which lists the AAP GPO settings and corresponding Event IDs: http://girl-germs.com/?p=363 . If you take the Event IDs in the eventtypes.conf of the Splunk App for Windows Infrastructure, you get the following table:
Category            AAP setting                               Event IDs
Account             Account Credential Validation             4776
                    Audit Kerberos Authentication Service     4768, 4771
Account Management  Audit Distribution Group Management       4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762
                    Audit Computer Account Management         4741, 4742, 4743
                    Audit User Account Management             4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781
                    Audit Security Group Management           4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764
DS Access           Audit Directory Service Access            4662
Logon/Logoff        Audit Account Lockout                     4625
                    Audit Logon                               4624, 4625
Policy Change       Audit Audit Policy Change                 4912
System              Audit Security State Change               4609
                    Audit System Integrity                    4612
Enabling the Success and Failure check boxes for each of them in Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration should do the trick.
[edit 2016/01/19: added some missing event ids and GPO settings]
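As an added example (not code from the thread, the Splunk app, or the linked page), the script below checks a domain controller's effective audit policy against the subcategories in the table above using the built-in auditpol.exe, and prints the event IDs each subcategory is expected to produce so the result can be compared with what reaches Splunk. It assumes an elevated PowerShell session on Windows; the auditpol subcategory names are auditpol's own English names, and the -Apply switch is a hypothetical convenience for lab hosts.

```powershell
# Added example: verify (and optionally enable locally) the Advanced Audit
# Policy subcategories listed in the answer, mapped to their event IDs.
# Assumes: elevated PowerShell on Windows with auditpol.exe available.
param(
    [switch]$Apply   # hypothetical switch: also set Success+Failure locally via auditpol
)

# auditpol subcategory name -> event IDs, taken from the table in the answer.
$Required = [ordered]@{
    'Credential Validation'           = 4776
    'Kerberos Authentication Service' = 4768, 4771
    'Distribution Group Management'   = 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762
    'Computer Account Management'     = 4741, 4742, 4743
    'User Account Management'         = 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781
    'Security Group Management'       = 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764
    'Directory Service Access'        = 4662
    'Account Lockout'                 = 4625
    'Logon'                           = 4624, 4625
    'Audit Policy Change'             = 4912
    'Security State Change'           = 4609
    'System Integrity'                = 4612
}

function Get-EffectiveAuditSetting {
    param([string]$Subcategory)
    # auditpol prints lines such as "  Logon    Success and Failure";
    # return the trailing setting text for the requested subcategory.
    $out = & auditpol.exe /get /subcategory:"$Subcategory" 2>$null
    foreach ($line in $out) {
        if ($line -match "^\s*$([regex]::Escape($Subcategory))\s{2,}(.+?)\s*$") {
            return $Matches[1]
        }
    }
    return 'Unknown'
}

$results = foreach ($name in $Required.Keys) {
    $setting = Get-EffectiveAuditSetting -Subcategory $name
    $ok = ($setting -eq 'Success and Failure')
    if (-not $ok -and $Apply) {
        # Local change only: a GPO carrying Advanced Audit Policy Configuration
        # overwrites this at the next policy refresh, so the GPO path from the
        # answer is the durable fix; this is for lab verification.
        & auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
        $setting = Get-EffectiveAuditSetting -Subcategory $name
        $ok = ($setting -eq 'Success and Failure')
    }
    [pscustomobject]@{
        Subcategory = $name
        Effective   = $setting
        Compliant   = $ok
        EventIDs    = ($Required[$name] -join ', ')
    }
}

$results | Format-Table -AutoSize
```

Run it without -Apply after the GPO has refreshed to confirm every row shows Compliant = True; a row reading "No Auditing" means the GPO did not reach that host. Two volume caveats worth keeping in mind when tuning: "Directory Service Access" (4662) only fires for objects that carry a SACL and can be extremely noisy once SACLs are broad, and "Logon" (4624/4625) on a domain controller is high-volume by nature, so those two are the usual culprits behind the "millions of events" problem described in the question.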