Splunk App for EMC Isilon file system auditing: Why should I export my SID database to a CSV file?

ronj_clark
Explorer

Why, from a security perspective, would I want to export my SID database to a CSV file? Then I have to protect that file from unauthorized access.

Assuming that you are getting Microsoft AD logs into Splunk and that the index is called "msad", I'm trying this search:

index="isilon_audit" sourcetype="isilon" | join Security_ID [ search index="msad" | fields Security_ID, Account_Name, user | dedup user ] | table Security_ID, Account_Name, user, filename

Let me know your thoughts.

Thanks,
Ron

sobrien
Splunk Employee

Hi Ron,

This app is being deprecated and replaced by the EMC Isilon app for Splunk Enterprise - https://splunkbase.splunk.com/app/2688/.

This new app leverages the API of the Isilon to do the user mappings, removing the need for the lookup file in the older app. It is to be used in conjunction with the Isilon TA.

You can read more about it here - https://bigdatabeard.com/2016/09/22/auditing-excitement-with-isilon-enabled-by-splunk/

HTH,

Simon.

jtacy
Builder

Any user on the domain should be able to use a tool like ActiveRoles Management Shell to do forward/reverse lookups on SIDs so I wouldn't personally consider SID-name mappings confidential. You could put the lookup file in an app rather than globally to make it less exposed but I don't see it as a risk either way.

You will pay a significant performance penalty on your query because of the join, and it may also be tricky to get the expected results because of the multivalue fields in those Windows events. You'll get much better runtime performance and avoid row/time limits on your subsearch if you output it to a file on a schedule and use a lookup; it's really designed for this. To generate the file, I would consider something like this query, which should handle the multivalue fields well but is very, very slow (note that I'm filtering on login events to reduce the event count, and I'm not sure you'll get an accurate SID-name mapping if you allow other event codes):

index=msad EventCode=4624 Security_ID=* | eval combo=mvzip(Security_ID,Account_Name,"|") | mvexpand combo | dedup combo | rex field=combo "(?<Security_ID>\S+)\|(?<Account_Name>.*)" | table Security_ID Account_Name

There's probably a technique to make this much faster without losing correctness but I'm concerned about the need to keep the multivalue Account_Name and Security_ID fields aligned. Note that this query will also collect computer SIDs; maybe eliminating those would make it faster.

If you have a Windows UF available, it might be easier to run a scripted input that pulls the SID-name mappings into an index that you then outputlookup into a file. That would probably deliver the cleanest and most complete data.

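The alignment problem jtacy raises is easy to see in code. The following is an added example, not part of this thread and not Splunk's or the Isilon app's own code: a small Python model of the same mvzip / mvexpand / dedup / rex pipeline, run over constructed sample events shaped like Splunk-extracted EventCode 4624 logons, that produces the SID-to-name CSV a lookup (or Ron's join) would consume. It goes slightly beyond the SPL in two places, both labelled: an event whose Security_ID and Account_Name lists differ in length is skipped rather than paired by guesswork, and computer accounts are dropped by the assumed AD convention that their names end in `$`.

```python
"""Model of the SPL SID-to-name lookup builder (added example, not from the thread).

Mirrors: index=msad EventCode=4624 Security_ID=*
         | eval combo=mvzip(Security_ID,Account_Name,"|") | mvexpand combo
         | dedup combo | rex field=combo "(?<Security_ID>\\S+)\\|(?<Account_Name>.*)"
"""
import csv
import io
import re

# Constructed sample events (not real log data). In 4624 events Splunk
# extracts Security_ID and Account_Name as multivalue fields, typically
# subject account first and target account second; the i-th SID belongs
# to the i-th name, which is why the two lists must stay aligned.
SAMPLE_EVENTS = [
    {"EventCode": "4624",
     "Security_ID": ["NULL SID", "S-1-5-21-1111-2222-3333-1001"],
     "Account_Name": ["-", "alice"]},
    {"EventCode": "4624",
     "Security_ID": ["S-1-5-18", "S-1-5-21-1111-2222-3333-1001"],
     "Account_Name": ["WS01$", "alice"]},          # WS01$ is a computer account
    {"EventCode": "4624",
     "Security_ID": ["S-1-5-21-1111-2222-3333-1002"],
     "Account_Name": ["bob"]},
    {"EventCode": "4634",                            # logoff: filtered out like the SPL
     "Security_ID": ["S-1-5-21-1111-2222-3333-1003"],
     "Account_Name": ["carol"]},
]

# Well-formed SID: "S-1-" followed by at least two dash-separated numbers.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Same pattern as the rex stage in the SPL query.
COMBO_RE = re.compile(r"(?P<sid>\S+)\|(?P<name>.*)")


def build_sid_lookup(events, drop_computer_accounts=True):
    """Return {Security_ID: Account_Name} from logon events, keeping pairs aligned."""
    mapping = {}
    for ev in events:
        if ev.get("EventCode") != "4624":            # EventCode=4624 filter
            continue
        sids = ev.get("Security_ID", [])
        names = ev.get("Account_Name", [])
        if len(sids) != len(names):
            # Assumption beyond the SPL: mismatched multivalue lengths mean
            # the pairing would be a guess, so the event is skipped entirely.
            continue
        # mvzip(...,"|") then mvexpand: one "sid|name" string per pair.
        for combo in (f"{sid}|{name}" for sid, name in zip(sids, names)):
            m = COMBO_RE.match(combo)
            if m is None:
                # e.g. "NULL SID|-": the \S+ in rex cannot match a SID with a
                # space, so the SPL would emit empty fields; we drop the row.
                continue
            sid, name = m.group("sid"), m.group("name")
            if not SID_RE.match(sid):
                continue
            if drop_computer_accounts and name.endswith("$"):
                # Assumed AD convention: computer account names end in "$".
                continue
            mapping.setdefault(sid, name)            # dedup: first pair wins
    return mapping


def write_lookup_csv(mapping):
    """Serialise the mapping as the two-column CSV a Splunk lookup expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["Security_ID", "Account_Name"])
    writer.writeheader()
    for sid in sorted(mapping):
        writer.writerow({"Security_ID": sid, "Account_Name": mapping[sid]})
    return buf.getvalue()


if __name__ == "__main__":
    print(write_lookup_csv(build_sid_lookup(SAMPLE_EVENTS)))
```

With the sample above, the resulting CSV holds only the two user accounts: the "NULL SID" placeholder never parses, the logoff event is filtered by code, and the computer account is dropped unless `drop_computer_accounts=False` is passed. Skipping misaligned events is a deliberate choice: a wrong SID-to-name row in a lookup silently mislabels every audit event it joins against, which is worse than a missing row.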