Archive

Splunk App for EMC Isilon file system auditing: Why should I export my SID database to a CSV file?

Explorer

Why, from a security perspective, would I want to export my SID database to a CSV file? Then I have to protect that file from unauthorized access.

Assuming that you are getting Microsoft AD logs into Splunk and that index is called "msad", trying this search:

index="isilon_audit" sourcetype="isilon" | join Security_ID [ search index="msad" | fields Security_ID, Account_Name, user | dedup user ] | table Security_ID, Account_Name, user, filename

Let me know your thoughts.

Thanks,
Ron

0 Karma

Splunk Employee
Splunk Employee

Hi Ron,

This app is being deprecated and replaced by the EMC Isilon app for Splunk Enterprise - https://splunkbase.splunk.com/app/2688/.

This new app leverages the API of the Isilon to do the user mappings, removing the need for the lookup file in the older app. It is to be used in conjunction with the Isilon TA.

You can read more about it here - https://bigdatabeard.com/2016/09/22/auditing-excitement-with-isilon-enabled-by-splunk/

HTH,

Simon.

Builder

Any user on the domain should be able to use a tool like ActiveRoles Management Shell to do forward/reverse lookups on SIDs so I wouldn't personally consider SID-name mappings confidential. You could put the lookup file in an app rather than globally to make it less exposed but I don't see it as a risk either way.

You will pay a significant performance penalty on your query because of the join and it may also be tricky to get the expected results because of the multivalue fields in those Windows events. You'll get much better runtime performance and avoid row/time limits on your subsearch if you output it to a file on a schedule and use a lookup; it's really designed for this. To generate the file, I would consider something like this query which should handle the multivalue fields well but it's very, very slow (note that I'm filtering on login events to reduce the event count and I'm not sure you'll get accurate SID-name mapping if you allow other event codes):

index=msad EventCode=4624 Security_ID=* | eval combo=mvzip(Security_ID,Account_Name,"|") | mvexpand combo | dedup combo | rex field=combo "(?<Security_ID>\S+)\|(?<Account_Name>.*)" | table Security_ID Account_Name

There's probably a technique to make this much faster without losing correctness but I'm concerned about the need to keep the multivalue AccountName and SecurityID fields aligned. Note that this query will also collect computer SIDs; maybe eliminating those would make it faster.

If you have a Windows UF available, it might be easier to run a scripted input that pulls the SID-name mappings into an index that you then outputlookup into a file. That would probably deliver the cleanest and most complete data.

0 Karma