Hello All,
I have an ongoing issue with my Splunk environment. A user "Alex" has added "Brad" to Remote Desktop Users on a server "xyzabc.com".
But when I'm reviewing my Splunk logs, they show only user "Alex"'s details; they are not showing the name of "Brad" in the logs. Instead they show only the Security ID of "Brad".
Please let me know what is causing this issue.
Thanks,
Ramu.R
If you cannot use evt_resolve_ad_obj, the next best approach is to use a lookup.
Install and configure the Splunk supporting Add-On for AD, if you don't already have it:
https://splunkbase.splunk.com/app/1151/
Then try a search like this:
| ldapsearch domain=YOURDOMAIN search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,objectSid"
| eval identity=lower(sAMAccountName)
| rename objectSid as sid
| table identity sid
| outputlookup sid-identity.csv
This will give you a list of all the SIDs for your users (if it looks OK, schedule this to run once a day, etc.).
Go back to your Windows group membership logs and look at your fields; if you have the TA installed you should have a field called Security_ID. (If not, or if it's not extracting correctly, you may want to extract it yourself.)
This inline rex will give you a quick and dirty result. In the 4728/4732 group-membership events the unresolved SID is the one under "Member:" (the "Subject:" block is the account that made the change and is already resolved), so anchor on that block:
| rex "Member:\s+Security ID:\s+(?P<Security_ID>S-[\d-]+)"
Then lookup that SID in your lookup file:
| lookup sid-identity.csv sid AS Security_ID OUTPUT identity
You should now have a field called identity which contains the sAMAccountName for the SID.
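The resolution step above, run outside Splunk over a constructed 4732 event and a constructed sid-identity.csv, as an added example (this is not code from the original answer and does not use Splunk APIs). It extracts the SID from each block of the event text, resolves it through the lookup the way `| lookup` would, and shows what happens when the Member SID is not in the lookup (for example a SID filtered out of the ldapsearch, or a deleted account): the SID is kept as-is and flagged, rather than silently dropped. All SIDs, names and event text below are made up.

```python
"""Resolve the Member SID of a Windows group-membership event via a CSV lookup.

Added example, not from the original post. The lookup CSV has the same two
columns (identity, sid) that the ldapsearch/outputlookup search above writes.
"""
import csv
import io
import re

# Constructed lookup table; the SIDs and names are placeholders.
LOOKUP_CSV = """identity,sid
alex,S-1-5-21-1111111111-2222222222-3333333333-1105
brad,S-1-5-21-1111111111-2222222222-3333333333-1106
"""

# Constructed event 4732 text ("A member was added to a security-enabled local
# group"). The Subject block is resolved by the host; the Member block carries
# only the SID because the host could not resolve the domain account.
SAMPLE_EVENT = """A member was added to a security-enabled local group.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105
\tAccount Name:\t\tAlex
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7A2

Member:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1106
\tAccount Name:\t\t-

Group:
\tSecurity ID:\t\tS-1-5-32-555
\tGroup Name:\t\tRemote Desktop Users
\tGroup Domain:\t\tBuiltin
"""

# A SID is "S-1-" followed by a revision/authority and one or more sub-authorities.
SID_RE = r"S-1-\d+(?:-\d+)+"


def load_lookup(csv_text):
    """Parse the lookup CSV into a dict keyed by SID (exact match, like Splunk's lookup)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["sid"]: row["identity"] for row in reader}


def sid_in_block(event_text, block):
    """Return the Security ID under the named block (Subject, Member or Group), or None."""
    m = re.search(rf"{block}:\s+Security ID:\s+(?P<sid>{SID_RE})", event_text)
    return m.group("sid") if m else None


def resolve_event(event_text, lookup):
    """Resolve the Subject and Member SIDs of one event against the lookup.

    An unresolved SID is kept verbatim and flagged, so the analyst still sees
    which SID was added even when the lookup has no row for it.
    """
    subject_sid = sid_in_block(event_text, "Subject")
    member_sid = sid_in_block(event_text, "Member")
    return {
        "subject_sid": subject_sid,
        "subject": lookup.get(subject_sid, subject_sid),
        "member_sid": member_sid,
        "member": lookup.get(member_sid, member_sid),
        "member_resolved": member_sid in lookup,
        "group_sid": sid_in_block(event_text, "Group"),
    }


def main():
    lookup = load_lookup(LOOKUP_CSV)
    resolved = resolve_event(SAMPLE_EVENT, lookup)
    print(f"{resolved['subject']} added {resolved['member']} "
          f"(resolved={resolved['member_resolved']}) to group {resolved['group_sid']}")

    # Same event, but the member SID is absent from the lookup.
    unknown = SAMPLE_EVENT.replace("3333333333-1106", "3333333333-9999")
    resolved = resolve_event(unknown, lookup)
    print(f"{resolved['subject']} added {resolved['member']} "
          f"(resolved={resolved['member_resolved']}) to group {resolved['group_sid']}")


if __name__ == "__main__":
    main()
```

The match on the lookup key is exact, as it is in Splunk by default, so build the CSV from the string form of objectSid that ldapsearch returns and do not lower-case the SID column; only the identity column is normalised.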
Hello Nickhill,
Thanks a lot for the effort you are making to get this answer, you rock 🙂
Let me try this and keep you updated on the progress.
Thanks,
Ramu.R
Hi Nickhill,
In my Splunk environment Kaspersky logs, I was able to extract a few more fields based. However, looking at some of the logs, where viruses are found, I'm not sure what the action should be since there is nothing in the logs indicating what it should be.
The logs that contain "GNRL_EV_VIRUS_FOUND": the action is currently mapping to unknown with the automatic lookup that is in place. This is happening because we are not able to determine what the action should be. I believe this should be mapped to "allowed", but I'm not entirely sure.
I was not able to find any Kaspersky documentation that would help determine this. Are you able to provide any Kaspersky documentation that could help? Also, any documentation regarding the logs for field mapping?
Looking forward to your reply.
Thanks,
Ramu.R
Hi Ramu, probably best to post this in a new question. I'll try and take a look.
You need to define/add evt_resolve_ad_obj = 1 to the inputs.conf stanza for the Security event log.
This will force the Splunk UF to try to resolve the SID to a user account:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor
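An added example of the stanza described above (not from the original answer). It assumes the UF reads the local Security log; the DC hostname in the commented-out line is a placeholder and the cache values are the defaults documented for the Windows Event Log Monitor input:

```ini
# inputs.conf on the universal forwarder, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf
[WinEventLog://Security]
disabled = 0
# Resolve SIDs and GUIDs in the event text to account names before forwarding
evt_resolve_ad_obj = 1
# Optional: pin resolution to a specific domain controller (placeholder hostname)
# evt_dc_name = dc01.xyzabc.com
# Cache resolved objects so a SID is looked up against AD once per hour, not per event
evt_ad_cache_disabled = 0
evt_ad_cache_exp = 3600
```

Resolution happens on the forwarder that reads the log, so the stanza belongs on every Windows host (or collector) whose Security log you ingest, and the cache settings are what keep the per-event cost down on a busy domain controller.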
Thanks a lot Nickhill, let me try this and I will update you on the progress soon.
Did some research on this and came to know that it has been turned off by default because it causes a lot of lag with the events (minutes to hours) reaching Splunk. It can also cause resource issues, as this is done at the universal forwarder level. Also, seeing that we do not have universal forwarders on all of our Windows hosts, we have installed the UF on a Windows Event Collector and are getting the events to Splunk from there. I am not entirely sure this would work as expected.
This is directly from the same link you sent:
I agree this was a great solution, but in my environment we need to look for some other way. Is there any other way to get my request done apart from the solution you provided?
Thanks,
Ramu.R
The time lag is directly proportional to the number of events it performs the resolution against.
If the DC is very busy, yes, there can be some latency, but it's bearable in my environment. In my experience I have not experienced "a lot of lag", but each environment is different.
I will post another answer shortly which covers a different approach.