Getting Data In

Identifying non-reporting hosts via correlation with DNS.

rmckerchar
New Member

Hi guys,

I'm trying to define a search to spot Active Directory domain controllers which have not (and possibly never have) sent their security logs into Splunk.

I can easily get a list of domain controllers from DNS (_ldap._tcp.dc._msdcs. SRV records). First stage I'd simply like to paste this list into a search and then do a set operation to subtract hosts which we've received data from. Later I guess I could get splunk to do the DNS query too.

Something like, to mix splunk & SQL syntax:

["list of DCs here" as host] host NOT IN [search sourcetype="wineventlog:security" | dedup host | fields host]

To show me everything in the first list which doesn't match a host in the second.

regards,

-ross


rmckerchar
New Member

Here's how I ended up solving this:

| set diff
    [ | set union
        [| ldapsearch domain="DOMAIN1" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"]
        [| ldapsearch domain="DOMAIN2" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"]
      | fields cn | fields - _* | eval host=cn | fields - cn ]
    [ search index=winsec | dedup host | eval host=upper(host) | fields host | fields - _* ]

So,

  1. Do some LDAP searches to get DCs for a couple of our domains (had to do a union here as domain=A OR domain=B didn't seem to work in conjunction with the ldapsearch app).
  2. Rename the cn field as host.
  3. Diff against a search which returns all DCs only (in our case this was a specific index used by DC security logs). Upper the host field to get around case differences.

Interestingly, the "fields somefield - _*" syntax didn't work as a filter here, hence multiple use of "fields". One to select fields, one to filter out the ones I didn't want.

-ross

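As an added example (not code from this thread), the same set difference done outside Splunk: parse the `_ldap._tcp.dc._msdcs` SRV answers for the DC list, parse a CSV export of the hosts Splunk has security events from, normalise both sides to an upper-case short name (the case and FQDN mismatch described above), and report the DCs left over. The SRV answers and the host CSV below are constructed samples; the domain names are placeholders.

```python
import csv
import io

# Constructed sample: dig-style answers for the SRV records the DC list comes from.
SRV_ANSWERS = """\
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 DC1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc3.corp.example.
_ldap._tcp.dc._msdcs.lab.example. 600 IN SRV 0 100 389 labdc1.lab.example.
"""

# Constructed sample: CSV export of `index=winsec | dedup host | table host`.
SPLUNK_HOSTS_CSV = """\
host
dc1
DC2.corp.example
labdc1
fileserver01
"""

def normalize(name):
    """Upper-case short name, so 'dc1', 'DC1' and 'dc1.corp.example.' compare equal."""
    return name.strip().rstrip(".").split(".")[0].upper()

def parse_srv_targets(answer_text):
    """Return {short_name: fqdn} for each SRV target. Accepts the full answer line
    (8 fields, 'SRV' in position 4) or `dig +short` output (4 fields); the target
    is the last field in both forms."""
    targets = {}
    for line in answer_text.splitlines():
        fields = line.split()
        if not (len(fields) == 4 or (len(fields) == 8 and fields[3] == "SRV")):
            continue
        fqdn = fields[-1].rstrip(".")
        targets[normalize(fqdn)] = fqdn
    return targets

def parse_splunk_hosts(csv_text):
    """Set of normalised host names that have sent security events."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize(row["host"]) for row in reader if row.get("host")}

def non_reporting_dcs(answer_text, csv_text):
    """DCs advertised in DNS that Splunk has no security events from."""
    dcs = parse_srv_targets(answer_text)
    seen = parse_splunk_hosts(csv_text)
    return sorted(dcs[name] for name in dcs.keys() - seen)

if __name__ == "__main__":
    for fqdn in non_reporting_dcs(SRV_ANSWERS, SPLUNK_HOSTS_CSV):
        print("no security logs from", fqdn)
```

A host that reports under yet another name (an alias or NetBIOS name) would still show up as non-reporting, so the gaps this prints are worth confirming against the forwarder before raising an alert.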

bmacias84
Champion

You could store your DC list in a csv and use lookup, just index a list of DCs, or WMI query AD periodically. Once you have your complete search just use the diff command. You probably have to play around a bit with your results.


... | diff pos1=1 pos2=3 attribute=domain_controller

Hope this helps you. Cheers.

Please don't forget to click accept and upvote this post, if it helps you.

Additional reading:

Diff

enriching-data-with-lookups-part-1

enriching-data-with-db-lookups-part-2

CreateAndConfigureFieldLookups

rmckerchar
New Member

Ta very much. I started this but then just switched to deploying the Splunk for Active Directory app instead!
