Getting Data In

Identifying non-reporting hosts via correlation with DNS.

rmckerchar
New Member

Hi guys,

I'm trying to define a search to spot Active Directory domain controllers which have not (and possibly never have) sent their security logs into Splunk.

I can easily get a list of domain controllers from DNS (_ldap._tcp.dc._msdcs. SRV records). First stage I'd simply like to paste this list into a search and then do a set operation to subtract hosts which we've received data from. Later I guess I could get splunk to do the DNS query too.

Something like, to mix splunk & SQL syntax:

["list of DCs here" as host] host NOT IN [search sourcetype="wineventlog:security" | dedup host | fields host]

To show me everything in the first list which doesn't match a host in the second.

regards,

-ross

0 Karma

rmckerchar
New Member

Here's how I ended up solving this:

| set diff
    [ | set union
        [ | ldapsearch domain="DOMAIN1" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))" ]
        [ | ldapsearch domain="DOMAIN2" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))" ]
      | fields cn | fields - _* | eval host=cn | fields - cn ]
    [ search index=winsec | dedup host | eval host=upper(host) | fields host | fields - _* ]

So,

  1. Do some LDAP searches to get DCs for a couple of our domains (had to do a union here, as domain=A OR domain=B didn't seem to work in conjunction with the ldapsearch app)
  2. Rename the cn field as host.
  3. Diff against a search which returns all DCs only (in our case this was a specific index used by DC security logs). Upper the host field to get around case differences.

Interestingly, the "fields somefield - _*" syntax didn't work as a filter here, hence multiple use of "fields". One to select fields, one to filter out the ones I didn't want.

-ross

0 Karma

bmacias84
Champion

You could store your DC list in a csv and use a lookup, just index a list of DCs, or WMI query AD periodically. Once you have your complete search, just use the diff command. You will probably have to play around a bit with your results.


... | diff position1=1 position2=3 attribute=domain_controller

Hope this helps you. Cheers.

Please don't forget to click accept and up this post, if it helps you.

Additional reading:

Diff

enriching-data-with-lookups-part-1

enriching-data-with-db-lookups-part-2

CreateAndConfigureFieldLookups
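The lookup-based variant bmacias84 describes, written out as an added example (it is not code from either poster) that also handles the case and FQDN-vs-NetBIOS differences rmckerchar worked around in the ldapsearch version above. It assumes a lookup file named expected_dcs.csv with columns host and domain (one row per domain controller, populated from the _ldap._tcp.dc._msdcs.<domain> SRV records or from the ldapsearch query in the earlier post) and an index named winsec holding the DC security logs; both names are assumptions here:

```spl
| inputlookup expected_dcs.csv
| eval host=lower(mvindex(split(host, "."), 0)), expected=1
| append
    [ search index=winsec sourcetype="WinEventLog:Security" earliest=-24h
      | stats latest(_time) as last_seen count as events by host
      | eval host=lower(mvindex(split(host, "."), 0)), reporting=1 ]
| stats values(domain) as domain max(expected) as expected max(reporting) as reporting
        max(last_seen) as last_seen sum(events) as events by host
| eval status=case(expected=1 AND isnull(reporting), "not reporting",
                   isnull(expected) AND reporting=1, "reporting but not in DC list",
                   true(), "ok")
| where status!="ok"
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table host domain status events last_seen
```

Both sides are normalised the same way (lower-cased, domain suffix stripped) before the stats join, so "DC01", "dc01" and "dc01.corp.example" all collapse to one key; normalising only one side, as in the upper() on the winsec side above, still leaves mismatches when the LDAP cn and the event host field differ in form. The append-plus-stats form is a one-sided difference that lists expected hosts with no events, whereas set diff returns rows present in either input but not both, which also surfaces non-DC hosts if the index is not DC-only. Widen earliest (or set earliest=0) to catch DCs that have never reported rather than only those quiet in the last day, and keep in mind that the subsearch is subject to the usual subsearch result and time limits, which is rarely an issue for a list of domain controllers but matters if the same pattern is reused for all member servers.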

rmckerchar
New Member

Ta very much. I started this but then just switched to deploying the Splunk for Active Directory app instead!

0 Karma