Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Identifying non-reporting hosts via correlation with DNS.

rmckerchar
New Member
‎10-26-2012 07:43 AM

Hi guys,

I'm trying to define a search to spot Active Directory domain controllers which have not (and possibly never have) sent theie security logs into Splunk.

I can easily get a list of domain controllers from DNS (_ldap._tcp.dc._msdcs. SRV records). First stage I'd simply like to paste this list into a search and then do a set operation to subtract hosts which we've received data from. Later I guess I could get splunk to do the DNS query too.

Something like, to mix splunk & SQL syntax:

["list of DCs here" as host] host NOT IN [search sourcetype="wineventlog:security" | dedup host | fields host]

To show me everything in the first list which doesn't match a host in the second.

regards,

-ross

0 Karma
Reply

rmckerchar
New Member
‎11-08-2012 07:22 AM

Here's how I ended up solving this:

| set diff [ | set union [| ldapsearch domain="DOMAIN1" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"] [| ldapsearch domain="DOMAIN2" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"] | fields cn | fields - _* | eval host=cn | fields - cn
] [ search index=winsec | dedup host | eval host=upper(host) | fields host | fields - _* ]

So,

  1. Do some LDAP searches to get DCs for a couple of our domains (had to do a union here as I domain=A OR domain=B didn't seem to work in conjuction with the ldapsearch app)
  2. Rename the cn field as host.
  3. Diff against a search which returns all DCs only (in our case this was a specific index used by DC security logs). Upper the host field to get around case differences.

Interestingly, the "fields somefield - _*" syntax didn't work as a filter here, hence multiple use of "fields". One to select fields, one to filter out the ones I didn't want.

-ross

0 Karma
Reply

bmacias84
Champion
‎10-26-2012 08:56 AM

You could store your DC list in a csv and use lookup, just index a list of DCs, or WMI query AD peroidicly.. Once your have your complete search just use the diff command. You probably have to play around a bit with the your results.



... | diff pos1=1 pos2=3 attribute=domain_contorller

Hope this helps you. Cheers.

Please don't forget to click accept and up this post, if it helps you.

Additional reading:

Diff

enriching-data-with-lookups-part-1

enriching-data-with-db-lookups-part-2

CreateAndConfigureFieldLookups

Reply

rmckerchar
New Member
‎10-27-2012 08:25 AM

Ta very much. I started this but then just switch to deploy Splunk for Active Directory app instead!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...