Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Identifying non-reporting hosts via correlation with DNS.

rmckerchar
New Member
‎10-26-2012 07:43 AM

Hi guys,

I'm trying to define a search to spot Active Directory domain controllers which have not (and possibly never have) sent theie security logs into Splunk.

I can easily get a list of domain controllers from DNS (_ldap._tcp.dc._msdcs. SRV records). First stage I'd simply like to paste this list into a search and then do a set operation to subtract hosts which we've received data from. Later I guess I could get splunk to do the DNS query too.

Something like, to mix splunk & SQL syntax:

["list of DCs here" as host] host NOT IN [search sourcetype="wineventlog:security" | dedup host | fields host]

To show me everything in the first list which doesn't match a host in the second.

regards,

-ross

0 Karma
Reply

rmckerchar
New Member
‎11-08-2012 07:22 AM

Here's how I ended up solving this:

| set diff [ | set union [| ldapsearch domain="DOMAIN1" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"] [| ldapsearch domain="DOMAIN2" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"] | fields cn | fields - _* | eval host=cn | fields - cn
] [ search index=winsec | dedup host | eval host=upper(host) | fields host | fields - _* ]

So,

  1. Do some LDAP searches to get DCs for a couple of our domains (had to do a union here as I domain=A OR domain=B didn't seem to work in conjuction with the ldapsearch app)
  2. Rename the cn field as host.
  3. Diff against a search which returns all DCs only (in our case this was a specific index used by DC security logs). Upper the host field to get around case differences.

Interestingly, the "fields somefield - _*" syntax didn't work as a filter here, hence multiple use of "fields". One to select fields, one to filter out the ones I didn't want.

-ross

0 Karma
Reply

bmacias84
Champion
‎10-26-2012 08:56 AM

You could store your DC list in a csv and use lookup, just index a list of DCs, or WMI query AD peroidicly.. Once your have your complete search just use the diff command. You probably have to play around a bit with the your results.



... | diff pos1=1 pos2=3 attribute=domain_contorller

Hope this helps you. Cheers.

Please don't forget to click accept and up this post, if it helps you.

Additional reading:

Diff

enriching-data-with-lookups-part-1

enriching-data-with-db-lookups-part-2

CreateAndConfigureFieldLookups

Reply

rmckerchar
New Member
‎10-27-2012 08:25 AM

Ta very much. I started this but then just switch to deploy Splunk for Active Directory app instead!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...