Splunk Search

How to view host disk encryption status

dfiore42
New Member

I need a query to view disk encryption (DAR) of all my hosts, be it Bit Locker, LUKS, etc.

index=* host=* | ???

Thank you in advance.

Labels (1)
Tags (3)
0 Karma

ragedsparrow
Contributor

Do you have data in splunk that denotes that the disk in encrypted?  There are a few things to know here:

  • Where your data is stored (index)
  • What differentiates your data  (sourcetype, source, etc)
  • Is your data that you need being monitored? 

Specifically for BitLocker, those are included in Windows Events.  This answer may be helpful in finding where they are: https://community.splunk.com/t5/Getting-Data-In/Retrieving-Windows-Event-logs-with-hyphens-in-the-na... 


0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...