Splunk Search

How to view host disk encryption status

dfiore42
New Member

I need a query to view disk encryption (DAR) of all my hosts, be it Bit Locker, LUKS, etc.

index=* host=* | ???

Thank you in advance.

Labels (1)
Tags (3)
0 Karma

ragedsparrow
Contributor

Do you have data in splunk that denotes that the disk in encrypted?  There are a few things to know here:

  • Where your data is stored (index)
  • What differentiates your data  (sourcetype, source, etc)
  • Is your data that you need being monitored? 

Specifically for BitLocker, those are included in Windows Events.  This answer may be helpful in finding where they are: https://community.splunk.com/t5/Getting-Data-In/Retrieving-Windows-Event-logs-with-hyphens-in-the-na... 


0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...