Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to use Splunk to search all hosts on a domain to identify which hosts have a particular security group listed?

selimh
New Member
‎07-17-2017 01:25 PM

Is it possible to use Splunk to search all hosts on a domain to identify which hosts have a particular security group listed?

Tags (3)
0 Karma
Reply

DalJeanis
Legend
‎07-17-2017 03:08 PM

If you are talking about an AD security group, then as a general case, no. That would need to be done using AD tools, unless the AD administrator had chosen to load such data into splunk (an unlikely and bad idea).

you might be able to simulate such a search, if you knew someone who belonged to the AD group (and not many others) and if you know other people who didn't belong to it, then you could find all the hosts that Mr Access had accessed that Ms NoAccess didn't. However, that's very hit-or-miss, since there's no guarantee that Mr Access or Ms NoAccess have accessed everything they could, and there's not guarantee that Ms NoAccess doesn't have another AD group that allows her to get to the locations that that AD group access privilege grants to Mr Access.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...