This one may be a bit of a weird question, more for DC admins and datamodel builders, but a conceptual one :)
Using the add-on for MS Windows (Splunk_TA_Windows) to parse a Domain Controller's Security event log raises several questions for us:
Is it correct that the field "dest" is aliased from ComputerName (ComputerName_as_dest), which is always the actual name of the Domain Controller, and "src" is the machine/server where the user has authenticated?
Thus in many cases "src" is a service server (Exchange, Remote Desktop, RADIUS, etc.), which obviously should be the destination. This results in numerous notable events for rules like "Brute force behavior detected" or "Excessive failures", as hundreds of people may authenticate to the server.
Right now I think it's better to restrict the eventtype for authentication events on DCs to only the combination "EventCode=4624 Logon_Type=2", or to exclude all public servers.
I'd like to ask for any recommendations, if someone has faced the same thoughts and revised the knowledge approach (what is source, what is dest), and how not to affect rules in ES with such customizations.
And is it possible to get the real (first-hop) source from AD (maybe some other logs exist), in case we can't correlate with service and endpoint logs?
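The behaviour the post describes, shown as an added example (this is not code from the original post, from Splunk or from Splunk_TA_Windows). It models why a DC-side "excessive failures" rule keyed on src fires on a service server, and where a first-hop address does exist in the DC's own log: for NTLM the DC logs 4776 whose Source Workstation is the member server that forwarded the credential check (Exchange, RDS, RADIUS), while for Kerberos the DC logs 4768/4771 whose Client Address is the host that sent the AS-REQ. The event dictionaries are constructed sample data, the field names (Account_Name, Source_Workstation, Client_Address, Error_Code, Status) mirror the classic add-on extractions as an assumption, and src_of() is my own approximation of the add-on's src aliasing, not its actual configuration. The hostnames and IPs (DC01, EXCH01, 10.0.0.101) are hypothetical.

```python
from collections import Counter, defaultdict

DC = "DC01"                  # hypothetical domain controller (ComputerName -> dest)
EXCHANGE = "EXCH01"          # hypothetical Exchange server (a service host)
WORKSTATION = "10.0.0.101"   # hypothetical end-user workstation


def ntlm_failure(user, workstation):
    """4776: the DC validated NTLM credentials forwarded by a member server.
    Source_Workstation names that member server, not the user's machine."""
    return {"EventCode": 4776, "ComputerName": DC, "Account_Name": user,
            "Source_Workstation": workstation, "Error_Code": "0xC000006A"}


def kerberos_failure(user, client_ip):
    """4771: Kerberos pre-authentication failed. Client_Address is the host
    that sent the AS-REQ, i.e. the first hop."""
    return {"EventCode": 4771, "ComputerName": DC, "Account_Name": user,
            "Client_Address": "::ffff:" + client_ip, "Status": "0x18"}


# Constructed sample: 30 mailbox users each mistype a password once through
# Outlook -> Exchange -> DC (NTLM pass-through), and one account is guessed
# 25 times from a workstation that talks Kerberos to the DC directly.
SAMPLE_EVENTS = (
    [ntlm_failure(f"user{i:02d}", EXCHANGE) for i in range(30)]
    + [kerberos_failure("svc_backup", WORKSTATION) for _ in range(25)]
)


def is_failure(event):
    """4625 and 4771 are always failures; 4776 only when Error_Code != 0x0."""
    code = event["EventCode"]
    if code in (4625, 4771):
        return True
    if code == 4776:
        return event.get("Error_Code", "0x0") != "0x0"
    return False


def src_of(event):
    """Approximation of add-on style src aliasing (assumption, not the TA's
    config): 4776 -> Source_Workstation, 4768/4771 -> Client_Address with the
    IPv4-mapped prefix stripped, 4624/4625 -> Source_Network_Address."""
    code = event["EventCode"]
    if code == 4776:
        return event["Source_Workstation"]
    if code in (4768, 4771):
        addr = event["Client_Address"]
        return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr
    return event.get("Source_Network_Address")


def failures_per_src(events):
    """Plain 'excessive failures' count keyed on src."""
    return Counter(src_of(e) for e in events if is_failure(e))


def naive_candidates(events, threshold=20):
    """What a threshold-only rule flags: any src over the limit."""
    return {s for s, n in failures_per_src(events).items() if n >= threshold}


def brute_force_candidates(events, threshold=20, min_concentration=5,
                           excluded_srcs=frozenset()):
    """Flag a src only if it exceeds the failure threshold AND the failures
    concentrate on few accounts (failures per distinct user >= min_concentration).
    A service server fronting hundreds of users sits near a ratio of 1.
    excluded_srcs models a lookup of known service/public servers.
    Returns {src: (failures, distinct_users)}."""
    fails, users = Counter(), defaultdict(set)
    for e in events:
        if not is_failure(e):
            continue
        s = src_of(e)
        if s in excluded_srcs:
            continue
        fails[s] += 1
        users[s].add(e["Account_Name"])
    return {s: (n, len(users[s])) for s, n in fails.items()
            if n >= threshold and n / len(users[s]) >= min_concentration}


if __name__ == "__main__":
    print("failures per src:", dict(failures_per_src(SAMPLE_EVENTS)))
    print("threshold-only rule flags:", naive_candidates(SAMPLE_EVENTS))
    print("concentration-aware rule flags:", brute_force_candidates(SAMPLE_EVENTS))
```

On the constructed sample the threshold-only rule flags both EXCH01 and the workstation, because the Exchange server's 30 pass-through failures look exactly like 30 guesses from the DC's point of view. Keying the decision on failures per distinct account keeps the workstation (25 failures against one account) and drops the Exchange server (30 failures across 30 accounts) without hard-coding an exclusion; the excluded_srcs argument is there for the "exclude all public servers" route the post considers. For NTLM traffic the DC genuinely cannot see past the member server, so the first hop for those events has to come from that server's own log.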