Focusing on Microsoft – starting with Active Directory

This blog will focus on things related to Splunk and Microsoft. It will have posts related to how customers are using Splunk, which partners are adding to Splunk’s value proposition, and highlight existing functionality that optimizes Splunk for Windows workloads. Of course, there might also be a little shameless promotion of new whitepapers, upcoming presentations and Splunk-sponsored events.

To start, there are a couple of whitepapers about monitoring and auditing Active Directory with Splunk. One touches upon general requirements for AD monitoring and auditing, while the other describes how to use Splunk with those requirements in mind. Splunk does things differently from most other data management and processing tools: we suggest collecting ALL of the data first and then conducting ad hoc queries. This philosophy suits Active Directory monitoring very well, given that AD objects and policies constantly change for a myriad of reasons. Splunk not only lets you know what changed, but also how, when and who made the change. Because Splunk can correlate AD changes with security event logs very efficiently, you can tie each change to the security events around it and to the account that made it.

With this approach, Splunk can be used to monitor, audit and conduct administrative tasks across AD’s object lifecycle. You can also use Splunk to map SIDs and GUIDs from event logs throughout the enterprise into logical names.

Four characteristics make up the full state of Splunk for Active Directory:
Snapshot: an initial snapshot of all the objects in a given domain is created by binding to an available domain controller and querying for all of its objects, using Update Sequence Number (USN) zero as the starting point. All non-null object attributes are inserted into Splunk with event type “Sync” to reflect the objects’ current state.
Deleted Objects: the domain controller’s Deleted Objects container is enumerated, and for each deleted object a “Deleted” event is inserted into Splunk.
Schema: the domain controller’s schema classes and attributes are enumerated for all mandatory and optional attributes and inserted into Splunk as “Schema” events.
Updated Objects: a change notification query is registered at a given starting root distinguished name, and all objects within the tree are monitored for changes. Each change is captured, the affected object’s attributes are queried from the domain controller, and the result is inserted into Splunk as an “Updated” event.

By combining these characteristics for change monitoring with security event logs, you can surface very interesting information about Active Directory and other intelligence about objects related to AD.
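As an added illustration of the snapshot-and-USN mechanism and the SID/GUID mapping described above (example code written for this post, not Splunk’s own add-on code), the Python below decodes binary objectSid and objectGUID values into the strings Windows displays, builds a name lookup from constructed “Sync” events, records the USN watermark above which the next change query picks up “Updated” objects, and resolves the raw SIDs in a constructed Security event line. Attribute names such as uSNChanged and sAMAccountName are the standard AD attributes; every sample name, SID, GUID and USN value is constructed.

```python
import re
import struct
import uuid

def sid_to_string(raw: bytes) -> str:
    """Decode a binary objectSid: revision, count, 48-bit BE authority, LE 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return f"S-{revision}-{authority}-" + "-".join(str(s) for s in subs)

def guid_to_string(raw: bytes) -> str:
    """Decode a binary objectGUID into the mixed-endian string that AD tools display."""
    return str(uuid.UUID(bytes_le=raw))

def build_lookup(events):
    """Map every SID and GUID carried by Sync/Updated events to the object's logical name."""
    lookup = {}
    for ev in events:
        name = ev.get("sAMAccountName") or ev["distinguishedName"]
        lookup[sid_to_string(ev["objectSid"])] = name
        lookup[guid_to_string(ev["objectGUID"])] = name
    return lookup

def snapshot_watermark(events):
    """Highest uSNChanged in the snapshot; the next change query only needs objects above it."""
    return max(ev["uSNChanged"] for ev in events)

def changes_since(poll_results, watermark):
    """Objects whose uSNChanged moved past the watermark become "Updated" events."""
    return [dict(ev, eventType="Updated") for ev in poll_results if ev["uSNChanged"] > watermark]
SID_RE = re.compile(r"\bS-1-5-(?:\d+-)+\d+\b")
def resolve_sids(log_line, lookup):
    """Rewrite raw SIDs in a Security event line as 'name (SID)' where the lookup knows them."""
    return SID_RE.sub(lambda m: f"{lookup[m[0]]} ({m[0]})" if m[0] in lookup else m[0], log_line)
def make_sid(*subs):
    """Raw objectSid bytes for S-1-5-<subs>; helper used only to build the constructed sample."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)
# Constructed "Sync" snapshot events: made-up names, SIDs, GUIDs and USNs, not real directory data.
SNAPSHOT = [
    {"eventType": "Sync", "distinguishedName": "CN=Alice Example,OU=Users,DC=corp,DC=example",
     "sAMAccountName": "alice", "objectSid": make_sid(21, 1004336348, 1177238915, 682003330, 1105),
     "objectGUID": uuid.UUID("a3f1c2d4-0000-4000-8000-0000deadbeef").bytes_le, "uSNChanged": 41872},
    {"eventType": "Sync", "distinguishedName": "CN=Administrators,CN=Builtin,DC=corp,DC=example",
     "sAMAccountName": "Administrators", "objectSid": make_sid(32, 544),
     "objectGUID": uuid.UUID("5b2e7f10-0000-4000-8000-00000badf00d").bytes_le, "uSNChanged": 3210},
]
# Constructed Security event line (4732: member added to a security-enabled local group) with raw SIDs.
SECURITY_LINE = ("EventCode=4732 Subject Security ID: S-1-5-21-1004336348-1177238915-682003330-1105 "
                 "Group Security ID: S-1-5-32-544")
```

Feeding `changes_since` the result of a later poll against the same root yields only the objects that moved past the snapshot’s watermark, which is the incremental behaviour the “Updated Objects” characteristic relies on.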

Posted by Splunk