

splunk

MS Windows AD Objects

This app has been archived.
This app is NOT supported by Splunk.
Provides a solution for building and dynamically updating Splunk AD Object lookups with User, Group, Computer, OU, and Group Policy Active Directory object data. These lookups can then be used to quickly analyze the latest AD attribute values and correlate them with Windows events or any other indexed data.
There are over 40 dashboards and 50 reports provided, including numerous ones that can help you build your own.
This application also provides an efficient alternative for looking up AD object attributes instead of using the Splunk Support Add-On for Active Directory (i.e. remote LDAP queries). Since the Splunk for Windows Infrastructure and Splunk for Microsoft Exchange applications require the SA-LDAPSearch add-on by default, the MS Windows AD Objects application provides the dashboard files needed to replace the ones shipped within these applications.

Description:

The MS Windows AD Objects application leverages admon (sourcetype ActiveDirectory) data for building and updating AD object lookup files stored in the KV store. These lookup files can then be used to look up the latest (< 10 minutes old) AD attribute information for User, Group, Group Policy, Organizational Unit, and Computer AD objects. This app also contains updated dashboard files for the Splunk for Windows Infrastructure and Splunk for Microsoft Exchange applications that you can optionally use instead of the default ones provided by these applications. These updated files replace the SA_LDAPSearch (Splunk Support Add-On for Active Directory) LDAP queries in the searches, macros and dashboards with the MS Windows AD Objects lookups.


Use Cases

  • Dynamic AD Object Lookup
    • Need to capture, dynamically build and update Active Directory Object lookup tables for Users, Groups, Computers, OUs, and Group Policies.
  • Security or IT Operations
    • Audit or manage Active Directory object creations, deletions, moves and modifications, and advance those events into performance correlation analytics.
    • Audit or manage AD User Logins, either for potential Security threats or IT Service impact.
  • Correlation of AD Objects and other data sources
    • Correlate Active Directory objects with Windows events or any other Splunk-indexed data sources.

IMPORTANT - XMLWinEventLog - msad_action field extraction - Work Around

There is a current issue where the msad_action field is not being extracted by the Splunk Add-on for Microsoft Windows for XMLWinEventLogs. This field is heavily leveraged by this application, so below is a workaround until the TA is fixed or a new version of this app is released.

First: Add an automatic lookup for source XmlWinEventLog:Security using the AD_Audit_Change_EventCodes lookup.

  1. In the MS Windows AD Objects app, navigate to Settings -> Lookups -> Automatic Lookups.
  2. Click New Automatic Lookup.
  3. Enter the following:
    • Name: ms_ad_obj_wrkaround_msad_action
    • Source: XmlWinEventLog:Security
    • Lookup Input Fields:
      • EventCode = EventCode
      • obj_type = obj_type
    • Lookup Output Fields:
      • change_action = change_action
  4. Click Save.
  5. Set the permissions to the app and the appropriate role permissions.

Second: Update the source::XmlWinEventLog:Security : EVAL-msad_action calculated field in the MS Windows AD Objects app.

  1. In the MS Windows AD Objects app, navigate to Settings -> Fields -> Calculated Fields.
  2. In the Search box, type msad_action.
  3. Click on source::XmlWinEventLog:Security : EVAL-msad_action.
  4. Replace the Eval Expression:
    • From: if(msad_action="change" OR msad_action="changed" OR msad_action="set" OR msad_action="reset","modified",if(msad_action="add","added",if(EventID="4722","enabled",msad_action)))
    • To: if(isnull(change_action),if(msad_action="change" OR msad_action="changed" OR msad_action="set" OR msad_action="reset","modified",if(msad_action="add","added",if(EventID="4722","enabled",msad_action))),change_action)
  5. Click Save.
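To confirm that the two changes above are actually populating msad_action, here is an added diagnostic search (not part of the app) that applies the AD_Audit_Change_EventCodes lookup explicitly and lines its result up against the change_action and msad_action fields produced by the automatic lookup and the calculated field. The index name wineventlog is a placeholder for wherever your Security events are stored.

```spl
index=wineventlog source="XmlWinEventLog:Security" earliest=-4h
| fillnull value="(null)" obj_type change_action msad_action
| lookup AD_Audit_Change_EventCodes EventCode obj_type OUTPUT change_action AS expected_action
| where isnotnull(expected_action)
| eval auto_lookup=if(change_action="(null)", "not applied", "applied"),
       msad_action_status=if(msad_action="(null)", "MISSING", "ok")
| stats count BY EventCode obj_type expected_action change_action msad_action auto_lookup msad_action_status
| sort EventCode
```

Any row with auto_lookup="not applied" means the automatic lookup is not matching that EventCode/obj_type pair (check the lookup's permissions and source scoping); any row with msad_action_status="MISSING" means the calculated field is still not producing a value for those events.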

New in Version 4.1.1

  • Split AD_Obj_(User/Group/Computer) lookups into separate lookups by domain
    • This updated version helps large environments shrink their AD_Obj_User, AD_Obj_Group and AD_Obj_Computer lookups by providing a way to split each of them into separate, smaller lookups per AD domain.
    • This prevents running into KV Store replication limits, since each of the smaller KV Store collections is easier to replicate.
    • Note: The AD Objects - CFG - Split KVs dashboard, located under Configuration Dashboards - Advance Configurations, walks you through how to enable and set this up.
  • Windows Registry Reports
    • This updated version also provides 9 new Windows Registry reports.

Application Highlights

  • Getting Started and Data In step-by-step walkthrough (New in Version 4.1.0)
    • The Configuration - Getting Data In dashboard walks you through the complete process of getting Windows data in and configuring the MS Windows AD Objects application.
    • This dashboard first takes input on the scope of your environment and deployment plans, then provides configuration steps aligned with them for getting the required and recommended Windows data in.
    • Note: If you are upgrading from a previous version of the MS Windows AD Objects application, you still need to walk through this wizard, because it ensures that the new macros that point to the Windows data are configured and that your current CSV lookups are migrated to the appropriate KV store.
  • Advanced Correlation Analytics (New and Updated in Version 4.0)
    • The AD Objects - Group - Sub Search - Builder and AD Objects - User - Logins by Group Membership dashboards have been enhanced in both performance and result analysis, such as viewing indexed data by sourcetype for all users within a specific AD group.
    • Added a new dashboard, AD Objects - OU - Sub Search - Builder, that provides a way to analyze indexed data correlated with all users within an Organizational Unit.
  • Powerful Automatic Building of KVStore Lookups (New in Version 4.0)
    • Building the lookups, or migrating them from previous object CSVs, has been enhanced with time selections and with performance and scalability improvements.
    • If you are upgrading from a previous version of MS Windows AD Objects, you can also migrate your existing object lookup CSVs to the new KVStore lookups.
  • Login Analysis Tracking:
    • Login attempt Success Ratio
    • Logins by group membership
    • Login attempts by Disabled/Expired Accounts
    • Logins by Non-Domain Accounts
    • Locked Accounts
  • AD Object Change Management:
    • Change Management Data Model (Updated in Version 4.0)
      • Used for tracking AD change trends using Splunk's data modeling
      • MS_Windows_AD_Changes data model
    • Change Management Events Lookup (Updated in Version 4.0)
      • Lookup that contains change Event IDs, category, type, and target objects.
      • Leveraged as a sub-search for change reports and dashboards
    • Change Management Dashboard
      • Track all administrator change activities from a single dashboard.
    • Individual AD Object Change Reports (Updated in Version 4.0)
      • Reports by type of change (Create, Delete, Modify, Move)
      • Target AD objects (Users, Groups, Group Membership, Computers, OUs and Containers, GPOs)

Implementation Options

  • Stand Alone
    • This application provides numerous dashboards and reports for analyzing your Active Directory object data as well as core Microsoft Windows events, WinHostMon, and perfmon data. These are all provided within this application and do not depend on either the Splunk for Windows Infrastructure or Splunk for Microsoft Exchange applications.
  • Integration Options
    • What type of integration?
      • Optionally integrate the AD Object lookups maintained by the MS Windows AD Objects application with either Splunk for Windows Infrastructure or Splunk for Microsoft Exchange. This integration process consists of updating the macros, reports, and dashboards of these applications to use the AD Object lookups instead of doing remote LDAP queries with the Splunk Support Add-On for Active Directory.
    • How does the MS Windows AD Objects application integrate with these applications?
      • The MS Windows AD Objects application comes with updated configuration and dashboard files that replace these applications' required use of the Splunk Support for Active Directory (SA-LDAPsearch) application for retrieving AD attribute data with the lookups generated by MS Windows AD Objects.

Application Configuration Steps Overview:

  • Note: The configuration steps for the MS Windows AD Objects application are now defined and outlined specifically for your environment using the Configuration - Getting Data In dashboard. Below is a basic overview of the individual sections and tasks covered by this dashboard:
  • Sections covered and walked through:
    • Section Step 1: Scope Definition: This step is used to align the subsequent steps with your environment and deployment plans.
    • Section Step 2: Preparation: Provides the preparation steps so that the Splunk core components, MS Windows AD Objects and the TA configuration are ready to receive the Windows data and deployment.
    • Section Step 3: Deployment: Covers the steps for distributing the previously configured Splunk Technical Add-ons to the target Windows systems.
    • Section Step 4: Check Data: This section provides a way of verifying, and if necessary troubleshooting, the previous configuration steps.
    • Section Step 5: Build Lookups: This last section walks through the final step of building the MS Windows AD Objects lookup tables.
  • Tasks that have specific steps outlined within this dashboard:
    • Downloading software and/or applications: You will be provided links to the Splunk Enterprise software, the Windows TA, and the pre-configured example TAs provided by the MS Windows AD Objects application.
    • Installation instructions (if installation of the following components is necessary):
      • Splunk Universal Forwarder: You will be provided step-by-step instructions for installing the Splunk Universal Forwarder on your target Windows systems.
      • Splunk Deployment Server: If you choose to use the Splunk Deployment Server, and it isn't already installed, you will be provided the step-by-step installation and configuration instructions.
      • Splunk Heavy Forwarder: If you choose to use the Splunk Heavy Forwarder, and it isn't already installed, you will be provided the step-by-step installation and configuration instructions.
      • Splunk Add-on for Microsoft Windows: If you have not already installed the Splunk Add-on for Microsoft Windows on your search heads, indexers, heavy forwarders or Splunk Cloud environment, you will be provided the steps for doing so.
    • Knowledge object configuration: You will be provided the steps, including validation status, for creating the Splunk indexes that will store the Windows data and for configuring the macros that point to the Windows data.
    • Defining deployment server classes: If you are using a Splunk Deployment Server, you will be provided the steps for creating the deployment server classes, configuring the TAs that will be deployed, and defining the target Splunk forwarders the TAs will be deployed to.
    • Building the MS Windows AD Objects KV store lookups: You will be provided the steps, and perform the actions, for building the required lookups for your AD User, Group, Computer, GPO and OU objects.
    • Other best-practice configuration or validation: Depending on your scope definitions, you will also be provided other necessary configuration or Getting Data In steps.

Supporting Splunk Application Requirements:

Below is a list of the required supporting Splunk applications for each Splunk component.

  • Splunk Search Head:
    • Required - MS Windows AD Objects
    • Required - Splunk Add-on for Microsoft Windows
    • Optional - Splunk for Windows Infrastructure or Splunk for Microsoft Exchange
  • Splunk Indexer:
    • Required - Splunk Add-on for Microsoft Windows
  • Splunk Universal Forwarder:
    • Required - Splunk Add-on for Microsoft Windows
  • Splunk Cloud Environment:
    • Required - MS Windows AD Objects
    • Required - Splunk Add-on for Microsoft Windows
    • Optional - Splunk for Windows Infrastructure or Splunk for Microsoft Exchange
  • Splunk Heavy Forwarder:
    • Required - Splunk Add-on for Microsoft Windows
    • Splunk Cloud Only - Splunk Cloud Credentials Application

Data Requirements:

This application leverages admon (i.e. sourcetype=ActiveDirectory) data collected by the Splunk Add-on for Microsoft Windows TA or by the Splunk_TA_windows_admon pre-configured TA provided by the MS Windows AD Objects application. Below are the two types of admon data leveraged:

  • admon Data Types:
    • admon Baseline data:
      • A single point-in-time, complete event dump of the Active Directory object attributes
    • admon Update and Delete data:
      • Events that are generated when AD objects are updated or deleted.

This application also leverages Windows Event Logs, WinHostMon, and Performance Counter data collected by the Splunk Add-on for Microsoft Windows TA and/or the Splunk_TA_windows_dc/Splunk_TA_windows/local/inputs.conf pre-configured TAs provided by the MS Windows AD Objects application.

Release Notes

Version 4.1.1
Oct. 13, 2021

MS Windows AD Objects = 4.1.1

IMPORTANT NOTE:

  • There is a current issue with the latest Splunk Add-on for Microsoft Windows where the msad_action field is not being correctly extracted for XMLWinEventLogs only. See the Details tab for a workaround. A fix will be added in the next version.

Fixed Dashboards:

  • Fixed CSS for dashboards
  • Removed hardcoded content from AD Object - Group Changes

Fixed Regex, Fields for user and user_obj_lkp

New Features: Multi-Domain - Split Lookups:

  • Added the capability to split the AD_Obj_(User/Group/Computer) lookups into separate lookups per domain.
    This overcomes the issue of large, multi-domain environments reaching KV Store replication limits. This version provides a way to split the AD_Obj_(User/Group/Computer) lookups into smaller ones by AD domain.
  • NOTE: This requires manual steps, which are outlined in the "AD Objects - CFG - Split KVs" dashboard.

New Features: Multi-Domain - Registry Reports:

  • 9 new Windows Registry reports

Version 4.0.3
Aug. 20, 2020

Version 4.0.3:
- Important NOTE: If you previously installed version 4.0.2, you will need to rebuild the lookups using the "Build AD Lookup Lists - Main" dashboard.
- Fixed dn_path field extractions.
- Fixed an issue where new admon event data was being appended to the lookups instead of updating the existing row.
- New - Added new fields that can be used for filtering Users/Groups/Computers by cn, dn, sAMAccountName, or userPrincipalName: AD_Obj_User (lookup_usr field), AD_Obj_Group (lookup_grp field), AD_Obj_Computer (lookup_cmp field). For example, this helps look up an event's user field and pull back the AD attributes, where the user value can be the cn, dn, historical dn, sAMAccountName or email address (... | lookup AD_Obj_User lookup_usr AS user OUTPUT dn AS user_dn, cn AS user_cn).
- Added some new Critical Objects correlation and performance reports.
NOTE: Updating from a pre-4.x version:
This update consists of multiple enhancements and changes; carefully read the Details info before upgrading.
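The lookup_usr matching described for version 4.0.3, as an added search that is not part of the app: it enriches Security events with the user's AD attributes from the AD_Obj_User lookup and separates accounts that have no AD object (non-domain or unknown accounts) from those that do. It assumes the index name wineventlog as a placeholder and that the lookup carries the dn, cn, sAMAccountName and memberOf attributes of each user object.

```spl
index=wineventlog source="XmlWinEventLog:Security" earliest=-24h user=*
| lookup AD_Obj_User lookup_usr AS user OUTPUT dn AS user_dn, cn AS user_cn, sAMAccountName AS user_sam, memberOf AS user_groups
| eval ad_match=if(isnull(user_dn), "no AD object (non-domain or unknown)", "AD object found")
| fillnull value="-" user_dn user_cn user_sam
| stats count AS events, dc(EventCode) AS distinct_event_codes, values(EventCode) AS event_codes, values(user_groups) AS groups BY user ad_match user_cn user_sam user_dn
| sort ad_match, -events
```

Because lookup_usr matches on cn, dn, historical dn, sAMAccountName or UPN, the same search works whether the event's user field carries a short account name or a full distinguished name.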

Version 3.2.9
April 12, 2019

Version 3.2.9 (Latest):
✓ Resolved:
⁃ Fixed: v3.2.5 Important Update - possible search performance impact. Updated the field extraction (ms_ad_obj_admon_forest_s) added with v3.2.5. Also optimized the AD_Domain_Selector building search.
⁃ Fixed: [admon_dn_path] transform regex for getting the dn_path field content.
✓ Enhanced Initial Lookup Building Searches:
⁃ Added a sub-search to the "Build" reports that uses the most recent admonEventType("Sync") event as the starting time point for building the AD Object lookups. This improves performance, especially in environments with large amounts of historical admon data. Create a new admon baseline for the quickest build results.
⁃ Deleted objects: admon events are picked up for the last 90 days, but this can be adjusted in the search settings.
✓ New - Pre-Configured - Splunk_TA_windows v6.0 input examples:
⁃ Pre-configured and enabled inputs.conf examples for speeding up initial Windows deployments (.../appserver/addons/TA_Examples/).
✓ Updated macros, reports and dashboards; see the in-app documentation.

Version 3.2.7
April 12, 2019

Version 3.2.6 (Latest):
✓ Resolved:
⁃ Fixed: v3.2.5 Important Update - possible search performance impact. Updated the field extraction (ms_ad_obj_admon_forest_s) added with v3.2.5. Also optimized the AD_Domain_Selector building search.
⁃ Fixed: [admon_dn_path] transform regex for getting the dn_path field content.
✓ Enhanced Initial Lookup Building Searches:
⁃ Added a sub-search to the "Build" reports that uses the most recent admonEventType("Sync") event as the starting time point for building the AD Object lookups. This improves performance, especially in environments with large amounts of historical admon data. Create a new admon baseline for the quickest build results.
⁃ Deleted objects: admon events are picked up for the last 90 days, but this can be adjusted in the search settings.
✓ New - Pre-Configured - Splunk_TA_windows v6.0 input examples:
⁃ Pre-configured and enabled inputs.conf examples for speeding up initial Windows deployments (.../appserver/addons/TA_Examples/).
✓ Updated macros, reports and dashboards; see the in-app documentation.

Version 3.2.3
June 20, 2018

Resolved Issues:
⁃ Cloud Verification Fixes:
⁃ Replaced the "Real Time" time setting for the AD Objects - Verify Baseline Data - Completed report.
⁃ Updated the MS_Windows_AD_Changes data model settings to not enable acceleration by default.
⁃ Other Fixes:
⁃ Fixed the Documentation view.
⁃ Added transforms stanzas/settings for lookups:
⁃ ms_ad_obj_uac_temp.csv, ms_ad_obj_field_AD_Computer_LDAP_list.csv, ms_ad_obj_field_AD_User_LDAP_list.csv, ms_ad_obj_field_AD_Group_LDAP_list.csv, ms_ad_obj_user_rights_map.csv.
⁃ These lookups are extra lookups available for reference or expansion.
⁃ Fixed regex issues in transforms where capturing groups were used instead of non-capturing groups.
⁃ Updated the Sync and Build searches for Users, Computers and Groups to remove the values in the memberOf field when the object is deleted.
⁃ Added another field, memberOf_hist, that contains the memberOf values at the time the object is deleted.
⁃ Enhanced the User Audit dashboard with tooltip information.

Version 3.2
April 4, 2018

Version 3.2:
Fixed:
- Regex - user \S-\S issue, to \S-\S
- case sensitivity for lookups
- missing domain field
- admin audit lookup was getting populated when a user resets their own password
- enhanced and new field extractions
- enabled case-insensitive setting for lookups
Enhanced UI:
- Updated login dashboard/reports to use a more efficient search.
- Updated Dashboards: Admin Change Management, Logon Ratio (Now includes non-domain attempts), Group Sub-Search Builder, and numerous others.
For more information please refer to the Configuration Dashboards -> Documentation view.

Version 3.1.1
June 21, 2017

Version 3.1.1
Minor updates - Updated field extraction to retrieve cn and user values for AD object moves. Also fixed a minor issue with the Application Health - Saved Servers dashboard. Including the previous release notes for other recent information from version 3.0.
Version 3.1
Resolved Issues:
  1. Fixed duplication of the domain field when deploying against multiple domain controllers.
  2. Resolved an issue with the integration dashboards for the Winfra/Exchange apps pointing to the LDAP search.
  3. Updated several field extractions and added a user_type evaluation field for improving login reports and dashboards.
Added Dashboards:
  1. Login Status Ratio
  2. Application Knowledge Browser - Thank You Cindy McCririe

Version 3.1
June 20, 2017

Version 3.1
Resolved Issues:
  1. Fixed duplication of the domain field when deploying against multiple domain controllers.
  2. Resolved an issue with the integration dashboards for the Winfra/Exchange apps pointing to the LDAP search.
  3. Updated several field extractions and added a user_type evaluation field for improving login reports and dashboards.
Added Dashboards:
  1. Login Status Ratio
  2. Application Knowledge Browser - Thank You Cindy McCririe

