The MS Windows AD Objects application leverages admon (Active Directory monitoring) data to build and update AD object lookup files stored in the KV store. These lookup files can then be used to look up the latest (< 10 minutes old) AD attribute information for User, Group, Group Policy, Organizational Unit, and Computer AD objects. This app also contains updated dashboard files for the Splunk for Windows Infrastructure and Splunk for Microsoft Exchange applications that you can optionally use instead of the default ones provided by those applications. These updated files replace the SA_LDAPSearch (Splunk Support Add-On for Active Directory) LDAP queries in the searches/macros/dashboards with the MS Windows AD Objects lookups.
There is a current issue where the msad_action field is not extracted by the Splunk Add-on for Windows for XmlWinEventLog events. This field is heavily used by this application, so a workaround is given below until the TA is fixed or a new version of this app is released.
Version:4.03:
- Important NOTE: If you previously installed version 4.0.2, then you will need to rebuild the lookups using the "Build AD Lookup Lists - Main" dashboard.
- Fixed dn_path field extractions
- Fixed an issue where new admon event data was appended to the lookups instead of updating the existing row.
- New - Added fields that can be used to filter Users/Groups/Computers by cn, dn, sAMAccountName, or userPrincipalName: AD_Obj_User (lookup_usr field), AD_Obj_Group (lookup_grp field), AD_Obj_Computer (lookup_cmp field). For example, this lets you look up an event's user field and pull back the AD attributes, where the user value can be the cn, dn, historical dn, sAMAccountName or email address. (... | lookup AD_Obj_User lookup_usr AS user OUTPUT dn AS user_dn, cn AS user_cn )
- Added some new Critical Objects correlation and performance reports.
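As an added example (not part of the app's own documentation), the search below uses the lookup_usr and lookup_grp fields described above to enrich group membership changes from the Windows Security log with AD attributes for the actor, the added member and the target group, and then flags adds where the member could not be resolved to a known AD user object. The index name, the XmlWinEventLog field names (SubjectUserName, MemberName, TargetUserName) and the output attribute names other than dn and cn are assumptions.

```spl
index=wineventlog sourcetype="XmlWinEventLog" EventCode IN (4728, 4732, 4756)
| rename SubjectUserName AS actor, MemberName AS member, TargetUserName AS group
| lookup AD_Obj_User lookup_usr AS actor OUTPUT dn AS actor_dn, cn AS actor_cn
| lookup AD_Obj_User lookup_usr AS member OUTPUT dn AS member_dn, cn AS member_cn, sAMAccountName AS member_sam
| lookup AD_Obj_Group lookup_grp AS group OUTPUT dn AS group_dn, cn AS group_cn
| eval member_resolved=if(isnull(member_dn), "no", "yes")
| eval member_cn=coalesce(member_cn, member), group_cn=coalesce(group_cn, group)
| table _time, EventCode, actor_cn, actor_dn, member_cn, member_sam, member_dn, member_resolved, group_cn, group_dn
| sort - _time
```

Because lookup_usr matches on cn, dn, historical dn, sAMAccountName or UPN, the same search works whether MemberName carries a dn and SubjectUserName carries a sAMAccountName; rows with member_resolved="no" point at objects the lookups have not yet seen (for example, a lookup that has not been rebuilt) and are worth checking before relying on the enrichment.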
NOTE: Updating from a pre-4.x version:
This update consists of multiple enhancements and changes; carefully read the detailed information before upgrading.
Version 3.29 (Latest):
✓ Resolved:
⁃ Fixed: v3.2.5 Important Update - Possible search performance impact. Updated the field extraction (ms_ad_obj_admon_forest_s) that was added with v3.2.5. Also optimized the AD_Domain_Selector building search.
⁃ Fixed: [admon_dn_path] transform regex for extracting the dn_path field content.
✓ Enhanced Initial Lookup Building Searches:
⁃ Added a sub-search to the “Build” reports that uses the most recent admonEventType=“Sync” event as the starting point for building the AD Object lookups. This improves performance, especially in environments with large amounts of historical admon data. Create a new admon baseline for the quickest build results.
⁃ Deleted objects: admon events are picked up for the last 90 days; this window can be adjusted in the search settings.
✓ New - Pre-Configured - Splunk_TA_windows V 6.0 input examples:
⁃ Pre-Configured and enabled inputs.conf examples for speeding up initial Windows deployments. (.../appserver/addons/TA_Examples/)
✓ Updated macros, reports and dashboards; see the in-app documentation.
Resolved Issues:
⁃ Cloud Verification Fixes:
⁃ Replaced “Real Time” time setting for the AD Objects - Verify Baseline Data - Completed report.
⁃ Updated the MS_Windows_AD_Changes data model settings to not enable acceleration by default.
- Other Fixes:
- Fixed Documentation View
⁃ Added transforms stanzas/settings for lookups:
⁃ ms_ad_obj_uac_temp.csv, ms_ad_obj_field_AD_Computer_LDAP_list.csv, ms_ad_obj_field_AD_User_LDAP_list.csv, ms_ad_obj_field_AD_Group_LDAP_list.csv, ms_ad_obj_user_rights_map.csv.
⁃ These lookups are extra lookups available for reference or expansion.
⁃ Fixed regex issues in transforms where capturing groups were used instead of non-capturing groups.
⁃ Updated Sync and Build Searches for Users, Computers and Groups to remove the values in the memberOf field when the object is deleted.
⁃ Added another field, memberOf_hist that will contain the memberOf values at the time the object is deleted.
⁃ Enhanced the User Audit dashboard with tooltip information.
Version 3.2:
Fixed:
- Regex - user \S-\S issue, to \S-\S
- case sensitivity for lookups
- missing domain field
- admin audit lookup was getting populated when a user resets their own password
- enhanced and new field extractions
- enabled case-insensitive setting for lookups
Enhanced UI:
- Updated login dashboard/reports to use a more efficient search.
- Updated Dashboards: Admin Change Management, Logon Ratio (Now includes non-domain attempts), Group Sub-Search Builder, and numerous others.
For more information please refer to the Configuration Dashboards -> Documentation view.
Version 3.1.1
Minor Updates - Updated the field extraction to retrieve the cn and user values for AD object moves. Also fixed a minor issue with the Application Health - Saved Servers dashboard. The previous release notes are included below for other recent information from version 3.0.
Version:3.1
Resolved Issues (1. Fixed duplication of the domain field when deploying against multiple domain controllers. 2. Resolved issue with the integration dashboards for Winfra/Exchange Apps pointing to the ldap search. 3. Updated several field extractions and added a user_type evaluation field for improving login reports and dashboards.)
Added Dashboards (1. Login Status Ratio 2. Application Knowledge Browser - Thank You Cindy McCririe)