No matter how big or small you are, whether you have budget or not – you need to be monitoring changes in Active Directory. There are awesome Active Directory audit solutions out there. And ideally you are using one of them. But if for whatever reason you can’t, you still have AD and it still needs to be monitored. This solution helps you do just that.
Yesterday during Randy Franklin Smith’s webinar:
How to Monitor Active Directory Changes for Free: Using Splunk Free, Supercharger Free and My New Splunk App we released a version of our Splunk App for LOGbinder. Not only is this application
free, but with the help of our just announced free edition of Supercharger for Windows Event Collection, we demonstrate the power of WEC’s Xpath filtering to deliver just the relevant events to Splunk Free and stay within the 500MB daily limit of Splunk Light’s free limitations. It’s a trifecta free tools that produces this:
Among other abilities, our new Splunk App puts our deep knowledge of the Windows Security Log to work by analyzing events to provide an easy to use but powerful dashboard of changes in Active Directory. You can see what’s been changing in AD sliced up
• by object type (users, groups, GPOs, etc)
• by domain
• by time
• by administrator
Too many times we see dashboards that showcase the biggest and highest frequency actors and subjects but get real – most of the time what you are looking for is the needle – not the haystack. So we show the smallest, least frequent actors and objects too.
Just because it’s free doesn’t mean it’s low value. We put some real work into this. We always learn something new about or own little AD lab environment when we bring this app up. To make this app work we had to make some improvements to how Splunk parses Windows Security Events. The problem with stuff built by non-specialists is that it suffices for filling in a bullet point like “native parsing of Windows Security Logs” but doesn’t come through when you get serious about analysis. Case-in-point: Splunk treats these 2 very different fields in the below event as one:
As you can see rsmith created the new user cmartin. But checkout what Splunk does with that event:
Whoah! So there’s no different between the actor and the target of a critical event like a new account being created? One Splunker tells me they have dealt with this issue by ordinal position but we are frightened that actor and target could switch positions. Anyway, it’s ugly. Here’s what the same vent looks like once you install our Splunk App:
That’s what we’re talking about! Hey, executives may say that’s just the weeds but we know that with security the devil is in the details.
Now, you knowledgeable Splunkers out there are probably wondering if we get these events by defining them at index time. And the answer is “no”. Randy provided the Windows Security Log brains but we got a real Splunker to build the app and you’ll be happy to know that Imre defined these new fields as search time fields. So this works on old events already indexed and more importantly doesn’t impact indexing. We tried to do this right.
Plus, we made sure this app works whether you consume events directly from the Security log each computer or via Windows Event Collection (which is what we recommend with the help of Supercharger).
For those of you new to Splunk, we’ll quickly show you how to install Splunk Free and our Splunk App. Then we’ll show you how in 5 minutes or our free edition of Supercharger for Windows Event Collection can have your domain controllers efficiently forwarding just the relative trickle of relevant change events to Splunk. Then we’ll start rendering some beautiful dashboards and drilling down into those events. We will briefly show you how this same Splunk app can also analyze SharePoint, SQL Server and Exchange security activity produced by our LOGbinder product and mix all of that activity with AD changes and plot it on a single pane of glass.
And if you are already proficient with Splunk and collecting domain controller logs you can get the Splunk app at
https://www.logbinder.com/Resources/ and look under SIEM Integration.