Daily Splunk Reports
So I am a full convert and profit of Splunk now. I have been using it at work for around 4 months now. I have rolled it out to our domain controllers and have started rolling it to all our Windows and *nix servers. The ability to find out who did what has made my job so much easier. There was an incident where an OU was deleted in our AD. I was able to see exactly who and when did it. Normally this type of searching wasn't possible or at least hard to get due to the size of our infrastructure. Our Event Logs roll over around once an hour. The OU was deleted 8 hours before we were contacted.
Here is a few of the reports I have scheduled to get every morning to take a look at what has happened in my environment.
User Accounts deleted:
EventCode="630" | fields Caller_User_Name, Target_Domain, Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Account | rename host as DomainController | rename Target_Domain as Users_Domain
User Accounts created:
EventCode="624" | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Modified_Account | rename host as DomainController | rename New_Domain as New_Account_Domain
Computer Accounts deleted:
EventCode="647" | fields Caller_User_Name, Target_Domain, Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Computer | rename host as DomainController | rename Target_Domain as Removed_Domain
Computer Accounts created:
EventCode="645" | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename New_Account_Name as New_Computer | rename host as DomainController | rename New_Domain as Joined_Domain
Getting more intelligence on how much data splunk is eating.
http://www.splunkninja.com/profiles/blogs/getting-more-intelligence-on
Great article from Michael Wilde on how to see how much data you are indexing from Splunk
Searching for Account Lockouts with Splunk
This requires that the Splunk agent is getting the security event from the Domain Controller(s).
- Find the username of the person
- Log in to the Splunk server.
- Click on the Search button.
- Enter the search paramitters to find the user and select your time frame for the search:
source="WinEventLog:Security" User_Name="lockedUser"
- Then check the “Client_Address” field. This can be found on the left column.
- The client IP shows where the lockout came from.
1. Find the username of the person
2. Log in to the Splunk server.
3. Click on the Search button
4. Enter the search paramitters to find the user and select your time frame for the search:
source="WinEventLog:Security" Type="Failure Audit" User_Name="lockedUser"
5. Then check the “Client_Address” field. This can be found on the left column
6. The client IP shows where the lockout came from.
Archives
- August 2010 (2)
- July 2010 (3)
- May 2010 (3)
- March 2010 (2)
- February 2010 (4)
- January 2010 (5)
- December 2009 (5)
- November 2009 (2)
- October 2009 (2)
- September 2009 (3)
- August 2009 (1)
- July 2009 (3)
- June 2009 (8)
Tags
Begging for money
