Getting Data In

Active directory data input.

clyde772
Communicator

What is the most suggested way to pull data from Active Diretory?

We need to input Active Directory's user information for event co-relations.

THanks Gurus~!

Tags (1)
0 Karma

ahall_splunk
Splunk Employee
Splunk Employee

Wow - answering a year old query.

Set up a temporal lookup based on the Windows Security Log (which you will need to ingest from the domain controllers). You can use http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j to figure out the EventCode that you need to read for the user logons.

Note that most windows systems use Kerberos "pre-authentication" to do authentication. So the logon events are not necessarily obvious. Just take a look at the events and extract the username and domain (preferenbly as the CIM compliant fields user and src_nt_domain.

ftk
Motivator

A good starting point would be the documentation, specifically Monitor Active Directory in the Admin manual.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...