
Which of these Splunk apps do I use for Windows Advanced Audit Policy Configuration in our environment?

jodyc100x
New Member

Hello All,

I'm a new Splunker and have a Windows 6.3.2 enterprise installed with the following:

Supporting Add-on for Active Directory v 2.1.2
Cisco Security Suite v 3.1.1
Template for Citrix XenDesktop 7 v 1.1.1
App for Windows Infrastructure v 1.2.0
Add-on for PowerShell v 1.2.1
TA_Windows v 4.8.1

We are using Advanced Audit Policy (AAP) Configuration in our environment. I am not having any luck finding documentation on which AAP settings need to be configured. It appears to be an all or nothing proposition where either we get almost no information or millions of events in a very short period of time. I have searched the Splunk site fairly thoroughly, but have not found any really helpful guidance on this. I did find this page:

http://docs.splunk.com/Documentation/MSApp/1.2.0/MSInfra/ConfigureActiveDirectoryauditpolicy

This page mentions AAP, but quickly loses me when suggesting I review eventtypes.conf file. Any help or suggestions are greatly appreciated!

jpc


ralf_sturhan
Engager

I found this great table, which lists the AAP GPO settings and corresponding Event IDs: http://girl-germs.com/?p=363 . If you take the Event IDs in the eventtypes.conf of the Splunk App for Windows Infrastructure, you get the following table:

Account
    Audit Credential Validation             4776
    Audit Kerberos Authentication Service   4768, 4771
Account Management
    Audit Distribution Group Management     4744, 4745, 4746, 4747,
                                            4748, 4749, 4750, 4751,
                                            4752, 4753, 4759, 4760,
                                            4761, 4762
    Audit Computer Account Management       4741, 4742, 4743
    Audit User Account Management           4720, 4722, 4723, 4724,
                                            4725, 4726, 4738, 4740,
                                            4767, 4781
    Audit Security Group Management         4727, 4728, 4729, 4730,
                                            4731, 4732, 4733, 4734,
                                            4735, 4737, 4754, 4755,
                                            4756, 4757, 4758, 4764
DS Access
    Audit Directory Service Access          4662
Logon/Logoff
    Audit Account Lockout                   4625
    Audit Logon                             4624, 4625
Policy Change
    Audit Audit Policy Change               4912
System
    Audit Security State Change             4609
    Audit System Integrity                  4612

Enabling the Success and Failure check boxes for each of them in Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration should do the trick.

[edit 2016/01/19: added some missing event ids and GPO settings]
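A way to verify that the policy above actually took effect on a host, as an added example that is not part of the answer or of the Splunk App for Windows Infrastructure: the script below takes the table from the answer (subcategory to Event ID mapping), parses the text that `auditpol /get /category:*` prints on a domain controller, and reports every subcategory that is not set to "Success and Failure" together with the Event IDs Splunk will consequently never see. The auditpol output format and the subcategory names (the GPO names without the leading "Audit ") are assumptions from the tool's documented behaviour; the `auditpol` sample embedded in the script is constructed, not captured from a real host.

```python
"""Cross-check effective Windows Advanced Audit Policy settings against the
Event IDs that the Splunk App for Windows Infrastructure eventtypes expect.

Added example, not code from the forum answer or from Splunk. It parses the
text output of `auditpol /get /category:*` (format assumed; sample constructed)
and lists the subcategories that are not fully enabled, plus the Event IDs
that will be missing from Splunk as a result.
"""
import re

# Mapping taken from the table in the answer above. auditpol refers to
# subcategories without the "Audit " prefix shown in the Group Policy editor
# (assumption about naming; adjust if your auditpol output differs).
AAP_EVENT_IDS = {
    "Credential Validation": [4776],
    "Kerberos Authentication Service": [4768, 4771],
    "Distribution Group Management": [4744, 4745, 4746, 4747, 4748, 4749, 4750,
                                      4751, 4752, 4753, 4759, 4760, 4761, 4762],
    "Computer Account Management": [4741, 4742, 4743],
    "User Account Management": [4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740,
                                4767, 4781],
    "Security Group Management": [4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734,
                                  4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764],
    "Directory Service Access": [4662],
    "Account Lockout": [4625],
    "Logon": [4624, 4625],
    "Audit Policy Change": [4912],
    "Security State Change": [4609],
    "System Integrity": [4612],
}

# Constructed sample of `auditpol /get /category:*` output (not from a real host).
# Category lines are flush left; subcategory lines are indented two spaces and
# end with one of: No Auditing, Success, Failure, Success and Failure.
SAMPLE_AUDITPOL_OUTPUT = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         No Auditing
Account Management
  User Account Management                 Success
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           No Auditing
DS Access
  Directory Service Access                Failure
Policy Change
  Audit Policy Change                     Success and Failure
Account Logon
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
"""

SETTING_RE = re.compile(
    r"^\s{2}(?P<name>.+?)\s{2,}"
    r"(?P<setting>No Auditing|Success and Failure|Success|Failure)\s*$"
)


def parse_auditpol(text):
    """Return {subcategory: setting} from auditpol's text output."""
    settings = {}
    for line in text.splitlines():
        match = SETTING_RE.match(line)
        if match:
            settings[match.group("name")] = match.group("setting")
    return settings


def find_gaps(settings, required=AAP_EVENT_IDS):
    """Return {subcategory: (current_setting, event_ids)} for each required
    subcategory that is not set to 'Success and Failure'. A subcategory that
    does not appear in the output at all is reported as 'not present'."""
    gaps = {}
    for subcategory, event_ids in required.items():
        current = settings.get(subcategory, "not present")
        if current != "Success and Failure":
            gaps[subcategory] = (current, sorted(event_ids))
    return gaps


def subcategories_for_event(event_id, required=AAP_EVENT_IDS):
    """Reverse lookup: which subcategories must be enabled to see an EventCode."""
    return sorted(sub for sub, ids in required.items() if event_id in ids)


if __name__ == "__main__":
    # On a real host, feed the script the output of: auditpol /get /category:*
    for sub, (current, ids) in sorted(find_gaps(parse_auditpol(SAMPLE_AUDITPOL_OUTPUT)).items()):
        print(f"{sub}: currently '{current}'; Splunk will miss some or all of {ids}")
```

Run it against the real `auditpol /get /category:*` output of a domain controller to see which rows of the table above are still switched off; the reverse lookup answers the other common question, "I never see EventCode 4740, which subcategory is responsible?".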
