Getting Data In

Identifying non-reporting hosts via correlation with DNS.

rmckerchar
New Member

Hi guys,

I'm trying to define a search to spot Active Directory domain controllers which have not (and possibly never have) sent their security logs into Splunk.

I can easily get a list of domain controllers from DNS (_ldap._tcp.dc._msdcs. SRV records). As a first stage I'd simply like to paste this list into a search and then do a set operation to subtract hosts which we've received data from. Later I guess I could get Splunk to do the DNS query too.

Something like, to mix splunk & SQL syntax:

["list of DCs here" as host] host NOT IN [search sourcetype="wineventlog:security" | dedup host | fields host]

To show me everything in the first list which doesn't match a host in the second.

regards,

-ross


rmckerchar
New Member

Here's how I ended up solving this:

| set diff [ | set union [| ldapsearch domain="DOMAIN1" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"] [| ldapsearch domain="DOMAIN2" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"] | fields cn | fields - _* | eval host=cn | fields - cn
] [ search index=winsec | dedup host | eval host=upper(host) | fields host | fields - _* ]

So,

  1. Do some LDAP searches to get DCs for a couple of our domains (had to do a union here, as domain=A OR domain=B didn't seem to work in conjunction with the ldapsearch app).
  2. Rename the cn field as host.
  3. Diff against a search which returns all DCs only (in our case this was a specific index used by DC security logs). Upper the host field to get around case differences.

Interestingly, the "fields somefield - _*" syntax didn't work as a filter here, hence multiple use of "fields". One to select fields, one to filter out the ones I didn't want.

-ross

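The same "expected minus observed" check, written in Python as an added example (it is not code from this thread and not Splunk's own), run over constructed inputs so it works offline. It shows the two details the SPL above has to deal with: host-name case, and the mismatch between what DNS or LDAP returns (FQDN or cn) and what the host field carries (often a bare short name). It also keeps a DC that only sent non-security logs in the non-reporting list, since only the security sourcetype counts, and flags rather than silently clears a bare short name that exists in more than one domain. The DC names and event lines are constructed sample data.

```python
"""Find expected domain controllers that have not sent security events.

Added example, not from the original thread. All names and events below are
constructed sample data.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed: targets of the _ldap._tcp.dc._msdcs.<domain> SRV records for two
# domains, as a DNS query might return them (mixed case, trailing dots).
EXPECTED_DCS = [
    "dc01.corp.example.com.",
    "DC02.corp.example.com.",
    "dc03.corp.example.com.",
    "dc01.lab.example.com.",
]

# Constructed: key=value events as a collector might emit them. The host value
# arrives as a bare name or an FQDN, in mixed case; one DC only sent system logs.
SAMPLE_EVENTS = [
    "ts=2024-05-01T10:00:00Z sourcetype=wineventlog:security host=DC01 EventCode=4624",
    "ts=2024-05-01T10:00:05Z sourcetype=wineventlog:security host=dc02.corp.example.com EventCode=4768",
    "ts=2024-05-01T10:00:09Z sourcetype=wineventlog:system host=dc03 EventCode=7036",
    "ts=2024-05-01T10:01:00Z sourcetype=wineventlog:security host=member01 EventCode=4624",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize_host(name: str) -> str:
    """Lower-case a DNS name and drop surrounding whitespace and the trailing dot."""
    return name.strip().rstrip(".").lower()


def short_name(fqdn: str) -> str:
    """First DNS label, which is what a bare host field usually carries."""
    return fqdn.split(".", 1)[0]


def observed_hosts(events, sourcetype: str = "wineventlog:security") -> set[str]:
    """Normalized host values of all events carrying the given sourcetype."""
    seen: set[str] = set()
    for line in events:
        fields = dict(KV_RE.findall(line))
        if fields.get("sourcetype") == sourcetype and "host" in fields:
            seen.add(normalize_host(fields["host"]))
    return seen


def non_reporting(expected_dcs, events, sourcetype: str = "wineventlog:security") -> dict:
    """Classify each expected DC as reporting, missing, or ambiguous.

    An exact FQDN match is conclusive. A bare short name in the logs is only
    conclusive when exactly one expected DC has that short name; otherwise the
    DC is flagged ambiguous instead of being assumed healthy.
    """
    observed = observed_hosts(events, sourcetype)
    observed_bare = {h for h in observed if "." not in h}
    by_short: dict[str, list[str]] = defaultdict(list)
    for dc in expected_dcs:
        fqdn = normalize_host(dc)
        by_short[short_name(fqdn)].append(fqdn)

    result: dict[str, list[str]] = {"reporting": [], "ambiguous": [], "missing": []}
    for short, fqdns in by_short.items():
        for fqdn in fqdns:
            if fqdn in observed:
                result["reporting"].append(fqdn)
            elif short in observed_bare:
                result["reporting" if len(fqdns) == 1 else "ambiguous"].append(fqdn)
            else:
                result["missing"].append(fqdn)
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    for status, hosts in non_reporting(EXPECTED_DCS, SAMPLE_EVENTS).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

With the sample data, dc03.corp.example.com comes out as missing (its only event is a system log), dc02 is reporting by exact FQDN match, and the two dc01 hosts are ambiguous because the bare "DC01" in the logs could belong to either domain. Feeding the script a real SRV answer and a host-field export from the index would be the equivalent of the set diff in the SPL above, with the case and short-name handling made explicit.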

bmacias84
Champion

You could store your DC list in a CSV and use a lookup, just index a list of DCs, or WMI query AD periodically. Once you have your complete search, just use the diff command. You will probably have to play around a bit with your results.


... | diff pos1=1 pos2=3 attribute=domain_controller

Hope this helps you. Cheers.

Please don't forget to click accept and upvote this post if it helps you.

Additional reading:

Diff

enriching-data-with-lookups-part-1

enriching-data-with-db-lookups-part-2

CreateAndConfigureFieldLookups

rmckerchar
New Member

Ta very much. I started this but then just switched to deploying the Splunk for Active Directory app instead!
