Hi guys,
I'm trying to define a search to spot Active Directory domain controllers which have not (and possibly never have) sent their security logs into Splunk.
I can easily get a list of domain controllers from DNS (_ldap._tcp.dc._msdcs. SRV records). As a first stage I'd simply like to paste this list into a search and then do a set operation to subtract the hosts which we've received data from. Later I guess I could get Splunk to do the DNS query too.
Something like, to mix Splunk & SQL syntax:
["list of DCs here" as host] host NOT IN [search sourcetype="wineventlog:security" | dedup host | fields host]
To show me everything in the first list which doesn't match a host in the second.
regards,
-ross
Here's how I ended up solving this:
| set diff
    [ | set union
        [ | ldapsearch domain="DOMAIN1" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))" ]
        [ | ldapsearch domain="DOMAIN2" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))" ]
      | fields cn | fields - _* | eval host=cn | fields - cn ]
    [ search index=winsec | dedup host | eval host=upper(host) | fields host | fields - _* ]
So, interestingly, the "fields somefield - _*" syntax didn't work as a filter here, hence the multiple uses of "fields": one to select fields, one to filter out the ones I didn't want.
-ross
You could store your DC list in a CSV and use a lookup, just index a list of DCs, or WMI query AD periodically. Once you have your complete search, just use the diff command. You will probably have to play around a bit with your results.
... | diff position1=1 position2=3 attribute=domain_controller
Hope this helps you. Cheers.
Please don't forget to click accept and upvote this post if it helps you.
Additional reading:
enriching-data-with-lookups-part-1
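Putting the CSV-lookup suggestion above together with the set-difference idea from the question, here is an added example search (not from either poster) that lists domain controllers with no security events in the last 24 hours. It assumes a lookup file domain_controllers.csv with a single column named host, and the index=winsec / sourcetype=WinEventLog:Security naming used elsewhere in this thread.

```spl
| inputlookup domain_controllers.csv
| eval host=upper(host), expected=1
| append
    [ | tstats latest(_time) AS last_seen
        WHERE index=winsec sourcetype="WinEventLog:Security" earliest=-24h
        BY host
      | eval host=upper(host) ]
| stats max(expected) AS expected, max(last_seen) AS last_seen BY host
| where expected=1 AND isnull(last_seen)
| eval last_seen="never (in window)"
| table host last_seen
```

Both sides are upper-cased before the stats merge so that a lookup entry like dc01 matches events reporting DC01; tstats is used instead of a raw search so the subsearch stays cheap enough to schedule as a daily alert.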
Ta very much. I started this but then just switched to deploying the Splunk for Active Directory app instead!