
How to correctly interpret sourcetype for Security log from Domain Controllers?

evelenke
Contributor

This one may be a bit of a weird question, more for DC admins and data model builders, but a conceptual one :)
Using the add-on for MS Windows (Splunk_TA_Windows) for parsing the Domain Controller's Security event log brings us several questions:
Is it correct that the field "dest" is aliased from ComputerName (ComputerName_as_dest), which is always the actual name of the Domain Controller, and "src" is the machine/server where the user has authenticated?
Thus in many cases "src" is a service server (Exchange, Remote Desktop, RADIUS etc.), which obviously should be the destination. This fact results in numerous notable events for rules like "Brute force behavior detected" or "Excessive failures", as hundreds of people may authenticate to the server.
Right now I think it's better to restrict the eventtype for authentication events on DCs to only the combination "EventCode=4624 Logon_Type=2", or to exclude all public servers.
I'd like to ask for any recommendations, if someone has faced the same thoughts and revised the knowledge approach - what is source, what is dest... How to not affect rules in ES with such customizations.
And is it possible to get the real (first hop) source from AD (maybe some other logs exist) in case we can't correlate with service and endpoint logs?


apezuela
Explorer

Hi,

When you see a service server in src, it is right, because in this event the service server is acting as a client. We have exclusions in our alerts to avoid false positives from these servers. If you want to get the real IP address of a client, in that case (service servers) you need to get logs from those services (for example, in our case we are getting logs from ADFS to get the client's real IP address).

Best regards,


evelenke
Contributor

Hi apezuela,

That's true, but here's another concern: for broad user activity analysis (e.g. using tag=authentication and standard eventtypes), when I need to investigate sources and destinations for a user, we'll have both src=Exchsrvr (for the DC log) and dest=Exchsrvr (for the Exchsrvr logs). This can be confusing for Exchange admin accounts, because they might have authenticated interactively and you can't separate it here.

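The mapping and the two mitigations discussed in this thread (the original question's "EventCode=4624 Logon_Type=2" restriction or exclusion of public servers, and apezuela's per-server exclusions) can be modelled outside Splunk to see their effect on a per-source failure count. The script below is an added example, not code from the thread or from Splunk_TA_Windows. The sample events are constructed; the service-server list is constructed; and deriving `src` from Workstation_Name with Source_Network_Address as a fallback is an assumption about how the add-on aliases these fields, not a quote from the add-on. The last function goes a step beyond the thread: it counts distinct accounts per `src`, which is one way to tell "a service server with many users behind it" apart from "one source hammering one account" without dropping the events entirely.

```python
"""Model CIM src/dest for DC Security events and compare false-positive mitigations.

Added example (not from the Splunk thread or from Splunk_TA_Windows).
Assumption: src is aliased from Workstation_Name, falling back to
Source_Network_Address; dest is aliased from ComputerName (the DC itself).
"""
from collections import Counter, defaultdict

# Constructed sample events, shaped like Splunk_TA_Windows extractions from a
# Domain Controller's Security log. ComputerName is always the DC; the
# Workstation_Name / Source_Network_Address pair says where the user typed
# credentials, which for 4625/4624 from a DC is often a service server.
SAMPLE_EVENTS = [
    {"ComputerName": "DC01", "EventCode": "4625", "Logon_Type": "3",
     "Account_Name": "alice", "Workstation_Name": "EXCH01", "Source_Network_Address": "10.0.0.5"},
    {"ComputerName": "DC01", "EventCode": "4625", "Logon_Type": "3",
     "Account_Name": "bob", "Workstation_Name": "EXCH01", "Source_Network_Address": "10.0.0.5"},
    {"ComputerName": "DC01", "EventCode": "4625", "Logon_Type": "3",
     "Account_Name": "carol", "Workstation_Name": "EXCH01", "Source_Network_Address": "10.0.0.5"},
    {"ComputerName": "DC01", "EventCode": "4625", "Logon_Type": "3",
     "Account_Name": "dave", "Workstation_Name": "EXCH01", "Source_Network_Address": "10.0.0.5"},
    {"ComputerName": "DC01", "EventCode": "4625", "Logon_Type": "3",
     "Account_Name": "mallory", "Workstation_Name": "WS-42", "Source_Network_Address": "10.0.1.42"},
    {"ComputerName": "DC01", "EventCode": "4625", "Logon_Type": "3",
     "Account_Name": "mallory", "Workstation_Name": "WS-42", "Source_Network_Address": "10.0.1.42"},
    {"ComputerName": "DC01", "EventCode": "4625", "Logon_Type": "3",
     "Account_Name": "mallory", "Workstation_Name": "WS-42", "Source_Network_Address": "10.0.1.42"},
    {"ComputerName": "DC01", "EventCode": "4625", "Logon_Type": "3",
     "Account_Name": "mallory", "Workstation_Name": "WS-42", "Source_Network_Address": "10.0.1.42"},
    # Console logon at the DC itself: Logon_Type 2 (interactive).
    {"ComputerName": "DC01", "EventCode": "4624", "Logon_Type": "2",
     "Account_Name": "dcadmin", "Workstation_Name": "DC01", "Source_Network_Address": "127.0.0.1"},
    # Network logon with no Workstation_Name, to exercise the src fallback.
    {"ComputerName": "DC01", "EventCode": "4624", "Logon_Type": "3",
     "Account_Name": "alice", "Source_Network_Address": "10.0.0.5"},
]

# Constructed list of "public" service servers the thread talks about
# (Exchange, Remote Desktop, RADIUS) that authenticate many users to the DC.
SERVICE_SERVERS = frozenset({"EXCH01", "RDS01", "RADIUS01"})


def normalize(event):
    """Add CIM-style src/dest the way the thread describes (assumed aliasing)."""
    out = dict(event)
    out["dest"] = event["ComputerName"]                       # always the DC
    out["src"] = event.get("Workstation_Name") or event.get("Source_Network_Address")
    out["src_ip"] = event.get("Source_Network_Address")
    return out


def interactive_logons(events):
    """The question's restriction: only EventCode=4624 with Logon_Type=2 (console)."""
    return [e for e in events if e["EventCode"] == "4624" and e["Logon_Type"] == "2"]


def failures_by_src(events, exclude=frozenset()):
    """Count failed logons (4625) per src, skipping any src in `exclude`."""
    counts = Counter()
    for e in events:
        if e["EventCode"] == "4625" and e["src"] not in exclude:
            counts[e["src"]] += 1
    return counts


def brute_force_candidates(events, threshold, exclude=frozenset()):
    """Sources whose 4625 count reaches `threshold`: a naive 'excessive failures' rule."""
    return sorted(src for src, n in failures_by_src(events, exclude).items() if n >= threshold)


def distinct_users_per_src(events):
    """Number of distinct accounts failing from each src.

    Many users behind one src is the fingerprint of a service server acting as a
    client; one user with many failures from one src is the pattern a brute-force
    rule is actually meant to catch.
    """
    users = defaultdict(set)
    for e in events:
        if e["EventCode"] == "4625":
            users[e["src"]].add(e["Account_Name"])
    return {src: len(accts) for src, accts in users.items()}


EVENTS = [normalize(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    print("interactive at DC:", [e["Account_Name"] for e in interactive_logons(EVENTS)])
    print("candidates, no exclusion:", brute_force_candidates(EVENTS, 3))
    print("candidates, service servers excluded:", brute_force_candidates(EVENTS, 3, SERVICE_SERVERS))
    print("distinct users per src:", distinct_users_per_src(EVENTS))
```

With a threshold of 3 failures, the naive rule flags both EXCH01 and WS-42; the exclusion list leaves only WS-42. The distinct-user view keeps EXCH01 in the data (four different accounts failing through it) while still singling out WS-42 (one account, four failures), which is closer to what an analyst wants than either silently dropping the service servers or restricting the eventtype to console logons.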