This one may be a bit of a weird question, more for DC admins and data model builders, but a conceptual one :)
Using the add-on for MS Windows (Splunk_TA_Windows) to parse the Domain Controller's Security event log raises several questions for us:
Is it correct that the field "dest" is aliased from ComputerName (ComputerName_as_dest), which is always the actual name of the Domain Controller, and "src" is the machine/server where the user has authenticated?
Thus in many cases "src" is a service server (Exchange, Remote Desktop, RADIUS, etc.), which obviously should be the destination. This results in numerous notable events for rules like "Brute force behavior detected" or "Excessive failures", as hundreds of people may authenticate to the server.
Right now I think it's better to restrict the eventtype for authentication events on DCs to only the combination "EventCode=4624 Logon_Type=2", or to exclude all public servers.
I'd like to ask for any recommendations, if someone has faced the same thoughts and revised the knowledge approach (what is source, what is dest...), and how not to affect rules in ES with such customizations.
And is it possible to get the real (first hop) source from AD (maybe some other logs exist) in case we can't correlate with service and endpoint logs?
Hi,
When you see a service server in src, it is right, because in this event the service server is acting as a client. We have exclusions in our alerts to avoid false positives from these servers. If you want to get the real IP address of a client, in that case (service servers) you need to get logs from those services (for example, in our case we are getting logs from ADFS to get the client's real IP address).
Best regards,
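The following is an added example, not code from the thread or from Splunk's add-on. It models the src/dest mapping the question describes (dest from ComputerName, src from Workstation_Name with a fallback to Source_Network_Address; both are assumptions about the add-on's aliasing), runs a simple per-src failed-logon count over constructed DC events, and then applies the two mitigations raised in the question and the answer: restricting Logon_Type, and excluding known service servers from src. The failure threshold of 10 and all hostnames, IPs and events are constructed.

```python
"""
Added example (not from the thread, not Splunk's code): models how the
Splunk Add-on for Windows turns DC Security-log fields into the
Authentication data model's src/dest, then runs a simple per-src
failure count over constructed events to show why a service server
such as Exchange trips it, and what the two mitigations from the
thread (restricting Logon_Type, excluding public servers) change.

Assumptions: dest comes from ComputerName, src from Workstation_Name
(falling back to Source_Network_Address); the threshold of 10 failures
stands in for the ES correlation search's real setting.
"""
from collections import Counter

# Windows logon types relevant here (documented by Microsoft).
INTERACTIVE = "2"
NETWORK = "3"
REMOTE_INTERACTIVE = "10"


def dc_event(code, workstation, src_ip, logon_type, user):
    """Build one already-extracted DC Security-log event (constructed data)."""
    return {
        "EventCode": code,
        "ComputerName": "DC01.corp.local",
        "Workstation_Name": workstation,
        "Source_Network_Address": src_ip,
        "Logon_Type": logon_type,
        "Account_Name": user,
    }


# Constructed sample: one DC, one noisy service server, one real spray.
RAW_EVENTS = (
    # 25 distinct users failing against Exchange (OWA/ActiveSync style);
    # Exchange validates them at the DC, so it shows up as Workstation_Name
    [dc_event("4625", "EXCHSRVR", "10.0.0.5", NETWORK, f"user{i:02d}")
     for i in range(25)]
    # a host hammering one service account over the network, no
    # Workstation_Name in the event, only the IP
    + [dc_event("4625", "-", "10.0.7.42", NETWORK, "svc_backup")
       for _ in range(12)]
    # an admin failing RDP to the DC a few times
    + [dc_event("4625", "ADMIN-PC", "10.0.1.9", REMOTE_INTERACTIVE, "jdoe")
       for _ in range(8)]
    # console typos on the DC itself
    + [dc_event("4625", "DC01", "-", INTERACTIVE, "jdoe") for _ in range(3)]
    # and some successes so the sample is not all failures
    + [dc_event("4624", "EXCHSRVR", "10.0.0.5", NETWORK, f"user{i:02d}")
       for i in range(5)]
)


def normalize(ev):
    """Map raw fields to data-model fields the way the thread describes
    the add-on doing it (assumed aliasing, see module docstring)."""
    workstation = ev["Workstation_Name"]
    src = workstation if workstation != "-" else ev["Source_Network_Address"]
    return {
        "action": "failure" if ev["EventCode"] == "4625" else "success",
        "src": src,
        "dest": ev["ComputerName"],
        "logon_type": ev["Logon_Type"],
        "user": ev["Account_Name"],
    }


def failures_by_src(events, threshold=10):
    """Stand-in for an 'excessive failed logins' search: count failures
    per src and return the sources at or above the threshold."""
    counts = Counter(e["src"] for e in events if e["action"] == "failure")
    return {src: n for src, n in counts.items() if n >= threshold}


def restrict_logon_types(events, allowed=(INTERACTIVE,)):
    """Mitigation 1 from the question: keep only chosen Logon_Type values.
    The default keeps Logon_Type=2 exactly as proposed; pass
    (INTERACTIVE, REMOTE_INTERACTIVE) to also keep RDP logons to the DC."""
    return [e for e in events if e["logon_type"] in allowed]


def exclude_public_servers(events, public_servers):
    """Mitigation 2 from the answer: drop events whose src is a known
    service server that legitimately fronts many users."""
    return [e for e in events if e["src"] not in public_servers]


if __name__ == "__main__":
    events = [normalize(ev) for ev in RAW_EVENTS]
    print("baseline   :", failures_by_src(events))
    print("type 2 only:", failures_by_src(restrict_logon_types(events)))
    print("type 2+10  :", failures_by_src(
        restrict_logon_types(events, (INTERACTIVE, REMOTE_INTERACTIVE))))
    print("exclusions :", failures_by_src(
        exclude_public_servers(events, {"EXCHSRVR"})))
```

Running it shows the trade-off: the baseline flags both EXCHSRVR (25 failures from 25 different users, the false positive the question describes) and 10.0.7.42 (12 failures against one service account, a real spray). Restricting to Logon_Type=2 (or 2 and 10) removes the Exchange noise but also drops the network-logon spray entirely, because those 4625s are Logon_Type=3; excluding the service server from src keeps the spray while removing the noise. A per-user distinct count next to the per-src count would separate the two cases as well.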
Hi apezuela,
That's true, but here's another concern: for broad user activity analysis (e.g. using tag=authentication and standard eventtypes), when I need to investigate sources and destinations for a user, we'll have both src=Exchsrvr (from the DC log) and dest=Exchsrvr (from the Exchsrvr logs). This can be confusing for Exchange admin accounts, because the admin might have authenticated interactively and you can't separate that here.