Hello!
I am fairly new to using Splunk. I am trying to create a search that will let me monitor msad-successful-user-logons for admin/service accounts. I'm using the query from the "Administrator Logons" panel on the "Administrator Audit" dashboard from the Splunk App for Windows Infrastructure as a reference. As this doesn't seem to list AD accounts with admin privileges (it seems to log all logons from any user), I want to use our specific Admin/service account OUs instead of specifying specific users.
So, poking around, I've found two ways to search for those OUs:
using inputlookup:
| inputlookup ad-user-lookup where (DistinguishedName="_Service Accounts" OR DistinguishedName="_Admin Accounts")
using ldapsearch (I haven't figured out how to combine the two into one search as with inputlookup):
| ldapsearch domain=my.domain basedn="OU=_Admin Accounts,DC=domain,DC=ca" scope="sub" search="(objectClass=user)"
| ldapsearch domain=my.domain basedn="OU=_Service Accounts,DC=domain,DC=ca" scope="sub" search="(objectClass=user)"
I'm trying to combine it with the following search, but without having to specify user="Admin*" or other user names:
eventtype=msad-successful-user-logons dest_nt_domain="" (user="Admin" OR user="admin*") | rename src as src_ip | `ip-to-host`
| `fix-localhost`
| lookup SiteInfo host | dedup consecutive=t Site, src_host, src_ip | eval Account_Name=mvindex(Account_Name, -1) | table _time, Account_Name, src_host, src_ip | rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account"
I've seen examples similar to this, where the inputlookup is enclosed in square brackets inside the search, so I've tried the following:
eventtype=msad-successful-user-logons [| inputlookup ad-user-lookup where (DistinguishedName="_Service Accounts" OR DistinguishedName="_Admin Accounts")] | rename src as src_ip | `ip-to-host`
| `fix-localhost`
| lookup SiteInfo host | dedup consecutive=t Site, src_host, src_ip | eval Account_Name=mvindex(Account_Name, -1) | table _time, Account_Name, src_host, src_ip | rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account"
but my searches yield no results. Any help would be appreciated.
Looks like I managed to figure out the way to go about this and get the intended results. However, it appears to be taking quite a long time to search.
Updated:
eventtype=msad-successful-user-logons | rename src as src_ip | `ip-to-host` | `fix-localhost` | lookup SiteInfo host | dedup consecutive=t Site, src_host, src_ip | eval Account_Name=mvindex(Account_Name, -1) | table _time, Account_Name, src_host, src_ip | rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account", DistinguishedName as Groups | lookup ad-user-lookup SamAccountName as "AD Account" OUTPUT DistinguishedName | regex DistinguishedName="_Admin Accounts"
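The search above is slow because it reads every successful logon and only discards the non-admin accounts at the end, after the lookup. An added example (not the poster's query) that pushes the OU filter into the base search instead: the subsearch turns the lookup rows from the two OUs into a `user="..." OR user="..."` clause, so only those accounts' events are ever read, and a `rex` then labels each row with its OU for the table. It assumes the lookup's DistinguishedName values are full DNs shaped like the basedn on this page (`OU=_Admin Accounts,DC=domain,DC=ca`), that the eventtype's account field is `user` (as in the reference query), and that the lookup has fewer than the default subsearch limit of 10,000 matching rows.

```spl
eventtype=msad-successful-user-logons
    [| inputlookup ad-user-lookup
         where (DistinguishedName="*OU=_Admin Accounts,*" OR DistinguishedName="*OU=_Service Accounts,*")
     | fields SamAccountName
     | rename SamAccountName as user]
| rename src as src_ip
| `ip-to-host`
| `fix-localhost`
| lookup SiteInfo host
| dedup consecutive=t Site, src_host, src_ip
| eval Account_Name=mvindex(Account_Name, -1)
| lookup ad-user-lookup SamAccountName as Account_Name OUTPUT DistinguishedName
| rex field=DistinguishedName "OU=(?<OU>_(Admin|Service) Accounts)"
| table _time, Account_Name, src_host, src_ip, OU
| rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account"
```

The second `lookup` runs before `table` so that DistinguishedName is available to `rex`; if you only need one OU, drop the other `OR` term in the subsearch and the `rex` alternation.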
Eventually figured out the answer.
@DeanDeleon0 - Was one of your comments you left above the answer to your question? If yes, which one? I can convert it to a comment and accept it for you. If not, can you please provide the solution? Thank you.
The last comment, prior to this one.
Ok, so I've apparently been using the incorrect lookup and needed to use just | lookup. This is now yielding results... but how can I now filter so it only shows me users from the OUs I want, based on the DistinguishedName field?
query:
eventtype=msad-successful-user-logons | rename src as src_ip | `ip-to-host`
| `fix-localhost`
| lookup SiteInfo host | dedup consecutive=t Site, src_host, src_ip | eval Account_Name=mvindex(Account_Name, -1) | table _time, Account_Name, src_host, src_ip, CN | rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account", DistinguishedName as Groups | lookup ad-user-lookup SamAccountName as "AD Account" OUTPUT DistinguishedName