Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does anyone have a group of security audits already in place and can make recommendations on using Splunk to monitor Active Directory?

joshk2005
Explorer
‎10-30-2014 10:37 AM

I have just been handed the Splunk application for our organization. I've been asked to work with our security team to create some audit ability that can monitor changes to sensitive groups, changes to privileged accounts, changes to GPO's, all servers accessed by specific user in last x days, all changes that a given user has made in AD in x days, etc. We are still defining what we want audited with Splunk, but I just wondered if anyone have a group of security audits already in place that can make some recommendations.

Reply

msmith4
New Member
‎11-01-2016 04:32 AM

make sure you review 4624 and 4625 events and correlate them. e.g. if 4625 is coming from same source but to multiple accounts, somebody is most likely attempting password guessing.

0 Karma
Reply

shandman
Path Finder
‎09-28-2016 11:17 AM

At my previous company, I implemented the https://splunkbase.splunk.com/app/1059/ "splunk app for active directory" . The security team used it daily in monitoring Active Directory and some of the things you referenced. I would start there.

0 Karma
Reply

sduff_splunk
Splunk Employee
Splunk Employee
‎07-12-2015 08:09 PM

Hi Josh,

Check out the blog post, http://blogs.microsoft.com/cybertrust/2013/06/03/microsoft-releases-new-mitigation-guidance-for-acti...

The document they reference, http://aka.ms/bpsadtrd , is thorough, but may be overwhelming. Of particular interest is Appendix L, which provides a list of the event codes to monitor. That should get you started into which EventCodes you can use to build your alerts and dashboards.

Cheers

Reply

NimrodSky
Explorer
‎07-12-2015 08:51 AM

Hi,

We just added SkyFormation into Splunkbase approved apps, you can see it here - https://splunkbase.splunk.com/app/2787/

SkyFormation currently provides you with Discover and governance for your cloud application usage, but we are definitely planning on providing business cloud app policies similar to the ones you mention above.

If your company use business cloud apps such as sales force I'd be happy to learn more about your needs.

Nimrod Bar-Zeav

SkyFormation

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...