.. SecKit for Splunk TA Windows documentation master file, created by
   sphinx-quickstart on Thu Oct  4 13:22:29 2018.
   You can adapt this file completely to your liking, but it should at least
   contain the root `toctree` directive.

Welcome to SecKit for Splunk TA Microsoft AD's documentation!
=============================================================

This Success Enablement Content Kit provides ready-to-deploy configuration for Microsoft Active Directory data collection in a typical organization. This configuration is intended to be completed **AFTER** ``__

The files referenced in this kit are available in our `bitbucket repo `_

Objectives
------------------------------------------

- Collect Microsoft AD operational events

Deploy the Splunk Add-on (on prem)
------------------------------------------

Deploy the Splunk TA Microsoft AD to each appropriate instance of Splunk, in the following order.

Splunk Search Head
++++++++++++++++++++++++++++++++++++++++++

**DO NOT DEPLOY TO ENTERPRISE SECURITY INSTANCE**

- Download Splunk TA Microsoft AD version 1.0.0 from the ``deps`` folder of the repository OR from Splunk Base ``__
- Expand and copy to ``$SPLUNK_HOME/etc/apps``.
- Remove the following files from ``$SPLUNK_HOME/etc/apps/Splunk_TA_microsoft_ad/default/``

  - admon.conf
  - inputs.conf
  - eventgen.conf
  - indexes.conf
  - perfmon.conf

- Restart the Search Head

Splunk Search Head Cluster
++++++++++++++++++++++++++++++++++++++++++

**DO NOT DEPLOY TO ENTERPRISE SECURITY INSTANCE**

- Download Splunk TA Microsoft AD version 1.0.0 from the ``deps`` folder of the repository OR from Splunk Base ``__
- Remove the Splunk_TA_Windows folder from ``$SPLUNK_HOME/etc/shcluster/apps`` and push to the cluster using the appropriate command

  - non-ES SHC: ``splunk apply shcluster-bundle``
  - ES SHC: ``splunk apply shcluster-bundle -preserve-lookups true``

- Expand and copy Splunk_TA_Windows to ``$SPLUNK_HOME/etc/shcluster/apps``
- Remove the following files from ``$SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_microsoft_ad/default/``

  - admon.conf
  - inputs.conf
  - eventgen.conf
  - indexes.conf
  - perfmon.conf

- Push to the cluster using the appropriate command

  - non-ES SHC: ``splunk apply shcluster-bundle``
  - ES SHC: ``splunk apply shcluster-bundle -preserve-lookups true``

Splunk Non-Clustered Indexers, Windows Heavy Forwarders, Intermediate Forwarders
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

- Download Splunk TA Microsoft AD version 1.0.0 from the ``deps`` folder of the repository OR from Splunk Base ``__
- Copy to ``$SPLUNK_HOME/etc/apps``.
- Remove the following files from ``$SPLUNK_HOME/etc/apps/Splunk_TA_microsoft_ad/default/``

  - admon.conf
  - inputs.conf
  - eventgen.conf
  - indexes.conf
  - perfmon.conf

Splunk Clustered Indexers
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

- Download Splunk TA Microsoft AD version 1.0.0 from the ``deps`` folder of the repository OR from Splunk Base ``__
- Expand and copy to ``$SPLUNK_HOME/etc/apps``.
- Remove the following files from ``$SPLUNK_HOME/etc/master-apps/Splunk_TA_microsoft_ad/default/``

  - admon.conf
  - inputs.conf
  - eventgen.conf
  - indexes.conf
  - perfmon.conf

- Create the following indexes in accordance with your organization's standard practices for index definition, by adding them to an existing ``indexes.conf`` or creating one in the most appropriate app in ``master-apps``. If there is no standard location, we suggest ``$SPLUNK_HOME/master-apps/Splunk_TA_microsoft_ad_Indexes/local/indexes.conf``

  - ``appmsad``: Used for Active Directory operational events

Splunk Deployment Server
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

- Download Splunk TA Microsoft AD version 1.0.0 from the ``deps`` folder of the repository OR from Splunk Base ``__
- Expand and copy to ``$SPLUNK_HOME/etc/deployment-apps``
- Remove the following files from ``$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_microsoft_ad/default/``

  - admon.conf
  - inputs.conf
  - eventgen.conf
  - indexes.conf
  - perfmon.conf

- Download ``src/Splunk_TA_microsoft_ad_DS`` and copy to ``$SPLUNK_HOME/etc/apps``
- Download ``src/Splunk_TA_microsoft_ad_**`` and copy to ``$SPLUNK_HOME/etc/deployment-apps``
- Restart the deployment server

Deploy the Splunk Add-on (Splunk Cloud)
------------------------------------------

- Download Splunk TA Microsoft AD version 1.0.0 from the ``deps`` folder of the repository OR from Splunk Base ``__
- Manually create the indexes prescribed above
- Deploy to intermediate forwarders and Windows heavy forwarders as prescribed above
- Configure the deployment server as prescribed above.

Begin Data Collection
------------------------------------------

Collection will be automatically

Indices and tables
==================

* :ref:`genindex`
* :ref:`modindex`
* :ref:`search`
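As an added example that is not part of this kit or of the add-on, the following POSIX shell script carries out the two local steps the deployment sections above repeat for every instance type: stripping the five shipped default files from an expanded Splunk_TA_microsoft_ad, and, where indexes are defined locally, appending the ``appmsad`` stanza. The function names and the ``$SPLUNK_DB`` path layout are assumptions; the script assumes the add-on has already been expanded into the directory handed to it.

```shell
#!/bin/sh
# Added example, not part of the SecKit repository or the add-on. Prepares an
# expanded copy of Splunk_TA_microsoft_ad as this guide prescribes. Usage:
#   strip_ta_defaults /opt/splunk/etc/apps/Splunk_TA_microsoft_ad

# Files the guide says to remove from <app>/default/ on every instance type.
TA_DEFAULTS_TO_REMOVE="admon.conf inputs.conf eventgen.conf indexes.conf perfmon.conf"

# Remove the listed files from <app_dir>/default/; fails if the app is not there.
strip_ta_defaults() {
    app_dir="$1"
    [ -d "$app_dir/default" ] || { echo "no default/ under $app_dir" >&2; return 1; }
    for f in $TA_DEFAULTS_TO_REMOVE; do
        if [ -e "$app_dir/default/$f" ]; then
            rm -f "$app_dir/default/$f" && echo "removed default/$f"
        fi
    done
    return 0
}

# Succeed only if none of the listed files remain; run this before restarting.
verify_ta_defaults_removed() {
    app_dir="$1"
    leftover=0
    for f in $TA_DEFAULTS_TO_REMOVE; do
        if [ -e "$app_dir/default/$f" ]; then
            echo "still present: default/$f" >&2
            leftover=1
        fi
    done
    return $leftover
}

# Append the appmsad stanza to an indexes.conf (created if missing), only once.
# Assumed layout: standard homePath/coldPath/thawedPath under $SPLUNK_DB.
write_appmsad_index() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    if grep -q '^\[appmsad\]' "$conf" 2>/dev/null; then
        echo "appmsad already defined in $conf"
        return 0
    fi
    cat >> "$conf" <<'EOF'
[appmsad]
homePath   = $SPLUNK_DB/appmsad/db
coldPath   = $SPLUNK_DB/appmsad/colddb
thawedPath = $SPLUNK_DB/appmsad/thaweddb
EOF
}
```

Retention and sizing settings for ``appmsad`` are deliberately left out so they can follow your own index standards.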