Welcome to SecKit for Splunk TA Microsoft AD’s documentation!

This Success enablement content kit provides a ready-to-deploy configuration for Microsoft Active Directory data collection in a typical organization. This configuration is intended to be completed AFTER the Splunk TA Windows kit at https://splunk-ta-windows-seckit.readthedocs.io

The files referenced in this kit are available in our Bitbucket repository.

Objectives

  • Collect Microsoft AD operational events

Deploy the Splunk Add-on (on-prem)

Deploy the Splunk TA Microsoft AD to each appropriate instance of Splunk, in the following order.

Splunk Search Head

** DO NOT DEPLOY TO ENTERPRISE SECURITY INSTANCE **

  • Download Splunk TA Microsoft AD version 1.0.0 from the deps folder of the repository OR from Splunkbase: https://splunkbase.splunk.com/app/3207/
  • Expand and copy to $SPLUNK_HOME/etc/apps.
  • Remove the following files from $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft_ad/default/:
      - admon.conf
      - inputs.conf
      - eventgen.conf
      - indexes.conf
      - perfmon.conf
  • Restart the Search Head.
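The search head steps above as a POSIX shell function, added here as an example (it is not part of this kit or of the Splunk TA): it expands the downloaded package into an apps directory, removes the five default configuration files, and verifies that none of them remain. The verification also rejects a local/ copy of those files, since local/ overrides default/ and would silently re-enable inputs on a search head. It assumes the package is a .tgz whose top-level folder is Splunk_TA_microsoft_ad; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the SecKit project's code: stage Splunk_TA_microsoft_ad into an
# apps directory and strip the default-tier configs that must not ship to a search head.
# Assumption: the package is a .tgz containing a top-level Splunk_TA_microsoft_ad folder.

# Files listed on the page that must not be active on a search head.
MSAD_STRIP_FILES="admon.conf inputs.conf eventgen.conf indexes.conf perfmon.conf"

# stage_msad_ta <package.tgz> <apps_dir>
# Expands the package into apps_dir, removes the listed files from default/, then verifies.
# Usage on a search head: stage_msad_ta Splunk_TA_microsoft_ad-1.0.0.tgz "$SPLUNK_HOME/etc/apps"
stage_msad_ta() {
    pkg="$1"
    apps_dir="$2"
    app_dir="$apps_dir/Splunk_TA_microsoft_ad"
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }
    mkdir -p "$apps_dir"
    tar -xzf "$pkg" -C "$apps_dir" || return 1
    [ -d "$app_dir/default" ] || { echo "unexpected package layout in $pkg" >&2; return 1; }
    for f in $MSAD_STRIP_FILES; do
        rm -f "$app_dir/default/$f"
    done
    verify_msad_ta "$apps_dir"
}

# verify_msad_ta <apps_dir>
# Returns 0 when the app is present and none of the stripped files exist in default/ or local/.
verify_msad_ta() {
    app_dir="$1/Splunk_TA_microsoft_ad"
    [ -f "$app_dir/default/app.conf" ] || { echo "app not staged in $1" >&2; return 1; }
    for f in $MSAD_STRIP_FILES; do
        for tier in default local; do
            if [ -e "$app_dir/$tier/$f" ]; then
                echo "must not be present on a search head: $tier/$f" >&2
                return 1
            fi
        done
    done
    return 0
}
```

Run verify_msad_ta again after any later change to the app (for example after a search head cluster bundle push), because a stray local/inputs.conf takes precedence over the stripped default/ copy.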

Splunk Search Head Cluster

** DO NOT DEPLOY TO ENTERPRISE SECURITY INSTANCE **

  • Download Splunk TA Microsoft AD version 1.0.0 from the deps folder of the repository OR from Splunkbase: https://splunkbase.splunk.com/app/3207/
  • Remove the Splunk_TA_microsoft_ad folder from $SPLUNK_HOME/etc/shcluster/apps and push to the cluster using the appropriate command:
      - non-ES SHC: splunk apply shcluster-bundle
      - ES SHC: splunk apply shcluster-bundle -preserve-lookups true
  • Expand and copy Splunk_TA_microsoft_ad to $SPLUNK_HOME/etc/shcluster/apps.
  • Remove the following files from $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_microsoft_ad/default/:
      - admon.conf
      - inputs.conf
      - eventgen.conf
      - indexes.conf
      - perfmon.conf
  • Push to the cluster using the appropriate command:
      - non-ES SHC: splunk apply shcluster-bundle
      - ES SHC: splunk apply shcluster-bundle -preserve-lookups true

Splunk Non Clustered Indexers, Windows Heavy Forwarders, Intermediate Forwarders

  • Download Splunk TA Microsoft AD version 1.0.0 from the deps folder of the repository OR from Splunkbase: https://splunkbase.splunk.com/app/3207/
  • Expand and copy to $SPLUNK_HOME/etc/apps.
  • Remove the following files from $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft_ad/default/:
      - admon.conf
      - inputs.conf
      - eventgen.conf
      - indexes.conf
      - perfmon.conf

Splunk Clustered Indexers

  • Download Splunk TA Microsoft AD version 1.0.0 from the deps folder of the repository OR from Splunkbase: https://splunkbase.splunk.com/app/3207/
  • Expand and copy to $SPLUNK_HOME/etc/master-apps.
  • Remove the following files from $SPLUNK_HOME/etc/master-apps/Splunk_TA_microsoft_ad/default/:
      - admon.conf
      - inputs.conf
      - eventgen.conf
      - indexes.conf
      - perfmon.conf
  • Create the following index in accordance with your organization's standard practice for index definition, by adding to or creating an indexes.conf file in the most appropriate app in master-apps. If there is no standard location, we suggest $SPLUNK_HOME/etc/master-apps/Splunk_TA_microsoft_ad_Indexes/local/indexes.conf:
      - appmsad: Used for Active Directory operational events
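An added example of the index definition step for clustered indexers (this is not the kit's own indexes.conf; the file contents below are the example's): it writes an appmsad stanza into the suggested master-apps app and checks that the stanza is present and cluster-replicated. The app name Splunk_TA_microsoft_ad_Indexes is the page's suggested location; the retention value is a placeholder to replace with your organization's standard, and repFactor = auto is what makes a cluster replicate the index rather than keep a single copy.

```shell
#!/bin/sh
# Added example, not the SecKit project's file: define the appmsad index for clustered
# indexers in master-apps and check the result.
# Assumptions: the suggested app name Splunk_TA_microsoft_ad_Indexes is used, and the
# retention below is a PLACEHOLDER to be replaced by your organization's standard.

# write_msad_indexes_conf <master_apps_dir>
# Writes indexes.conf and echoes its path.
# Usage on the cluster master: write_msad_indexes_conf "$SPLUNK_HOME/etc/master-apps"
write_msad_indexes_conf() {
    conf_dir="$1/Splunk_TA_microsoft_ad_Indexes/local"
    mkdir -p "$conf_dir" || return 1
    # Single-quoted heredoc: $SPLUNK_DB must reach Splunk literally, not be expanded here.
    cat > "$conf_dir/indexes.conf" <<'EOF'
# appmsad: Active Directory operational events (SecKit for Splunk TA Microsoft AD)
[appmsad]
homePath   = $SPLUNK_DB/appmsad/db
coldPath   = $SPLUNK_DB/appmsad/colddb
thawedPath = $SPLUNK_DB/appmsad/thaweddb
# Required on clustered indexers so the cluster replicates this index.
repFactor = auto
# PLACEHOLDER retention (90 days); align with your organization's standard.
frozenTimePeriodInSecs = 7776000
EOF
    echo "$conf_dir/indexes.conf"
}

# check_msad_indexes_conf <master_apps_dir>
# Returns 0 when the appmsad stanza exists and declares repFactor = auto.
check_msad_indexes_conf() {
    f="$1/Splunk_TA_microsoft_ad_Indexes/local/indexes.conf"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    grep -q '^\[appmsad\]' "$f" || { echo "no [appmsad] stanza in $f" >&2; return 1; }
    grep -q '^repFactor *= *auto' "$f" || { echo "appmsad is not replicated (repFactor)" >&2; return 1; }
    return 0
}
```

After the bundle is applied to the cluster, confirm the effective settings on an indexer with splunk btool indexes list appmsad --debug, which also shows which file each setting came from.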

Splunk Deployment Server

  • Download Splunk TA Microsoft AD version 1.0.0 from the deps folder of the repository OR from Splunkbase: https://splunkbase.splunk.com/app/3207/
  • Expand and copy to $SPLUNK_HOME/etc/deployment-apps.
  • Remove the following files from $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_microsoft_ad/default/:
      - admon.conf
      - inputs.conf
      - eventgen.conf
      - indexes.conf
      - perfmon.conf
  • Download src/Splunk_TA_microsoft_ad_DS and copy to $SPLUNK_HOME/etc/apps.
  • Download src/Splunk_TA_microsoft_ad_<n> and copy to $SPLUNK_HOME/etc/deployment-apps.
  • Restart the deployment server.

Deploy the Splunk Add-on (Splunk Cloud)

  • Download Splunk TA Microsoft AD version 1.0.0 from the deps folder of the repository OR from Splunkbase: https://splunkbase.splunk.com/app/3207/
  • Manually create the indexes prescribed above.
  • Deploy to intermediate forwarders and Windows heavy forwarders as prescribed above.
  • Configure the deployment server as prescribed above.

Begin Data Collection

Collection will be automatically
