Splunk Add-on for Admon Enrichment: Technical Guide and Documentation
Create a living replica of Active Directory within KV Stores using admon data. This supporting add-on leverages well-known AD attributes to build categories and priorities for integration with the Enterprise Security (ES) Assets and Identities framework.
What is admon?
The Splunk universal forwarder ships with an Active Directory monitoring capability known as admon. When admon is configured, a process called splunk-admon.exe is launched, which monitors Active Directory via LDAP calls.
What is SA-admon?
SA-admon contains saved searches that populate pre-built KV Stores with context-enriched admon data, including pre-populated lists of privileged users and assets derived from well-known, out-of-the-box Active Directory attributes.
High Level How It Works
- Admon takes a baseline of all AD objects, then captures incremental changes, writing every object as an event in a Splunk index
- Update, edit and schedule the saved searches within this app to populate the KV Stores
- Clone the saved searches and edit them for additional domains / forests as required
- Once the KV Stores are populated, add them to Assets & Identities (A&I)
Additional Categories
The saved searches within SA-admon contain a number of out-of-the-box categories for AD objects that can be enumerated from their attributes.
- Domain Controllers
- Read-only Domain Controllers
- Constrained Delegation Enabled
- Unconstrained Delegation Enabled
- Privileged Accounts
Privileged accounts are identified by the adminCount attribute being set to 1. This attribute signifies that the object is protected, or is a member of a protected group, such as:
- Domain Admins
- Enterprise Admins
- Domain Controllers
- Cert Publishers
The full list of protected groups and objects is published in Microsoft's Active Directory documentation.
Prioritisation with a Cyber Security Lens
It is important for cyber security teams to define their own priority for assets and identities, separate from operational criticality. SA-admon uses the following logic to assign priority within the prebuilt searches.
Asset Priority:
- Device contains sensitive data = High
- Device grants access to sensitive data = Critical
- All other network-joined devices = Medium
Identity Priority:
- Executives, VIP Users, Executive Assistants, Legal, Domain Admins, Enterprise Admins = Critical
- Other Privileged Accounts, Service Accounts, Vendor Accounts = High
- All other network accounts = Medium
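The classification described under "Additional Categories" and the priority logic above can be checked offline before the KV Store searches are built. The following Python script is an added example and is not SA-admon's own code or its saved searches: it parses a handful of constructed, simplified admon-style events (key=value lines per object, not the real splunk-admon event layout) and assigns the page's categories and priorities. The attribute names (userAccountControl, primaryGroupID, adminCount, msDS-AllowedToDelegateTo, memberOf, servicePrincipalName) are real Active Directory attributes with their standard meanings; the specific mapping rules (domain controllers count as "grants access to sensitive data", a populated servicePrincipalName marks a service account, "contains sensitive data" comes from an external host list) are assumptions made for this illustration, and HR-sourced roles such as Executives, VIPs and Legal are not modelled because they are not AD attributes.

```python
"""
Added example (not part of SA-admon): classify simplified admon-style AD
object events into the categories and priorities described on this page.
The event layout and all sample values are constructed for the illustration.
"""
import re

# userAccountControl flag bits (standard AD semantics)
UAC_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation w/ protocol transition

# primaryGroupID values for domain controllers (standard AD RIDs)
RID_DOMAIN_CONTROLLERS = 516
RID_READ_ONLY_DOMAIN_CONTROLLERS = 521

# Groups whose members are treated as Critical identities (from the page's list)
TIER1_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed sample events: one object per blank-line-separated block.
SAMPLE_EVENTS = """\
objectCategory=computer
sAMAccountName=DC01$
primaryGroupID=516
userAccountControl=532480

objectCategory=computer
sAMAccountName=RODC01$
primaryGroupID=521
userAccountControl=67112960

objectCategory=computer
sAMAccountName=WEB01$
primaryGroupID=515
userAccountControl=4096
msDS-AllowedToDelegateTo=cifs/fs01.corp.example

objectCategory=computer
sAMAccountName=APP01$
primaryGroupID=515
userAccountControl=528384

objectCategory=computer
sAMAccountName=WS01$
primaryGroupID=515
userAccountControl=4096

objectCategory=person
sAMAccountName=jdoe
adminCount=1
memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=example
userAccountControl=512

objectCategory=person
sAMAccountName=backupop
adminCount=1
memberOf=CN=Backup Operators,CN=Builtin,DC=corp,DC=example
userAccountControl=512

objectCategory=person
sAMAccountName=svc_sql
servicePrincipalName=MSSQLSvc/sql01.corp.example:1433
userAccountControl=66048

objectCategory=person
sAMAccountName=asmith
userAccountControl=512
"""


def _as_list(value):
    """Normalise a possibly multi-valued attribute to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_events(text):
    """Split the constructed text into one dict per object; a key that repeats
    within a block (e.g. memberOf) is collected into a list."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            if "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            obj[key] = _as_list(obj[key]) + [value] if key in obj else value
        objects.append(obj)
    return objects


def categories(obj):
    """Return the page's categories that apply to one AD object."""
    cats = set()
    uac = int(obj.get("userAccountControl", 0))
    pgid = int(obj.get("primaryGroupID", 0))
    if pgid == RID_DOMAIN_CONTROLLERS:
        cats.add("domain_controller")
    if pgid == RID_READ_ONLY_DOMAIN_CONTROLLERS:
        cats.add("read_only_domain_controller")
    # DCs legitimately carry this bit; the category is most interesting on member hosts.
    if uac & UAC_TRUSTED_FOR_DELEGATION:
        cats.add("unconstrained_delegation")
    if obj.get("msDS-AllowedToDelegateTo") or uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION:
        cats.add("constrained_delegation")
    if obj.get("adminCount") == "1":
        cats.add("privileged_account")
    return cats


def asset_priority(obj, cats, sensitive_data_hosts=frozenset()):
    """Assumption: DCs/RODCs 'grant access to sensitive data' -> critical;
    hosts on the supplied (constructed) list 'contain sensitive data' -> high."""
    if cats & {"domain_controller", "read_only_domain_controller"}:
        return "critical"
    if obj.get("sAMAccountName", "").rstrip("$") in sensitive_data_hosts:
        return "high"
    return "medium"


def identity_priority(obj, cats):
    """Tier-1 group members -> critical; other privileged or service accounts -> high."""
    groups = {m.group(1) for dn in _as_list(obj.get("memberOf"))
              if (m := re.match(r"CN=([^,]+)", dn))}
    if groups & TIER1_GROUPS:
        return "critical"
    if "privileged_account" in cats or obj.get("servicePrincipalName"):  # SPN = service account (assumption)
        return "high"
    return "medium"


def classify(text, sensitive_data_hosts=frozenset()):
    """Return {sAMAccountName: {kind, category, priority}} for every object in text."""
    results = {}
    for obj in parse_events(text):
        cats = categories(obj)
        is_asset = obj.get("objectCategory") == "computer"
        prio = (asset_priority(obj, cats, sensitive_data_hosts) if is_asset
                else identity_priority(obj, cats))
        results[obj["sAMAccountName"]] = {
            "kind": "asset" if is_asset else "identity",
            "category": sorted(cats),
            "priority": prio,
        }
    return results


if __name__ == "__main__":
    for name, row in classify(SAMPLE_EVENTS, sensitive_data_hosts={"WS01"}).items():
        print(f"{name:10} {row['kind']:8} {row['priority']:8} {','.join(row['category'])}")
```

The `category` and `priority` values are shaped the way A&I expects them, so the same rules can be checked against real admon events before they are encoded in the scheduled saved searches.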