
Splunk Add-on for Admon Enrichment: Technical Guide and Documentation

Create a living replica of Active Directory within KV Stores using admon data. This supporting add-on leverages well known AD attributes to build categories and priorities for integrating with the Assets and Identities ES Framework.

What is admon?

The Splunk universal forwarder ships with an Active Directory monitoring capability known as admon. When admon is configured, a process called splunk-admon.exe is launched, which monitors Active Directory via LDAP calls.

What is SA-admon?

SA-admon contains saved searches which populate pre-built KV Stores with context-enriched admon data, including pre-populated lists of privileged users and assets derived from well-known, out-of-the-box Active Directory attributes.

High Level How It Works

  • Admon takes a baseline of all AD objects, then captures incremental changes, writing every object as an event in a Splunk index
  • Update, edit and schedule saved searches within this app to populate the KV Stores
  • Clone the Saved Searches and edit for additional domains / forests as required
  • Once the KV Stores are populated add them to Assets & Identities (A&I)

Additional Categories

The saved searches within SA-admon contain a number of out-of-the-box categories for AD objects which can be derived from their attributes.

  • Domain Controllers
  • Read-only Domain Controllers
  • Constrained Delegation Enabled
  • Unconstrained Delegation Enabled
  • Privileged Accounts

Privileged accounts are identified by the adminCount attribute being set to 1. This attribute signifies that the object is protected by AdminSDHolder, either directly or through membership of a protected group, such as:

  • Domain Admins
  • Enterprise Admins
  • Domain Controllers
  • Cert Publishers
  • Full list of protected objects can be found here.
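The attribute logic behind the categories above, as an added Python example that is not part of SA-admon or Splunk. Admon emits AD attributes as key=value lines and the add-on's saved searches do this work in SPL; the event layout, account names and attribute values below are constructed for illustration.

```python
# Added example (not SA-admon code): derive the add-on's categories from the AD
# attributes named on this page, on constructed admon-style key=value events.

UAC_TRUSTED_FOR_DELEGATION = 0x80000             # userAccountControl bit: unconstrained delegation
PRIMARY_GROUP_DC, PRIMARY_GROUP_RODC = 516, 521  # well-known primaryGroupID values for DC / RODC

SAMPLE_EVENTS = [  # constructed events, roughly in admon's sectioned key=value layout
    "admonEventType=Baseline\nNames:\n  sAMAccountName=DC01$\n"
    "  objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=example\n"
    "ObjectDetails:\n  primaryGroupID=516\n  userAccountControl=532480\n",  # DC: SERVER_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION
    "admonEventType=Update\nNames:\n  sAMAccountName=svc_web\n"
    "  objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example\n"
    "ObjectDetails:\n  userAccountControl=66048\n  msDS-AllowedToDelegateTo=HTTP/app01.corp.example\n"
    "  msDS-AllowedToDelegateTo=HTTP/app02.corp.example\n",  # constrained delegation to two SPNs
    "admonEventType=Update\nNames:\n  sAMAccountName=alice\n"
    "  objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example\n"
    "ObjectDetails:\n  adminCount=1\n  userAccountControl=512\n",  # protected by AdminSDHolder
]

def parse_admon_event(raw: str) -> dict:
    """Parse key=value lines into a dict; repeated attributes (multi-valued) become lists."""
    fields = {}
    for line in raw.splitlines():
        if "=" not in line:          # section headers such as "Names:" carry no attribute
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in fields:
            fields[key] = (fields[key] if isinstance(fields[key], list) else [fields[key]]) + [value]
        else:
            fields[key] = value
    return fields

def categorize(obj: dict) -> list:
    """Map the attributes this add-on relies on to its category names."""
    cats = []
    uac, pgid = int(obj.get("userAccountControl", 0)), int(obj.get("primaryGroupID", 0))
    if pgid == PRIMARY_GROUP_DC: cats.append("domain_controller")
    if pgid == PRIMARY_GROUP_RODC: cats.append("read_only_domain_controller")
    if uac & UAC_TRUSTED_FOR_DELEGATION: cats.append("unconstrained_delegation")
    if obj.get("msDS-AllowedToDelegateTo"): cats.append("constrained_delegation")
    if obj.get("adminCount") == "1": cats.append("privileged")
    return cats

def to_ai_row(obj: dict) -> dict:
    """Build a lookup row: computers go to the asset list, people to the identity list.
    Multi-valued fields are pipe-delimited, as ES Assets & Identities lookups expect."""
    is_asset = obj.get("objectCategory", "").startswith("CN=Computer")
    name = obj.get("sAMAccountName", "")
    return {"lookup": "asset" if is_asset else "identity",
            "key": name.rstrip("$") if is_asset else name,
            "category": "|".join(categorize(obj))}

def build_rows(events=SAMPLE_EVENTS) -> list:
    return [to_ai_row(parse_admon_event(e)) for e in events]
```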

It is also strongly recommended to implement additional categories and prioritisation for Crown Jewels assets, for example:

  • Device contains sensitive data: priority = High
  • Device grants access to sensitive data: priority = Critical