Splunk Add-on for Admon Enrichment (SA-admon) Installation
LAPS Warning
Domains running LAPS need to be aware that the plaintext local administrator password is stored in the ms-Mcs-AdmPwd AD attribute. By default, a domain controller running admon has the privileges needed to read and index the plaintext LAPS passwords. If the admon data is sent directly to Splunk Cloud, the plaintext password is masked by the indexing tier. On-prem Splunk instances need to install SA-admon (or just its props.conf masking configuration) on the applicable devices (HF or IDX, depending on architecture).
To avoid relying on masking, configure the admon input on a domain-joined device using an unprivileged user account that cannot read the ms-Mcs-AdmPwd AD attribute. See the Remote DC admon Input Configuration Stanza below.
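As an added example (not SA-admon's own props.conf), the script below takes an assumed SEDCMD masking rule for the ActiveDirectory sourcetype and applies it to a constructed admon-style event, so the regex can be checked before it is deployed to an HF or indexer; the sourcetype name, the rule and every event value are assumptions.

```python
import re

# Constructed admon-style event (not captured data); the attribute names follow
# the admon layout, every value is made up.
SAMPLE_EVENT = """03/06/2024 10:15:22.123
dcName=WIN-DC-02.corp.example
admonEventType=Update
Object Details:
    sAMAccountName=WIN-PC-01$
    ms-Mcs-AdmPwd=Xk9#vQ2pL!m7Rz
    ms-Mcs-AdmPwdExpirationTime=133540000000000000
"""
SAMPLE_SECRET = "Xk9#vQ2pL!m7Rz"

# Assumed props.conf rule (hypothetical, not SA-admon's own configuration):
#   [ActiveDirectory]
#   SEDCMD-mask_laps = s/(ms-Mcs-AdmPwd=)[^\r\n]+/\1********/g
# The "=" right after AdmPwd leaves the non-secret ExpirationTime attribute alone.
SEDCMD_MASK_LAPS = r"s/(ms-Mcs-AdmPwd=)[^\r\n]+/\1********/g"


def parse_sedcmd(sedcmd):
    """Split a Splunk-style s/regex/replacement/flags rule into its parts.
    Rules whose regex or replacement contain an unescaped "/" are not handled."""
    if not sedcmd.startswith("s/"):
        raise ValueError("only s/.../.../ substitutions are supported")
    parts = sedcmd[2:].split("/")
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags")
    return parts[0], parts[1], parts[2]


def apply_sedcmd(sedcmd, event):
    """Apply one SEDCMD rule to an event text the way the indexing tier would."""
    pattern, replacement, flags = parse_sedcmd(sedcmd)
    count = 0 if "g" in flags else 1  # "g" replaces every occurrence, else the first
    return re.sub(pattern, replacement, event, count=count)


def mask_laps(event):
    """Return the event with the ms-Mcs-AdmPwd value replaced by asterisks."""
    return apply_sedcmd(SEDCMD_MASK_LAPS, event)


if __name__ == "__main__":
    masked = mask_laps(SAMPLE_EVENT)
    print(masked)
    print("password leaked:", SAMPLE_SECRET in masked)
```

Run the same check against a real event exported from the admon index before trusting the rule, since any change in attribute layout would silently leave the value unmasked.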
Where to Install SA-admon?
- ES Search Head
- Indexers if LAPS masking is required
- Heavy Forwarders if LAPS masking is required & data is traversing the HF
How to Deploy admon and Update the KV Stores
- Step 1: Deploy the admon inputs.conf stanza to a single DC in each domain.
  Each time the universal forwarder is restarted, a new baseline is captured.
  See the Single DC admon Input Configuration Stanza below.
- Step 2: Add the admon index to the activedirectory macro (Settings > Advanced search > Search macros).
- Step 3: Open the saved searches and update categories and priorities as required.
- Step 4: Identify the time period when a baseline was captured.
- Step 5: Run the saved searches over the baseline and all events since it was captured to populate the KV Store.
- Step 6: Enable and schedule the saved searches to run on a regular interval so that all changes are written to the KV Store (Settings > Searches, reports, and alerts > app = SA-admon).
Single DC admon Input Configuration Stanza
## admon inputs.conf
[admon://ADMonitoring]
targetDc = localhost
baseline = 1
index = admon
disabled = false
Remote DC admon Input Configuration Stanza
## admon inputs.conf
[admon://ADMonitoring]
targetDc = WIN-DC-02
baseline = 1
index = admon
disabled = false
Replication Delays
The timestamp captured in admon events reflects when the monitored domain controller receives the change. If a change is made on another domain controller in the forest, the admon timestamp corresponds to when the domain controller running admon receives the replicated change, not when the change was originally made on the other domain controller. Significant replication delays can therefore cause false negatives in the saved searches. To mitigate this, consult with a Windows expert and consider enabling Change Notification on site links.