Splunk Add-on for Admon Enrichment: Technical Guide and Documentation¶
Create a living replica of Active Directory in KV Stores from admon data. This supporting add-on uses well-known AD attributes to build categories and priorities for integration with the Splunk Enterprise Security (ES) Assets and Identities framework.
What is admon?¶
The Splunk Universal Forwarder for Windows ships with an Active Directory monitoring input known as admon. When an admon input is enabled, the forwarder launches a process called splunk-admon.exe, which binds to a domain controller and monitors Active Directory over LDAP.
What is SA-admon?¶
SA-admon contains saved searches that populate pre-built KV Stores with context-enriched admon data, including pre-populated lists of privileged users and assets derived from well-known, out-of-the-box Active Directory attributes.
High Level How It Works¶
- Admon takes a baseline of all AD objects, then captures incremental changes, writing each object as an event in a Splunk index
- Update, edit and schedule the saved searches within this app to populate the KV Stores
- Clone the saved searches and edit them for additional domains / forests as required
- Once the KV Stores are populated, add them to Assets & Identities (A&I)
Additional Categories¶
The saved searches within SA-admon contain a number of out-of-the-box categories for AD objects, each derived from the object's attributes.
- Domain Controllers
- Read-only Domain Controllers
- Constrained Delegation Enabled
- Unconstrained Delegation Enabled
- Privileged Accounts
Privileged accounts are identified by the adminCount attribute being set to 1. The AdminSDHolder process (SDProp) sets this attribute on protected objects and on members of protected groups, such as:
- Domain Admins
- Enterprise Admins
- Domain Controllers
- Cert Publishers
- The full list of protected objects can be found here.
Note that SDProp never clears adminCount when an account leaves a protected group, so adminCount=1 also flags formerly privileged accounts. Treat it as a starting point and review stale entries rather than as proof of current group membership.
Prioritisation with a Cyber Security Lens¶
Cyber security teams should define their own asset and identity priorities, separate from operational criticality. SA-admon uses the following logic to assign priority within the prebuilt searches.
Asset Priority:
- Device contains sensitive data = High
- Device grants access to sensitive data = Critical
- All other network joined devices = Medium
Identity Priority:
- Executives, VIP Users, Executive Assistants, Legal, Domain Admins, Enterprise Admins = Critical
- Other Privileged Accounts, Service Accounts, Vendor Accounts = High
- All other network accounts = Medium
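As an added illustration (not code from SA-admon, whose logic lives in its saved searches), the following Python derives the categories and priority tiers above from the AD attributes of an admon event. The sample events are constructed; their one-attribute-per-line layout, the admonEventType field, the availability of memberOf, and the use of servicePrincipalName as the service-account heuristic are assumptions. The userAccountControl flag values and the primary group RIDs 516 (Domain Controllers) and 521 (Read-only Domain Controllers) are standard AD constants.

```python
"""Derive SA-admon style categories and priorities from AD attributes (added example)."""
import re

# userAccountControl bits (ADS_USER_FLAG_ENUM); these values are standard.
UAC_FLAGS = {
    "NORMAL_ACCOUNT": 0x200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}
RID_DOMAIN_CONTROLLERS = 516            # primaryGroupID of writable DCs
RID_READ_ONLY_DOMAIN_CONTROLLERS = 521  # primaryGroupID of RODCs
CRITICAL_GROUPS = {"Domain Admins", "Enterprise Admins"}  # the page's critical tier


def as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_event(raw):
    """Turn 'attr=value' lines into a dict; repeated attributes become lists (assumed layout)."""
    attrs = {}
    for line in raw.splitlines():
        m = re.match(r"^\s*([\w\-]+)=(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        attrs[key] = as_list(attrs[key]) + [value] if key in attrs else value
    return attrs


def uac_value(attrs):
    """Accept a numeric userAccountControl or a 'FLAG | FLAG' rendering."""
    raw = str(attrs.get("userAccountControl", "0"))
    if raw.isdigit():
        return int(raw)
    return sum(UAC_FLAGS.get(flag.strip(), 0) for flag in raw.split("|"))


def categories(attrs):
    """Categories an object belongs to; a DC also carries unconstrained delegation."""
    uac = uac_value(attrs)
    pgid = int(attrs.get("primaryGroupID", 0))
    cats = []
    if pgid == RID_DOMAIN_CONTROLLERS or uac & UAC_FLAGS["SERVER_TRUST_ACCOUNT"]:
        cats.append("domain_controller")
    if pgid == RID_READ_ONLY_DOMAIN_CONTROLLERS or uac & UAC_FLAGS["PARTIAL_SECRETS_ACCOUNT"]:
        cats.append("read_only_domain_controller")
    if uac & UAC_FLAGS["TRUSTED_FOR_DELEGATION"]:
        cats.append("unconstrained_delegation")
    if attrs.get("msDS-AllowedToDelegateTo"):  # target SPN list => constrained delegation
        cats.append("constrained_delegation")
    if attrs.get("adminCount") == "1":  # set by SDProp on protected objects
        cats.append("privileged")
    return cats


def asset_priority(cats, holds_sensitive_data=False):
    """Page tiers: grants access = critical, contains sensitive data = high, else medium.
    Treating DCs and RODCs as 'grants access' is this example's assumption."""
    if "domain_controller" in cats or "read_only_domain_controller" in cats:
        return "critical"
    return "high" if holds_sensitive_data else "medium"


def identity_priority(attrs, cats):
    """Page tiers: DA/EA members = critical; other privileged and service accounts = high."""
    groups = {dn.split(",", 1)[0].split("=", 1)[-1] for dn in as_list(attrs.get("memberOf"))}
    if groups & CRITICAL_GROUPS:
        return "critical"
    if "privileged" in cats or attrs.get("servicePrincipalName"):  # SPN holder = service account (assumed)
        return "high"
    return "medium"


def classify(raw, holds_sensitive_data=False):
    """Parse one event and return a KV-store style record for it."""
    attrs = parse_event(raw)
    cats = categories(attrs)
    is_asset = str(attrs.get("objectCategory", "")).startswith("CN=Computer")
    prio = asset_priority(cats, holds_sensitive_data) if is_asset else identity_priority(attrs, cats)
    return {"name": attrs.get("sAMAccountName"), "type": "asset" if is_asset else "identity",
            "categories": cats, "priority": prio}


# Constructed sample events (not real admon output).
DC_EVENT = """admonEventType=Sync
objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=example
sAMAccountName=WIN-DC-01$
primaryGroupID=516
userAccountControl=532480
"""
ADMIN_EVENT = """admonEventType=Update
sAMAccountName=jdoe
adminCount=1
memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=example
memberOf=CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=example
userAccountControl=NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
"""
SVC_EVENT = """admonEventType=Update
sAMAccountName=svc-sql
servicePrincipalName=MSSQLSvc/sql01.corp.example:1433
msDS-AllowedToDelegateTo=cifs/fs01.corp.example
userAccountControl=66048
"""
```

Running classify() over the three samples yields the DC as a critical asset in both the domain_controller and unconstrained_delegation categories (532480 is the usual DC userAccountControl value, SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION), the Domain Admins member as a critical identity, and the SPN holder with msDS-AllowedToDelegateTo as a high-priority identity in the constrained_delegation category.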
Installation Guide
Splunk Add-on for Admon Enrichment (SA-admon) Installation¶
LAPS Warning¶
In domains running LAPS, the local administrator password is stored in cleartext in an AD attribute: ms-Mcs-AdmPwd for legacy LAPS, and msLAPS-Password for Windows LAPS unless password encryption has been enabled. A domain controller running admon under the Local System account has the privileges to read these attributes, so it will forward and index the plaintext passwords. If the admon data is sent directly to Splunk Cloud, the indexing tier applies the masking. On-prem deployments need SA-admon (or just its props.conf masking configuration) installed on the first full Splunk instance that parses the data, i.e. the heavy forwarder or the indexers depending on the architecture. Masking is applied at index time, so anything indexed before the configuration was in place remains exposed and must be cleaned up separately.
To avoid relying on masking, configure the admon input on a domain-joined member device whose forwarder runs under an unprivileged domain account that does not have read access to the LAPS password attributes. See the Remote DC admon Input Configuration Stanza below.
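The following Python is an added example of the masking the warning above calls for; it is not SA-admon's props.conf. It anchors on the exact attribute name so that the harmless ms-Mcs-AdmPwdExpirationTime and msLAPS-PasswordExpirationTime timestamps survive, masks to the end of the line because a LAPS password can contain spaces, commas and further = signs, and offers a check for any unmasked value left in indexed data. The sample event is constructed and its attribute=value layout is an assumption about admon's rendering.

```python
"""Mask LAPS password attributes in raw admon text before indexing (added example)."""
import re

# Attributes whose whole value must be hidden: legacy LAPS and Windows LAPS cleartext.
LAPS_SECRET_ATTRS = ("ms-Mcs-AdmPwd", "msLAPS-Password")
MASK = "********"

# Anchored on the full attribute name followed by '=', so the ...ExpirationTime
# attributes (same prefix, harmless timestamp) are not touched; the value is
# consumed to end of line because passwords may contain '=', spaces and commas.
_SECRET_RE = re.compile(
    r"(?m)^(\s*(?:%s))=[^\r\n]*$" % "|".join(re.escape(a) for a in LAPS_SECRET_ATTRS)
)


def mask_laps(raw):
    """Return raw with the secret attributes' values replaced by MASK."""
    return _SECRET_RE.sub(r"\1=" + MASK, raw)


def leaks_laps(raw):
    """True if any secret attribute still carries a value other than MASK."""
    return any(m.group(0).split("=", 1)[1] != MASK for m in _SECRET_RE.finditer(raw))


# Constructed sample event (not real admon output); the password is made up.
SAMPLE = """admonEventType=Update
objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=example
sAMAccountName=WS-0421$
ms-Mcs-AdmPwd=Q7!v=pass word,x
ms-Mcs-AdmPwdExpirationTime=133650000000000000
msLAPS-Password={"n":"Administrator","t":"1da7e1","p":"Zt9#kLm"}
msLAPS-PasswordExpirationTime=133650000000000000
"""
```

The same anchoring expressed as an index-time SEDCMD in props.conf on the admon sourcetype would look like `SEDCMD-mask_laps = s/(ms-Mcs-AdmPwd|msLAPS-Password)=[^\r\n]*/\1=********/g` (an assumed form; verify it against your own event layout and sourcetype name before relying on it). A search that mimics leaks_laps, looking for either attribute followed by anything other than the mask, is a useful periodic check that the masking is still in effect on every tier the data traverses.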
Where to Install SA-admon?¶
- ES Search Head
- Indexers if LAPS masking is required
- Heavy Forwarders if LAPS masking is required & data is traversing the HF
How to Deploy admon and Update the KV Stores¶
- Step 1: Deploy the admon inputs.conf stanza to a single DC in each domain
With baseline = 1 in the stanza, a full baseline of all objects is captured each time the universal forwarder restarts.
See the Single DC admon Input Configuration Stanza below.
- Step 2: Set the index used by the admon input in the activedirectory macro (Settings > Advanced search > Search macros), e.g. index=admon
- Step 3: Open the saved searches and update categories and priorities as required
- Step 4: Identify the time period when the most recent baseline was captured
- Step 5: Run the saved searches over that baseline and all events since it was captured to populate the KV Stores
- Step 6: Enable and schedule the saved searches to run at a regular interval so that all subsequent changes are written to the KV Stores (Settings > Searches, reports, and alerts > App = SA-admon)
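Steps 4 to 6 amount to replaying the latest baseline plus every change since it, keeping the most recent state of each object. The following Python is an added illustration of that reduction, not SA-admon's saved searches: it works on events as a search would return them after field extraction (plain dicts), and it assumes admonEventType values of Sync for baseline events, Update and Delete for changes, and objectGUID as the stable object key. The event list is constructed.

```python
"""Rebuild the current state of AD objects from a window of admon events (added example)."""


def baseline_starts(events):
    """Times at which a run of baseline (Sync) events begins, oldest first.
    A new run appears every time the forwarder restarts (baseline = 1)."""
    starts, in_baseline = [], False
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["admonEventType"] == "Sync":
            if not in_baseline:
                starts.append(ev["_time"])
            in_baseline = True
        else:
            in_baseline = False
    return starts


def build_collection(events, since):
    """Latest attributes per object from events at or after `since`, deletions applied.

    `since` should be the start of the most recent baseline: an object removed
    while the forwarder was down never produces a Delete event, and only a
    fresh baseline reveals that it is gone. Replaying from an older baseline
    would resurrect it in the KV Store."""
    state = {}
    for ev in sorted(events, key=lambda e: e["_time"]):  # stable sort keeps ties in order
        if ev["_time"] < since:
            continue
        key = ev["objectGUID"]
        if ev["admonEventType"] == "Delete":
            state.pop(key, None)
        else:
            state[key] = {k: v for k, v in ev.items() if k not in ("_time", "admonEventType")}
    return state


def ev(t, kind, guid, **attrs):
    """Helper to build a constructed event dict."""
    return {"_time": t, "admonEventType": kind, "objectGUID": guid, **attrs}


# Constructed event stream (not real admon output).
EVENTS = [
    ev(100, "Sync", "guid-a", sAMAccountName="alice", title="Analyst"),
    ev(100, "Sync", "guid-b", sAMAccountName="bob", title="Engineer"),
    ev(200, "Update", "guid-b", sAMAccountName="bob", title="Senior Engineer"),
    # Forwarder restarted at t=300, so a fresh baseline follows. alice was deleted
    # while it was down: no Delete event exists, she is simply absent from the baseline.
    ev(300, "Sync", "guid-b", sAMAccountName="bob", title="Senior Engineer"),
    ev(300, "Sync", "guid-c", sAMAccountName="carol", title="Director"),
    ev(450, "Delete", "guid-c", sAMAccountName="carol"),
]
```

Replaying from the first baseline (since=100) keeps alice in the collection even though she no longer exists; replaying from the latest baseline (since=300) yields only bob, with carol removed by her Delete event. In Splunk terms this is a latest-per-object reduction followed by outputlookup, with the search's earliest time set to the most recent baseline start (Step 4) and, once scheduled, a lookback wider than the schedule interval so no change falls between two runs.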
Single DC admon Input Configuration Stanza¶
## admon inputs.conf, deployed to the domain controller itself
[admon://ADMonitoring]
# monitor the DC this forwarder is running on
targetDc = localhost
# capture a full baseline of all objects whenever the forwarder starts
baseline = 1
index = admon
disabled = false
Remote DC admon Input Configuration Stanza¶
## admon inputs.conf, deployed to a domain-joined member device running the forwarder under an unprivileged domain account
[admon://ADMonitoring]
# name of the remote DC to monitor over the network
targetDc = WIN-DC-02
# capture a full baseline of all objects whenever the forwarder starts
baseline = 1
index = admon
disabled = false
Replication Delays¶
The timestamp on an admon event is the time at which the monitored domain controller saw the change. For changes made on other domain controllers, that is the time the replication arrived at the DC running admon, not the time the change was originally made. Significant replication delays therefore skew timelines and can cause a change to fall outside the time window of the scheduled search that updates the KV Store, so it is missed. To mitigate this, consult a Windows expert and consider enabling Change Notification on the relevant site links so changes replicate promptly.
Splunk Add-on for Admon Enrichment (SA-admon) ES Configuration¶
Once the admon data has been onboarded and the SA-admon KV Stores populated with dynamic active directory data, the following steps will guide the integration of the SA-admon lookups with the Splunk Enterprise Security Assets & Identities framework.
Adding the KV Store Lookups to ES Assets & Identities¶
ES > Configure > Data Enrichment > Asset & Identity Management
Identity Fields¶
Fields present in the identity fields section will be added to the raw logs as part of the A&I enrichment.
Identity Fields > Add New Field
Ensure all the additional fields have been included:
- description (tag)
- domain (tag)
- dn
- title
- servicePrincipalName (multivalue)
- userPrincipalName
- sAMAccountName
- objectSid
- downLevelDomainName
Identity Lookups¶
Identity Lookups > New > New Configuration
- Source: admon_identities_def
- Select Convention: Email
- Custom Conventions:
- downLevelDomainName()
- objectSid()
- userPrincipalName()
Custom conventions are added to the identity field when the A&I merge occurs. Those values are then used to match a user whenever one of the values in the identity field is present in either the user or src_user field of an event. Note that sAMAccountName is already added to the identity field by the SPL that populates the KV Store, so it is not added here. Further reading on how to configure A&I can be found here.
Troubleshooting tip: if you are unable to add a custom convention, the field must first be configured in the Identity Fields section of the A&I configuration before it can be added as a custom convention.
Asset Fields¶
Fields present in the asset fields section will be added to the raw logs as part of the A&I enrichment.
Asset Fields > Add New Field
Ensure all the additional fields have been included:
- operatingSystem (tag)
- operatingSystemVersion
- description (tag)
- location (tag, mv)
Assets Lookup¶
Asset Lookups > New > New Configuration
- Source: admon_assets_def
Each of the asset key fields (ip, mac, nt_host, dns) is merged into the asset field during the A&I merge, which is why they did not need to be added to the lookup. The key fields are also used to merge entries across all asset lookups that share a common value. When a value in the asset field matches the src, dest or dvc field of a raw event, A&I enriches that event. Further reading on how to configure A&I can be found here.
Splunk Add-on for Admon Enrichment (SA-admon) Troubleshooting Guide¶
ES > Configure > Data Enrichment > Asset & Identity Management > Search Preview
Firstly, run through the preview searches to look for issues within the merged data. This step is especially important when merging multiple different lookup sources. The preview searches can be copied from the search preview tab within A&I.
Merging Issues¶
Merging is returning more results than expected¶
- Check the fields are named correctly
Merging is occurring on unintentional field values, like an unknown MAC address¶
- Add an exclusion for the unknown value
Search preview looks fine however the lookup does not¶
- Your changes have worked; reset the collections so the lookups are rebuilt from the corrected merge
Identify merging errors¶
index=_internal source=*entity*.log
Raw logs not being enriched¶
Ensure A&I Lookups are enabled¶
ES > Configure > Data Enrichment > Asset & Identity Management > Correlation Setup
Lookup may contain incorrect values in the listed fields¶
- Asset Lookups: ip, mac, nt_host, dns
- Identity Lookup: identity (ensure the values are all being merged to the identity field from desired source fields, i.e. email, sAMAccountName, userPrincipalName, downLevelDomainName)
Raw events may not have correctly named fields which match a value in the asset / identity field¶
- Asset Fields: src, dest, dvc
- Identity: user, src_user
- The field names must match exactly as listed above; a source that extracts, for example, src_ip or account_name instead will not be enriched until the fields are aliased
Overlapping Naming Conventions and IP Addressing Schemes¶
- Enable Entity Zones