MS Windows AD Objects

Splunk AppInspect Passed
Overview
Provides a solution for building and dynamically updating Splunk AD Object Lookups with User, Group, Computer, OU, and Group Policy Active Directory object data. These lookups can then be used to quickly analyze the latest AD attribute values and correlate them with Windows Events or any other indexed data.
There are over 40 dashboards and 50 reports provided, including numerous ones that can help you build your own.
This application also provides an efficient alternative for looking up AD Object attributes instead of using the Support Add-On for Active Directory (i.e. remote LDAP queries). Since the Splunk for Windows Infrastructure and Splunk for Microsoft Exchange applications require the SA LDAPSearch add-on by default, the MS Windows AD Objects application provides the dashboard files needed to replace the ones provided within these applications.

Description:

The MS Windows AD Objects application leverages admon (ActiveDirectory) data for building and updating AD object lookup files stored in the KV store. These lookup files can then be leveraged for looking up the latest (< 10 minutes) AD attribute information of User, Group, Group Policy, Organizational Unit, and Computer AD objects. This app also contains updated dashboard files for the Splunk® for Windows Infrastructure and Splunk® for Microsoft Exchange applications that you can optionally use instead of the default ones provided by these applications. These updated files replace the use of the SA_LDAPSearch (Splunk® Support Add-On for Active Directory) LDAP queries in the searches/macros/dashboards with the MS Windows AD Objects lookups.


Use Cases

  • Dynamic AD Object Lookup
    • Need to capture, dynamically build and update Active Directory Object lookup tables for Users, Groups, Computers, OUs, and Group Policies.
  • Security or IT Operations
    • Audit or manage Active Directory Object creations, deletions, moves and modifications, and perform advanced event-to-performance correlation analytics.
    • Audit or manage AD User Logins, either for potential security threats or IT service impact.
  • Correlation of AD Objects and other data sources
    • Correlate Active Directory Objects with Windows Events or any other Splunk indexed datasources.


Application Highlights

  • Getting Started and Data In step-by-step walkthrough (New Version 4.0)
    • The Configuration - Getting Data In dashboard walks you through the complete process for getting Windows data in and configuring the MS Windows AD Objects application.
    • This dashboard first takes your input (the scope of your environment and your deployment plans) to provide aligned steps for configuration and for getting the required/recommended Windows data in.
    • Note: If you are upgrading from a previous version of the MS Windows AD Objects application, you still need to walk through this wizard, because it ensures that the new macros that point to the Windows data are configured and that your current CSV lookups are migrated to the appropriate KV store.
  • Advance Correlation Analytics (New and Updated Version 4.0)
    • The AD Objects - Group - Sub Search - Builder and AD Objects - User - Logins by Group Membership dashboards have been enhanced in both performance and result analysis, such as viewing indexed data by sourcetype for all Users within a specific AD Group.
    • Added a new dashboard AD Objects - OU - Sub Search - Builder that provides you a way to analyze indexed data correlated with all Users within an Organizational Unit.
  • Powerful Automatic Building of KVStore Lookups (New Version 4.0)
    • The building of lookups, or migrating from previous object CSVs, has been enhanced with time selections, performance and scalability improvements.
    • If you are upgrading from a previous version of MS Windows AD Objects, you can also migrate your existing Object lookup CSVs to the new KVStore lookups.
  • Login Analysis Tracking:
    • Login attempt Success Ratio
    • Logins by group membership
    • Login attempts by Disabled/Expired Accounts
    • Logins by Non-Domain Accounts
    • Locked Accounts
  • AD Object Change Management:
    • Change Management Data Model (Updated Version 4.0)
      • Used for tracking AD Change Trends using Splunk's Data Modeling
      • MS_Windows_AD_Changes Data Model
    • Change Management Events Lookup (Updated Version 4.0)
      • Lookup that contains Change Event ID's, category, type, and target Objects.
      • Leveraged as a sub-search for change reports and dashboards
    • Change Management Dashboard
      • Track All Administrator change activities from a single dashboard.
    • Individual AD Object Change Reports (Updated Version 4.0)
      • Report by type of changes (Create,Delete,Modify,Moves)
      • Target AD Objects (Users,Groups,Group Membership,Computer,OU's and Containers, GPO)


Implementation Options

  • Stand Alone
    • This application provides numerous dashboards and reports for analyzing your Active Directory objects data as well as core Microsoft Windows events, WinHostMon, and perfmon data. These are all provided within this application and do not depend on either the Splunk® for Windows Infrastructure or Splunk® for Microsoft Exchange applications.
  • Integration Options
    • What type of Integration?
      • Optionally integrate the AD Object Lookups maintained by the MS Windows AD Objects application with either Splunk® for Windows Infrastructure or Splunk® for Microsoft Exchange. This integration process consists of updating the macros, reports, and dashboards of these applications to use the AD Object lookups instead of doing remote LDAP queries with the Splunk Support Add-On for Active Directory.
    • How does the MS Windows AD Objects application integrate with these applications?
      • The MS Windows AD Objects application comes with updated configuration and dashboard files that replace these applications' required use of the Splunk® Support Add-On for Active Directory (SA-LDAPsearch) for getting AD attribute data with the lookups generated by MS Windows AD Objects.


Application Configuration Steps Overview:

  • Note: The configuration steps for the MS Windows AD Objects application are now defined and outlined specifically for your environment using the Configuration - Getting Data In dashboard. Below is a basic overview of the individual sections and tasks covered by this dashboard:

  • Sections covered and walked through:
    • Section Step 1: Scope Definition: This step is used to align the subsequent steps with your environment and deployment plans.
    • Section Step 2: Preparation: Provides the preparation steps so that the Splunk core components, the MS Windows AD Objects application and the TA configuration are ready to receive the Windows data and deployment.
    • Section Step 3: Deployment: Covers the steps for distributing the previously configured Splunk Technical Add-Ons to the target Windows Systems.
    • Section Step 4: Check Data: This section provides you a way of verifying, and if necessary troubleshooting, the previous configuration steps.
    • Section Step 5: Build Lookups: This last section walks through the final step of building the MS Windows AD Objects lookup tables.
  • Tasks that have specific steps outlined within this dashboard:
    • Downloading Software and/or applications: You will be provided links to Splunk Enterprise software, the Windows TA, and the pre-configured Example TAs provided by the MS Windows AD Objects application.
    • Installation Instructions (if installation of the following components is necessary):
      • Splunk Universal Forwarder: You will be provided step-by-step instructions for installing the Splunk Universal Forwarder on your target Windows Systems.
      • Splunk Deployment Server: If you choose to use the Splunk Deployment Server, and it isn't already installed, you will be provided the step-by-step installation and configuration instructions.
      • Splunk Heavy Forwarder: If you choose to use the Splunk Heavy Forwarder, and it isn't already installed, you will be provided the step-by-step installation and configuration instructions.
      • Splunk Add-On for Microsoft Windows: If you have not already installed the Splunk Add-On for Microsoft Windows application on your Search Heads/Indexers/Heavy Forwarder/Splunk Cloud Environment, then you will be provided the steps for doing so.
    • Knowledge Object Configuration: You will be provided the steps, including validation status, for creating the Splunk indexes that will store the Windows data, and for configuring the macros that are leveraged for pointing to the Windows data.
    • Defining Deployment Server Classes: If you are using a Splunk Deployment Server, then you will be provided the steps for creating the Splunk Deployment Server classes, configuring the TAs that will be deployed, and defining the target Splunk Forwarders the TAs will be deployed to.
    • Building the MS Windows AD Objects kvstore lookups: You will be provided the steps, and perform the actions, for building the required lookups for your AD User, Group, Computer, GPO and OU objects.
    • Other Best Practice Configuration or Validation: Depending on your Scope definitions, you will also be provided other necessary configuration or Getting Data In steps.


Supporting Splunk Application Requirements:

Below is a list of required supporting Splunk applications by each Splunk component.

  • Splunk Search Head:
    • Required - MS Windows AD Objects
    • Required - Splunk Add-on for Microsoft Windows
    • Optional - Splunk® for Windows Infrastructure or Splunk® for Microsoft Exchange
  • Splunk Indexer:
    • Required - Splunk Add-on for Microsoft Windows
  • Splunk Universal Forwarder:
    • Required - Splunk Add-on for Microsoft Windows
  • Splunk Cloud Environment:
    • Required - MS Windows AD Objects
    • Required - Splunk Add-on for Microsoft Windows
    • Optional - Splunk® for Windows Infrastructure or Splunk® for Microsoft Exchange
  • Splunk Heavy Forwarder:
    • Required - Splunk Add-on for Microsoft Windows
    • Splunk Cloud Only - Splunk Cloud Credentials Application


Data Requirements:

This application leverages admon (i.e. sourcetype=ActiveDirectory) data collected by the Splunk Add-on for Microsoft Windows TA or by the Splunk_TA_windows_admon pre-configured TA provided by the MS Windows AD Objects application. Below are the two types of admon data leveraged:

  • admon Data Types:
    • admon Baseline data:
      • A single, complete, point-in-time event dump of the Active Directory object attributes.
    • admon Update and Delete data:
      • Events that are generated when AD objects are updated or deleted.

This application also leverages Windows Event Log, WinHostMon, and Performance Counter data collected by the Splunk Add-on for Microsoft Windows TA, and/or the Splunk_TA_windows_dc/Splunk_TA_windows/local/inputs.conf pre-configured TAs provided by the MS Windows AD Objects application.

Release Notes

Version 4.0.3
Aug. 20, 2020

Version 4.0.3:
- Important NOTE: If you previously installed version 4.0.2, then you will need to rebuild the lookups using the "Build AD Lookup Lists - Main" dashboard.
- Fixed dn_path field extractions.
- Fixed an issue where new admon event data was being appended to the lookups instead of updating the existing row.
- New - Added new fields that can be used for filtering Users/Groups/Computers by cn, dn, sAMAccountName, or userPrincipalName: AD_Obj_User (lookup_usr field), AD_Obj_Group (lookup_grp field), AD_Obj_Computer (lookup_cmp field). For example, this helps look up an event's user field and pull back the AD attributes, where the user value can be the cn, dn, historical dn, sAMAccountName or email address. (... | lookup AD_Obj_User lookup_usr AS user OUTPUT dn AS user_dn, cn AS user_cn )
- Added some new Critical Objects correlation and performance reports.
NOTE: Updating from a pre-4.x version:
This update consists of multiple enhancements and changes; read the Details information carefully before upgrading.
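As an added example (not part of the app's own searches), the lookup_usr field introduced in this release can enrich Windows Security logon events with AD attributes and, in one pass, cover two of the Use Cases listed above: the login success ratio and logins by non-domain accounts, the latter being any user value that resolves to no AD_Obj_User row. The index name, the WinEventLog:Security sourcetype and the user field extracted by the Splunk Add-on for Microsoft Windows are assumptions; the lookup name and the dn, cn, sAMAccountName and memberOf fields come from the release notes on this page.

```spl
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625)
| where NOT match(user, "\$$")
| eval outcome=if(EventCode=4624, "success", "failure")
| lookup AD_Obj_User lookup_usr AS user OUTPUT dn AS user_dn, cn AS user_cn, sAMAccountName AS user_sam, memberOf AS user_groups
| eval user_type=if(isnull(user_dn), "non-domain", "domain")
| fillnull value="(not in AD_Obj_User)" user_dn, user_cn, user_sam
| stats count(eval(outcome="success")) AS successes, count(eval(outcome="failure")) AS failures, values(user_groups) AS groups by user, user_type, user_dn, user_cn, user_sam
| eval success_ratio=round(successes/(successes+failures), 3)
| where user_type="non-domain" OR failures > 10
| sort - failures
```

Computer accounts (names ending in $) are filtered out first because they live in AD_Obj_Computer, not AD_Obj_User, and would otherwise all appear as non-domain; the fillnull step matters because stats drops rows whose by-fields are null, which would silently remove exactly the non-domain accounts the search is meant to surface.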

Version 3.2.9
April 12, 2019

Version 3.2.9:
✓ Resolved:
⁃ Fixed: v3.2.5 Important Update - Possible search performance impact. Updated the field extraction (ms_ad_obj_admon_forest_s) added with v3.2.5. Also optimized the AD_Domain_Selector building search.
⁃ Fixed: [admon_dn_path] Transform regex for getting the dn_path field content.
✓ Enhanced Initial Lookup Building Searches:
⁃ Added a sub-search to the "Build" reports that uses the most recent admonEventType("Sync") event as the starting time point for building the AD Object Lookups. Improves performance, especially in environments with large amounts of historical admon data. Create a new admon baseline for the quickest build results.
⁃ Deleted-object admon events will be picked up for the last 90 days; this can be adjusted in the search settings.
✓ New - Pre-Configured Splunk_TA_windows v6.0 input examples:
⁃ Pre-configured and enabled inputs.conf examples for speeding up initial Windows deployments. (.../appserver/addons/TA_Examples/)
✓ Updated macros/reports/dashboards; see the in-app documentation.

Version 3.2.7
April 12, 2019

Version 3.2.6:
✓ Resolved:
⁃ Fixed: v3.2.5 Important Update - Possible search performance impact. Updated the field extraction (ms_ad_obj_admon_forest_s) added with v3.2.5. Also optimized the AD_Domain_Selector building search.
⁃ Fixed: [admon_dn_path] Transform regex for getting the dn_path field content.
✓ Enhanced Initial Lookup Building Searches:
⁃ Added a sub-search to the "Build" reports that uses the most recent admonEventType("Sync") event as the starting time point for building the AD Object Lookups. Improves performance, especially in environments with large amounts of historical admon data. Create a new admon baseline for the quickest build results.
⁃ Deleted-object admon events will be picked up for the last 90 days; this can be adjusted in the search settings.
✓ New - Pre-Configured Splunk_TA_windows v6.0 input examples:
⁃ Pre-configured and enabled inputs.conf examples for speeding up initial Windows deployments. (.../appserver/addons/TA_Examples/)
✓ Updated macros/reports/dashboards; see the in-app documentation.

Version 3.2.3
June 20, 2018

Resolved Issues:
⁃ Cloud Verification Fixes:
⁃ Replaced the "Real Time" time setting for the AD Objects - Verify Baseline Data - Completed report.
⁃ Updated the MS_Windows_AD_Changes data model settings to not enable acceleration by default.
⁃ Other Fixes:
⁃ Fixed Documentation View.
⁃ Added Transforms stanza/settings for lookups:
⁃ ms_ad_obj_uac_temp.csv, ms_ad_obj_field_AD_Computer_LDAP_list.csv, ms_ad_obj_field_AD_User_LDAP_list.csv, ms_ad_obj_field_AD_Group_LDAP_list.csv, ms_ad_obj_user_rights_map.csv.
⁃ These lookups are extra lookups available for reference or expansion.
⁃ Fixed Regex - Issues in transforms where capturing groups were used instead of non-capturing groups.
⁃ Updated Sync and Build searches for Users, Computers and Groups to remove the values in the memberOf field when the object is deleted.
⁃ Added another field, memberOf_hist, that will contain the memberOf values at the time the object is deleted.
⁃ Enhanced the User Audit dashboard with tooltip information.

Version 3.2
April 4, 2018

Version 3.2:
Fixed:
- Regex - user \S-\S issue, to \S\-\S
- case sensitivity for lookups
- missing domain field
- admin audit lookup was getting populated when a user resets their own password
- enhanced and new field extractions
- enabled case-insensitive setting for lookups
Enhanced UI:
- Updated login dashboard/reports to use a more efficient search.
- Updated Dashboards: Admin Change Management, Logon Ratio (Now includes non-domain attempts), Group Sub-Search Builder, and numerous others.
** For more information please refer to the Configuration Dashboards -> Documentation view. **

Version 3.1.1
June 21, 2017

Version 3.1.1
Minor Updates - Updated field extraction to retrieve cn and user values for AD Object Moves. Also fixed a minor issue with the Application Health - Saved Servers dashboard. Including the previous release notes for other recent information from version 3.0.
Version 3.1:
Resolved Issues (1. Fixed duplication of the domain field when deploying against multiple domain controllers. 2. Resolved issue with the integration dashboards for Winfra/Exchange Apps pointing to the ldap search. 3. Updated several field extractions and added a user_type evaluation field for improving login reports and dashboards.)
Added Dashboards (1. Login Status Ratio 2. Application Knowledge Browser - Thank You Cindy McCririe)

Version 3.1
June 20, 2017

Version 3.1:
Resolved Issues (1. Fixed duplication of the domain field when deploying against multiple domain controllers. 2. Resolved issue with the integration dashboards for Winfra/Exchange Apps pointing to the ldap search. 3. Updated several field extractions and added a user_type evaluation field for improving login reports and dashboards.)
Added Dashboards (1. Login Status Ratio 2. Application Knowledge Browser - Thank You Cindy McCririe)

1,291 Installs, 7,499 Downloads