
Download checksums for MS Windows AD Objects

  • SHA256 (ms-windows-ad-objects_329.tgz): 5d97b72a55ee7f52b39dc857e89946cc243b368246386f1dcc160fbb18f109a0
  • SHA256 (ms-windows-ad-objects_327.tgz): 46783378d5697f5488929aa85a09ffbda48a154a055a9b5938ed6d50098e2ecf
  • SHA256 (ms-windows-ad-objects_323.tgz): f23e399009a8413fdd94a5e3ace15ce751c26a39bb6bb4d094fed4481c777d9d
  • SHA256 (ms-windows-ad-objects_32.tgz): e443b7a24a7c79a367721f1ff1582b9f8058c587c44a21f119841537ebbc35ce
  • SHA256 (ms-windows-ad-objects_311.tgz): 3dca033df547f678c2bf5eec00155ad3755feb015150b258998704357f12f867
  • SHA256 (ms-windows-ad-objects_31.tgz): 933614f5e7fc8ba79e36adf3ac504292e5f4b160ce19469048a8585a1559b8bd

MS Windows AD Objects

Provides a solution for building and dynamically updating Splunk AD Object lookups with User, Group, Computer, OU, and Group Policy Active Directory object data. These lookups can then be used to quickly analyze the latest AD attribute values and correlate them with Windows Events or any other indexed data.
There are over 40 dashboards and 50 reports provided, including numerous ones that can help you build your own.
This application also provides an efficient alternative for looking up AD Object attributes instead of using the Splunk Support Add-On for Active Directory (i.e. remote LDAP queries). Since the Splunk for Windows Infrastructure and Splunk for Microsoft Exchange applications require the SA-LDAPSearch add-on by default, the MS Windows AD Objects application provides the dashboard files needed to replace the ones shipped within those applications.

Description:

The MS Windows AD Objects application leverages admon (Active Directory monitoring) data for building and updating AD object lookup files. These lookup files can be used to look up the latest (less than 10 minutes old) AD attribute information for User, Group, Group Policy, Organizational Unit, and Computer AD objects. This app contains optional updated .conf files for the Splunk® for Windows Infrastructure and Splunk® for Microsoft Exchange applications. These updated .conf files replace the use of SA_LDAPSearch (Splunk® Support for Active Directory) LDAP queries in the searches, macros, palette panels, and dashboards with the MS Windows AD Objects lookup files. This application also includes field extraction updates and enhancements for current versions of the Splunk® for Windows Infrastructure and Splunk® for Microsoft Exchange applications.


Use Cases

  • Dynamic AD Object Lookup
    • Need to capture, dynamically build and update Active Directory Object lookup tables for Users, Groups, Computers, OUs, and Group Policies.
  • Security or IT Operations
    • Audit or manage Active Directory Object creations, deletions, moves, and modifications
    • Audit or manage AD User Logins, either for potential Security threats or IT Service impact.
  • Correlation of AD Objects and other data sources
    • Correlate AD Objects with Windows Events or any other Splunk indexed datasources.


Application Highlights

  • Powerful Automatic Building of Lookups (New Version 3.0)
    • You can now build all of the AD Object Lookups by initiating a single execution.
  • Login Analysis Tracking:
    • Login attempt Success Ratio
    • Logins by group membership
    • Login attempts by Disabled/Expired Accounts
    • Logins by Non-Domain Accounts
    • Locked Accounts
  • AD Object Change Management:
    • Change Management Data Model (New Version 3.0)
      • Used for tracking AD Change Trends using Splunk's Data Modeling
      • MS_Windows_AD_Changes Data Model
    • Change Management Events Lookup (New Version 3.0)
      • Lookup that contains Change Event IDs, category, type, and target objects.
      • Leveraged as a subsearch for change reports and dashboards
    • Change Management Dashboard
      • Track All Administrator change activities from a single dashboard.
    • Individual AD Object Change Reports (New Version 3.0)
      • Report by type of change (Create, Delete, Modify, Move)
      • Target AD Objects (Users, Groups, Group Membership, Computers, OUs and Containers, GPOs)


Implementation Options

  • Stand Alone
    • This application provides numerous dashboards and reports for analyzing your Active Directory objects as well as core Microsoft Windows. These are all provided within this application and do not depend on either the Splunk® for Windows Infrastructure or Splunk® for Microsoft Exchange applications.
  • Integration Options
    • What type of Integration?
      • Optionally integrate the AD Object Lookups maintained by the MS Windows AD Objects application with either the Splunk® for Windows Infrastructure or Splunk® for Microsoft Exchange application. This integration process consists of updating the macros, reports, and dashboards of these applications to use the AD Object lookups instead of performing remote LDAP queries with the Splunk Support Add-On for Active Directory.
    • How does the MS Windows AD Objects application integrate with these applications?
      • The MS Windows AD Objects application ships updated configuration and dashboard files that replace the Splunk® for Windows Infrastructure and Splunk® for Microsoft Exchange apps' required use of the Splunk® Support for Active Directory (SA-LDAPsearch) application for retrieving AD attribute data with the lookups generated by MS Windows AD Objects.
    • Why and What Splunk Environments can be integrated?
      • Splunk® Cloud Environments:
        • Splunk® Cloud environments that are leveraging either the Splunk® for Windows Infrastructure or Splunk® for Microsoft Exchange applications, where either corporate policies or security practices prevent external access to the internal AD Environment as required with the implementation of the Splunk® Support for Active Directory application.
      • Splunk® Enterprise On-Premise Environments:
        • Splunk On-Premise environments that are leveraging either the Splunk® for Windows Infrastructure or Splunk® for Microsoft Exchange applications, where current implementations of the Splunk® Support for Active Directory LDAP Queries are seeing slow response times.


Application Configuration Steps Overview:

Below is a basic overview of the deployment steps. For detailed steps, refer to the landing page or the Documentation dashboard within the application, or to the PDF documentation under the ms_windows_ad_objects/appserver/static/ directory.

  1. Review Application Details and Architecture Information using the application landing page.
  2. Review and Follow Deployment Steps for collecting Active Directory Data
  3. After verifying required admon data has been indexed, leverage the Build AD Lookup Lists - Main dashboard to build the AD Object lookups for AD:
    • Users
    • Groups
    • Computers
    • Distribution Lists
    • Organizational Units
    • Group Policies
  4. Optional Step: Review and complete the integration steps for either, or both of the following applications:
    • Splunk® for Windows Infrastructure
    • Splunk® for Microsoft Exchange


Supporting Splunk Application Requirements:

Below is a list of required supporting Splunk applications by each Splunk component.

  • Splunk Search Head:
    • Required - MS Windows AD Objects
    • Optional - Splunk® for Windows Infrastructure or Splunk® for Microsoft Exchange
    • Required - Splunk Add-on for Microsoft Windows
      • NOTE: If using Splunk Add-on for Microsoft Windows Version 6.x+ then you do not use the following TA's. The inputs for the following TA's are included in the Splunk Add-On for Microsoft Windows starting with version 6.0.
      • Required (With Splunk_TA_Windows versions < 6) - Splunk Add-on for Microsoft Active Directory
      • Required (With Splunk_TA_Windows versions < 6) - Splunk Add-On for Microsoft DNS
  • Splunk Indexer:
    • Required - Splunk Add-on for Microsoft Windows
      • NOTE: If using Splunk Add-on for Microsoft Windows Version 6.x+ then you do not use the following TA's. The inputs for the following TA's are included in the Splunk Add-On for Microsoft Windows starting with version 6.0.
      • Required (With Splunk_TA_Windows versions < 6) - Splunk Add-on for Microsoft Active Directory
      • Required (With Splunk_TA_Windows versions < 6) - Splunk Add-On for Microsoft DNS
  • Splunk Universal Forwarder:
    • Required - Splunk Add-on for Microsoft Windows
      • NOTE: If using Splunk Add-on for Microsoft Windows Version 6.x+ then you do not use the following TA's. The inputs for the following TA's are included in the Splunk Add-On for Microsoft Windows starting with version 6.0.
      • Required (With Splunk_TA_Windows versions < 6) - Splunk Add-on for Microsoft Active Directory
      • Required (With Splunk_TA_Windows versions < 6) - Splunk Add-On for Microsoft DNS


Data Requirements:

This application leverages admon data collected using the Splunk Add-on for Microsoft Active Directory TA or the latest Splunk Add-on for Microsoft Windows. Below are the two types of admon data leveraged:

  • admon Data Types:
    • admon Baseline data:
      • Is a single point in time, complete, event dump of the Active Directory Object Attributes
    • admon Update and Delete data:
      • Are events that get generated when AD Objects are updated or deleted.
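The baseline/update/delete handling described above, together with the lookup-building rules stated in the version 3.2.9 release notes (start from the most recent admonEventType "Sync" event, pick up deletes for the last 90 days, clear memberOf on delete and keep the old values in memberOf_hist, match lookup keys case-insensitively), as an added Python example. It is not the app's own code and not the app's SPL searches; the event dictionary layout, objectGUID as the join key, the status column and the ';' multivalue separator in the CSV are assumptions, and the sample events are constructed.

```python
"""Toy AD object lookup builder driven by admon-style events.

Added example, not the MS Windows AD Objects app's own code. It mimics the
rules the app's description and 3.2.9 release notes describe:
  * the most recent admonEventType="Sync" event marks the starting point,
  * Update events after it overwrite the baseline row,
  * Delete events are kept for the last 90 days; on delete, memberOf is
    cleared and the old values are moved to memberOf_hist,
  * lookup keys are matched case-insensitively.
Assumptions (not from the page): objectGUID as the join key, the event
dictionary layout, the "status" column, and ';' as the multivalue separator.
"""
import csv
import io

SECONDS_PER_DAY = 86400
DELETE_WINDOW_DAYS = 90  # the page's default; adjustable in the app's searches

# Constructed sample events (not captured Splunk output).
SAMPLE_EVENTS = [
    {"_time": 1000, "admonEventType": "Sync", "objectGUID": "g-alice", "cn": "Alice",
     "dn_path": "CN=Alice,OU=Staff,DC=corp,DC=example",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"_time": 1000, "admonEventType": "Sync", "objectGUID": "g-bob", "cn": "Bob",
     "dn_path": "CN=Bob,OU=Staff,DC=corp,DC=example", "memberOf": []},
    # Object from an older baseline run: ignored because a newer Sync exists.
    {"_time": 500, "admonEventType": "Sync", "objectGUID": "g-carol", "cn": "Carol",
     "dn_path": "CN=Carol,OU=Staff,DC=corp,DC=example",
     "memberOf": ["CN=Helpdesk,CN=Users,DC=corp,DC=example"]},
    # Bob is moved to another OU and gains a group after the baseline.
    {"_time": 1100, "admonEventType": "Update", "objectGUID": "g-bob", "cn": "Bob",
     "dn_path": "CN=Bob,OU=Contractors,DC=corp,DC=example",
     "memberOf": ["CN=VPN Users,CN=Users,DC=corp,DC=example"]},
    # Alice is deleted after the baseline.
    {"_time": 1200, "admonEventType": "Delete", "objectGUID": "g-alice", "cn": "Alice",
     "dn_path": "CN=Alice,OU=Staff,DC=corp,DC=example"},
    # Deleted before the baseline but inside the 90-day window: still listed.
    {"_time": 900, "admonEventType": "Delete", "objectGUID": "g-dave", "cn": "Dave",
     "dn_path": "CN=Dave,OU=Staff,DC=corp,DC=example"},
    # Deleted more than 90 days ago: dropped.
    {"_time": 1200 - 100 * SECONDS_PER_DAY, "admonEventType": "Delete",
     "objectGUID": "g-eve", "cn": "Eve", "dn_path": "CN=Eve,OU=Staff,DC=corp,DC=example"},
]


def build_lookup(events, now, delete_window_days=DELETE_WINDOW_DAYS):
    """Return {objectguid(lower): row} built from the latest baseline plus later changes."""
    sync_times = [e["_time"] for e in events if e["admonEventType"] == "Sync"]
    if not sync_times:
        raise ValueError("no admon baseline (Sync) events indexed; run a baseline first")
    start = max(sync_times)                      # most recent Sync is the starting point
    cutoff = now - delete_window_days * SECONDS_PER_DAY
    selected = [
        e for e in events
        if e["_time"] >= start
        or (e["admonEventType"] == "Delete" and e["_time"] >= cutoff)
    ]
    lookup = {}
    for e in sorted(selected, key=lambda ev: ev["_time"]):   # replay in time order
        key = e["objectGUID"].lower()                        # case-insensitive key
        row = lookup.setdefault(key, {"memberOf": [], "memberOf_hist": []})
        row.update(cn=e["cn"], dn_path=e["dn_path"], last_event_time=e["_time"])
        if e["admonEventType"] in ("Sync", "Update"):
            row["memberOf"] = list(e.get("memberOf", []))
            row["status"] = "active"
        elif e["admonEventType"] == "Delete":
            # Keep the row so deleted objects stay searchable, but move the
            # memberships into history and clear the live memberOf values.
            row["memberOf_hist"] = row["memberOf"]
            row["memberOf"] = []
            row["status"] = "deleted"
    return lookup


def find_object(lookup, object_guid):
    """Case-insensitive lookup, mirroring the app's case-insensitive lookup setting."""
    return lookup.get(object_guid.lower())


def to_csv(lookup):
    """Serialise the lookup as a CSV lookup file (multivalues joined with ';')."""
    columns = ["objectGUID", "cn", "dn_path", "status", "memberOf", "memberOf_hist", "last_event_time"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for key, row in sorted(lookup.items()):
        writer.writerow({
            "objectGUID": key, "cn": row["cn"], "dn_path": row["dn_path"],
            "status": row["status"], "memberOf": ";".join(row["memberOf"]),
            "memberOf_hist": ";".join(row["memberOf_hist"]),
            "last_event_time": row["last_event_time"],
        })
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_lookup(SAMPLE_EVENTS, now=1200)))
```

Running it prints three rows: Bob with his post-move DN and new group, and Alice and Dave as deleted objects whose memberOf is empty while memberOf_hist keeps what was known at deletion time. Carol is absent because her only event predates the latest baseline, and Eve is absent because her deletion falls outside the 90-day window; this is why the release notes recommend creating a fresh admon baseline before a build.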

For more details on the architecture, deployment, or usage of the MS Windows AD Objects application, refer to the landing page or the Documentation dashboard within the application, or to the PDF documentation under the ms_windows_ad_objects/appserver/static/ directory, or ask a question using the Splunk Answers link for this application on Splunkbase.

Release Notes

Version 3.2.9
April 12, 2019

Version 3.2.9 (Latest):
✓ Resolved:
⁃ Fixed: v3.2.5 Important Update - Possible search performance impact. Updated the field extraction (ms_ad_obj_admon_forest_s) added with the V3.2.5. Also, optimized the AD_Domain_Selector building search.
⁃ Fixed: [admon_dn_path] Transform regex for getting the dn_path field content.
✓ Enhanced Initial Lookup Building Searches:
⁃ Added a sub-search to the “Build” reports that uses the most recent admonEventType(“Sync”) event as the starting time point for building the AD Object Lookups. Improves performance, especially in environments with large volumes of historical admon data. Create a new admon baseline for the quickest build results.
⁃ Deleted Objects, admonEvent will be picked up for the last 90 days, but can be adjusted in the searches settings.
✓ New - Pre-Configured - Splunk_TA_windows V 6.0 input examples:
⁃ Pre-Configured and enabled inputs.conf examples for speeding up initial Windows deployments. (.../appserver/addons/TA_Examples/)
✓ Updated macros, reports, and dashboards; see the in-app documentation.

Version 3.2.7
April 12, 2019

Version 3.2.6 (Latest):
✓ Resolved:
⁃ Fixed: v3.2.5 Important Update - Possible search performance impact. Updated the field extraction (ms_ad_obj_admon_forest_s) added with the V3.2.5. Also, optimized the AD_Domain_Selector building search.
⁃ Fixed: [admon_dn_path] Transform regex for getting the dn_path field content.
✓ Enhanced Initial Lookup Building Searches:
⁃ Added a sub-search to the “Build” reports that uses the most recent admonEventType(“Sync”) event as the starting time point for building the AD Object Lookups. Improves performance, especially in environments with large volumes of historical admon data. Create a new admon baseline for the quickest build results.
⁃ Deleted Objects, admonEvent will be picked up for the last 90 days, but can be adjusted in the searches settings.
✓ New - Pre-Configured - Splunk_TA_windows V 6.0 input examples:
⁃ Pre-Configured and enabled inputs.conf examples for speeding up initial Windows deployments. (.../appserver/addons/TA_Examples/)
✓ Updated macros, reports, and dashboards; see the in-app documentation.

Version 3.2.3
June 20, 2018

Resolved Issues:
⁃ Cloud Verification Fixes:
⁃ Replaced the “Real Time” time setting for the AD Objects - Verify Baseline Data - Completed report.
⁃ Updated the MS_Windows_AD_Changes data model settings to not enable acceleration by default.
⁃ Other Fixes:
⁃ Fixed Documentation View
⁃ Added Transforms stanza/settings for lookups:
⁃ ms_ad_obj_uac_temp.csv, ms_ad_obj_field_AD_Computer_LDAP_list.csv, ms_ad_obj_field_AD_User_LDAP_list.csv, ms_ad_obj_field_AD_Group_LDAP_list.csv, ms_ad_obj_user_rights_map.csv.
⁃ These lookups are extra lookups available for reference or expansion.
⁃ Fix Regex - Issues in transforms where capturing groups were used instead of non-capturing groups.
⁃ Updated Sync and Build Searches for Users, Computers and Groups to remove the values in the memberOf field when the object is deleted.
⁃ Added another field, memberOf_hist, that will contain the memberOf values at the time the object is deleted.
⁃ Enhanced the User Audit dashboard with tooltip information.

Version 3.2
April 4, 2018

Version 3.2:
Fixed:
- Regex - user \S-\S issue, to \S\-\S
- case sensitivity for lookups
- missing domain field
- admin audit lookup was getting populated when a user resets their own password
- enhanced and new field extractions
- enabled case-insensitive setting for lookups
Enhanced UI:
- Updated login dashboard/reports to use a more efficient search.
- Updated Dashboards: Admin Change Management, Logon Ratio (Now includes non-domain attempts), Group Sub-Search Builder, and numerous others.
** For more information please refer to the Configuration Dashboards -> Documentation view. **

Version 3.1.1
June 21, 2017

Version 3.1.1
Minor Updates - Updated field extraction to retrieve cn and user values for AD Object Moves. Also, fixed a minor issue with the Application Health - Saved Servers dashboard. Including the previous release notes for other recent information from version 3.0.
Version:3.1
Resolved Issues (1. Fixed duplication of the domain field when deploying against multiple domain controllers. 2. Resolved issue with the integration dashboards for Winfra/Exchange Apps pointing to the ldap search. 3. Updated several field extractions and added a user_type evaluation field for improving login reports and dashboards.)
Added Dashboards (1. Login Status Ratio 2. Application Knowledge Browser - Thank You Cindy McCririe)

Version 3.1
June 20, 2017

Version:3.1
Resolved Issues (1. Fixed duplication of the domain field when deploying against multiple domain controllers. 2. Resolved issue with the integration dashboards for Winfra/Exchange Apps pointing to the ldap search. 3. Updated several field extractions and added a user_type evaluation field for improving login reports and dashboards.)
Added Dashboards (1. Login Status Ratio 2. Application Knowledge Browser - Thank You Cindy McCririe)

695 Installs
5,616 Downloads
© 2005-2019 Splunk Inc. All rights reserved.