Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is used for managing permissions and access to network resources. AD stores data as objects, including users, groups, and devices, and organizes them into a hierarchical structure.
- Centralized Management: Provides a single point of management for network resources.
- Authentication and Authorization: Manages user login and access permissions.
- Group Policy: Allows administrators to implement specific configurations for users and computers.
- Scalability: Can be used in small or large-scale environments.
- Integration: Works with other Microsoft services and applications.
AD helps in streamlining IT administration and enhancing security by ensuring that only authorized users have access to resources.
The Splunk Universal Forwarder is a lightweight version of Splunk designed to collect and forward log data to a Splunk instance (e.g., Splunk Enterprise or Splunk Cloud) for indexing and analysis.
- Data Collection: Gathers log data from various sources, including files, directories, and network ports.
- Data Forwarding: Sends collected data to a central Splunk server for processing and indexing.
- Lightweight: Designed to be resource-efficient, making it suitable for deployment on numerous endpoints.
- Security: Ensures secure data transmission using encryption.
Sysmon is a Windows system service and driver that logs detailed system activity to the Windows event log. It is part of the Sysinternals suite and is commonly used for advanced system monitoring and forensic analysis.
- Process Creation Logging: Records details about new processes, including command-line arguments and executable hashes.
- Network Connection Logging: Logs TCP and UDP network connections.
- File Creation Time Changes: Monitors and logs changes to file creation times to detect tampering.
- Registry Event Logging: Tracks changes to the Windows Registry.
- Event Tagging: Tags events with unique identifiers for easier correlation and analysis.
Sysmon generates detailed logs about system activity, which can be collected and forwarded by the Splunk Universal Forwarder to a Splunk server. This integration allows for advanced monitoring, analysis, and visualization of security-related events, helping organizations detect and respond to potential threats more effectively.
- Change Hostname: Set the hostname to Target-PC.
- Assign Static IPv4 Address: Assign a static IP to the target machine.
- Download Splunk Universal Forwarder:
  - Go to Splunk.com, log in, and download the Splunk Universal Forwarder.
  - Install it.
- Download and Install Sysmon:
  - Sysmon (System Monitor) is a Windows service and driver that logs detailed system activity to the event log. It tracks process creations, network connections, and changes to file creation times, helping to detect and investigate malicious activity. It's part of the Sysinternals suite and is used for advanced monitoring and forensic analysis.
  - Download Sysmon from the Sysinternals suite.
  - Use sysmon-modular for configuration.
  - Download the sysmonconfig.xml.
  - Install Sysmon with the downloaded configuration file:
    sysmon -accepteula -i sysmonconfig.xml
- Configure Splunk Forwarder:
  - Now we need to tell the Splunk forwarder what to send to the Splunk server. To do this we configure a file called inputs.conf; for this lab we use the inputs.conf file from GitHub.
  - Modify the inputs.conf file.
  - Change the Splunk Forwarder service to log on as Local System.
  - Restart the service.
  - Now we have Sysmon and the Universal Forwarder installed, along with the updated inputs.conf.
- Access Splunk Server:
  - Log in to the Splunk server.
  - Create an index named endpoint.
  - Ensure that the Splunk server is set to receive data (Settings > Forwarding and Receiving).
  - If everything is set up correctly, verify that data from the target machine is being received.
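The three server-side steps above (create the endpoint index, enable receiving, confirm data is arriving) can also be done without the web UI. The following is an added example, not code from the original write-up, that drives the Splunk REST API on the management port. It assumes PowerShell 7 (for -SkipCertificateCheck against Splunk's default self-signed certificate), an admin credential supplied by the caller, and a server address of 192.168.10.10, which the write-up does not state.

```powershell
# Added example, not from the original write-up. Performs the server-side lab steps
# through the Splunk REST API on the management port: create the 'endpoint' index,
# enable receiving on 9997 (Settings > Forwarding and Receiving in the UI), and report
# which forwarders have actually delivered events. Assumptions: PowerShell 7, the
# default self-signed certificate, and the server address below (not on the page).
function Initialize-LabSplunkServer {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string]   $Server        = 'https://192.168.10.10:8089',      # assumed Splunk server
        [string[]] $ExpectedHosts = @('Target-PC', 'ActiveDirectory'),  # hostnames set in the lab
        [string]   $Window        = '-15m'
    )
    $pair   = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $common = @{
        Headers              = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }
        ContentType          = 'application/x-www-form-urlencoded'
        SkipCertificateCheck = $true
        Method               = 'Post'
    }

    # Splunk answers 409 Conflict when the entity already exists, which makes both
    # creation steps safe to re-run; any other error is real and is re-thrown.
    function Invoke-SplunkCreate([string] $Uri, [hashtable] $Body) {
        try   { Invoke-RestMethod @common -Uri $Uri -Body $Body | Out-Null }
        catch { if ([int] $_.Exception.Response.StatusCode -ne 409) { throw } }
    }

    # 1. Create the index that the forwarders' inputs.conf points at.
    Invoke-SplunkCreate -Uri "$Server/services/data/indexes" -Body @{ name = 'endpoint' }

    # 2. Open the receiving port ("cooked" = Splunk-to-Splunk data from forwarders).
    Invoke-SplunkCreate -Uri "$Server/services/data/inputs/tcp/cooked" -Body @{ name = '9997' }

    # 3. One-shot search: events per host in the window. Searching only on the index
    #    avoids depending on the exact source/sourcetype names used in inputs.conf.
    $spl  = "search index=endpoint earliest=$Window | stats count by host"
    $resp = Invoke-RestMethod @common -Uri "$Server/services/search/jobs" `
                -Body @{ search = $spl; exec_mode = 'oneshot'; output_mode = 'json' }
    $seen = @{}
    foreach ($row in $resp.results) { $seen[$row.host] = [int] $row.count }

    # Report per expected host. A MISSING host usually means inputs.conf/outputs.conf is
    # wrong on that machine or the SplunkForwarder service was not restarted after the edit.
    foreach ($h in $ExpectedHosts) {
        $count  = if ($seen.ContainsKey($h)) { $seen[$h] } else { 0 }
        $status = if ($count -gt 0) { 'OK' } else { 'MISSING' }
        [pscustomobject]@{ Host = $h; Status = $status; Events = $count }
    }
}

# Usage:
# $cred = Get-Credential        # Splunk admin account
# Initialize-LabSplunkServer -Credential $cred
```

Run it once before the forwarders are configured to create the index and open the port, then again afterwards: the second run is harmless (409s are swallowed) and the table it returns is the same check as the "verify that data is being received" step, with the event count per host as a sanity figure.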
- Change Hostname: Set the hostname to ActiveDirectory.
- Assign Static IPv4 Address: Assign IP 192.168.10.7.
- Download Splunk Universal Forwarder: Install it on the Windows server.
- Download and Install Sysmon: Follow the same process as for the target machine.
  - Download Sysmon.
  - Use the sysmon-modular configuration.
  - Install Sysmon with the configuration file.
- Configure Splunk Forwarder:
  - As on the target machine, tell the Splunk forwarder what to send to the Splunk server by configuring inputs.conf, using the inputs.conf file from GitHub.
  - Modify the inputs.conf file.
  - Any time you update the inputs.conf file you must restart the Splunk Universal Forwarder service, so restart it after updating the configuration.
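The per-machine procedure is the same for the target machine and for the Active Directory server: static IP, Sysmon with the sysmon-modular config, inputs.conf, Local System logon for the forwarder service, service restart, hostname. The following is an added example, not code from the write-up, that performs those steps in one function for either machine. Assumed values not given on the page: the NIC alias 'Ethernet', a gateway of 192.168.10.1, a Splunk server at 192.168.10.10, the target machine's own IP (192.168.10.100), and that Sysmon64.exe plus sysmonconfig.xml have already been downloaded into the Sysmon folder and the Universal Forwarder is already installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original write-up. One function that performs the
# per-machine lab steps in order. Assumed (not on the page): NIC alias 'Ethernet', the
# gateway and Splunk server addresses, Sysmon64.exe and the sysmon-modular
# sysmonconfig.xml already in $SysmonDir, and the forwarder already installed.
function Install-LabEndpointMonitoring {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,        # 'Target-PC' or 'ActiveDirectory'
        [Parameter(Mandatory)] [string] $IPAddress,           # static IPv4 for this machine
        [int]    $PrefixLength   = 24,
        [string] $Gateway        = '192.168.10.1',            # assumed lab gateway
        [string] $DnsServer      = '192.168.10.7',            # the AD server address from the write-up
        [string] $IndexerIp      = '192.168.10.10',           # assumed Splunk server address
        [string] $InterfaceAlias = 'Ethernet',
        [string] $SysmonDir      = "$env:USERPROFILE\Downloads\Sysmon",
        [string] $SplunkHome     = "$env:ProgramFiles\SplunkUniversalForwarder"
    )

    # 1. Static IPv4 address and DNS (clients point at the DC so domain joins resolve).
    Remove-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute     -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress    -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServer

    # 2. Sysmon: fresh install with the sysmon-modular config, or reload the config if
    #    the service already exists (re-running -i on an installed Sysmon fails).
    $sysmon = Join-Path $SysmonDir 'Sysmon64.exe'
    $config = Join-Path $SysmonDir 'sysmonconfig.xml'
    if (Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue) {
        & $sysmon -c $config
    } else {
        & $sysmon -accepteula -i $config
    }

    # 3. inputs.conf: which Windows event logs to collect and which index to send them to.
    #    renderXml keeps Sysmon's structured fields intact; 'endpoint' matches the index
    #    created on the server. etc\system\local survives forwarder upgrades.
    $local = Join-Path $SplunkHome 'etc\system\local'
    New-Item -ItemType Directory -Path $local -Force | Out-Null
    @'
[WinEventLog://Application]
index = endpoint
disabled = false

[WinEventLog://Security]
index = endpoint
disabled = false

[WinEventLog://System]
index = endpoint
disabled = false

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = endpoint
disabled = false
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
'@ | Set-Content -Path (Join-Path $local 'inputs.conf') -Encoding ascii

    # 4. outputs.conf: where to forward. The installer normally asks for this; it is
    #    written here so the whole forwarder configuration is visible in one place.
    @"
[tcpout]
defaultGroup = lab-indexers

[tcpout:lab-indexers]
server = ${IndexerIp}:9997
"@ | Set-Content -Path (Join-Path $local 'outputs.conf') -Encoding ascii

    # 5. The forwarder must run as Local System to read the Security log, and every
    #    inputs.conf change needs a service restart. The space after 'obj=' is required.
    sc.exe config SplunkForwarder obj= LocalSystem | Out-Null
    Restart-Service -Name SplunkForwarder

    # 6. Hostname last; the rename takes effect after a reboot.
    Rename-Computer -NewName $ComputerName -Force
    Write-Host "Configured $ComputerName ($IPAddress); reboot to apply the new hostname."
}

# Target machine (its address is not given in the write-up; 192.168.10.100 is assumed):
# Install-LabEndpointMonitoring -ComputerName 'Target-PC'       -IPAddress '192.168.10.100'
# Domain controller, using the address the write-up assigns to it:
# Install-LabEndpointMonitoring -ComputerName 'ActiveDirectory' -IPAddress '192.168.10.7'
```

The only difference between the two machines is the two arguments, which is the point of the write-up's "follow the same process" step. If the Security log does not show up in Splunk, the service logon (step 5) is the first thing to check: a forwarder running as a virtual service account cannot read it.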
Now that both the Target Machine and Active Directory have the Splunk Universal Forwarder and Sysmon configured, verify that the data from both machines is being received by the Splunk server.
Ensure that:
- Both machines are sending data.
- The Splunk server is configured to receive and index the data correctly.