Splunk® App for Windows Infrastructure

Splunk App for Windows Infrastructure Reference

Active Directory Reports

The Active Directory module of the Splunk App for Windows Infrastructure contains several reports that let you view common security issues within Active Directory.

There are six groups of reports:

DNS Reports

The DNS Reports collection lets you generate reports on your DNS operations by running real-time searches against the collected DNS data. These reports include:

  • DNS Failing Domains: A list of the queries made by DNS servers that return failing responses (such as SERVFAIL or NXDOMAIN). This panel lets you sort by query, query type, response, count, and percentage of queries.
  • DNS Top Failing Domains: A list of the top queries made by clients for domains that return failures. You can sort by query, query type, count, and percentage of queries.
  • DNS Top Hosts sending failing queries: A list of the hosts that send the most failing DNS queries. You can sort by source IP address, count, and percentage of queries.
  • DNS Top Non-authoritative responses: A list of the queries that DNS servers returned non-authoritative responses for. You can sort by query, query type, count, and percentage of queries.
  • DNS Top Querying Hosts: A list of the hosts who made the highest number of DNS queries. You can sort by source IP address, count, and percentage of queries.
  • DNS Top Recursive Failure Domains: A list of domains for which DNS servers failed to perform recursion correctly (recursion is the ability to query DNS information on remote names handled by other DNS servers). You can sort by query, query type, count, and percentage of queries.
  • DNS Top Requested Queries: A list of the top requested DNS queries. You can sort by query, query type, count, and percentage of queries.

Note: To view these statistics, your DNS servers must have debug logging enabled. If this feature is not turned on, these reports will be blank.


User Reports

The User Reports collection lets you generate reports on the users in your AD domains.

These reports include:

  • All: A list of all users in the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official (SAM) account name, LDAP Common Name, user principal name, and User Account Control (UAC) attribute settings.
  • New: A list of newly created users in the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by user creation time, user added, and the user who performed the addition. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page.
  • Deleted: A list of deleted accounts in the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by user deletion time, user deleted, and the user who performed the deletion. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page.
  • Active: A list of users who are active (meaning they have recently logged on) in the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by username, full name, user principal name, and last logon time. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page.
  • Inactive: A list of users who have not recently logged onto the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page.
  • Unused: A list of users who have never logged onto the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Disabled: A list of users whose ability to access the selected domain has been disabled. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Non-expiring: A list of accounts that do not expire. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Password Not Required: A list of accounts where a password is not required. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • No Password Expiry: A list of accounts where the password does not expire. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page.
  • Smartcard Not Required: A list of accounts where a smartcard is not required to authenticate. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Smartcard Required: A list of accounts where a smartcard is required to authenticate. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Password Too Old: A list of accounts where the password is too old. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • No Manager: A list of accounts that do not have a delegate assigned to them. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Sensitive accounts: A list of accounts whose security contexts have not been delegated to a service even though the service account has been set as trusted for Kerberos delegation. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
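Several of the user reports above are driven by bits in the account's User Account Control (UAC) attribute. As an added illustration (not code from the Splunk app), the following Python decodes a userAccountControl value into the report names used on this page and buckets constructed sample accounts by report; the mapping of report names to UAC flags, including "Sensitive accounts" to NOT_DELEGATED, is this example's assumption.

```python
from typing import Dict, List, Union

# userAccountControl flag values as documented for Active Directory (ADS_USER_FLAG).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000
NOT_DELEGATED = 0x100000

# Assumed mapping: report name on this page -> (flag, whether the flag must be set).
# Reports keyed on other attributes (Non-expiring, Password Too Old, Active/Inactive)
# cannot be derived from UAC alone and are deliberately left out.
REPORT_FLAGS = {
    "Disabled": (ACCOUNTDISABLE, True),
    "Password Not Required": (PASSWD_NOTREQD, True),
    "No Password Expiry": (DONT_EXPIRE_PASSWORD, True),
    "Smartcard Required": (SMARTCARD_REQUIRED, True),
    "Smartcard Not Required": (SMARTCARD_REQUIRED, False),
    "Sensitive accounts": (NOT_DELEGATED, True),
}


def parse_uac(value: Union[int, str]) -> int:
    """Accept the integer or its decimal/hex string form as seen in LDAP dumps."""
    if isinstance(value, int):
        return value
    return int(value.strip(), 0) if value.strip().lower().startswith("0x") else int(value)


def decode_uac(uac: Union[int, str]) -> List[str]:
    """Return the sorted list of report names this UAC value would appear in."""
    bits = parse_uac(uac)
    return sorted(name for name, (flag, wanted) in REPORT_FLAGS.items()
                  if bool(bits & flag) == wanted)


def classify(accounts: Dict[str, Union[int, str]]) -> Dict[str, List[str]]:
    """Bucket {sAMAccountName: userAccountControl} into report name -> account names."""
    buckets: Dict[str, List[str]] = {name: [] for name in REPORT_FLAGS}
    for sam, uac in accounts.items():
        for report in decode_uac(uac):
            buckets[report].append(sam)
    return buckets


# Constructed sample accounts (not real data): a service account with no password
# required and a non-expiring password, a plain user, a disabled user, and an admin
# marked sensitive that also requires a smartcard.
SAMPLE_ACCOUNTS = {
    "svc_backup": NORMAL_ACCOUNT | PASSWD_NOTREQD | DONT_EXPIRE_PASSWORD,
    "jdoe": "512",                       # decimal string form of NORMAL_ACCOUNT
    "old_admin": NORMAL_ACCOUNT | ACCOUNTDISABLE,
    "ops_admin": NORMAL_ACCOUNT | SMARTCARD_REQUIRED | NOT_DELEGATED,
}

if __name__ == "__main__":
    for report, members in classify(SAMPLE_ACCOUNTS).items():
        print(f"{report}: {members}")
```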


Computer Reports

The Computer Reports collection lets you generate reports on computer accounts from your AD servers.

These reports include:

  • All: A list of all computers in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, User Account Control attributes, installed operating system, and any OS service packs that have been installed.
  • Domain controllers only: A list of all domain controllers in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, User Account Control attributes, installed operating system, and any OS service packs that have been installed.
  • New: A list of computers that have recently been added to the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computers that were added, installed operating system, OS service pack, and the user who performed the addition.
  • Deleted: A list of computers that have recently been removed from the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computers that were deleted, installed operating system, OS service pack, and the user who performed the deletion. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page.
  • Active: A list of computers that have recently logged on to the selected domain in Active Directory. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computer name, DNS host name, installed operating system, OS service pack, and last logon time. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page.
  • Inactive: A list of computers that have not logged on to Active Directory recently. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computer name, DNS host name, installed operating system, OS service pack, and last logon time. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page.
  • Unused: A list of computers that have never logged on to Active Directory. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS hostname, and
  • Disabled: A list of computers whose ability to log into Active Directory has been disabled. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computer name, DNS host name, installed operating system, and OS service pack. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page.
  • Trusted: A list of computers that either manage or are managed by a domain trust relationship. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, UAC attributes, installed operating system, and OS service pack.
  • No Manager: A list of computers that do not have a delegate assigned to them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, UAC attributes, installed operating system, and OS service pack.


Security Group Reports

The Security Group Reports collection lets you generate reports on group accounts from your AD servers.

These reports include:

  • All: A list of all security groups in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, group type, LDAP member Distinguished Name, and member type.
  • New: A list of recently-created groups in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by creation time, group name, group class, group type, and the user who performed the addition. You can also limit the list of groups by selecting a time range with the time range picker at the top of the page.
  • Deleted: A list of recently-removed groups in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by creation time, group name, group class, group type, and the user who performed the addition. You can also limit the list of groups by selecting a time range with the time range picker at the top of the page.
  • Changed type: A list of the changes that have been made to security groups in the selected domain, over the selected time period. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by the time that the group change occurred, the change action, the group name, the user who performed the change, the old group class or type, and the new group class or type. You can also limit the list of groups by selecting a time range with the time range picker at the top of the page.
  • Empty: A list of groups in the selected domain that do not have any users in them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group name or type.
  • Large: A list of groups in the selected domain that have a member count that is greater than a specified amount. You can use the Domain drop-down list to choose between domains known to the app. You can enter a positive number that represents the size of the group's membership into the Minimum Size text field. The page then shows only groups whose membership equals or is greater than the number entered. You can then sort that list by group name, group type, the number of members, the LDAP Member Distinguished Name, and the member type.
  • Nested: A list of groups in the selected domain that have been nested into other groups. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Distinguished Name, LDAP Common Name, group type, and member type.
  • No Manager: A list of groups in the selected domain that do not have a delegate assigned to them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group name, group type, LDAP Member Distinguished Name, and member type.


Group Policy Object Reports

The Group Policy Object Reports collection lets you generate reports on group policy objects from your AD servers.

These reports include:

  • All: A list of all group policy objects in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group policy ID, group policy name, group policy object version number, and the list of containers that the object has been linked to.
  • New: A list of recently-created group policy objects in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by add time, LDAP Common Name, group policy object display name, group policy object version number, and the list of containers that the object has been linked to. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page.
  • Deleted: A list of recently-removed group policy objects in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by delete time and LDAP Common Name. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page.
  • Disabled: A list of group policy objects that have been disabled. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group policy object ID, group policy object name, group policy object version number, group policy object status, change time, and the list of containers that the object has been linked to.


Organizational Unit Reports

The Organizational Unit Reports collection lets you generate reports on organizational units (OUs) from your AD servers.

These reports include:

  • All: A list of all organizational units in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by name, description, and the list of linked group policy objects.
  • New: A list of recently-created OUs in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by the time the OU was added, the OU name, description, and the list of linked group policy objects. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page.
  • Deleted: A list of recently-deleted OUs in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by delete time, OU name, and description. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page.
  • No Manager: A list of OUs in the selected domain that do not have a delegate assigned to them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by OU name, description, and the list of linked group policy objects. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page.
  • GPO Linked: A list of OUs with a direct GPO link. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by OU name, description, and the list of linked group policy objects.
This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0