LT Auditor+ App for Splunk

LT Auditor+ App for Splunk is a Splunk app that is optimized to receive data from LT Auditor+ agents. The App has Intelligent dashboards with drilldown capabilities to provide a complete view of change activity on Active Directory, Group Policy, Servers, File Shares, Endpoints, USB Flash Drives in an organization.

Most SIEM systems including Splunk scrapes native Windows logs to collect information on Active Directory, GPO and file share activity. The volume of data generated in raw logs is huge and this information have several limitations such as:

• High volume of clutter and noise making it difficult access valuable and critical information;
• Does not provide a complete audit trail like showing who did what from where and when for changes to user identities, policies and access to critical files;
• Very limited information on changes to Group Policies. Understanding what attributes were changed on vital GPO policies is critical in ensuring that the network has not been compromised. This information is not available in the event logs.

Core benefits of ingesting data from LT Auditor+ are:

1. Creation of complex filters to determine what type of audit data is sent to Splunk. This improves the quality of data as well as dramatically reducing noise and clutter;
2. Comprehensively audit modifications to Active Directory, Group Policies, File Shares and USB Flash Drives;
3. FFIEC, NIST, PCI-DSS, HIPAA and SOX compliance reports;
4. Provides information on Active Directory audits such as Group Memberships, Last Logons, Password Settings, Account Settings and Security Permissions;
5. Reduces requirements to understand complex Spunk queries, Windows event ids and makes investigation for security incidents easier for security professionals.

The following section describes how to install LT Auditor+ App for Splunk across single and distributed instances of Splunk.

Download LT Auditor+ App for Splunk and extract contents to reveal the following two files:

1. Single Instance/lt-auditor-app-for-splunk.tar.gz
2. Distributed Environment/lt-auditor-app-for-splunk.tar.gz
3. Distributed Environment/ta-lt-auditor.tar.gz

   LT Auditor+ App for Splunk

1. Login in to your Splunk console
   
   




2. Access the Splunk home page
   
   




3. Click on the Apps icon to open Apps screen as shown below:
   
   




4. Click ‘Install app from file’ to open the screen ‘Upload an app’:
   
   




5. Browse to the file lt-auditor-app-for-splunk.tar.gz and select upload
   
   




6. You will now see the LT Auditor+ App for Splunk and LT Auditor+ Add-on for Splunk installed as shown below:
   
   




7. Click the Splunk icon to switch to the Home page and you will now see the new App – LT Auditor+ App for Splunk.
   
   

8. Click Settings->Indexes->New Index and set the following:

1. Index Name: lt_auditor_idx
2. App: LT Auditor+ App for Splunk

1. Click Save

9. Click Settings->Data inputs

10. For Local inputs/TCP click Add new

11. Select TCP and input Port: 1468. Click Next 

1. For Source type select Miscellaneous->generic_single_line
2. For App context select LT Auditor+ App for Splunk
3. For Host select IP
4. For Index select lt_auditor_idx
5. Click Review

12. Confirm settings and click Submit to complete.

13. Click Settings->Server controls and Restart Splunk

1. Connect to the master-node;
2. Extract the contents of the file ‘Distributed Environment/ta-lt-auditor.tar.gz’ to the folder ‘/opt/splunk/etc/master-apps’;
3. Run the command /opt/splunk/bin/splunk apply cluster-bundle to deploy to all peer nodes.

The LT Auditor+ Add-on uses a custom index called lt_auditor_idx. Please take steps to ensure that this index is replicated across all peer servers.

1. Connect to Search Head machine
2. For non-clustered Search Head extract the contents of the file ‘Distributed Environment\lt-auditor-app-for-splunk.tar.gz’ to the folder ‘ /opt/splunk/etc/apps’;
3. For clustered Search Heads:
   1. Extract the contents of the file ‘Distributed Environment\lt-auditor-app-for-splunk.tar.gz’ to the folder ‘ /opt/splunk/etc/shcluster/apps’
   2. Delete file from transforms.conf andprops.conf from the default folder
   3. Run the command /opt/splunk/bin/splunk apply shcluster-bundle -target https://<master-node>:8089 -force true

1. Connect to Heavy Forwarder machine
2. Extract the contents of the file ‘Distributed Environment/ta-lt-auditor.tar.gz’ to the folder ‘/opt/splunk/etc/apps’
3. If there are multiple forwarders use a deployer to distribute the Add-on ta-lt-auditor.tar.gzto all forwarders.

Run the LTSIEM.EXE file found in the extracted folder from the LT Auditor+ download.

1. For SIEM system select Splunk Enterprise
2. For SIEM Server Name/IP Address set Name/IP of Splunk Server
3. For TCP Port set 1468
4. Click Activate to configure settings

The LT Auditor+ App for Splunk provides a portal to view audit data ingested from LT Auditor+ and has the following dashboards

After the App is installed, users will be gain access to the portal by clicking on the LT Auditor+ App for Splunk as shown below.

The first dashboard is the Home dashboard that provides a summary of all LT Auditor+ activity ingested by Splunk.

The home dashboard displays the following notables:

• Audited Events – Count of total audited events for specified time range.
• Audited Users – Count of total users audited for specified time range.
• Audited Agents – Number of LT Auditor+ agents sending data to Splunk.

Clicking on any of the LT Auditor+ Audited Modules listed will take the user to new dashboard for specified activity. The following dashboards are accessible:

1. Active Directory
2. File/Folder
3. Group Policy
4. Logon
5. Health Check

The Active Directory dashboard provides complete details of all Active Directory activity recorded with LT Auditor+ as shown.

The dashboard has the following sections:

1. Filters – Criteria can set to define content displayed on the dashboard;
2. Notables – Summary of information about all activity that occurred;
3. Audited Operations – Pie chart of specific operations for given filter criteria;
4. Audited Events Over Time – Graphical representation of event modifications occurred for specified filter criteria;
5. Users – List of all users making changes to cause the events to be recorded;
6. Nodes – List of source nodes where changes were made from;
7. Server – List of host servers where the changes occurred.

Click show filters to display query criteria for the dashboard as shown below.  The dashboard will automatically update if criteria is specified in the filters.

Criteria can be configured based on:

1. Time Frame
2. Active Directory Objects
3. Active Directory Classes
4. Active Directory Attributes
5. Active Directory Attribute Values
6. Users
7. Nodes
8. Servers

Clicking on Audited Operations will produce a detailed report on specified operation.  For example, clicking on Delete Object will generate a report all Active Directory objects deleted for specified filter criteria.

Audited Events over time is graphical representation of when Active Directory modifications occurred for specified filter criteria.

The following section describe each of the Active Directory notables.

Total Events is a count of all Active Directory events collected as per filter criteria. Clicking on this notable will generate a report of those events as shown below.

After a report has been generated, it can be further refined be inputting additional filter criteria. All reports can be exported to other file formats.

Objects is a count of distinct Active Directory objectsmodified per filter criteria. Clicking on this notable generates a table summary of these objectswith column counts of users, nodes, servers and activity count as shown below. Clicking on any of the objects will generate a detailed report of changes on specified object.

Classes is a count of distinct Active Directory classes modified per filter criteria. Clicking on this notable generates a table summary of these classes with column counts of users, nodes, servers and activity count as shown below. Clicking on any of the classes will generate a detailed report of changes on specified class.

Users is a count of users that performed operations per filter criteria. Clicking on this notable generates a table summary of users with column counts of objects, nodes, servers and activity count as shown below. Clicking on any of the Userswill generate a detailed report of changes made by specified user.

Nodes is a count of source node addresses of users that performed operations per filter criteria. Clicking on this notable generates a table summary of nodes with column counts of objects, users, servers and activity count as shown below. Clicking on any of the Nodes will generate a detailed report of changes made from specified node.

Servers is a count of host servers where changes occurred per filter criteria. Clicking on this notable generates a table summary of servers with column counts of objects, users, nodes and activity count as shown below. Clicking on any of the Servers will generate a detailed report of changes made on the specified server.

The Group Policy dashboard provides complete details of all Group Policy activity recorded with LT Auditor+ as shown.

The dashboard has the following sections:

1. Filters – Criteria can set to define content displayed on the dashboard;
2. Notables – Summary of information about all activity that occurred;
3. Audited Operations – Pie chart of specific operations for given filter criteria;
4. Audited Events Over Time – Graphical representation of event modifications occurred for specified filter criteria;
5. Users – List of all users making changes to cause the events to be recorded;
6. Nodes – List of source nodes where changes were made from;
7. Server – List of host servers where the changes occurred.

Click show filters to display query criteria for the dashboard as shown below.  The dashboard will automatically update if criteria is specified in the filters.

Criteria can be configured based on:

1. Time Frame
2. GPO Name or Object
3. Attribute or GPO Attribute
4. Users
5. Nodes
6. Servers

The following section describe each of the Group Policy notables.

Total Events is a count of all Group Policy events collected as per filter criteria. Clicking on this notable will generate a report of those events as shown below.

GPO Names is a count of distinct Group Policy objects modified per filter criteria. Clicking on this notable generates a table summary of these objects with column counts of users, nodes, servers and activity count as shown below. Clicking on any of the objects will generate a detailed report of changes on specified object.

Attributes is a count of distinct Group Policy attributes modified per filter criteria. Clicking on this notable generates a table summary of these attributes with column counts of users, nodes, servers and activity count as shown below. Clicking on any of the classes will generate a detailed report of changes on specified attribute.

These notables have the same functionality as described for the Active Directory dashboard.

The Logon Server dashboard provides complete details of all login activity recorded with LT Auditor+ as shown.

The dashboard has the following sections:

1. Filters – Criteria can set to define content displayed on the dashboard;
2. Notables – Summary of information about all activity that occurred;
3. Audited Operations – Pie chart of specific operations for given filter criteria;
4. Audited Events Over Time – Graphical representation of event modifications occurred for specified filter criteria;
5. Users – List of all users making changes to cause the events to be recorded;
6. Nodes – List of source nodes where changes were made from;
7. Server – List of host servers where the changes occurred.

Click show filters to display query criteria for the dashboard as shown below.  The dashboard will automatically update if criteria is specified in the filters.

Criteria can be configured based on:

1. Time Frame
2. Users
3. Nodes
4. Servers

The following section describe each of the Logon Server notables.

Total Events is a count of all login events collected as per filter criteria. Clicking on this notable will generate a report of those events as shown below.

These notables have the same functionality as described for the Active Directory dashboard.

Failed Logons is a count of all failed login events collected as per filter criteria. Clicking on this notable generates a table summary of user failed activity with column counts of nodes, servers and activity count as shown below. Clicking on any of the users will generate a detailed report of failed logon activity for specified user.

The Files/Folders dashboard provides complete details of all file and folder activity recorded with LT Auditor+ as shown.

The dashboard has the following sections:

1. Filters – Criteria can set to define content displayed on the dashboard;
2. Notables – Summary of information about all activity that occurred;
3. Audited Operations – Pie chart of specific operations for given filter criteria;
4. Audited Events Over Time – Graphical representation of event modifications occurred for specified filter criteria;
5. Users – List of all users making changes to cause the events to be recorded;
6. Nodes – List of source nodes where changes were made from;
7. Server – List of host servers where the changes occurred.

Click show filters to display query criteria for the dashboard as shown below.  The dashboard will automatically update if criteria is specified in the filters.

Criteria can be configured based on:

1. Time Frame
2. Users
3. Nodes
4. Servers
5. Filenames

The following section describe each of the Logon Server notables.

Total Events is a count of all file activity collected as per filter criteria. Clicking on this notable will generate a report of those events as shown below.

These notables have the same functionality as described for the Active Directory dashboard.

Failed Attempts is a report of all failed file activity collected as per filter criteria.

These dashboards provide insight to possible malware attacks in any organization.

Ransomware attacks typically cause a lot of simultaneous rename operations as file get encrypted. Thisdashboardprovides details if more than 500 rename operations occurred, performed by the same user from the same node at the same time.

Clicking on a user will generate details about user’srename activity.

Data exfiltration occurs when malicious actors access large numbers of files at the same time. This dashboard provides details if more than 500 files were accessed by the same user, from the same node at the same time.

Clicking on a user will generate details about user’s access activity.

Excessive failed logon activity always needs to be investigated to ensure that an organization is not being attacked. This dashboard provides details on all logon failures and the type of failure.

These dashboards are a collection of best practices to monitor in an organization.

This dashboard provides a quick view of privileges elevated for specified time frame.

Privileges tracked are:

1. Group memberships to powerful groups
2. Active Directory permissions delegated
3. Group Policy permissions delegated
4. Linked Group Policies changed
5. Group Policy Filtering changes

This dashboard provides a quick view access to the organization’s network that may require reviews.

Access tracked:

1. Admin Logons
2. Generic ‘Administrator’ Logons
3. Remote Access
4. After Hour Logon activity

This dashboard provides a quick view group policy modification critical for any organization.

Policies tracked are:

1. Lockout Policy Changes
2. Password Policy Changes
3. System Policy Changes
4. Audit Policy Changes