BitLocker Volume Details in Splunk

Monitoring BitLocker Volume Details

I was recently asked if BitLocker encryption details can be reported on in Splunk.

The answer is yes, if you send the right data to Splunk.

There is a Windows Event Log (Microsoft-Windows-BitLocker/BitLocker Management) that logs when someone encrypts or decrypts a volume.  This information is good to know, but it only tells you what happened at the time: once days, weeks, or months have passed you will need to search back over an extended period to see that activity, and eventually these events will be removed from Splunk based on the index’s retention.

I have created a solution that will allow you to see the latest volume status (latest based on an interval you can configure; the default is every 4 hours).  In addition to whether BitLocker Encryption is enabled for each volume, the script also records the volume type (Operating System or Data) and Drive Type (Fixed or Removable) so you can filter the dashboard to view the status for scenarios where you are only concerned with Fixed disks, Operating System disks, or Data disks.
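A script of the kind the forwarder's PowerShell input runs, as an added example written for this post rather than the app's own script (the real one is in the GitHub repo linked below). It assumes the BitLocker PowerShell module is installed and that the forwarder's service account is allowed to query it; the field names are my own choices.

```powershell
# Added example: gather the current status of every BitLocker-capable volume
# so the Splunk PowerShell modular input can emit one event per volume.
# Each property of the objects written to the pipeline becomes a key=value
# field in the resulting Splunk event.

$now = Get-Date -Format 'yyyy-MM-ddTHH:mm:ssK'

foreach ($vol in Get-BitLockerVolume) {
    # Get-BitLockerVolume reports MountPoint as "C:"; Get-Volume wants just "C".
    $letter    = $vol.MountPoint.TrimEnd(':')
    $driveType = 'Unknown'
    if ($letter -match '^[A-Za-z]$') {
        $v = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        if ($v) { $driveType = [string]$v.DriveType }   # Fixed / Removable / CD-ROM ...
    }

    # Protector types (Tpm, RecoveryPassword, ...) tell you whether a recovery
    # key exists; joined with ';' so the list survives as a single field value.
    $protectors = ($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }) -join ';'

    [PSCustomObject]@{
        Timestamp            = $now
        MountPoint           = $vol.MountPoint
        VolumeType           = [string]$vol.VolumeType        # OperatingSystem / Data
        DriveType            = $driveType                     # Fixed / Removable
        ProtectionStatus     = [string]$vol.ProtectionStatus  # On / Off
        VolumeStatus         = [string]$vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
        EncryptionPercentage = $vol.EncryptionPercentage
        EncryptionMethod     = [string]$vol.EncryptionMethod
        KeyProtectorTypes    = $protectors
    }
}
```

Because each run emits a fresh snapshot, a dashboard can show the current state with a search of the form `... | stats latest(ProtectionStatus) latest(VolumeStatus) by host MountPoint` rather than hunting for the original encrypt/decrypt event.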

Universal Forwarder Inputs

  1. Download the ut_splunkforwarder_inputs_bitlocker app from GitHub – BeckhamTX/Splunk-Inputs-WinSysAdminToolkit
  2. Configure the app
    • You must configure the index that you want to send the BitLocker data to:
      • Create a new folder named local inside ut_splunkforwarder_inputs_bitlocker
      • Create a new file named inputs.conf inside ut_splunkforwarder_inputs_bitlocker\local
      • Edit inputs.conf to include the following, replacing myIndex with the index you want to send to
        [powershell://BitLockerVolumeDetails]
        index = myIndex
    • You can optionally adjust the schedule that the volume details are gathered on:
      • Edit ut_splunkforwarder_inputs_bitlocker\local\inputs.conf
      • Add the following line, replacing 6 */4 * * * with your custom schedule
        schedule = 6 */4 * * *
        The schedule can be in one of the following two formats:

        • Cron: cron notation (minute, hour, day of month, month, day of week). Example: 6 */4 * * * runs at 6 minutes past the hour, every 4 hours (4.00 am, 8.00 am, 12.00 pm, 4.00 pm…)
        • Seconds: an integer, specifically the number of seconds before it runs again. Example: 7200 runs every 7200 seconds (every 2 hours)
  3. Deploy the ut_splunkforwarder_inputs_bitlocker app to your Universal Forwarders.
    You have several options to get this configuration out to all of your hosts: if you are running a Splunk Deployment Server, use it; if not, you can use systems management tools such as SCCM/MEMCM.
  4. The Universal Forwarders must be restarted to start using the new BitLocker input configuration.  This can be done using the following command:
    "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" restart

Splunk Dashboards

There are two dashboards I have created as part of my Windows SysAdmin Toolkit Splunk app.

This app is not (yet) on Splunkbase, so I will post the dashboard source code here soon.  (If you would like the dashboard source code before I get to post it, please leave a comment on here and I can send it to you directly.)

BitLocker – Comprehensive Overview of Latest Volume Details

This dashboard includes:

  • a few statistics about drive encryption across all hosts
  • the latest status for each volume on all hosts (there are several filter options available here)
  • events from the BitLocker Management Windows Event log for all hosts

BitLocker – Details for a Host

This dashboard provides details for a single host (although you can wildcard the host name if you want to see details for multiple hosts with a common naming pattern.)

Using Splunk to Identify Account Logon Failures and Lockouts in Active Directory

Working as both an AD Domain Admin and Splunk Admin, I am working on an Active Directory app for Splunk to present useful statistics as well as provide search forms and reports to be used by AD and Help Desk support staff.
This is the first in a series of blog posts I will make on the development of this app.

Step 1: Identify which Event IDs are related to logon failures and lockouts.

[Image: FailedLogonsAndLockouts-EventIDs]

Step 2: Construct the search strings that will be used to perform the relevant searches

  • index="ad" source="WinEventLog:Security" Account_Name=<accountname> EventCode=4771 Failure_Code="0x18" earliest=<-4h> | table _time Client_Address Account_Name EventCode Failure_Code
  • index="ad" source="WinEventLog:Security" Logon_Account=<accountname> EventCode=4776 Error_Code="0xc000006a" earliest=<-4h> | table _time Source_Network_Address Logon_Account EventCode Error_Code Logon_Type
  • index="ad" source="WinEventLog:Security" Account_Name=<accountname> EventCode=4740 earliest=<-4h> | table _time Caller_Computer_Name Account_Name EventCode

Step 3: Create a search form in Splunk

The search form that I created includes two input fields: account name and how many hours to search back.  The input tokens are plugged into the search strings to customise the search.

[Image: FailedLogonsAndLockouts-FormXML]

Search Form:

[Image: FailedLogonsAndLockouts-SearchForm]