HOW TO MAXIMIZE THE VALUE OF YOUR SPLUNK INVESTMENT
Presenter: Adam Stetson, Presales Engineer, [email protected], x2907
About Netwrix Corporation
Year of foundation: 2006
Headquarters location: Irvine, California
Global customer base: 6000
Recognition: Among the fastest growing software companies in the US with more than 70 industry awards from Redmond Magazine, SC Magazine, Windows IT Pro and others
Customer support: global 24/5 support with 97% customer satisfaction
Netwrix Customers
Financial
Healthcare & Pharmaceutical
Federal, State, Local, Government
Industrial/Technology/Other
Award winning products
All awards: www.netwrix.com/awards
Agenda
Facts about Splunk
Big Data – Big Issues
Integrating Splunk with Netwrix Auditor
Netwrix Auditor Demonstration
Questions and Answers
Prize Drawing
Splunk Overview
Splunk indexes any machine data: servers, sensors, web servers, networks, Active Directory, virtual machines, databases, applications, Windows, RFID, app servers, security devices, Exchange.
The output is raw event data that requires significant further analysis.
For change auditing of Active Directory, Group Policy and file servers, Splunk has only the Windows Security log to work from.
Who, What, When and Where

Security log event 4720 as indexed by Splunk (WinEventLog:Security):

20151225041807.000000
Category=13824
CategoryString=User Account Management
EventCode=4720
EventIdentifier=4720
EventType=4
Logfile=Security
RecordNumber=15755597
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20151225121807.760817-000
TimeWritten=20151225121807.760817-000
Type=Audit Success
User=NULL
ComputerName=DC1.enterprise.com
wmi_type=WinEventLog:Security
Message=A user account was created.

Subject:
    Security ID:            S-1-5-21-210521867-2639090965-1213260628-1106
    Account Name:           J.Carter
    Account Domain:         ENTERPRISE
    Logon ID:               0x57932AE

New Account:
    Security ID:            S-1-5-21-210521867-2639090965-1213260628-1174
    Account Name:           C.Hoffman
    Account Domain:         ENTERPRISE

Attributes:
    SAM Account Name:       C.Hoffman
    Display Name:           Charles Hoffman
    User Principal Name:    [email protected]
    Password Last Set:      <never>
    Account Expires:        <never>
    Primary Group ID:       513
    Old UAC Value:          0x0
    New UAC Value:          0x15
    User Account Control:
        Account Disabled
        'Password Not Required' - Enabled
        'Normal Account' - Enabled
    Logon Hours:            <value not set>
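The event above carries the who (Subject), what (New Account and its attributes), when (TimeGenerated) and where (ComputerName) only as free text inside the message. The following is an added example, not code from the slides or from Netwrix or Splunk: it parses the Splunk key=value header and the Windows message body, pulls out those four fields, and decodes the New UAC Value. The bit values it uses are the SAM USER_ACCOUNT codes (MS-SAMR), which is the encoding these events use rather than the LDAP userAccountControl bit layout: 0x15 is 0x1 (disabled) + 0x4 (password not required) + 0x10 (normal account), matching the flag list printed in the event. The sample event is constructed from the slide's values with the header cut down to the fields used; the User Principal Name, which the slide redacts, is an assumed value.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample from the slide's values; the Splunk header is cut down to
# the fields used here, and the UPN is an assumption (the slide redacts it).
SAMPLE_4720 = """\
EventCode=4720
TimeGenerated=20151225121807.760817-000
ComputerName=DC1.enterprise.com
Message=A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-210521867-2639090965-1213260628-1106
\tAccount Name:\t\tJ.Carter
\tAccount Domain:\t\tENTERPRISE
\tLogon ID:\t\t0x57932AE

New Account:
\tSecurity ID:\t\tS-1-5-21-210521867-2639090965-1213260628-1174
\tAccount Name:\t\tC.Hoffman
\tAccount Domain:\t\tENTERPRISE

Attributes:
\tSAM Account Name:\tC.Hoffman
\tDisplay Name:\t\tCharles Hoffman
\tUser Principal Name:\tC.Hoffman@enterprise.com
\tOld UAC Value:\t\t0x0
\tNew UAC Value:\t\t0x15
\tUser Account Control:\t
\t\tAccount Disabled
\t\t'Password Not Required' - Enabled
\t\t'Normal Account' - Enabled
"""

# Bits of the "UAC Value" in 4720/4738: the SAM USER_ACCOUNT codes (MS-SAMR),
# not the LDAP userAccountControl layout. 0x15 = 0x1 | 0x4 | 0x10.
SAM_UAC_FLAGS = {
    0x1: "Account Disabled", 0x2: "Home Directory Required", 0x4: "Password Not Required",
    0x8: "Temp Duplicate Account", 0x10: "Normal Account", 0x20: "MNS Logon Account",
    0x40: "Interdomain Trust Account", 0x80: "Workstation Trust Account", 0x100: "Server Trust Account",
    0x200: "Don't Expire Password", 0x400: "Account Auto Locked", 0x800: "Encrypted Text Password Allowed",
    0x1000: "Smartcard Required", 0x2000: "Trusted For Delegation", 0x4000: "Not Delegated",
    0x8000: "Use DES Key Only", 0x10000: "Don't Require Preauth", 0x20000: "Password Expired",
    0x40000: "Trusted To Authenticate For Delegation",
}
# Flags that deserve a second look when set on a brand-new account.
WEAK_FLAGS = {"Password Not Required", "Don't Require Preauth", "Use DES Key Only",
              "Don't Expire Password", "Trusted For Delegation"}

HEADER_RE = re.compile(r"^(\w+)=(.*)$")         # Splunk key=value header line
SECTION_RE = re.compile(r"^(\S[^:]*):\s*$")     # "Subject:", "New Account:", ...
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")  # indented "Field:<tabs>value"


def parse_winevent(raw):
    """Return (header dict, {section: {field: value}}) for a Splunk WinEventLog event."""
    lines, header, i = raw.splitlines(), {}, 0
    while i < len(lines):                        # header ends at the Message= line
        m = HEADER_RE.match(lines[i])
        i += 1
        if m:
            header[m.group(1)] = m.group(2)
            if m.group(1) == "Message":
                break
    body, section, field = {}, None, None
    for line in lines[i:]:
        if not line.strip():
            continue
        if m := SECTION_RE.match(line):
            section, field = m.group(1), None
            body[section] = {}
        elif (m := FIELD_RE.match(line)) and section is not None:
            field = m.group(1).strip()
            body[section][field] = m.group(2).strip()
        elif field is not None:                  # continuation line, e.g. one UAC flag name
            body[section][field] = (body[section][field] + "; " + line.strip()).strip("; ")
    return header, body


def decode_sam_uac(value):
    """Expand a UAC value into flag names; also return any bits the table does not cover."""
    names = [name for bit, name in SAM_UAC_FLAGS.items() if value & bit]
    return names, value & ~sum(SAM_UAC_FLAGS)    # keys are distinct bits, so sum == OR


def parse_wmi_time(s):
    """CIM_DATETIME 'yyyymmddHHMMSS.ffffff+UUU' (UUU = minutes from UTC) to an aware datetime."""
    base = datetime.strptime(s[:14], "%Y%m%d%H%M%S").replace(microsecond=int(s[15:21]))
    minutes = int(s[22:25]) * (-1 if s[21] == "-" else 1)
    return base.replace(tzinfo=timezone(timedelta(minutes=minutes)))


def summarize_4720(raw):
    """Who/what/when/where plus decoded account flags for one 4720 event."""
    header, body = parse_winevent(raw)
    if header.get("EventCode") != "4720":
        raise ValueError("not a 4720 event")
    subj, new, attrs = body["Subject"], body["New Account"], body["Attributes"]
    flags, unknown = decode_sam_uac(int(attrs["New UAC Value"], 16))
    return {
        "who": f'{subj["Account Domain"]}\\{subj["Account Name"]}',
        "what": f'created user {new["Account Domain"]}\\{new["Account Name"]} ({new["Security ID"]})',
        "when": parse_wmi_time(header["TimeGenerated"]).isoformat(),
        "where": header["ComputerName"],
        "uac_flags": flags,
        "unknown_bits": unknown,
        "weak_settings": sorted(set(flags) & WEAK_FLAGS),
    }
```

Running `summarize_4720(SAMPLE_4720)` yields who = ENTERPRISE\J.Carter, where = DC1.enterprise.com, and the flags Account Disabled, Password Not Required and Normal Account, with Password Not Required listed under weak_settings. Treat that last finding with care: a 4720 for an account created through Active Directory Users and Computers routinely shows Account Disabled and 'Password Not Required' because the object is created first and the password is set and the account enabled in follow-on 4738 and 4722 events, so an alert on this flag at creation time alone is noisy. Correlate on the new account's SID and alert only if no later 4738 clears the flag.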
Before and After Values

Permissions Change:
Original Security Descriptor: D:PAI(A;OICI;FA;;;S-1-5-21-210521867-2639090965-1213260628-1106)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-210521867-2639090965-1213260628-1143)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-210521867-2639090965-1213260628-1138)
New Security Descriptor: D:PARAI(A;OICI;FA;;;S-1-5-21-210521867-2639090965-1213260628-1106)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-210521867-2639090965-1213260628-1143)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-210521867-2639090965-1213260628-1138)(A;OICI;FA;;;S-1-5-21-210521867-2639090965-1213260628-1174)

The only difference is the trailing ACE: Full Access (FA), inheritable to subfolders and files (OICI), granted to SID S-1-5-21-210521867-2639090965-1213260628-1174, the account created in the 4720 event above. The rest of the DACL is unchanged, and the native event leaves the SIDs unresolved, so spotting that one added ACE is left to the analyst.
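The two descriptors above differ in one ACE, and finding it by eye in two 300-character strings is exactly the work a practitioner wants automated. The following is an added example, not code from the slides or from Netwrix or Splunk: it parses the D: portion of each SDDL string into its control flags and ACE tuples, diffs the two, and reports any newly added Allow ACE that grants Full Access. The descriptors are the slide's own; the well-known alias and mask tables cover the values that appear in them plus a few common ones, and SID-to-name resolution needs a directory lookup and is deliberately left out, so the output names the raw SID.

```python
import re

# SDDL ACE string: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:([A-Z_]*)((?:\([^)]*\))*)")
FLAG_RE = re.compile(r"AR|AI|P")   # DACL control flags: auto-inherit req, auto-inherited, protected

RIGHTS = {"FA": "Full Access", "FR": "File Read", "FW": "File Write", "FX": "File Execute",
          "GA": "Generic All", "GR": "Generic Read", "GW": "Generic Write", "GX": "Generic Execute"}
# Hex masks that appear when no two-letter alias fits (file-system access masks).
MASKS = {0x1200A9: "Read & Execute", 0x1301BF: "Modify", 0x1F01FF: "Full Control"}
SIDS = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone",
        "AU": "Authenticated Users", "CO": "CREATOR OWNER"}

# The two descriptors from the slide (before and after the permissions change).
ORIGINAL_SD = ("D:PAI(A;OICI;FA;;;S-1-5-21-210521867-2639090965-1213260628-1106)(A;OICI;FA;;;BA)"
               "(A;OICI;0x1200a9;;;S-1-5-21-210521867-2639090965-1213260628-1143)(A;OICI;FA;;;SY)"
               "(A;OICI;FA;;;S-1-5-21-210521867-2639090965-1213260628-1138)")
NEW_SD = ("D:PARAI(A;OICI;FA;;;S-1-5-21-210521867-2639090965-1213260628-1106)(A;OICI;FA;;;BA)"
          "(A;OICI;0x1200a9;;;S-1-5-21-210521867-2639090965-1213260628-1143)(A;OICI;FA;;;SY)"
          "(A;OICI;FA;;;S-1-5-21-210521867-2639090965-1213260628-1138)"
          "(A;OICI;FA;;;S-1-5-21-210521867-2639090965-1213260628-1174)")


def parse_dacl(sddl):
    """Return (set of control flags, set of ACE tuples) from the D: part of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    flags = set(FLAG_RE.findall(m.group(1)))
    aces = set()
    for body in ACE_RE.findall(m.group(2)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.add(tuple(parts))
    return flags, aces


def describe_rights(rights):
    """Map an SDDL rights field (alias, concatenated aliases or hex mask) to a readable name."""
    if rights.lower().startswith("0x"):
        return MASKS.get(int(rights, 16), rights)
    return " + ".join(RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2))


def describe_ace(ace):
    """One line of English for an ACE tuple; SIDs are not resolved (that needs a directory lookup)."""
    ace_type, ace_flags, rights, _obj, _inh, sid = ace
    kind = {"A": "Allow", "D": "Deny", "AU": "Audit"}.get(ace_type, ace_type)
    if "OI" in ace_flags and "CI" in ace_flags:
        scope = "this object, subfolders and files"
    else:
        scope = ace_flags or "this object only"
    return f"{kind} {describe_rights(rights)} to {SIDS.get(sid, sid)} on {scope}"


def diff_dacl(old_sddl, new_sddl):
    """Added/removed ACEs and control flags between two descriptors, plus new Full Access grantees."""
    old_flags, old = parse_dacl(old_sddl)
    new_flags, new = parse_dacl(new_sddl)
    added = sorted(new - old)
    return {
        "added": added,
        "removed": sorted(old - new),
        "flags_added": sorted(new_flags - old_flags),
        "flags_removed": sorted(old_flags - new_flags),
        # Allow ACEs granting FA/GA are the ones worth an alert on a file share.
        "new_full_access": [ace[5] for ace in added if ace[0] == "A" and ace[2] in ("FA", "GA")],
    }


if __name__ == "__main__":
    result = diff_dacl(ORIGINAL_SD, NEW_SD)
    for ace in result["added"]:
        print("ADDED:", describe_ace(ace))
    print("control flags added:", result["flags_added"])
    print("new full access for:", result["new_full_access"])
```

For the slide's pair the diff reports one added ACE, Allow Full Access to S-1-5-21-210521867-2639090965-1213260628-1174 on this object, subfolders and files, no removals, and the control flag AR added (the new descriptor is PARAI, a protected DACL carrying an auto-inherit request). Because the rights field can be an alias, a run of aliases, or a raw hex mask, the same code reads the share-style 0x1200a9 entry as Read & Execute rather than treating it as a different kind of token.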
Group Policy Attribute Changes

ComputerName=DC1.enterprise.com
wmi_type=WinEventLog:Security
Message=A directory service object was modified.

Subject:
    Security ID:            S-1-5-21-210521867-2639090965-1213260628-1106
    Account Name:           J.Carter
    Account Domain:         ENTERPRISE
    Logon ID:               0x582F8BD

Directory Service:
    Name:                   enterprise.com
    Type:                   Active Directory Domain Services

Object:
    DN:                     CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=ENTERPRISE,DC=COM
    GUID:                   {847770C3-9549-4BFB-A94F-773247AA3953}
    Class:                  groupPolicyContainer

Attribute:
    LDAP Display Name:      versionNumber
    Syntax (OID):           2.5.5.9
    Value:                  59

Operation:
    Type:                   Value Added
    Correlation ID:         {51A06FDB-AF8D-489C-AE60-C42F0981F263}
    Application Correlation ID: -

The native event records only that J.Carter modified the GPO whose CN is {31B2F340-016D-11D2-945F-00C04FB984F9} (the Default Domain Policy) and that its versionNumber became 59. Which setting inside the policy changed, and what its previous value was, is not in the event.
Big Data – Big Issues
Security, Compliance and Operations all need the same four answers from the data: Who? What? When? Where?
Netwrix Auditor collects change data from Exchange Server, File Server, Group Policy and Active Directory and forwards it to Splunk (Integration with Splunk).
Saving Money and Increasing ROI

Source                                  Daily indexed events    Indexed size
Splunk alone                            4,722,121               3,663 MB
Splunk – Netwrix Auditor integration    2,156                   3.5 MB
Extra Benefits
1. State-in-Time Information: current and past configurations (for example, whether a given setting was enabled or disabled at a point in time)
2. Interactive, Google-like Search of Audit Data
3. Video Recording of Privileged User Activity
4. Out-of-the-box Compliance Reports
About Netwrix Auditor
Netwrix Auditor delivers complete visibility into IT infrastructure changes and data access by providing actionable audit data about who changed what, when and where each change was made, and who has access to what.
Netwrix Auditor Applications and Scope
Netwrix Auditor for Active Directory: Active Directory changes; Group Policy changes; state-in-time information on configurations; real-time alerts; AD change rollback; inactive user tracking and password expiration alerting.
Netwrix Auditor for Exchange: Exchange changes and non-owner mailbox access auditing.
Netwrix Auditor for File Servers: changes to Windows-based file servers, EMC Storage and NetApp Filers; state-in-time information on configurations.
Netwrix Auditor for SharePoint: SharePoint farm configuration changes, security and content changes.
Netwrix Auditor for SQL Server: SQL configuration and database content changes.
Netwrix Auditor for VMware: VMware vSphere changes.
Netwrix Auditor for Windows Server: changes to configuration of Windows-based servers; Event Logs, Syslog, Cisco, IIS, DNS; user activity video recording.
Demonstration
Netwrix Auditor
Five Easy Steps to Integration
1) Run the Netwrix Auditor Administrator console and enable integration for your domain or file server managed object or objects as follows:
   • Active Directory -> Advanced Options -> Configure -> Enable integration with: Third-party SIEM products
   • Exchange Server -> Advanced Options -> Configure -> Enable integration with: Third-party SIEM products
   • Group Policy -> Advanced Options -> Configure -> Enable integration with: Third-party SIEM products
   • File Servers -> Advanced Settings -> Enable integration with third-party SIEM solutions
2) Run the Splunk web console and go to Settings -> Data inputs -> Remote event log collections -> Add new. Then:
   Specify a name for the Netwrix Auditor change log.
   Type in the host where Netwrix Auditor is located and click Find logs.
   Select the NetWrixChangeReporter log.
3) Choose Next -> configure Input Settings and specify the following:
   App Context – Select “Search and Reporting”
   Host – Select “Netwrix Auditor”
   Index – Select “Default”
4) Click Review and check your configuration.
5) Click Submit to complete the integration.
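Steps 2 to 5 end up as a stanza in Splunk's wmi.conf on the instance that performs the remote collection. As an added example, not taken from the slides or from Netwrix or Splunk documentation, this is the equivalent stanza: the stanza name, the Netwrix Auditor host name and the polling interval are assumptions for illustration, the log name is the one shown in step 2, and index = main is Splunk's default index, the “Default” choice in step 3.

```ini
# wmi.conf on the Splunk instance doing the remote collection. Stanza name,
# server host name and interval are assumptions for this example; the log
# name is the one selected in step 2 and index = main is the "Default" index.
[WMI:NetwrixAuditorChangeLog]
server = netwrix-auditor.enterprise.com
interval = 60
event_log_file = NetWrixChangeReporter
index = main
disabled = 0
```

Remote event log collection over WMI runs under the splunkd service account, which therefore needs DCOM/WMI access to the Netwrix Auditor host and the right to read that log; membership in the host's local Event Log Readers group is enough, and the account does not need, and should not be given, domain administrator rights. Where the Netwrix Auditor host can take a Universal Forwarder, Splunk's own guidance is to prefer a local WinEventLog input (a [WinEventLog://NetWrixChangeReporter] stanza in inputs.conf) over WMI polling, which is slower and opens a remote management path that has to be secured.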
Next Steps
Free Trial: set up in your own test environment
netwrix.com/freetrial
Test Drive: virtual POC, try in a Netwrix-hosted test lab
netwrix.com/testdrive
Live One-to-One Demo: product tour with a Netwrix expert
netwrix.com/livedemo
Contact Sales to obtain more information
netwrix.com/contactsales
Webinars: join our upcoming webinars and watch the recorded sessions
netwrix.com/webinars
netwrix.com/webinars#featured
Thank You!
Prize Drawing
Haven’t won this time? Sign up for upcoming sessions: https://www.netwrix.com/webinars.html
Get Your Fitbit Activity Wristband!