LDAP Authentication/Bind tracking via Windows Events and/or Splunk - windows

I'd like to have a Splunk query to show LDAP Authentication/Binds to a group of AD servers. However, if this can be found via Windows events I can then write the query in Splunk. I'm a bit new with LDAP and Splunk...
Current search (50 or so results in 15 mins):
index="winevent" host="AD Servers" serviceBindingInformation | stats count by Account_Name
This seems to show only "Message=A directory service object was modified." which is not what we are looking for.
Another search (over 6000 results in 15 mins):
index="winevent" host="AD Servers" LDAP
While I get far more results, I don't seem to have any that are showing Authentication or LDAP Binds. The event code for all of the results is:
5136: A directory service object was modified
Is there a different way to search for LDAP Authentication than how I am going about it or is there a change that should be made on AD or Splunk to allow visibility to view LDAP Authentication?
Thanks, C
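An added example (Python, not from the question, from Splunk or from Microsoft) of what a defender usually wants out of this data. Event 5136 only records object modifications; Windows writes a per-bind record only for simple (cleartext) or unsigned SASL binds, as Directory Service log event 2889, and only once the DWORD "16 LDAP Interface Events" under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics is raised to 2. Signed/Kerberos binds do not produce 2889 and are visible only as ordinary network logons on the DC. The code below takes records shaped like Splunk's Windows field extractions (constructed sample data, not real events; the 2889 message layout and its "Binding Type" values 0 = simple bind, 1 = unsigned SASL are this example's assumptions), drops everything that is not a 2889, and counts binds per identity and client address, flagging the cleartext ones. The equivalent SPL would filter on EventCode=2889 and use rex against the Message field for the same three values.

```python
import re
from collections import Counter

# Event codes as Splunk's Windows add-on exposes them in the EventCode field.
MODIFIED_EVENT = "5136"        # "A directory service object was modified" (Security log)
UNSIGNED_BIND_EVENT = "2889"   # Directory Service log, one record per unsigned/cleartext bind

# Constructed sample records, NOT real data. They mimic Splunk's extracted fields
# (host, EventCode, Message, ...). The 2889 message layout is an assumption of this
# example; adjust the regexes if your DCs format it differently.
SAMPLE_EVENTS = [
    {"host": "DC01", "EventCode": "5136", "Account_Name": "svc-app",
     "Message": "A directory service object was modified."},
    {"host": "DC01", "EventCode": "2889", "Message": (
        "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
        "without requesting signing (integrity verification), or performed a simple bind "
        "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
        "Client IP address:\n10.0.0.25:51234\n\n"
        "Identity the client attempted to authenticate as:\nCORP\\svc-app\n\n"
        "Binding Type:\n0")},
    {"host": "DC02", "EventCode": "2889", "Message": (
        "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
        "without requesting signing (integrity verification), or performed a simple bind "
        "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
        "Client IP address:\n10.0.0.31:49872\n\n"
        "Identity the client attempted to authenticate as:\nCORP\\jdoe\n\n"
        "Binding Type:\n1")},
    {"host": "DC02", "EventCode": "2889", "Message": "truncated event with no client details"},
]

_IP_RE = re.compile(r"Client IP address:\s*(\S+)")
_IDENTITY_RE = re.compile(r"Identity the client attempted to authenticate as:\s*(\S+)")
_BINDTYPE_RE = re.compile(r"Binding Type:\s*(\d+)")


def parse_unsigned_bind(message):
    """Pull client address, identity and binding type out of a 2889 message.

    Binding type 0 is a simple bind (credentials cleartext on the wire), 1 is a
    SASL bind that did not request signing. Returns None if any field is missing.
    """
    ip = _IP_RE.search(message)
    identity = _IDENTITY_RE.search(message)
    bind_type = _BINDTYPE_RE.search(message)
    if not (ip and identity and bind_type):
        return None
    addr, _, port = ip.group(1).rpartition(":")  # rpartition keeps IPv6 literals intact
    return {"client_ip": addr, "port": port,
            "identity": identity.group(1), "binding_type": int(bind_type.group(1))}


def summarize_binds(events):
    """Count unsigned/cleartext binds per (identity, client IP); report what was skipped."""
    binds, cleartext, skipped = Counter(), Counter(), Counter()
    for ev in events:
        code = ev.get("EventCode")
        if code != UNSIGNED_BIND_EVENT:
            skipped[code] += 1            # 5136 and anything else is not a bind record
            continue
        parsed = parse_unsigned_bind(ev.get("Message", ""))
        if parsed is None:
            skipped["2889-unparsed"] += 1
            continue
        key = (parsed["identity"], parsed["client_ip"])
        binds[key] += 1
        if parsed["binding_type"] == 0:
            cleartext[key] += 1
    return {"binds": binds, "cleartext_simple_binds": cleartext, "skipped": skipped}


if __name__ == "__main__":
    result = summarize_binds(SAMPLE_EVENTS)
    for (identity, ip), n in sorted(result["binds"].items()):
        flag = " (SIMPLE BIND, cleartext)" if result["cleartext_simple_binds"][(identity, ip)] else ""
        print(f"{identity} from {ip}: {n} unsigned bind(s){flag}")
    print("skipped:", dict(result["skipped"]))
```

The 2889 record is the one worth alerting on, because it identifies clients that would break if LDAP signing or LDAPS were enforced; the summary per identity and source address is the list to work through before flipping that setting.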

Related

Grafana hide query from user

I am trying to build a Grafana dashboard with an Elastic data source, but when I view the network traffic I see that the browser goes directly to the Elastic DB. This means that if a user wanted to, they could change the query and get whatever data they want. I want to be able to limit the data to this specific user.
I was thinking of limiting it with a filter for the specific user but am open to suggestions.
After rifling through the Grafana forum I found this:
https://community.grafana.com/t/grafana-templating-by-logged-in-user/1724
So apparently it's not possible.

How Can I Count the Number of Times a User has Logged on to a OpenLdap Domain

I am using an OpenLDAP server for centralised authentication. I wanted to count the number of times all clients have logged in against this OpenLDAP server. On googling I found that logonCount exists for Active Directory but didn't find anything for OpenLDAP. Any help is appreciated. Thanks
This is not supported directly in the user entry. You would have to enable the access log overlay and scan the access logs yourself.
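An added example (Python, not from the answer or from the OpenLDAP project) of the "scan the access logs yourself" step. With the accesslog overlay configured to record binds (slapd.conf: `overlay accesslog`, `logdb cn=accesslog`, `logops binds`), every bind becomes an entry under cn=accesslog with reqType, reqDN, reqMethod and reqResult attributes. The LDIF below is constructed to look like an `ldapsearch -b cn=accesslog "(reqType=bind)"` export under that assumption; the parser handles LDIF line folding and base64 values, and the counter separates successful binds (reqResult 0) from failed ones (49 = invalidCredentials) and names anonymous binds explicitly.

```python
import base64
from collections import Counter

# Constructed LDIF (labelled as such): what a bind-only accesslog export looks like
# under this example's assumptions. The third entry folds its reqDN across two lines,
# the fourth is an anonymous bind (empty reqDN), the fifth is a search, not a bind.
SAMPLE_ACCESSLOG_LDIF = """\
dn: reqStart=20240301083000.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20240301083000.000001Z
reqEnd: 20240301083000.000002Z
reqType: bind
reqSession: 1001
reqDN: uid=alice,ou=people,dc=example,dc=com
reqVersion: 3
reqMethod: SIMPLE
reqResult: 0

dn: reqStart=20240301083500.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20240301083500.000001Z
reqType: bind
reqSession: 1002
reqDN: uid=bob,ou=people,dc=example,dc=com
reqVersion: 3
reqMethod: SIMPLE
reqResult: 49

dn: reqStart=20240301084000.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20240301084000.000001Z
reqType: bind
reqSession: 1003
reqDN: uid=alice,ou=people,dc=example,
 dc=com
reqVersion: 3
reqMethod: SIMPLE
reqResult: 0

dn: reqStart=20240301084500.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20240301084500.000001Z
reqType: bind
reqSession: 1004
reqDN:
reqVersion: 3
reqMethod: SIMPLE
reqResult: 0

dn: reqStart=20240301085000.000001Z,cn=accesslog
objectClass: auditSearch
reqStart: 20240301085000.000001Z
reqType: search
reqSession: 1001
reqDN: ou=people,dc=example,dc=com
reqResult: 0
"""


def _decode(value):
    """LDIF 'attr:: <base64>' values arrive here as ': <base64>'; plain values are stripped."""
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return value.strip()


def parse_ldif(text):
    """Minimal LDIF reader: one dict (attribute -> list of values) per entry.
    Unfolds continuation lines (leading space), skips comments, decodes base64."""
    entries, current, last_attr = [], {}, None

    def flush():
        if current:
            entries.append({a: [_decode(v) for v in vals] for a, vals in current.items()})

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            flush()
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded line: append without the space
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        current.setdefault(attr, []).append(value)
        last_attr = attr
    flush()
    return entries


def count_binds(ldif_text):
    """Successful and failed bind attempts per DN, as the accesslog overlay records them."""
    ok, failed = Counter(), Counter()
    for entry in parse_ldif(ldif_text):
        if entry.get("reqType", [""])[0] != "bind":
            continue
        dn = entry.get("reqDN", [""])[0] or "(anonymous)"
        result = int(entry.get("reqResult", ["-1"])[0])
        (ok if result == 0 else failed)[dn] += 1
    return {"successful": ok, "failed": failed}


if __name__ == "__main__":
    for kind, counts in count_binds(SAMPLE_ACCESSLOG_LDIF).items():
        for dn, n in sorted(counts.items()):
            print(f"{kind:10} {n:3}  {dn}")
```

The failed counter is the more useful of the two for a defender: a burst of reqResult 49 against many DNs from one reqSession is what a password-spraying attempt looks like in this log, and the successful counter is the "logon count" the question asked for.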

querying LDAP - get account status (like disabled , active, etc.)

I am querying an LDAP directory and setting variables for mail and displayName. I also need to find out whether the account is disabled or active. Which property do I need to pull for this?
If using Active Directory the attribute you are interested in is userAccountControl which is a bit mask. Here are the possible values... http://support.microsoft.com/kb/305144/
There is no standard attribute though and it will vary by product and sometimes applications that use the directory server as a repository.
We have auto-unlock after 5 min via GPO enabled on our network. With this setting, the userAccountControl field remains unchanged until the user logs in. So we currently have no way to find out if a user is still logged or not by querying LDAP.
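An added example (Python, not from the answers above) of working with userAccountControl as the bit mask the answer describes, using the bit values from the linked Microsoft article: decoding a raw value into flag names, testing the ACCOUNTDISABLE bit, and building an LDAP filter that evaluates the bit server-side with the LDAP_MATCHING_RULE_BIT_AND rule OID 1.2.840.113556.1.4.803 (a real AD matching rule) so the directory returns only disabled or only enabled users. It also covers the auto-unlock caveat from the last reply: lockoutTime (a FILETIME) is not cleared by an automatic unlock, so lockout has to be computed against the policy's lockout duration rather than read from a bit.

```python
from datetime import datetime, timedelta, timezone

# Bit values of userAccountControl as documented in the KB article linked above.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
ACCOUNTDISABLE = 0x0002
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # bitwise AND extensible match
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value):
    """Flag names set in a userAccountControl value (LDAP hands it over as a string)."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_disabled(value):
    return bool(int(value) & ACCOUNTDISABLE)


def uac_bit_filter(bit, is_set=True):
    """Filter clause that tests one userAccountControl bit on the server."""
    clause = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit})"
    return clause if is_set else f"(!{clause})"


def user_filter(disabled):
    """Filter for user objects that are disabled (True) or enabled (False)."""
    return f"(&(objectCategory=person)(objectClass=user){uac_bit_filter(ACCOUNTDISABLE, disabled)})"


def filetime_to_datetime(ft):
    """FILETIME = 100 ns intervals since 1601-01-01 UTC, as lockoutTime/pwdLastSet use."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_locked_out(lockout_time, lockout_duration, now=None):
    """lockoutTime stays set after an automatic unlock, so compare it with the policy duration.
    A lockout_duration of None means 'locked until an administrator unlocks'."""
    lt = int(lockout_time)
    if lt == 0:
        return False
    if lockout_duration is None:
        return True
    now = now or datetime.now(timezone.utc)
    return now < filetime_to_datetime(lt) + lockout_duration


if __name__ == "__main__":
    # Constructed attribute values, as a directory search would return them as strings.
    for raw in ("512", "514", "66048"):
        print(raw, "disabled" if is_disabled(raw) else "enabled", decode_uac(raw))
    print(user_filter(disabled=True))
```

The same filter shape works for any other bit, for example `uac_bit_filter(0x400000)` to list accounts with Kerberos pre-authentication disabled, which is a configuration a defender usually wants to review.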

Multitenant setup with Kibana and Elasticsearch

I am going to use Logstash + ES + Kibana for my project. I want to know how to use this framework for multiple tenants. Can anyone explain to me how, after authentication, Kibana queries the Elasticsearch index and loads it into Kibana's dashboard? Can I restrict Kibana to look at a specific Elasticsearch index for a particular user or some ID? Has anybody tried this?
Thanks
You could, but depending on your use case it is probably not a good idea. There are a few gotchas, particularly regarding security and separating the users. First, Kibana is just JavaScript running in the browser, so whatever Kibana is allowed to do, so is your user. You can however have a separate index pattern for each "user", but Elasticsearch does not provide you any way of authenticating users or authorizing a user's access to a specific index. You would have to use some sort of proxy for this.
I recommend http://www.found.no/foundation/elasticsearch-in-production/ and http://www.found.no/foundation/elasticsearch-security/ for a more in depth explanation.
Create an index for each tenant.
In this way you can use a proxy (like the app that hosts Kibana) to intercept the request and return settings that include the index to use.
The value that specifies the index to use can be the logged in user or you can get that value somewhere else.
To separate the data even more, you can use a prefix in each index name, and then when you specify an index you can use a pattern to take all the indices related to only a certain kind of data/entities.
Hope this helps.
Elasticsearch announced today a plugin they are working on that should provide security features to the ES product. Probably this will contain ways of restricting access based on roles and users set up at cluster and index level. If this happens I see no way for them not to extend this security layer to Kibana as well. Also, it seems this plugin will have a commercial version only.
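An added example (Python, not from any of the answers and not Elastic's code) of the check the proxy answers above leave implicit: once each tenant owns a prefix, the proxy must refuse any request whose index expression can reach outside that prefix. Elasticsearch index expressions allow comma-separated lists, `*` wildcards, `_all`, `-` exclusions, date-math `<...>` names and cluster-level `_`-endpoints, and the URL may be percent-encoded or contain `..`, so a naive "starts with prefix" test on the raw path is not enough. The tenant name, paths and index names below are constructed; the function authorizes from the path only, which is why it also refuses APIs such as `_msearch`, `_mget` and `_bulk` that carry index names in the request body.

```python
import posixpath
from urllib.parse import unquote

# APIs whose request body can name indices; a path-only check cannot vet them.
BODY_INDEX_APIS = {"_msearch", "_mget", "_bulk"}
# Characters Elasticsearch does not allow in index names; rejecting them keeps
# the prefix test meaningful (a '/' or ' ' can only be an attempt to confuse parsing).
FORBIDDEN_CHARS = set(' "\\/?<>|')


def tenant_prefix(tenant):
    """Index naming convention assumed by this example: '<tenant>-<anything>'."""
    return f"{tenant}-"


def index_expression_allowed(tenant, expr):
    """True only if every name or pattern in a comma-separated expression stays inside
    the tenant's prefix. '_all', bare wildcards, exclusions and date math are refused."""
    prefix = tenant_prefix(tenant)
    if not expr or expr == "_all":
        return False
    for part in expr.split(","):
        part = part.strip()
        if not part or part[0] in "-+_*<":
            return False
        if not part.startswith(prefix):
            return False
        if FORBIDDEN_CHARS & set(part):
            return False
    return True


def authorize_request(tenant, raw_path):
    """Decide from the URL path whether a proxied Elasticsearch request may pass.
    Returns (allowed, reason)."""
    path = posixpath.normpath(unquote(raw_path))   # decode %2C, collapse '..' first
    parts = path.split("/")
    index_expr = parts[1] if len(parts) > 1 else ""
    if index_expr == "" or index_expr.startswith("_"):
        return False, "cluster-level or index-less endpoint"
    if len(parts) > 2 and parts[2] in BODY_INDEX_APIS:
        return False, f"{parts[2]} names indices in its body; inspect the body instead"
    if not index_expression_allowed(tenant, index_expr):
        return False, f"index expression {index_expr!r} leaves tenant prefix"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests for a tenant named 'acme'.
    for p in ("/acme-logs-2024.03/_search", "/acme-*/_search", "/*/_search",
              "/acme-logs,globex-logs/_search", "/acme-logs/../globex-logs/_search",
              "/_cluster/health", "/acme-logs/_msearch"):
        print(f"{p:45} -> {authorize_request('acme', p)}")
```

Two points matter when deploying this: tenant names must not be prefixes of one another (a tenant `acme` would match the indices of `acme-corp` unless the separator is reserved), and the Elasticsearch port must be reachable only from the proxy, since the browser-side Kibana code will otherwise talk to the cluster directly, as the first answer notes.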

apps-scripts: remote database password security

I connect to a remote SQL Server database using the JDBC service. My Apps Script has my password and user ID. Is there a security risk involved? I ask because JavaScript is open to inspection; are Apps Scripts open to users?
What is the best way to get that secure information into an app?
Even hard coded values don't show up in the javascript when rendered by the browser. That is because all the code that you write runs on the server side (except client handlers).
However, if you share a script or spreadsheet with the script with another user, the code is visible to the other user.
You can store your username and password in a spreadsheet that only you have access to and read from there during runtime. However, ensure that the script runs under your id (i.e only published as a web app).
Use the UserProperties service. Its values are only available to you, and if you decide to make the application multi-user, you could even direct users to store their unique SQL username/password in their own UserProperties.