[How to] Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
Part 1 - Start session recording when performing privilege elevation
We will configure a profile that starts session recording when privileges are elevated, and set up the Splunk integration with Infrastructure Service (Auditing and Monitoring Service) so that audit sessions can be viewed directly from the Splunk portal.
Requirements - Part 1
- A server with Infrastructure Services (Privilege Elevation Service and Auditing and Monitoring Service) pre-installed.
- A Windows 7 station with the Centrify agent running
This laboratory will be divided into 2 parts. First, we will configure Centrify to create a profile that allows privilege elevation and starts recording the session once the applications within the profile are launched. After verifying that this works, we will install Splunk and integrate it with Centrify.
To start, within Centrify Access Manager, we will create 2 applications that require administrator privileges to run: in this case the Services application and Windows Firewall with Advanced Security on a Windows machine.
For the Windows Services application (services.msc) we will use the following configuration.
We will create 3 profiles: one for versions before Windows 2003 or higher, a default profile, and finally one for the MMC console.
We configure the RunAs tab to run the application as a local administrator user.
- For the Windows Firewall with Advanced Security application (WF.msc), we use the following configuration.
- We create a role definition for users whose privilege elevation must be audited.
- We assign the applications created in the previous steps (Services and Windows Firewall) to the new role.
- We then create another role that allows login to the systems without auditing them.
- To complete the configuration, we assign an Active Directory group to the roles we created.
- We verify that the roles are assigned to one of the users in the selected AD group.
- We test by logging on to one of the systems within the Zone where we created the role and elevating privileges to verify that the configuration works.
We verify the audit session in the Audit Analyzer and observe that the recording stops when the configured application is closed.
Once the audit session is confirmed, the configuration of Part 1 of this article is complete. Visit the following link for Part 2.