
Start session recording when performing privilege elevation

11 April,19 at 11:51 AM

[How to] Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Part 1 - Start session recording when performing privilege elevation



We will configure a profile that starts session recording when privileges are elevated, and integrate Splunk with Infrastructure Service (Auditing and Monitoring Service) so that the audited sessions can be viewed directly from the Splunk Portal.


Requirements - Part 1
- A server with Infrastructure Services (Privilege Elevation Service and Auditing and Monitoring Service) pre-installed.
- A Windows 7 station with the Centrify agent running

This lab is divided into 2 parts. First we will configure Centrify to create a profile that allows privilege elevation and starts recording the session once the applications within the profile are accessed. After verifying that this works, we will install Splunk and integrate it with Centrify.


    1. To start, within Centrify Access Manager, we will create 2 applications that require administrator privileges to run: in this case the Services application and the Firewall with Advanced Security application for a Windows machine.
    2. For the Windows Services application (services.msc) we will use the following configuration.

      We will create 3 profiles: one for versions before Windows 2003 or higher, another by default, and finally one for the MMC console.







    3. We configure the RunAs tab to perform the execution as a local administrator user.

    4. For the Firewall with Advanced Security application (WF.msc), we have the following configuration.






    5. We create a role definition for users that require auditing when elevating privileges.




    6. We assign the applications created in the previous steps to the new role (Services and Windows Firewall).
    7. Then we will create another role that allows login to the systems without having to audit them.






    8. To complete the configuration, we will assign an Active Directory group to the created roles.


    9. We verify that the roles are assigned to one of the users within the selected AD group.


    10. We will test the configuration by logging in to one of the systems within the Zone where we created the role and elevating privileges to verify that it works.
    11. We verify the audit session in the Audit Analyzer and observe that the session is interrupted when the configured application is closed.


Once the audit session is confirmed, the configuration for Part 1 of this article is complete. Continue with Part 2 at the following link.

 [HOW TO] Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

