https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13896#M1404 <P>Okay, I see the Windows Security events when I delete group objects now that I've enabled AD auditing. However, when I delete a top most OU object itself, I do NOT see any Windows Security event generated for that. I do see the ActiveDirectory DEL event, but it does not tell me which user made the deletion.</P> Tue, 25 May 2010 22:06:09 GMT maverick 2010-05-25T22:06:09Z https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13890#M1398 <P>I have Windows Security events that tell me when a user logged on and I have an ActiveDirectory event that tells me that an OU object was deleted, but I cannot figure out how to correlate the two events together without a common unique "id" field (value) to link them.</P> <P>Is there a configuration within AD or within Windows that will log some sort of common ID or GUID to both events so I can use tie them together into a "this person deleted this OU object" in a report? </P> <P>Or, am I out of luck and maybe there is some search that will get me close to correlating these two semi-related events in such a way that I can get an approximate report along these lines?</P> Thu, 20 May 2010 01:24:23 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13890#M1398 maverick 2010-05-20T01:24:23Z https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13891#M1399 <P>I'll look into this and see if I can come up with something... I'm not sure if it's possible either.</P> Thu, 20 May 2010 08:36:19 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13891#M1399 Ledio_Ago 2010-05-20T08:36:19Z https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13892#M1400 <P>Maverick, in the deleted AD event, under the "Object details" look for the objectGUID field. It will look like:</P> <P>objectGUID=4afba9d3-6d77-b140-3591-0f45dc297f66</P> <P>The same GUID will show up in the Security event related to the deletion of the OU. The field name in the Seurity event is different, but the value is the same.</P> <P>I tried it myself, I deleted a user account in the DC. The ActiveDirectory event showed up in Splunk together with the WinEventLog Security event with EventCode=630. Both events had that same GUID.</P> <P>In the Security event the GUID looked like:</P> <P>Target Account ID: John Doe<BR /> DEL:4afba9d3-6d77-b140-3591-0f45dc297f66</P> <P>So you can run searches to look for a ActiveDirectory isDeleted=TRUE, which then shares that objectGUID field value in the Security events.</P> <P>Another thing you can do is to look for specific EventCodes related to object deletions:</P> <P><A href="http://support.microsoft.com/kb/174074" rel="nofollow">http://support.microsoft.com/kb/174074</A></P> <P>Event ID: 638<BR /> Type: Success Audit<BR /> Description: Local Group Deleted: </P> <P>Event ID: 634<BR /> Type: Success Audit<BR /> Description: Global Group Deleted: </P> <P>Event ID: 630<BR /> Type: Success Audit<BR /> Description: User Account Deleted: </P> <P>Event ID: 564<BR /> Type: Success Audit<BR /> Description: Object Deleted: </P> Fri, 21 May 2010 00:16:18 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13892#M1400 Ledio_Ago 2010-05-21T00:16:18Z https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13893#M1401 <P>Thanks!, This makes sense because we can use field aliasing to map the two different fields together as one common name and user that to match on, or transaction on. or we could use rex to normalize both field values into one common field name as well.</P> Fri, 21 May 2010 03:32:36 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13893#M1401 maverick 2010-05-21T03:32:36Z https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13894#M1402 <P>Correct! If you have problems getting the search right, let me know, I can help with that.</P> Fri, 21 May 2010 03:52:25 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13894#M1402 Ledio_Ago 2010-05-21T03:52:25Z https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13895#M1403 <P>I only see EventCode=630. I do not have any of the other EventCodes you mention above, although I DO see my ActiveDirectory events saying isDeleted=TRUE for when a group object was deleted. <BR /> How do I turn on Win security auditing of group deletes so I can get the 638 and 634 EventCodes generated?</P> Fri, 21 May 2010 09:40:07 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13895#M1403 maverick 2010-05-21T09:40:07Z https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13896#M1404 <P>Okay, I see the Windows Security events when I delete group objects now that I've enabled AD auditing. However, when I delete a top most OU object itself, I do NOT see any Windows Security event generated for that. I do see the ActiveDirectory DEL event, but it does not tell me which user made the deletion.</P> Tue, 25 May 2010 22:06:09 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13896#M1404 maverick 2010-05-25T22:06:09Z https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13897#M1405 <P>Got it to work, finally. I can NOW see the events after enabling local admin auditing as well as group auditing. (log into the domain controller -&gt; administrative tools -&gt; Domain Controller Security Settings and enable the auditing from there.</P> Thu, 03 Jun 2010 04:47:08 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13897#M1405 maverick 2010-06-03T04:47:08Z https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13898#M1406 <P>Nice, good stuff.</P> Mon, 07 Jun 2010 00:07:11 GMT https://community.splunk.com/t5/Splunk-Search/Need-a-search-to-tell-me-who-deleted-an-OU-object-in-Active/m-p/13898#M1406 Ledio_Ago 2010-06-07T00:07:11Z