topic List of computers extracted from the computer in Splunk Search

List of computers extracted from the computer

magun — Fri, 08 Mar 2019 13:27:56 GMT

Scenario: In a way, the local admin user can be retrieved, the computer to remove the domain, and without the domain to list the list of people who use the computer

Re: List of computers extracted from the computer

FrankVl — Fri, 08 Mar 2019 13:46:25 GMT

And your question is???

Re: List of computers extracted from the computer

nickhills — Fri, 08 Mar 2019 13:47:46 GMT

Can you phrase your question another way?
I'm not sure i understand what you are asking.

Re: List of computers extracted from the computer

magun — Fri, 08 Mar 2019 13:51:33 GMT

How do I tell if local admin removes a computer from a domain

Re: List of computers extracted from the computer

magun — Fri, 08 Mar 2019 13:51:38 GMT

How do I tell if local admin removes a computer from a domain

Re: List of computers extracted from the computer

magun — Fri, 08 Mar 2019 13:56:27 GMT

1- Do I find a list of local admin users
2- How do I find out which local host is logged in?
3- How do I find the list of hosts removed from these hosts in login

Re: List of computers extracted from the computer

FrankVl — Fri, 08 Mar 2019 14:03:19 GMT

That's a windows security question, not a splunk question, so you might be better of asking this on some windows user community or so. But perhaps someone comes by here who has experience with this specific use case.

Re: List of computers extracted from the computer

nickhills — Fri, 08 Mar 2019 14:13:34 GMT

Ok, a few terminology clarifications:

A local admin can not remove a computer from a domain.
A local admin however, can switch a local computer account to a workgroup.

This is problematic, because I do not believe the local system records if a workgroup membership is changed, and the domain controllers will be unaware that this change has been made.

On the other hand, if the user was a domain admin, the DCs would log Event ID 4743.

Your follow up questions:
You can run a script (via a UF) to enumerate the users of the local admins group and index this data. You could collect this data daily and then monitor for changes to this membership.

Once you have a list of the user accounts with local admin rights, you can then look for 4624 events which mention these users to see when they login - these will be local events - again not shared with the DC

Finding a list of computers removed - that's super complicated!
My best guess is that you want to query ldap for a list of all computer accounts and record their last login date (you will need to collect this from ALL domain controllers, because lastlogin is not replicated)
Then you need to compare this list to all computers which are sending events to Splunk. If something is sending data to Splunk, more than 24 hours after the last computer account domain login, you could 'guess' that it had been removed from the domain.

There are a lot of if's (and buts) in the above, and Splunk is probably not the correct tool on its own for this.
I could ramble on about how no-one should have local admin rights, and other policy/technical limitations, but bottom line is if your users are doing things they should not be doing - you need to address that by removing their ability to do so.