Using the built-in Splunk admon indexing, is there a way to monitor additions or removals to AD groups?
I'm using the following to pull the latest membership and format each member as a record:
index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | table cn splitted _time
This gives the following output:
Group_cn_1,member1,_time1
Group_cn_1,member2,_time1
Group_cn_1,member3,_time1
Group_cn_2,member1,_time2
Group_cn_2,member2,_time2
My first thought was to compare two time windows as:
set diff [ latest(_time)] [ _time < _time - 24h]
However, it appears the admon input is on a rising tail mechanism and latest(_time) varies on the last update of the group. I feel like I'm overthinking this. Perhaps I should just create an alert to show any group with an _time within the last 24 hours, then somehow compare that to the previous record?
Any advice?
I have something working as a scheduled alert:
index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | fields - _raw | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | eval Zone="Latest" | table cn splitted Zone _time
| append [ | search index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | fields - _raw | eventstats latest(_time) AS latest_timestamp by cn | eval prev_timestamp = strftime(_time, "%Y-%m-%d %I:%M:%S %p") | where _time < latest_timestamp | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | eval Zone="Previous" | table cn splitted Zone _time latest_timestamp ]
| stats values(cn) AS cn, values(Zone) as Zone, values(_time) as Timestamp, values(latest_timestamp) AS latest_timestamp by splitted
| nomv Zone
| search Zone="Previous"
| eval t=now()
| eval t_earliest = (t - 86400 * 1)
| where latest_timestamp>t_earliest
It can likely be cleaned up, but this is working for both removals and additions of accounts. The query as is only pulls removals, with the "Zone" field set to "Previous". It's set as a scheduled alert around 6am that triggers if results are > 0.
You can do this over the Windows Log.
Eventcodes
Well aware of this, however I'd rather use the built in AD monitoring over deploying a forwarder on multiple domain controllers.
I've made some progress in that I can now compare deltas of the latest event vs. the prior event:
This grabs the event prior to the latest:
index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | table cn _time | eventstats latest(_time) AS lasttime | where _time < lasttime | dedup cn
I'm now formatting a 'set diff' query to compare the two.
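The comparison the scheduled alert above performs in SPL (latest snapshot per group vs. the snapshot just before it, filtered to groups updated in the last 24 hours), and the latest-vs-prior logic of the last post, written out as an added Python example. This is not code from the original thread or from Splunk; the input records are constructed to match the shape of the admon output shown earlier (cn, a "|"-joined member attribute, an epoch _time), and the 86400-second window mirrors the alert's `t - 86400 * 1`. It reports additions as well as removals, which the SPL alert as posted does not, and it computes the baseline per group rather than from a single global latest time, which is what makes it robust to the rising-tail behaviour the question describes.

```python
from collections import defaultdict

# Constructed sample records in the shape the Splunk admon input yields for
# group objects: cn, "|"-joined member attribute, epoch _time. Not real data.
SAMPLE_EVENTS = [
    {"cn": "Group_cn_1", "member": "member1|member2|member3", "_time": 1700000000},
    {"cn": "Group_cn_1", "member": "member1|member3|member4", "_time": 1700086400},
    {"cn": "Group_cn_2", "member": "member1|member2",         "_time": 1699900000},
    {"cn": "Group_cn_2", "member": "member1",                 "_time": 1699950000},
    {"cn": "Group_cn_3", "member": "member9",                 "_time": 1700050000},
]


def members_of(event):
    """Equivalent of split(member, "|") + mvexpand: the set of members in one snapshot."""
    return {m for m in event["member"].split("|") if m}


def latest_and_previous(events):
    """Per group cn, return (latest_snapshot, previous_snapshot_or_None).

    Mirrors `eventstats latest(_time) AS latest_timestamp by cn` followed by
    `where _time < latest_timestamp | dedup cn`: the baseline is the most recent
    snapshot before the latest one, computed per group rather than from one
    global latest time, so groups that change on different days are compared
    against their own prior state.
    """
    by_cn = defaultdict(list)
    for e in events:
        by_cn[e["cn"]].append(e)
    result = {}
    for cn, snaps in by_cn.items():
        snaps.sort(key=lambda e: e["_time"])
        latest = snaps[-1]
        previous = snaps[-2] if len(snaps) >= 2 else None
        result[cn] = (latest, previous)
    return result


def diff_memberships(events, now, window_seconds=86400):
    """Return {cn: {"added": set, "removed": set, "latest_time": int}} for each
    group whose latest snapshot is newer than now - window_seconds and that has
    a prior snapshot to compare against. A group with a single record has no
    baseline (the input only records a group when it is updated), so it is
    skipped rather than reported as all-new.
    """
    threshold = now - window_seconds
    changes = {}
    for cn, (latest, previous) in latest_and_previous(events).items():
        if latest["_time"] <= threshold or previous is None:
            continue
        cur, prev = members_of(latest), members_of(previous)
        added, removed = cur - prev, prev - cur
        if added or removed:
            changes[cn] = {"added": added, "removed": removed, "latest_time": latest["_time"]}
    return changes


def format_alert_rows(changes):
    """Flatten to (cn, member, change) rows, the shape a scheduled alert would table."""
    rows = []
    for cn in sorted(changes):
        for m in sorted(changes[cn]["removed"]):
            rows.append((cn, m, "Removed"))
        for m in sorted(changes[cn]["added"]):
            rows.append((cn, m, "Added"))
    return rows


if __name__ == "__main__":
    now = 1700100000  # constructed "now", just after the newest sample snapshot
    for row in format_alert_rows(diff_memberships(SAMPLE_EVENTS, now)):
        print(*row)
```

Run against the constructed sample with a 24-hour window, only Group_cn_1 is reported (member2 removed, member4 added); Group_cn_2 last changed outside the window and Group_cn_3 has no prior snapshot. Widening the window to cover Group_cn_2's last update surfaces its removal of member2 as well. The same skip-if-no-baseline rule is worth keeping in the SPL version, otherwise a newly created group shows every member as an addition on the day the admon input first records it.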