- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Alert on group membership changes under OU
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all.
First of all I have inherited our Splunk implementation and only have limited experience. Be gentle....
We currently have an alert configured that is monitoring forwarded events for group membership changes.
The query for the alert has the group names to be monitored hard coded. This most definitely does not scale.
What we would ideally like is to monitor any membership changes of all groups under one or more AD organisational units (recursive). By looking over Splunk documentation and this forum I suspect this would mean setting up one or more and AD Monitors and pointing them to the targeted OU's.
1.) Am I on the right track looking at an AD monitor.
2.) If so can someone point me in the general direction for how to set up an alert using the AD Monitor information.
Thanks in advance.
Jason.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're going to address your question about scalability first.
It's probably best for that kind of use case to create a lookup table for the groups you want to monitor. In that way, you can update the lookup using any desired method, and the alert will be updated (or, more accurately, will comply with the new list) automatically.
https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Lookup
https://answers.splunk.com/answers/588630/understanding-the-lookup-command.html
In terms of building your lookup table, you would set up a search that reads your AD tables and does whatever recursive processing you want to build the full list. We can't speak to the hierarchy in your organization, but if you'd like to post a new question that shows the format of the records, with non-confidential example data, then we can help you write the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello DalJeanis.
Thanks for the reply. I will investigate setting up and Active Directory lookup table and see how I go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're going to address your question about scalability first.
It's probably best for that kind of use case to create a lookup table for the groups you want to monitor. In that way, you can update the lookup using any desired method, and the alert will be updated (or, more accurately, will comply with the new list) automatically.
https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Lookup
https://answers.splunk.com/answers/588630/understanding-the-lookup-command.html
In terms of building your lookup table, you would set up a search that reads your AD tables and does whatever recursive processing you want to build the full list. We can't speak to the hierarchy in your organization, but if you'd like to post a new question that shows the format of the records, with non-confidential example data, then we can help you write the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome! This is not stack overflow. We are always gentle here, or at least we aspire to be.
Index This | Divide 100 by half. What do you get?
Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!
Splunk and Fraud
