How to correlate the admin user with a GPO change?

Path Finder

Has anyone successfully created a working search that can correlate the username or admin account who made any change to a GPO in AD or created/deleted a GPO? The builtin Administrator Admin in Splunk Active Directory App or Windows Infrastructure App does not do anything, it's probably irrelevant by now and has obsolete field names (there is no more Object_Type field, but there is objectClass=top|container|groupPolicyContainer or objectCategory):
eventtype=msad-ad-access src_nt_domain="" src_user="" Object_Type="groupPolicyContainer" | eval srch=replace(Object_Name,"},CN=.","}") | transaction maxspan=5m session_id,host,srch | lookup tSessions local=true session_id OUTPUTNEW login_username,login_domain,login_host
I tried with subsearches and transactions but still cannot get to the admin user who actually makes a GPO change. If only Microsoft included that field in the GPO event...
Thanks in either case.


Try this

index=os EventCode=5137 OR EventCode=5136 OR EventCode=5141 Class=groupPolicyContainer
|rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
|eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
|ldapfilter domain=*DOM* search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"  
|convert ctime(_time) as Time 
|table _time Security_ID EventCodeDescription action gpo_guid displayName

DOM= your domain name


Path Finder

Hey guys, this thread is a bit old but it's the only one that came close to what I was looking for.
So I ran this search with a little modification to match my domain name and basically came up with nothing. I tested it line-by-line and the only time I can get any results is when the following line is omitted:
|ldapfilter domain=MyDomainName search="(&(Objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName={}*)))" attrs="displayName"

I am trying to get, in my results, the names of GPOs being created/modified/deleted, etc. and who made the changes.

Please let me know if anyone has any solutions. Thanks



I had the same issue. I initially thought it was the ldapfilter, but then I realized the issue is with the field extraction. The field extraction |rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\," is extracting everything after the "CN=" characters up to the comma, which in my case included extra stuff. So I changed the field extraction to "(?i)CN\={(?<gpo_guid>.*?)\}", which extracts everything inside the curly brackets, but then the ldapfilter needs the curly brackets, so I added them back using gpo_guid="{".gpo_guid."}". It would be cleaner to extract what is inside the curly brackets, including the brackets, with a single regex, but I couldn't figure that out, so this workaround did the trick. Once that is extracted properly, the same ldapfilter command posted above works.
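As an added illustration, not code from this thread or from the Splunk apps it mentions, the script below performs the same correlation in Python: map EventCode 5136/5137/5141 to an action, pull the GPO GUID out of the DN with a regex anchored on the braces (so the braces are kept and a leading non-GUID RDN cannot be captured by mistake, the problem described in the reply above), and join the acting account to the GPO's display name. The event records and the GUID-to-displayName map are constructed stand-ins for the indexed events and for the ldapfilter lookup.

```python
import re

# Directory Service Change events the thread's search keys on.
ACTIONS = {5137: "CREATED", 5136: "MODIFIED", 5141: "DELETED"}

# The thread's original rex: everything after the first "CN=" up to a comma.
LOOSE_GUID_RE = re.compile(r"(?i)CN=(?P<gpo_guid>.*?),")
# Anchored on the brace-delimited GUID, braces kept, so the value can be
# passed straight into ldapfilter's (cn=$gpo_guid$) without re-wrapping.
STRICT_GUID_RE = re.compile(r"(?i)CN=(?P<gpo_guid>\{[0-9A-F-]{36}\})")

# Constructed stand-in for the ldapfilter displayName lookup (assumption).
GPO_DISPLAY_NAMES = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

def extract_guid(dn, pattern=STRICT_GUID_RE):
    """Return the GPO GUID from a DN, or None when the DN carries none."""
    m = pattern.search(dn)
    return m.group("gpo_guid").upper() if m else None

def correlate(events, display_names=GPO_DISPLAY_NAMES):
    """Map events already narrowed to EventCode 5136/5137/5141 and
    Class=groupPolicyContainer (the thread's base search) to actor/action/GPO."""
    rows = []
    for ev in events:
        action = ACTIONS.get(ev["EventCode"])
        guid = extract_guid(ev["DN"])
        if action is None or guid is None:
            continue  # not a GPO change, or no GUID in the DN
        rows.append({"time": ev["_time"], "actor": ev["Security_ID"],
                     "action": action, "gpo_guid": guid,
                     "displayName": display_names.get(guid, "<not in AD>")})
    return rows

# Constructed sample events; field names follow the thread's search.
SAMPLE_EVENTS = [
    {"_time": "2023-02-01T10:00:00", "EventCode": 5137, "Security_ID": "EXAMPLE\\jdoe",
     "DN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=local"},
    # First RDN is not the GUID: the comma-terminated rex would capture "Machine".
    {"_time": "2023-02-01T10:05:00", "EventCode": 5136, "Security_ID": "EXAMPLE\\jdoe",
     "DN": "CN=Machine,CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=local"},
    {"_time": "2023-02-01T10:09:00", "EventCode": 5141, "Security_ID": "EXAMPLE\\asmith",
     "DN": "CN={DEADBEEF-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=example,DC=local"},
]
if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```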

Path Finder

Oops, should read: The builtin Administrator Audit...
