- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to correlate the admin user with a GPO change?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to correlate the admin user with a GPO change?
Has anyone successfully created a working search that can correlate the username or admin account who made any change to a GPO in AD or created/deleted a GPO? The builtin Administrator Admin in Splunk Active Directory App or Windows Infrastructure App does not do anything, it's probably irrelevant by now and has obsolete field names (there is no more Object_Type field, but there is objectClass=top|container|groupPolicyContainer or objectCategory):
eventtype=msad-ad-access src_nt_domain="" src_user="" Object_Type="groupPolicyContainer" | eval srch=replace(Object_Name,"},CN=.","}") | transaction maxspan=5m session_id,host,srch | lookup tSessions local=true session_id OUTPUTNEW login_username,login_domain,login_host
I tried with subsearches and transactions but still cannot get to the admin user who actually makes a GPO change. If only Microsoft included that field in the GPO event...
Anyone?
Thanks in either case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=os EventCode=5137 OR EventCode=5136 OR EventCode=5141 Class=groupPolicyContainer
|rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
|eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
|ldapfilter domain=*DOM* search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"
|convert ctime(_time) as Time
|table _time Security_ID EventCodeDescription action gpo_guid displayName
DOM= your domain name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey guys, this thread is a bit old but it's the only that came close to what I was looking for.
So I ran this search with a little modification to match my domain name and basically came up with nothing. I tested it line-by-line and the only time I can get any results is when the following line is ommited:
|ldapfilter domain=MyDomainName search="(&(Objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName={}*)))" attrs="displayName"
I am trying to get in my results, the name name of GPOs being created/modified/deleted, etc and who made the changes
Please let me know if anyone has any solutions. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same issue, I initially thought it was the ldapfilter but then I realized the issue is with the field extraction. The field extraction of: |rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\," is extracting after the "cn=" character up to the comma, which in my case included extra stuff. So I changed the field extraction to "(?i)CN\={(?<gpo_guid>.*?)\}" that is going to extract everything inside the curly brackets, but then the ldapfilter needs curly brackets to I added them back using gpo_guid="{".gpo_guid."}", it would be cleaner to extract what is inside the curly bracket and including the brackets with a single regex but I couldn't figure that out, so this work around did the trick. Once that is extracted properly the same ldap filter command posted works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oops, should read: The builtin Administrator Audit...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
