
How to correlate the admin user with a GPO change?

Path Finder

Has anyone successfully created a working search that can correlate the username or admin account who made any change to a GPO in AD or created/deleted a GPO? The builtin Administrator Admin in Splunk Active Directory App or Windows Infrastructure App does not do anything, it's probably irrelevant by now and has obsolete field names (there is no more Object_Type field, but there is objectClass=top|container|groupPolicyContainer or objectCategory):
eventtype=msad-ad-access src_nt_domain="" src_user="" Object_Type="groupPolicyContainer" | eval srch=replace(Object_Name,"},CN=.","}") | transaction maxspan=5m session_id,host,srch | lookup tSessions local=true session_id OUTPUTNEW login_username,login_domain,login_host
I tried with subsearches and transactions but still cannot get to the admin user who actually makes a GPO change. If only Microsoft included that field in the GPO event...
Thanks in either case.


Try this

index=os EventCode=5137 OR EventCode=5136 OR EventCode=5141 Class=groupPolicyContainer
|rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
|eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
|ldapfilter domain=*DOM* search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"  
|convert ctime(_time) as Time 
|table _time Security_ID EventCodeDescription action gpo_guid displayName

DOM= your domain name

0 Karma

Path Finder

Hey guys, this thread is a bit old but it's the only one that came close to what I was looking for.
So I ran this search with a little modification to match my domain name and basically came up with nothing. I tested it line-by-line and the only time I can get any results is when the following line is omitted:
|ldapfilter domain=MyDomainName search="(&(Objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName={}*)))" attrs="displayName"

I am trying to get in my results the name of GPOs being created/modified/deleted, etc. and who made the changes.

Please let me know if anyone has any solutions. Thanks

0 Karma


I had the same issue. I initially thought it was the ldapfilter, but then I realized the issue is with the field extraction. The field extraction |rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\," extracts after the "cn=" characters up to the comma, which in my case included extra stuff. So I changed the field extraction to "(?i)CN\={(?<gpo_guid>.*?)\}", which extracts everything inside the curly brackets, but then the ldapfilter needs the curly brackets, so I added them back using gpo_guid="{".gpo_guid."}". It would be cleaner to extract what is inside the curly brackets, including the brackets, with a single regex, but I couldn't figure that out, so this workaround did the trick. Once that is extracted properly, the same ldap filter command posted works.
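
Added example, not part of the posts above and not the posters' or Splunk's code: the two extractions from this thread next to a single pattern that captures the GUID together with its braces, run over constructed DN values in JavaScript, whose named-group syntax matches the `(?<gpo_guid>...)` form used with rex here. The sample DNs, the example.com domain and the function names are assumptions.

```javascript
// Added example, not code from the thread. The DN values below are constructed;
// the thread does not show what extra text the poster's DN field contained.
const GUID = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"; // constructed sample value
const SAMPLE_DNS = [
  `CN=${GUID},CN=Policies,CN=System,DC=example,DC=com`,            // GPO container
  `CN=Machine,CN=${GUID},CN=Policies,CN=System,DC=example,DC=com`, // object under it
  `CN=${GUID} (trailing text),CN=Policies,CN=System,DC=example,DC=com`,
  "CN=Policies,CN=System,DC=example,DC=com",                       // no GPO GUID
];

// 1) First answer: lazy match from the first "CN=" up to the next comma.
const ORIGINAL = /CN\=(?<gpo_guid>.*?)\,/i;
// 2) Follow-up post: capture only what is inside the braces
//    (the opening brace is escaped here; the match is the same).
const INSIDE_BRACES = /CN\=\{(?<gpo_guid>.*?)\}/i;
// 3) Single pattern that keeps the braces in the capture, so no eval is needed.
const WITH_BRACES = /CN=(?<gpo_guid>\{[^}]+\})/i;

// Return the gpo_guid capture, or null when the pattern does not match.
function extract(re, dn) {
  const m = re.exec(dn);
  return m ? m.groups.gpo_guid : null;
}

// The workaround from the follow-up post: gpo_guid="{".gpo_guid."}"
function workaround(dn) {
  const inner = extract(INSIDE_BRACES, dn);
  return inner === null ? null : "{" + inner + "}";
}

// Value each approach would hand to the cn=$gpo_guid$ term of the LDAP filter.
function compare(dns) {
  return dns.map((dn) => ({
    original: extract(ORIGINAL, dn),
    workaround: workaround(dn),
    single: extract(WITH_BRACES, dn),
  }));
}

console.table(compare(SAMPLE_DNS));
```

Pattern 3 is ordinary PCRE syntax, so the same text, "(?i)CN=(?<gpo_guid>\{[^}]+\})", can be tried in the rex line in place of the extraction plus the eval. On the constructed DN with no GUID, the first pattern still returns a value ("Policies"), while the brace-anchored patterns return nothing, which keeps unrelated objects out of the lookup.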

Path Finder

Oops, should read: The builtin Administrator Audit...

0 Karma