Splunk for Active Directory scheduled chg_users report with options selected

dbylertbg
Path Finder

I'm looking to generate a daily report of any changes made to specific users. The obvious dashboard to use seems to be the 'Change Management -> User Record Changes' (chg_users).

This works for searching manually for changes to a single specific user, but I don't see a way to schedule PDF delivery of the dashboard with any of the search options already selected. If you visit the dashboard and choose 'Actions -> Schedule PDF Delivery', it just runs the dashboard with the default options of * for the user. This obviously produces a report of changes for all users, not just the one(s) I want to monitor specifically.


skylasam_splunk
Splunk Employee

Hi,
Thanks for reporting this issue. As a workaround, you could run the search below for security-related changes, replacing the user with the user account you want to report on, and then get the PDF for that user. Hope that helps.

Search string -

eventtype=msad-user-changes user=<username>
| eval adminuser=src_nt_domain."\\".src_user
| eval dest_user_subject=dest_nt_domain."\\".user
| `msad-changed-attributes`
| `session-to-host`
| `ip-to-host`
| `fix-localhost`
| table _time,src_ip,src_host,adminuser,msad_action,dest_user_subject,MSADChanges
| rename src_ip as "Admin IP",src_host as "Workstation",adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User",MSADChanges as "Changes"


dbylertbg
Path Finder

I'll award this as an answer because it is a successful workaround.

However, I feel this should be part of the basic GUI functionality -- end users should not have to learn to write/manipulate Splunk searches to create custom dashboards to be able to schedule a pre-built dashboard for delivery with their specific options selected.
