Getting Data In

GPO GUID Resolve

faiq1999
Explorer

Hi everyone.

Is there any way to resolve GPO GUID or SID within Windows Security Logs? For instance, when we change any GPO in the domain it is logged under EventCode 5136. There is a CN name inside the log that can be used for getting the Display name of GPO. 

Thanks 

Labels (1)
Tags (1)
0 Karma
1 Solution

tscroggins
Influencer

First, install and configure Splunk Supporting Add-on for Active Directory on your search head or search head cluster. If you're using Splunk Cloud, you'll need connectivity to a directory replica, i.e. a domain controller, through a cloud-to-cloud private link or some other connection.

Note that Splunk does not index the Object DN field value correctly when renderXml = false (sourcetype=WinEventLog). There is a missing comma between the first and second RDNs.

This:

	DN:	CN={CFD494B1-9D7F-448B-AF8F-3B7B3ABF1AA8}CN=POLICIES,CN=SYSTEM,DC=EXAMPLEDOMAIN,DC=LOCAL

should be this:

	DN:	CN={CFD494B1-9D7F-448B-AF8F-3B7B3ABF1AA8},CN=POLICIES,CN=SYSTEM,DC=EXAMPLEDOMAIN,DC=LOCAL

with a comma between CN={CFD494B1-9D7F-448B-AF8F-3B7B3ABF1AA8} and CN=POLICIES.

We can fix the extracted DN field in our search:

| eval DN=replace(DN, "(?i)\\}CN=", "},CN=")

Assuming Splunk Supporting Add-on for Active Directory is configured and working, we can add the ldapfetch command to our search to fetch additional LDAP attributes using the DN field value:

| ldapfetch dn=DN attrs="displayName"

If a group policy object is deleted, it will no longer be in the directory, and ldapfetch will not return a displayName.

To allow for those cases, you can schedule a search to periodically fetch group policy objects and store attributes in a lookup file:

| ldapsearch search="(objectClass=groupPolicyContainer)" attrs="whenChanged,distinguishedName,displayName" basedn="CN=Policies,CN=System,DC=EXAMPLEDOMAIN,DC=LOCAL"
| eval _time=strptime(whenChanged, "%Y-%m-%d %H:%M:%S%z")
| table _time distinguishedName displayName
| sort 0 - _time
| inputlookup append=true group_policy_object_lookup
| dedup distinguishedName
| outputlookup group_policy_object_lookup

Note that whenChanged is not a replicated attribute, and its value won't be precise. Its use here allows to store the most recent displayName value available from the directory server in our lookup. The lookup should be defined with case-sensitivity disabled (case_sensitive_match = false).

With a lookup cache available, we can use the lookup command in place of ldapfetch:

| lookup group_policy_object_lookup distinguishedName as DN output displayName

While it's not relevant to Splunk, I like to note when I see it used that the .local TLD is reserved for use by multicast DNS. I normally use example.com for general purpose documentation, contoso.com for Microsoft documentation, and occasionally buttercupgames.com for Splunk documentation. ICANN recently proposed defining a private-use TLD, although not specifically .internal as many have reported. (I can only assume the reporters didn't actually read the proposal.) I hope the proposal is adopted!

 

View solution in original post

0 Karma

tscroggins
Influencer

Hi @faiq1999,

The ObjectDN data element should contain the distinguished name of the object. If that's not present in your data, can you provide a deidentified example of the event?

0 Karma

faiq1999
Explorer

Here is. If I use the CN name value with Powershell's Get-GPO cmdlet then it returns me the Display Name of the GPO but I want to get it from Splunk results.

02/10/2024 11:30:27 AM
LogName=Security
EventCode=5136
EventType=0
ComputerName=DC-01.EXAMPLEDOMAIN.local
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=26135
Keywords=Audit Success
TaskCategory=Directory Service Changes
OpCode=Info
Message=A directory service object was modified.

Subject:
Security ID: EXAMPLEDOMAIN\administrator
Account Name: Administrator
Account Domain: EXAMPLEDOMAIN
Logon ID: 0x92B8F

Directory Service:
Name: exampledomain.local
Type: Active Directory Domain Services

Object:
DN: CN={CFD494B1-9D7F-448B-AF8F-3B7B3ABF1AA8}CN=POLICIES,CN=SYSTEM,DC=EXAMPLEDOMAIN,DC=LOCAL
GUID: CN={CFD494B1-9D7F-448B-AF8F-3B7B3ABF1AA8}CN=Policies,CN=System,DC=exampledomain,DC=local
Class: groupPolicyContainer

Attribute:
LDAP Display Name: versionNumber
Syntax (OID): 2.5.5.9
Value: 196611

Operation:
Type: Value Added
Correlation ID: {8eaedf1e-827a-4ee8-8118-2b8e0ddb1133}
Application Correlation ID: -

  

0 Karma

tscroggins
Influencer

First, install and configure Splunk Supporting Add-on for Active Directory on your search head or search head cluster. If you're using Splunk Cloud, you'll need connectivity to a directory replica, i.e. a domain controller, through a cloud-to-cloud private link or some other connection.

Note that Splunk does not index the Object DN field value correctly when renderXml = false (sourcetype=WinEventLog). There is a missing comma between the first and second RDNs.

This:

	DN:	CN={CFD494B1-9D7F-448B-AF8F-3B7B3ABF1AA8}CN=POLICIES,CN=SYSTEM,DC=EXAMPLEDOMAIN,DC=LOCAL

should be this:

	DN:	CN={CFD494B1-9D7F-448B-AF8F-3B7B3ABF1AA8},CN=POLICIES,CN=SYSTEM,DC=EXAMPLEDOMAIN,DC=LOCAL

with a comma between CN={CFD494B1-9D7F-448B-AF8F-3B7B3ABF1AA8} and CN=POLICIES.

We can fix the extracted DN field in our search:

| eval DN=replace(DN, "(?i)\\}CN=", "},CN=")

Assuming Splunk Supporting Add-on for Active Directory is configured and working, we can add the ldapfetch command to our search to fetch additional LDAP attributes using the DN field value:

| ldapfetch dn=DN attrs="displayName"

If a group policy object is deleted, it will no longer be in the directory, and ldapfetch will not return a displayName.

To allow for those cases, you can schedule a search to periodically fetch group policy objects and store attributes in a lookup file:

| ldapsearch search="(objectClass=groupPolicyContainer)" attrs="whenChanged,distinguishedName,displayName" basedn="CN=Policies,CN=System,DC=EXAMPLEDOMAIN,DC=LOCAL"
| eval _time=strptime(whenChanged, "%Y-%m-%d %H:%M:%S%z")
| table _time distinguishedName displayName
| sort 0 - _time
| inputlookup append=true group_policy_object_lookup
| dedup distinguishedName
| outputlookup group_policy_object_lookup

Note that whenChanged is not a replicated attribute, and its value won't be precise. Its use here allows to store the most recent displayName value available from the directory server in our lookup. The lookup should be defined with case-sensitivity disabled (case_sensitive_match = false).

With a lookup cache available, we can use the lookup command in place of ldapfetch:

| lookup group_policy_object_lookup distinguishedName as DN output displayName

While it's not relevant to Splunk, I like to note when I see it used that the .local TLD is reserved for use by multicast DNS. I normally use example.com for general purpose documentation, contoso.com for Microsoft documentation, and occasionally buttercupgames.com for Splunk documentation. ICANN recently proposed defining a private-use TLD, although not specifically .internal as many have reported. (I can only assume the reporters didn't actually read the proposal.) I hope the proposal is adopted!

 

0 Karma

faiq1999
Explorer

Thank you for your answer.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...