Getting Data In

How can I monitor Active Directory GPO changes on splunk enterprise?

alvaroveiga
New Member

I am running Splunk 7.0.2 and I would like to monitor Active Directory GPO changes on splunk enterprise.
What is the best way to do that?
Is there any recommended app?

Thanks in advance.

0 Karma

alvaroveiga
New Member

The logs are already forwarded to splunk, but i really need to create an alert when a GPO is modified, created etc.
Is there a way to do it?

0 Karma

adonio
Ultra Champion

look for EventCode=4735 for group changes, EventCode=4732 OR eventCode=4733 for user change
i use this website to verify what the event codes in windows mean:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4735
put the needed event code at the end of url

hope it helps

0 Karma

alvaroveiga
New Member

This eventcode is only for group change, i need something for GPO.

0 Karma

adonio
Ultra Champion

are you looking for this?
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5137
ask your AD admin / owner what is the eventcoeds they are interested in, check you see it in splunk, write a search that answers your question

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...