Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I monitor Active Directory GPO changes on splunk enterprise?

alvaroveiga
New Member
‎02-20-2018 07:59 AM

I am running Splunk 7.0.2 and I would like to monitor Active Directory GPO changes on splunk enterprise.
What is the best way to do that?
Is there any recommended app?

Thanks in advance.

0 Karma
Reply

alvaroveiga
New Member
‎02-21-2018 06:40 AM

The logs are already forwarded to splunk, but i really need to create an alert when a GPO is modified, created etc.
Is there a way to do it?

0 Karma
Reply

adonio
Ultra Champion
‎02-21-2018 04:37 PM

look for EventCode=4735 for group changes, EventCode=4732 OR eventCode=4733 for user change
i use this website to verify what the event codes in windows mean:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4735
put the needed event code at the end of url

hope it helps

0 Karma
Reply

alvaroveiga
New Member
‎02-23-2018 05:12 AM

This eventcode is only for group change, i need something for GPO.

0 Karma
Reply

adonio
Ultra Champion
‎02-23-2018 05:26 AM

are you looking for this?
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5137
ask your AD admin / owner what is the eventcoeds they are interested in, check you see it in splunk, write a search that answers your question

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...