I am running Splunk 7.0.2 and I would like to monitor Active Directory GPO changes on Splunk Enterprise.
What is the best way to do that?
Is there any recommended app?
Thanks in advance.
hello there,
please read here:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorActiveDirectoryctory
many answers also in this portal:
https://answers.splunk.com/answers/507943/what-is-the-best-way-to-monitor-active-directory-g-1.html
https://answers.splunk.com/answers/443278/monitor-active-directory.html
https://answers.splunk.com/answers/43780/active-directory-monitoring.html
hope it helps
The logs are already forwarded to Splunk, but I really need to create an alert when a GPO is modified, created, etc.
Is there a way to do it?
Look for EventCode=4735
for group changes, EventCode=4732 OR EventCode=4733
for user change.
I use this website to verify what the event codes in Windows mean:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4735
put the needed event code at the end of url
hope it helps
This event code is only for group changes; I need something for GPO.
are you looking for this?
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5137
Ask your AD admin / owner which event codes they are interested in, check that you can see them in Splunk, and write a search that answers your question.
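Added example (not from any poster in this thread): the filter an alert search would need, run in Python over constructed WinEventLog:Security events. It extends the 5137 hint above with its companion Directory Service codes 5136 (object modified) and 5141 (object deleted) and narrows on the object class groupPolicyContainer, which is how a GPO is stored in AD; account names, GUIDs and the Splunk field names in the comment are assumptions.

```python
import re

# Directory Service event codes covering an AD object's lifecycle. 5137 is the
# code the thread points to; 5136 (modified) and 5141 (deleted) are its
# companions and are added here, not taken from the thread.
GPO_EVENT_CODES = {5136: "modified", 5137: "created", 5141: "deleted"}

# A GPO is stored in AD as an object of class groupPolicyContainer; matching
# on the class keeps user/OU changes (same event codes) out of the alert.
GPO_OBJECT_CLASS = "groupPolicyContainer"

# Constructed sample events in the multi-line shape of WinEventLog:Security
# as a Splunk forwarder ships them. All names and GUIDs are made up.
SAMPLE_EVENTS = [
    "EventCode=5137\nMessage=A directory service object was created.\n"
    "Subject:\n\tAccount Name:\tjdoe\nObject:\n"
    "\tDN:\tCN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example\n"
    "\tClass:\tgroupPolicyContainer",
    "EventCode=5136\nMessage=A directory service object was modified.\n"
    "Subject:\n\tAccount Name:\thelpdesk\nObject:\n"
    "\tDN:\tCN=Jane Roe,OU=Staff,DC=corp,DC=example\n\tClass:\tuser",
    "EventCode=4732\nMessage=A member was added to a security-enabled local group.\n"
    "Subject:\n\tAccount Name:\thelpdesk",
    "EventCode=5141\nMessage=A directory service object was deleted.\n"
    "Subject:\n\tAccount Name:\tsvc-gpadmin\nObject:\n"
    "\tDN:\tCN={66666666-7777-8888-9999-000000000000},CN=Policies,CN=System,DC=corp,DC=example\n"
    "\tClass:\tgroupPolicyContainer",
]


def gpo_changes(events):
    """Return (action, account, object DN) for every GPO create/modify/delete."""
    findings = []
    for text in events:
        code = re.search(r"^EventCode=(\d+)", text, re.M)
        if not code or int(code.group(1)) not in GPO_EVENT_CODES:
            continue
        cls = re.search(r"^\s*Class:\s*(\S+)", text, re.M)
        if not cls or cls.group(1) != GPO_OBJECT_CLASS:
            continue  # same event codes, but not a GPO: skip
        who = re.search(r"^\s*Account Name:\s*(\S+)", text, re.M)
        dn = re.search(r"^\s*DN:\s*(.+?)\s*$", text, re.M)
        findings.append((GPO_EVENT_CODES[int(code.group(1))],
                         who.group(1) if who else "unknown",
                         dn.group(1) if dn else "unknown"))
    return findings


# The same filter as a Splunk alert search (the extracted field names are an
# assumption; check them against your own WinEventLog:Security data):
#   sourcetype="WinEventLog:Security" (EventCode=5136 OR EventCode=5137 OR EventCode=5141)
#   Object_Class="groupPolicyContainer" | table _time EventCode Subject_Account_Name Object_DN

if __name__ == "__main__":
    for action, who, dn in gpo_changes(SAMPLE_EVENTS):
        print(f"GPO {action} by {who}: {dn}")
```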