Getting Data In

How to monitor specific Active Directory user groups, and set up a search to alert when members of these groups perform a login?

arkonner
Path Finder

I am looking to monitor specific AD user groups and want to create a search that alerts me to when the members of these group perform a login. How do I pull that information?

0 Karma

arkonner
Path Finder

Sorry, my question was not clear - Active Directory user group perform login on Windows

0 Karma

javiergn
Super Champion

See my answer below and let me know if that helps

0 Karma

javiergn
Super Champion

Perform a login in Splunk or perform a login on a Windows machine?

If Splunk:

  • Use the internal logs to monitor when a login success happens

    index=_internal sourcetype=splunk_web_service user=* action="login" status="success"

  • Find if the user belongs to those groups via the ldap commands

If Windows:

  • Collect Security event logs from required hosts
  • Run a search in Splunk using the right Event Code for your Windows domain level. Also keep in mind logons can be interactive, remote, local, batch, etc so you need to use the Logon Type field too.
  • Once you have the user, correlate with AD in the same way as above via the ldap commands in order to find out the user group membership

Useful links:

Hope that helps.

Thanks,
J

0 Karma

arkonner
Path Finder

How to monitor specific Active Directory user groups, and set up a search to alert when members of these groups perform a login on Active Directory

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...