Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to monitor specific Active Directory user grou...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to monitor specific Active Directory user groups, and set up a search to alert when members of these groups perform a login?
arkonner
Path Finder
12-17-2015
12:46 AM
I am looking to monitor specific AD user groups and want to create a search that alerts me to when the members of these group perform a login. How do I pull that information?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arkonner
Path Finder
12-18-2015
02:39 AM
Sorry, my question was not clear - Active Directory user group perform login on Windows
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
12-18-2015
02:54 AM
See my answer below and let me know if that helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
12-17-2015
08:03 AM
Perform a login in Splunk or perform a login on a Windows machine?
If Splunk:
Use the internal logs to monitor when a login success happens
index=_internal sourcetype=splunk_web_service user=* action="login" status="success"
Find if the user belongs to those groups via the ldap commands
If Windows:
- Collect Security event logs from required hosts
- Run a search in Splunk using the right Event Code for your Windows domain level. Also keep in mind logons can be interactive, remote, local, batch, etc so you need to use the Logon Type field too.
- Once you have the user, correlate with AD in the same way as above via the ldap commands in order to find out the user group membership
Useful links:
- https://answers.splunk.com/answers/127012/how-can-i-use-windows-events-to-monitor-logon-sessions.htm...
- https://answers.splunk.com/answers/39731/how-can-i-index-login-events-to-the-web-gui.html
- https://splunkbase.splunk.com/app/1151/
- http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
- https://answers.splunk.com/answers/127012/how-can-i-use-windows-events-to-monitor-logon-sessions.htm...
- http://www.windowsecurity.com/articles-tutorials/misc_network_security/Logon-Types.html
Hope that helps.
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arkonner
Path Finder
12-18-2015
02:35 AM
How to monitor specific Active Directory user groups, and set up a search to alert when members of these groups perform a login on Active Directory
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Announcing the General Availability of Splunk Enterprise Security 8.1!
We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
