Getting Data In

Monitoring User Activity in Active Directory

linuxprophet
New Member

How do I monitor user account creation in AD?

I need to accomplish the following:

  1. Who created the user?
  2. What privileges were given to the new user?
  3. What did the user do with the account once the account was created?

Thank you.


carltonflintoff
New Member

Could you please confirm your Windows Server environment? You can configure the auditing policy to track all the activities made in Active Directory by users. Please refer to this link, which will point you in the right direction on how to enable the auditing policy in Active Directory: http://support.microsoft.com/kb/814595

In addition, you can have a look at the automated solution available at www.lepide.com/active-directory-audit/, which seems to be a more suitable option and can be a better alternative approach that covers all the aspects you mentioned in your description. It monitors all the activities made in Active Directory at a granular level and alerts instantly by sending a customized email report of all critical changes, with real-time monitoring.


dolejh76
Communicator

If Splunk can do all this - why would you invest in another 3rd party solution?

JD


clymbouris
Path Finder

Just monitoring your DCs' security logs while executing the tasks will help you figure out the event codes you need to index. Note that Win2003 and Win2008 security logs have different event codes.

For account changes on a 2k8 DC (created, deleted, disabled, etc.) look for the events 4722, 4725, 4720, 4726, 4740, 4767.

If you're short on bandwidth, then be warned that the AD security log is huge, so rex your winsecurity logs in transforms.conf and allow only the event codes you want to get through.

You should try Infigo's Windows security app also.
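The following is an added example, not code from the thread or from Splunk: a small Python script that applies the allowlist from the answer above (keep only the listed account-management event codes, drop everything else) and then pulls the "who created whom" and "what happened to that account afterwards" facts the original question asks for out of the Subject / New Account / Target Account blocks of those events. The sample events are constructed for the example and are modelled on the multi-line field=value layout Splunk's Windows event log input produces; the account names and SIDs are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Event codes listed in the answer above for account lifecycle changes on a 2008 DC:
# 4720 created, 4722 enabled, 4725 disabled, 4726 deleted, 4740 locked out, 4767 unlocked.
ACCOUNT_EVENT_CODES = {4720, 4722, 4725, 4726, 4740, 4767}

# Constructed sample events (not real log data). Layout mimics the WinEventLog input:
# a timestamp line, field=value header lines, then the Message body with tab-indented blocks.
SAMPLE_EVENTS: List[str] = [
"""08/12/2013 10:15:02 AM
LogName=Security
EventCode=4720
TaskCategory=User Account Management
Message=A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105
\tAccount Name:\t\tadmin.jane
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7

New Account:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1201
\tAccount Name:\t\tsvc_backup
\tAccount Domain:\t\tCORP
""",
"""08/12/2013 10:15:09 AM
LogName=Security
EventCode=4624
TaskCategory=Logon
Message=An account was successfully logged on.
""",
"""08/12/2013 10:16:30 AM
LogName=Security
EventCode=4722
TaskCategory=User Account Management
Message=A user account was enabled.

Subject:
\tAccount Name:\t\tadmin.jane
\tAccount Domain:\t\tCORP

Target Account:
\tAccount Name:\t\tsvc_backup
\tAccount Domain:\t\tCORP
""",
]


def event_code(event: str) -> Optional[int]:
    """Read the EventCode=NNNN header line; None if the event has none."""
    m = re.search(r"^EventCode=(\d+)$", event, re.M)
    return int(m.group(1)) if m else None


def keep_event(event: str) -> bool:
    """Allowlist decision: the same test a transforms.conf REGEX on EventCode makes
    before an event is routed to the index queue instead of the null queue."""
    return event_code(event) in ACCOUNT_EVENT_CODES


def filter_events(events: List[str]) -> List[str]:
    return [e for e in events if keep_event(e)]


def section_field(event: str, section: str, field: str) -> Optional[str]:
    """Return 'field' from the tab-indented block headed 'section:' (e.g. Subject:)."""
    block = re.search(rf"^{re.escape(section)}:\n((?:\t.*\n)+)", event, re.M)
    if not block:
        return None
    f = re.search(rf"^\t{re.escape(field)}:\t+(.*)$", block.group(1), re.M)
    return f.group(1).strip() if f else None


def target_account(event: str) -> Optional[str]:
    """4720 names the new user under 'New Account'; later events use 'Target Account'."""
    section = "New Account" if event_code(event) == 4720 else "Target Account"
    return section_field(event, section, "Account Name")


def account_creations(events: List[str]) -> List[Dict[str, str]]:
    """Question 1 from the post: who created which account, and when."""
    out = []
    for e in filter_events(events):
        if event_code(e) != 4720:
            continue
        creator = f"{section_field(e, 'Subject', 'Account Domain')}\\{section_field(e, 'Subject', 'Account Name')}"
        created = f"{section_field(e, 'New Account', 'Account Domain')}\\{target_account(e)}"
        out.append({"time": e.splitlines()[0], "created_by": creator, "new_account": created})
    return out


def account_timeline(events: List[str], account: str) -> List[Tuple[str, int, Optional[str]]]:
    """Question 3 from the post: every allowlisted event touching one account,
    as (timestamp, event code, acting account)."""
    return [(e.splitlines()[0], event_code(e), section_field(e, "Subject", "Account Name"))
            for e in filter_events(events) if target_account(e) == account]


if __name__ == "__main__":
    print(f"{len(filter_events(SAMPLE_EVENTS))} of {len(SAMPLE_EVENTS)} sample events pass the allowlist")
    for row in account_creations(SAMPLE_EVENTS):
        print(row)
    for row in account_timeline(SAMPLE_EVENTS, "svc_backup"):
        print(row)
```

On the heavy forwarder itself the allowlist is expressed in configuration rather than Python: the usual pattern is a props.conf stanza for the Security sourcetype whose `TRANSFORMS-` setting names first a catch-all transforms.conf stanza that sends everything to `nullQueue`, then a second stanza whose `REGEX` matches the `EventCode=` line for the wanted codes and sets `DEST_KEY = queue`, `FORMAT = indexQueue`. The `event_code`/`keep_event` pair above is the logic that regex encodes, so the same list of codes can be tested against captured events before the filter is put into production.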

sdaniels
Splunk Employee

This will help you get started with AD monitoring.

http://docs.splunk.com/Documentation/Splunk/latest/Data/AuditActiveDirectory

Splunk is also working on a Splunk for Microsoft Active Directory application.

linuxprophet
New Member

Thank you.
I had read the documentation several times prior to posting.
However, I am not a Windows man and could use some help.

The *nix app is fine for telling me who logged in, lastlog parsing and so on, but I need to be able to forward only what I specified in the initial post to the indexer.
The Windows deployment is set up as a heavy forwarder.

Any Windows gurus out there?
