Monitoring User Activity in Active Directory

linuxprophet
New Member

How do I monitor user account creation in AD?

I need to accomplish the following:

  1. Who created the user?
  2. What privileges were given to the new user?
  3. What did the user do with the account once the account was created?

Thank you.


carltonflintoff
New Member

Could you please confirm your Windows Server environment? You can configure the auditing policy to track all the activities made in Active Directory by users. Please refer to this link, which will point you in the right direction on how to enable the auditing policy in Active Directory: http://support.microsoft.com/kb/814595

In addition, you can have a look at this automated solution available at (www.lepide.com/active-directory-audit/) that seems to be a more suitable option and can be a better alternative approach that covers all the aspects you have mentioned in your description. It monitors all the activities made in Active Directory at a granular level and alerts instantly by sending customized email reports of all critical changes with real-time monitoring.


dolejh76
Communicator

If Splunk can do all this - why would you invest in another 3rd party solution?

JD


clymbouris
Path Finder

Just monitoring your DCs' security logs while executing the tasks will help you figure out the event codes you need to index. Note that win2003 and win2008 security logs have different event codes.

For account changes on a 2k8 DC (created, deleted, disabled, etc.) look for the events 4722, 4725, 4720, 4726, 4740, 4767.

If you're short on bandwidth, then be warned that the AD security log is huge, so rex your winsecurity logs in transforms.conf and allow only the eventcodes you want to get through.

You should also try infigo's Windows security app.
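An added example, not code from the thread or from Splunk, that does the two things the answer above describes: it applies an EventCode allow-list as a regex over raw WinEventLog:Security events (the same pattern a transforms.conf stanza would run) and then answers the three questions from the original post over what survives. The lifecycle codes are the ones listed above; codes 4728/4732/4756 (member added to a security-enabled group) and 4624 (successful logon) are my additions, not from the thread. The events, account names, domain and timestamps are constructed for this example.

```python
import re

# Lifecycle codes from the answer above (2008-era DC): created, enabled, disabled,
# deleted, locked out, unlocked.
ACCOUNT_LIFECYCLE = {"4720", "4722", "4725", "4726", "4740", "4767"}
# Added for the original question (not named in the thread): member added to a
# security-enabled global/local/universal group, and successful logon.
GROUP_ADD = {"4728", "4732", "4756"}
LOGON = {"4624"}
ALLOWED = ACCOUNT_LIFECYCLE | GROUP_ADD | LOGON
# Same pattern a transforms.conf allow-list stanza would run against the raw event.
ALLOW_REGEX = re.compile(r"(?m)^EventCode=(" + "|".join(sorted(ALLOWED)) + r")\s*$")
# Message section that names the account each event acts on.
TARGET_SECTION = {"4720": "New Account", "4722": "Target Account",
    "4725": "Target Account", "4726": "Target Account", "4767": "Target Account",
    "4740": "Account That Was Locked Out", "4728": "Member", "4732": "Member",
    "4756": "Member", "4624": "New Logon"}

# Constructed sample events in the multi-line WinEventLog:Security layout (blank
# lines trimmed); the accounts, domain and timestamps are made up.
CONSTRUCTED_EVENTS = [
    """04/20/2014 10:01:02 AM
EventCode=4720
Message=A user account was created.
Subject:
\tAccount Name:\tadmin.jane
New Account:
\tAccount Name:\tjdoe
""",
    """04/20/2014 10:02:30 AM
EventCode=4728
Message=A member was added to a security-enabled global group.
Subject:
\tAccount Name:\tadmin.jane
Member:
\tAccount Name:\tCN=jdoe,OU=Users,DC=corp,DC=example
Group:
\tGroup Name:\tDomain Admins
""",
    """04/20/2014 10:15:44 AM
EventCode=4624
Message=An account was successfully logged on.
Subject:
\tAccount Name:\t-
New Logon:
\tAccount Name:\tjdoe
""",
    """04/20/2014 10:40:00 AM
EventCode=4634
Message=An account was logged off.
Subject:
\tAccount Name:\tjdoe
""",
]

def parse_event(raw):
    """Split one event into time, EventCode, Message text and its named sections."""
    lines = raw.strip().splitlines()
    event = {"time": lines[0], "code": None, "description": None, "sections": {}}
    current = None
    for line in lines[1:]:
        kv = re.match(r"^([A-Za-z]+)=(.*)$", line)          # EventCode=..., Message=...
        if kv and current is None:
            if kv.group(1) == "EventCode":
                event["code"] = kv.group(2).strip()
            elif kv.group(1) == "Message":
                event["description"] = kv.group(2).strip()
            continue
        header = re.match(r"^([^\t:][^:]*):\s*$", line)      # "Subject:"
        if header:
            current = header.group(1).strip()
            event["sections"][current] = {}
            continue
        item = re.match(r"^\t([^:]+):\t+(.*)$", line)        # "\tAccount Name:\tjdoe"
        if item and current is not None:
            event["sections"][current][item.group(1).strip()] = item.group(2).strip()
    return event

def forward_only_allowed(raw_events):
    """Apply the EventCode allow-list first, as the forwarder would, then parse."""
    return [parse_event(raw) for raw in raw_events if ALLOW_REGEX.search(raw)]

def target_account(event):
    """Account the event acts on; group events carry a DN, so reduce it to the CN."""
    name = event["sections"].get(TARGET_SECTION.get(event["code"], ""), {}).get("Account Name", "")
    if name.upper().startswith("CN="):
        name = name[3:].split(",", 1)[0]
    return name

def who_created(events, account):
    """Question 1: the Subject of the 4720 event for this account (None if never seen)."""
    hits = [ev for ev in events if ev["code"] == "4720" and target_account(ev) == account]
    return hits[0]["sections"]["Subject"].get("Account Name") if hits else None

def privileges_granted(events, account):
    """Question 2: groups the account was added to."""
    return [ev["sections"]["Group"]["Group Name"]
            for ev in events if ev["code"] in GROUP_ADD and target_account(ev) == account]

def account_activity(events, account):
    """Question 3: what the account did afterwards (logons, given this allow-list)."""
    return [(ev["time"], ev["code"], ev["description"])
            for ev in events if ev["code"] in LOGON and target_account(ev) == account]
```

On a heavy forwarder the filtering half is done in configuration rather than in a script: the documented nullQueue pattern is a props.conf stanza for `[WinEventLog:Security]` with `TRANSFORMS-filter = setnull, setparsing`, a `setnull` transform that routes every event to `nullQueue`, and a `setparsing` transform whose `REGEX` is the allow-list pattern above with `DEST_KEY = queue` and `FORMAT = indexQueue`. The order matters, because the last matching transform decides the queue. The correlation half then runs as searches over the indexed 4720, group-add and 4624 events, joined on the target account name exactly as `target_account` does here.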

sdaniels
Splunk Employee

This will help you get started with AD monitoring.

http://docs.splunk.com/Documentation/Splunk/latest/Data/AuditActiveDirectory

Splunk is also working on a Splunk for Microsoft Active Directory application as well.

linuxprophet
New Member

Thank you.
I had read the documentation several times prior to posting.
I however am not a Windows man and could use some help.

The *nix app is fine for telling me who logged in, lastlog parsing and so on, but I need to be able to forward only what I specified in the initial post to the indexer.
The Windows deployment is set up as a heavy forwarder.

Any Windows gurus out there?
