Can anyone help me with the below?
1) Login
2) Logoff
3) Un-successful login
4) Modify authentication mechanisms
5) Create user account
6) Modify user account
7) Create role
8) Modify role
9) Grant/revoke user privileges
10) Grant/revoke role privileges
11) Privileged commands
12) Modify audit and logging
13) Objects Create/Modify/Delete
14) Modify configuration settings
I checked and confirmed that the Splunk TA is installed on all Windows machines and the Splunk TA is installed for the Active Directory server.
Thanks in advance.
I am not very sure what you are expecting in the answer. I suppose you want to monitor the listed events.
Windows logs every event with an Event ID associated with it. So every activity on Windows has an Event ID assigned, and it is stored along with the details of the event. Below I am providing a list of Event IDs associated with every event in Windows. You can get help from that.
Event ID and Respective Event
4616 The system time was changed.
4624 An account was successfully logged on
4625 An account failed to log on
4634 An account was logged off
4647 User initiated logoff
4648 A logon was attempted using explicit credentials
4662 An operation was performed on an object
4670 Permissions on an object were changed
4672 Special privileges assigned to new logon
4688 A new process has been created
4689 A process has exited
4702 A scheduled task was updated
4719 System audit policy was changed
4720 A user account was created
4722 A user account was enabled
4723 An attempt was made to change an account's password
4724 An attempt was made to reset an account's password
4725 A user account was disabled
4726 A user account was deleted
4727 A security-enabled global group was created
4731 A security-enabled local group was created
4732 A member was added to a security-enabled local group
4733 A member was removed from a security-enabled local group
4735 A security-enabled local group was changed
4738 A user account was changed
4768 A Kerberos authentication ticket (TGT) was requested
4769 A Kerberos service ticket was requested
4770 A Kerberos service ticket was renewed
4771 Kerberos pre-authentication failed
4776 The domain controller attempted to validate the credentials for an account
4779 A session was disconnected from a Window Station
4904 An attempt was made to register a security event source
4905 An attempt was made to unregister a security event source
5058 Key file operation
5061 Cryptographic operation
5136 A directory service object was modified
Hope this helps.
Please elaborate your exact question so that I can answer.
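As an added example (not code from the original thread), the Python below maps the audit categories from the question onto the Event IDs listed in the answer and classifies sample events the way a Splunk search over the Windows TA's Security log would. The category-to-ID mapping, the `WinEventLog:Security` sourcetype and the sample events are this example's own assumptions.

```python
from collections import defaultdict

# Question category -> Security-log Event IDs. This mapping is the example's own
# assumption, built only from the IDs listed in the answer above.
CATEGORY_EVENT_IDS = {
    "Login": {4624, 4648, 4768, 4776},
    "Logoff": {4634, 4647, 4779},
    "Unsuccessful login": {4625, 4771},
    "Create user account": {4720},
    "Modify user account": {4722, 4723, 4724, 4725, 4726, 4738},
    "Create role": {4727, 4731},
    "Modify role": {4732, 4733, 4735},
    "Privileged commands": {4672, 4688},
    "Modify audit and logging": {4719, 4904, 4905},
    "Objects Create/Modify/Delete": {4662, 4670, 5136},
    "Modify configuration settings": {4616, 4702},
}

def category_for(event_code: int) -> str:
    """Return the audit category for a Security Event ID, else 'Uncategorised'."""
    for category, ids in CATEGORY_EVENT_IDS.items():
        if event_code in ids:
            return category
    return "Uncategorised"

def spl_filter(category: str) -> str:
    """Build an EventCode clause for a Splunk search over the Security log
    (assumes the classic WinEventLog:Security sourcetype from the Windows TA)."""
    codes = ", ".join(str(c) for c in sorted(CATEGORY_EVENT_IDS[category]))
    return f'sourcetype="WinEventLog:Security" EventCode IN ({codes})'

def summarise(events) -> dict:
    """Count events per category; each event is a dict of WinEventLog fields."""
    counts = defaultdict(int)
    for ev in events:
        counts[category_for(int(ev["EventCode"]))] += 1
    return dict(counts)

# Constructed sample events (not real log data); field names as the Windows TA extracts them
SAMPLE_EVENTS = [
    {"EventCode": "4624", "Account_Name": "alice", "Logon_Type": "2"},
    {"EventCode": "4625", "Account_Name": "bob"},
    {"EventCode": "4625", "Account_Name": "bob"},
    {"EventCode": "4720", "Account_Name": "svc_backup"},
    {"EventCode": "4732", "Group_Name": "Administrators"},
    {"EventCode": "4719", "Account_Name": "alice"},
    {"EventCode": "4689", "Account_Name": "alice"},  # process exit: not in any category
]
```

Calling `summarise(SAMPLE_EVENTS)` gives one count per category, and `spl_filter("Modify audit and logging")` yields the clause to paste into a Splunk search for that category.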