Reporting

Active Directory: Alert When a Group is Added to a User

itsmevic
Communicator

I need to create a report that alerts on the following:

I'd like to know when and by who added a specific group to a user in AD.

Any insight or help is greatly appreciated.



itsmevic
Communicator

Hi Giuseppe, we capture the following Group event codes in our environment. I just need the SPL that identifies the alert on my initial question. Thanks.

Event 4727 A Security-enabled Global Group was created

Event 4737 A Security-enabled Global Group was changed (generic; precedes every operation that modifies the group's properties)

Event 4728 A member was added to a security-enabled Global group

Event 4729 A member was removed from a security-enabled Global group

Event 4730 A Security-enabled Global Group was removed

Event 4754 A Security-enabled Universal Group was created

Event 4755 A Security-enabled Universal Group was changed (generic; precedes every operation that modifies the group's properties)

Event 4756 A member was added to a security-enabled Universal group

Event 4757 A member was removed from a security-enabled Universal group

Event 4758 A Security-enabled Universal Group was removed

Event 4731 A Security-enabled Local Group was created

Event 4735 A Security-enabled Local Group was changed (generic; precedes every operation that modifies the group's properties)

Event 4732 A member was added to a security-enabled Domain Local group

Event 4733 A member was removed from a security-enabled Domain Local group

Event 4734 A Security-enabled Domain Local Group was removed

Event 4781 Group Rename (preceded by 4735 Local, 4737 Global or 4755 Universal)

Event 4764 Group Change Type



gcusello
SplunkTrust
SplunkTrust

Hi @itsmevic,
the search could be something like this:

index=wineventlog (EventCode=4728 OR EventCode=4756)
| table _time Account_name EventCode EventDescription

Please check the Account_name field; it could be different (e.g. user).

Ciao.
Giuseppe

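As an added example that is not part of this thread or of Splunk's own code: the question asks for when, who and which group, and the event list above gives the three "member was added" IDs (4728 global, 4732 domain local, 4756 universal). The Python below parses the Subject / Member / Group sections of those event message bodies and keeps only additions to one watched group, which is the alert condition the original post describes. The message layout is the standard Windows rendering of these events; the sample events, the EXAMPLE domain, the account names and the SIDs are constructed.

```python
import re

MEMBER_ADDED_EVENTS = {4728, 4732, 4756}  # member added to a global / domain local / universal group

def _field(message: str, section: str, label: str) -> str:
    """Read 'Label: value' from inside one indented section (Subject, Member or Group)."""
    pat = rf"^{section}:\n(?:[ \t].*\n)*?[ \t]*{re.escape(label)}:[ \t]*(.*?)[ \t]*$"
    m = re.search(pat, message, re.M)
    return m.group(1) if m else ""

def parse_member_added(event_id: int, message: str):
    """Return who (Subject) added which Member to which Group, or None for other event IDs."""
    if event_id not in MEMBER_ADDED_EVENTS:
        return None
    message = message.replace("\r\n", "\n")  # tolerate CRLF-rendered events
    return {
        "event_id": event_id,
        "actor": _field(message, "Subject", "Account Name"),
        "actor_domain": _field(message, "Subject", "Account Domain"),
        "member": _field(message, "Member", "Account Name"),
        "member_sid": _field(message, "Member", "Security ID"),
        "group": _field(message, "Group", "Group Name"),
    }

def find_additions_to_group(events, watched_group: str) -> list:
    """Alert condition: keep only additions to the watched group (case-insensitive)."""
    parsed = (parse_member_added(eid, msg) for eid, msg in events)
    return [p for p in parsed if p and p["group"].lower() == watched_group.lower()]

def _sample(event_id, actor, member, member_sid, group):
    # Constructed message body in the layout Windows renders for 4728/4732/4756.
    return event_id, (
        "A member was added to a security-enabled group.\n\nSubject:\n"
        f"\tSecurity ID:\t\tS-1-5-21-1-2-3-1104\n\tAccount Name:\t\t{actor}\n"
        "\tAccount Domain:\t\tEXAMPLE\n\tLogon ID:\t\t0x3E7A1\n\nMember:\n"
        f"\tSecurity ID:\t\t{member_sid}\n\tAccount Name:\t\t{member}\n\nGroup:\n"
        f"\tSecurity ID:\t\tS-1-5-21-1-2-3-512\n\tGroup Name:\t\t{group}\n\tGroup Domain:\t\tEXAMPLE\n"
    )

# Constructed sample events: two member additions plus an unrelated 4737 group change.
SAMPLE_EVENTS = [
    _sample(4728, "jdoe-admin", "CN=Pat Lee,OU=Users,DC=example,DC=com", "S-1-5-21-1-2-3-1160", "Domain Admins"),
    _sample(4732, "svc-help", "CN=Sam Roe,OU=Users,DC=example,DC=com", "S-1-5-21-1-2-3-1161", "Remote Desktop Users"),
    (4737, "A security-enabled global group was changed.\n\nSubject:\n\tAccount Name:\t\tjdoe-admin\n"),
]

if __name__ == "__main__":
    for h in find_additions_to_group(SAMPLE_EVENTS, "domain admins"):
        print(f"{h['actor_domain']}\\{h['actor']} added {h['member']} to {h['group']} (event {h['event_id']})")
```

In Splunk the same three pieces of information come from the Subject, Member and Group fields of the event rather than from the raw body, which is why the field names need checking per TA version as noted above.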