Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a report that shows Active Directory activity carried out?

DanAlexander
Communicator
‎06-06-2022 03:18 AM

Hi all,

I need some assistance please,

I am trying to create a report which shows all Active Directory activities carried out. Should contain columns as follows: Login, Account, Domain, Group, iHost and Date. The Group column shows the name of the Add group which has been added or removed and the Host is the Domain Controler. The Account column is the asset number of the machine.

 

Thanks in advance!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-06-2022 05:01 AM

Hi @DanAlexander,

this is a different question and not related to Splunk because you need to know which are the EventCodes related to the events you want to monitor.

Anyway, here you can find all the Windows EventCodes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

  • 1. Account Granted (Account Added to Group):

    • 4732
    • 4746
    • 4751
    • 4756
    • 4761
    • 4785
    • 4787

  •  

    2. Account Revoked (Account Removed from Group)

    • 4733
    • 4747
    • 4752
    • 4757
    • 4762
    • 4786
    • 4788

  •  

    1. Account Deleted (Group Deleted)

    • do you mean account Deleted by a Group or Group deletion?

Anyway in the above url you can find all the needed EventCodes.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

DanAlexander
Communicator
‎06-06-2022 05:17 AM

Sorry, never used it before... 🙂 will know from now on. 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-06-2022 03:44 AM

Hi @DanAlexander,

some little question to better understand your needs?

  • did you already ingested logs from your Domain Controllers?
  • do you know that in Windows each login activity generates more than 10 login events?
  • you want to register each login event log or only the real accesses?

the first question is the most important, if you didn't  do it, see at:

https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/HowtogetWindowsdataintoSplunk

https://www.splunk.com/en_us/resources/videos/getting-data-in-to-splunk-enterprise-windows.html

If you already have them in you Splunk pass to the other question.

The second question is related to the target of your question: do need to gegister each login event for compliance scopes or you want the real accesses to you systems?

If you need to register all events, it's easy, you have to run a simple search like the following:

index=wineventlog EventCode=4624
| table _time Account_name Domain_name Computername

check if the field names are correct on your windows.

If instead you want the real accesses to your systems, you have to filter your results excluding many events:

  • Account_name="*$"
  • Account_name="SYSTEM"
  • Account_name="-"

than you have top dedup your events using something like this:

index=wineventlog EventCode=4624 (Logon_Type=2 OR Logon_Type=10) NOT Account_name IN ("*$","SYSTEM","-")
| dedup _time host NOMEUTENTE
| table _time Account_name Domain_name Computername

Ciao.

Giuseppe

 

 

Reply
Solved! Jump to solution

DanAlexander
Communicator
‎06-06-2022 04:14 AM

Hi,

Thanks for the reply @gcusello 

I have index=windows_server sourcetype=XmlWinEventLog

I need the output for the following:

1. Account Granted (Account Added to Group)

2. Account Revoked (Account Removed from Group)

1. Account Deleted (Group Deleted)

Cheers

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-06-2022 05:01 AM

Hi @DanAlexander,

this is a different question and not related to Splunk because you need to know which are the EventCodes related to the events you want to monitor.

Anyway, here you can find all the Windows EventCodes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

  • 1. Account Granted (Account Added to Group):

    • 4732
    • 4746
    • 4751
    • 4756
    • 4761
    • 4785
    • 4787

  •  

    2. Account Revoked (Account Removed from Group)

    • 4733
    • 4747
    • 4752
    • 4757
    • 4762
    • 4786
    • 4788

  •  

    1. Account Deleted (Group Deleted)

    • do you mean account Deleted by a Group or Group deletion?

Anyway in the above url you can find all the needed EventCodes.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

DanAlexander
Communicator
‎06-06-2022 05:16 AM

Thanks for the guidance, @gcusello 

Much appreciated!

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-06-2022 05:16 AM

Hi @DanAlexander ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...