Security

A member was added to a security-enabled local group

rashid47010
Communicator

A source user added one user to the local admin group of a server.
In the event, the Security ID is S-x-x-xx-xxxxxxxxxxx8-7xxxxxx4-1xxx for the subject, member and group.
In the event we can see who actually made this change, but there is no information about "which user" was added to which local security group; I can only see the SID or UID. How can we fix this issue?

1 Solution

lakshman239
Influencer

One way would be to use the Subject - Login ID's value to search against 4624 (logon) to find the user.

Ideally, you would need to check with the AD admin on what they did, as Subject - Security ID should also capture the domain name matching the value in Account Domain. Also, Member - Security ID should have the domain name and the actual user/object added to the group, under Group - Security ID.

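As an added example (not code from this thread or from Splunk), here is the correlation the answer describes, done in plain Python: each "member added to a security-enabled local group" event (Windows event ID 4732) is joined to the 4624 logon that shares its Subject Logon ID to name the actor, and the Member and Group SIDs are resolved through a lookup table. The event records, the underscore field names and the SID table are constructed assumptions; the second event shows the unresolved case the question is about, where no matching logon or SID mapping exists.

```python
"""Correlate 4732 group-membership events with 4624 logons and resolve SIDs.

Constructed example. The field names mimic how a Windows Security log is
commonly flattened into key/value fields, but they are assumptions.
"""

# Constructed SID -> name table (what an AD or SAM lookup would return).
# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
SID_TO_NAME = {
    "S-1-5-21-1111-2222-3333-1105": r"CORP\alice",
    "S-1-5-21-1111-2222-3333-1204": r"CORP\svc-backup",
    "S-1-5-32-544": r"BUILTIN\Administrators",
}

# Constructed sample events (not real logs): one 4624 logon and two 4732 adds.
EVENTS = [
    {"EventCode": "4624", "Logon_ID": "0x3e7a1",
     "Account_Name": "alice", "Account_Domain": "CORP"},
    {"EventCode": "4732", "Subject_Logon_ID": "0x3e7a1",
     "Subject_Security_ID": "S-1-5-21-1111-2222-3333-1105",
     "Member_Security_ID": "S-1-5-21-1111-2222-3333-1204",
     "Group_Security_ID": "S-1-5-32-544"},
    {"EventCode": "4732", "Subject_Logon_ID": "0x99999",   # no matching 4624
     "Subject_Security_ID": "S-1-5-21-1111-2222-3333-9999",
     "Member_Security_ID": "S-1-5-21-1111-2222-3333-7777",  # unknown SID
     "Group_Security_ID": "S-1-5-32-544"},
]


def resolve_sid(sid):
    """Return a readable name for a SID, or the raw SID if it is unknown."""
    return SID_TO_NAME.get(sid, sid)


def correlate(events):
    """Join each 4732 event to the 4624 logon sharing its Subject Logon ID."""
    logons = {}  # Logon_ID -> DOMAIN\user, built from 4624 events
    for e in events:
        if e["EventCode"] == "4624":
            logons[e["Logon_ID"]] = f'{e["Account_Domain"]}\\{e["Account_Name"]}'
    results = []
    for e in events:
        if e["EventCode"] != "4732":
            continue
        matched = e["Subject_Logon_ID"] in logons
        results.append({
            # Prefer the logon's account name; fall back to the subject SID.
            "actor": logons.get(e["Subject_Logon_ID"], resolve_sid(e["Subject_Security_ID"])),
            "member": resolve_sid(e["Member_Security_ID"]),
            "group": resolve_sid(e["Group_Security_ID"]),
            "logon_matched": matched,
        })
    return results


if __name__ == "__main__":
    for row in correlate(EVENTS):
        print(row)
```

Rows with `logon_matched` false or a raw SID left in `member` are the ones that still need the AD-side lookup the answer recommends.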
