Security

Audit windows group policy change

omershira
Explorer

Hey all,

a bit Microsoft question....

We do want to monitor windows Group Policy changes in our Domain. We have installed Splunk  Add-On and App for exchange and Active directory, and also the relevant content-packs containing some reports about this.

We do get event 😊😊

But.....

we have also an installed and configured AGPM (Advanced group Policy management, Microsoft Software).Under the terms of that software,

Microsoft Advanced Group Policy Management (AGPM) is a client/server application.
The AGPM Server stores Group Policy Objects (GPOs) offline in the archive that AGPM creates on the server's file system. Group Policy administrators use the AGPM snap-in for the Group Policy Management Console (GPMC) to work with GPOs on the server that hosts the archive.

and also a Few terms:

  • Controlled GPO: A GPO that is being managed by AGPM. AGPM manages the history and permissions of controlled GPOs, which it stores in the archive.
  • Uncontrolled GPO: A GPO in the production environment for a domain and not managed by AGPM.

 

When you edit a GPO using the AGPM system, you work on a copy of the original GPO. As a result, the Windows Event logs in the Domain Controllers are reporting on a different Object. Thus, the Splunk reports and event types of group policy change can't figure out which GPO is being changed (since the AGPM renames it and create a "new" one)

So, after all these words....Is someone can help us find a proper application to monitor and view GPO changes via AGPM in splunk?  did someone encountered this before? Is such product exists? and if there is no other choice - help us to write new searches to catch up GPO changes in AGPM?

 Thankx

Auto Team

Labels (1)
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...