Security

Audit windows group policy change

omershira
Explorer

Hey all,

a bit Microsoft question....

We do want to monitor windows Group Policy changes in our Domain. We have installed Splunk  Add-On and App for exchange and Active directory, and also the relevant content-packs containing some reports about this.

We do get event 😊😊

But.....

we have also an installed and configured AGPM (Advanced group Policy management, Microsoft Software).Under the terms of that software,

Microsoft Advanced Group Policy Management (AGPM) is a client/server application.
The AGPM Server stores Group Policy Objects (GPOs) offline in the archive that AGPM creates on the server's file system. Group Policy administrators use the AGPM snap-in for the Group Policy Management Console (GPMC) to work with GPOs on the server that hosts the archive.

and also a Few terms:

  • Controlled GPO: A GPO that is being managed by AGPM. AGPM manages the history and permissions of controlled GPOs, which it stores in the archive.
  • Uncontrolled GPO: A GPO in the production environment for a domain and not managed by AGPM.

 

When you edit a GPO using the AGPM system, you work on a copy of the original GPO. As a result, the Windows Event logs in the Domain Controllers are reporting on a different Object. Thus, the Splunk reports and event types of group policy change can't figure out which GPO is being changed (since the AGPM renames it and create a "new" one)

So, after all these words....Is someone can help us find a proper application to monitor and view GPO changes via AGPM in splunk?  did someone encountered this before? Is such product exists? and if there is no other choice - help us to write new searches to catch up GPO changes in AGPM?

 Thankx

Auto Team

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...