Does anyone have a group of security audits already in place and can make recommendations on using Splunk to monitor Active Directory?


I have just been handed the Splunk application for our organization. I've been asked to work with our security team to create some audit ability that can monitor changes to sensitive groups, changes to privileged accounts, changes to GPO's, all servers accessed by specific user in last x days, all changes that a given user has made in AD in x days, etc. We are still defining what we want audited with Splunk, but I just wondered if anyone have a group of security audits already in place that can make some recommendations.

New Member

make sure you review 4624 and 4625 events and correlate them. e.g. if 4625 is coming from same source but to multiple accounts, somebody is most likely attempting password guessing.

0 Karma

Path Finder

At my previous company, I implemented the "splunk app for active directory" . The security team used it daily in monitoring Active Directory and some of the things you referenced. I would start there.

0 Karma

Splunk Employee
Splunk Employee

Hi Josh,

Check out the blog post,

The document they reference, , is thorough, but may be overwhelming. Of particular interest is Appendix L, which provides a list of the event codes to monitor. That should get you started into which EventCodes you can use to build your alerts and dashboards.




We just added SkyFormation into Splunkbase approved apps, you can see it here -

SkyFormation currently provides you with Discover and governance for your cloud application usage, but we are definitely planning on providing business cloud app policies similar to the ones you mention above.

If your company use business cloud apps such as sales force I'd be happy to learn more about your needs.

Nimrod Bar-Zeav


0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!