Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to identify an admin who made a change in GPO

rcastello
Explorer
‎02-10-2020 02:01 PM

Hello,

Someone made changes to GPO that negatively impacted devices in our environment. I searched event code 4733, but I haven't been able to link an admin account to the activity. I found this query below on another thread (https://answers.splunk.com/answers/172845/how-to-correlate-the-admin-user-with-a-gpo-change.html) but there seems to be an issue with the ldap portion. Would anyone know what the issue is and/or know something better I can use? Thank you. 

 index=* EventCode=5137 OR EventCode=5136 OR EventCode=5141 Class=groupPolicyContainer
 |rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
 |eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
 |ldapfilter domain=*DOMAIN* search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"  
 |convert ctime(_time) as Time 
 |table _time Security_ID EventCodeDescription action gpo_guid displayName
Tags (3)
0 Karma
Reply

nickhills
Ultra Champion
‎02-11-2020 03:42 AM

As @gcusello says you may not have this enabled, specifically the policy you need to enable is:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration> Audit Policies/DS Access > Audit Directory Service Changes

One limitation is that it will tell you "Who" changed it, but not "What" was changed.
Following that you should see events for 5136

If my comment helps, please give it a thumbs up!
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-10-2020 11:28 PM

Hi @rcastello,
what's your problem: have you events with EventCode=5137 OR EventCode=5136 OR EventCode=5141 or not?
if not, did you checked if GPO events are logged (by default this logging is disabled!)?
If instead you have events, check if the problem in in the match with ldapfilter (in other words, see what result you have without ldapfilter).

In addition, for my knoledge, the EventCode for policy changes is 4719.

At least, usually WinEventLog:Security events are in the wineventlog index, so you don't need to search in all indexes (your search is slower!).

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...