Security

How to identify an admin who made a change in GPO

rcastello
Explorer

Hello,

Someone made changes to GPO that negatively impacted devices in our environment. I searched event code 4733, but I haven't been able to link an admin account to the activity. I found this query below on another thread (https://answers.splunk.com/answers/172845/how-to-correlate-the-admin-user-with-a-gpo-change.html) but there seems to be an issue with the ldap portion. Would anyone know what the issue is and/or know something better I can use? Thank you.

 index=* (EventCode=5136 OR EventCode=5137 OR EventCode=5141) Class=groupPolicyContainer
 | rex field=DN "(?i)CN=(?<gpo_guid>\{[0-9A-F-]+\})"
 | eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
 | ldapfilter domain=*DOMAIN* search="(&(objectClass=groupPolicyContainer)(cn=$gpo_guid$))" attrs="displayName"
 | convert ctime(_time) as Time
 | table Time Security_ID Account_Name EventCodeDescription action gpo_guid displayName

nickhills
Ultra Champion

As @gcusello says, you may not have this enabled; specifically, the policy you need to enable is:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies/DS Access > Audit Directory Service Changes

One limitation is that it will tell you "who" changed it, but not "what" was changed.
Following that, you should see 5136 events.

If my comment helps, please give it a thumbs up!

gcusello
Esteemed Legend

Hi @rcastello,
what's your problem: do you have events with EventCode=5137 OR EventCode=5136 OR EventCode=5141 or not?
If not, did you check whether GPO events are logged (by default this logging is disabled!)?
If instead you have events, check whether the problem is in the match with ldapfilter (in other words, see what result you have without ldapfilter).

In addition, to my knowledge, the EventCode for policy changes is 4719.

Finally, WinEventLog:Security events are usually in the wineventlog index, so you don't need to search in all indexes (your search is slower!).

Ciao.
Giuseppe

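The two replies above boil down to one procedure: confirm the "Directory Service Changes" subcategory is enabled on the domain controllers, confirm 5136/5137/5141 events actually exist, and only then worry about the Splunk-side GUID-to-name lookup. The following PowerShell does that end to end on the DC itself, so it can be used to cross-check what Splunk shows. It is an added example, not code from the thread or from Splunk; it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, that it runs elevated on a DC, and that the default 5136 OperationType resource strings (%%14674 / %%14675) are in use. Note that these events are written on whichever DC processed the write, so all DCs are queried, and that 5136 shows the changed GPC attribute (versionNumber, gPCMachineExtensionNames and so on), not the setting inside SYSVOL.

```powershell
# Added example (not from the thread). Run elevated on a domain controller with the
# ActiveDirectory and GroupPolicy RSAT modules available. Assumptions are marked.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Check and enable the subcategory nickhills points at. auditpol changes the local
#    effective policy on this DC only; set it in the Default Domain Controllers Policy
#    for the whole domain, otherwise a later GPO refresh may overwrite it.
auditpol.exe /get /subcategory:"Directory Service Changes"
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. The subcategory alone is not enough: the object also needs a SACL. List the audit
#    entries on the Policies container that holds every groupPolicyContainer so you can
#    see that property writes are audited (reading the SACL needs SeSecurityPrivilege).
$policiesDn = "CN=Policies,CN=System," + (Get-ADRootDSE).defaultNamingContext
(Get-Acl -Path "AD:\$policiesDn" -Audit).Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize

# 3. Pull GPO change events and resolve who changed which GPO. 5136/5137/5141 land on
#    whichever DC processed the write, so query every DC, not just the one you are on.
function Get-GpoChangeEvent {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($dc in Get-ADDomainController -Filter *) {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # EventData is a flat list of <Data Name="..."> nodes; turn it into a hashtable
            $d = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['ObjectClass'] -ne 'groupPolicyContainer') { continue }

            # A GPC DN looks like CN={GUID},CN=Policies,CN=System,DC=...; take only the GUID,
            # which is what Splunk's ldapfilter needs for the cn= match as well
            $gpoGuid = $null
            if ($d['ObjectDN'] -match '(?i)CN=(\{[0-9A-F-]+\})') { $gpoGuid = $Matches[1] }
            $gpoName = '(not found, probably deleted)'
            if ($gpoGuid) {
                $gpo = Get-GPO -Guid $gpoGuid -ErrorAction SilentlyContinue
                if ($gpo) { $gpoName = $gpo.DisplayName }
            }

            $action = switch ($e.Id) { 5137 { 'CREATED' } 5136 { 'MODIFIED' } 5141 { 'DELETED' } }
            # OperationType is a resource string (assumption: default strings);
            # %%14674 = Value Added, %%14675 = Value Deleted
            $op = switch ($d['OperationType']) { '%%14674' { 'add' } '%%14675' { 'delete' } default { $d['OperationType'] } }
            $change = $null
            if ($d['AttributeValue']) { $change = "$op $($d['AttributeValue'])" }

            [pscustomobject]@{
                Time      = $e.TimeCreated
                DC        = $dc.HostName
                Action    = $action
                Actor     = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                ActorSid  = $d['SubjectUserSid']
                GpoGuid   = $gpoGuid
                GpoName   = $gpoName
                Attribute = $d['AttributeLDAPDisplayName']   # empty for 5137 and 5141
                Change    = $change
            }
        }
    }
}

Get-GpoChangeEvent -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

If step 3 returns nothing for a change you know happened, the audit policy or SACL was not in place at the time of the change (there is no way to recover it retroactively), or the change went through a DC whose log has already rolled over. If it returns rows but Splunk does not, the problem is on the ingestion side rather than with the ldapfilter lookup.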