How to identify an admin who made a change in GPO

rcastello
Explorer

Hello,

Someone made changes to GPO that negatively impacted devices in our environment. I searched event code 4733, but I haven't been able to link an admin account to the activity. I found this query below on another thread (https://answers.splunk.com/answers/172845/how-to-correlate-the-admin-user-with-a-gpo-change.html) but there seems to be an issue with the ldap portion. Would anyone know what the issue is and/or know something better I can use? Thank you.

index=* (EventCode=5137 OR EventCode=5136 OR EventCode=5141) Class=groupPolicyContainer
| rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
| eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
| ldapfilter domain=*DOMAIN* search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"
| convert ctime(_time) as Time
| table Time Security_ID EventCodeDescription action gpo_guid displayName

nickhills
Ultra Champion

As @gcusello says, you may not have this enabled; specifically, the policy you need to enable is:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration> Audit Policies/DS Access > Audit Directory Service Changes

One limitation is that it will tell you "Who" changed it, but not "What" was changed.
Following that you should see events for 5136.

If my comment helps, please give it a thumbs up!

gcusello
SplunkTrust

Hi @rcastello,
What is your problem: do you have events with EventCode=5137 OR EventCode=5136 OR EventCode=5141, or not?
If not, did you check whether GPO events are logged (by default this logging is disabled!)?
If instead you have events, check if the problem is in the match with ldapfilter (in other words, see what result you have without ldapfilter).

In addition, to my knowledge, the EventCode for policy changes is 4719.

Lastly, usually WinEventLog:Security events are in the wineventlog index, so you don't need to search in all indexes (your search is slower!).

Ciao.
Giuseppe

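The following search is an added example, not code from any of the posters above. It keeps the pipeline from the original question (rex on DN, case() on EventCode, table of who/what/when) but applies gcusello's two suggestions: look at what the events give you without ldapfilter, and search a specific index rather than index=*. It assumes the classic-format field names the question uses (DN, Class, Security_ID), a wineventlog index, and that Audit Directory Service Changes is already enabled as nickhills describes. The first block of makeresults/eval lines builds three constructed sample events so the search runs stand-alone; in production delete them and replace the first line with the real search named in its comment. The GPO display names are likewise constructed stand-ins for a lookup you would build yourself. Inline ``` comments are Splunk's own comment syntax (Splunk 8.0 and later).

```spl
| makeresults count=3 ``` CONSTRUCTED sample; replace with: index=wineventlog sourcetype=WinEventLog:Security (EventCode=5136 OR EventCode=5137 OR EventCode=5141) Class=groupPolicyContainer ```
| streamstats count AS n
| eval _time=_time - (3 - n) * 60 ``` spread the three samples one minute apart ```
| eval EventCode=case(n==1, 5137, n==2, 5136, n==3, 5141) ``` one create, one modify, one delete ```
| eval Security_ID=case(n==3, "CONTOSO\\asmith", true(), "CONTOSO\\jdoe") ``` classic-format field for Subject > Security ID (constructed accounts) ```
| eval Class="groupPolicyContainer"
| eval DN=case(n==2, "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=local", true(), "CN={11111111-2222-4333-8444-555555555555},CN=Policies,CN=System,DC=contoso,DC=local")
| rex field=DN "(?i)^CN=\{?(?<gpo_guid>[^,}]+)\}?," ``` reusable pipeline starts here: pull the GPO GUID out of the object DN, dropping the braces ```
| eval gpo_guid=upper(gpo_guid) ``` normalise case so the value matches a lookup built from Get-GPO ```
| eval action=case(EventCode==5137, "CREATED", EventCode==5136, "MODIFIED", EventCode==5141, "DELETED", true(), "OTHER")
| eval displayName=case(gpo_guid=="6AC1786C-016F-11D2-945F-00C04FB984F9", "Default Domain Controllers Policy", gpo_guid=="11111111-2222-4333-8444-555555555555", "Workstation Hardening (constructed)") ``` stand-in for: | lookup gpo_names.csv gpo_guid OUTPUT displayName ```
| eval displayName=coalesce(displayName, "<unknown: deleted GPO or not in lookup>") ``` a deleted GPO no longer resolves to a name, which is itself worth seeing ```
| eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table Time Security_ID EventCode action gpo_guid displayName
| sort 0 Time
```

Run as written it returns three rows: CONTOSO\jdoe creating and then modifying the two constructed GPOs, and CONTOSO\asmith deleting one. Against real data, the GUID-to-name resolution that ldapfilter was meant to provide is better done with a CSV lookup (gpo_guid, displayName) exported from the GroupPolicy module's Get-GPO cmdlet and refreshed on a schedule, because the name is then available even for a GPO that has since been deleted, when an LDAP query would come back empty. If the search returns nothing at all, check the audit policy first: without Audit Directory Service Changes there are no 5136/5137/5141 events to correlate, whatever the search looks like.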