How to identify an admin who made a change in GPO

rcastello
Explorer

Hello,

Someone made changes to GPO that negatively impacted devices in our environment. I searched event code 4733, but I haven't been able to link an admin account to the activity. I found this query below on another thread (https://answers.splunk.com/answers/172845/how-to-correlate-the-admin-user-with-a-gpo-change.html) but there seems to be an issue with the ldap portion. Would anyone know what the issue is and/or know something better I can use? Thank you.

 index=* (EventCode=5137 OR EventCode=5136 OR EventCode=5141) Class=groupPolicyContainer
 | rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
 | eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
 | ldapfilter domain=*DOMAIN* search="(&(objectclass=groupPolicyContainer)(cn=$gpo_guid$))" attrs="displayName"
 | convert ctime(_time) as Time
 | table Time Security_ID EventCodeDescription action gpo_guid displayName
0 Karma
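For readers without ldapfilter available, here is the same correlation done outside Splunk as an added example (not the poster's query and not Splunk code): it applies the Class filter, the CN rex and the EventCode-to-action mapping from the search above to constructed 5136/5137 event text, and replaces the LDAP lookup with an assumed GUID-to-displayName dictionary. The event layout, account names, SIDs and GPO names are all made up for illustration.

```python
import re

# Constructed sample events (not real data), laid out like the Windows
# Security log messages Splunk ingests as WinEventLog:Security.
SAMPLE_EVENTS = [
    "EventCode=5136\nSubject:\n\tSecurity ID:\tS-1-5-21-1-2-3-1105\n\tAccount Name:\tjdoe.admin\n"
    "Object:\n\tDN:\tCN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example\n"
    "\tClass:\tgroupPolicyContainer\nAttribute:\n\tLDAP Display Name:\tversionNumber\n\tValue:\t42\n",
    "EventCode=5137\nSubject:\n\tSecurity ID:\tS-1-5-21-1-2-3-1106\n\tAccount Name:\tsvc.deploy\n"
    "Object:\n\tDN:\tCN={A1B2C3D4-0000-1111-2222-333344445555},CN=Policies,CN=System,DC=corp,DC=example\n"
    "\tClass:\tgroupPolicyContainer\n",
    # A group change, not a GPO: must be dropped by the Class filter.
    "EventCode=5136\nSubject:\n\tSecurity ID:\tS-1-5-21-1-2-3-1105\n\tAccount Name:\tjdoe.admin\n"
    "Object:\n\tDN:\tCN=Finance Users,OU=Groups,DC=corp,DC=example\n\tClass:\tgroup\n",
]

# Assumed stand-in for the ldapfilter lookup: GPO GUID -> displayName.
GPO_NAMES = {"{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy"}

# Same mapping as the eval/case() in the SPL query.
ACTIONS = {"5137": "CREATED", "5136": "MODIFIED", "5141": "DELETED"}


def field(event, name):
    """Read one 'Name:<tab>Value' line from the event text (None if absent)."""
    m = re.search(rf"^\t?{re.escape(name)}:\t+(.*)$", event, re.M)
    return m.group(1).strip() if m else None


def parse_gpo_change(event):
    """Return one row like the SPL table, or None if this is not a GPO container event."""
    code = re.search(r"EventCode=(\d+)", event)
    if not code or code.group(1) not in ACTIONS:
        return None
    if field(event, "Class") != "groupPolicyContainer":  # Class=groupPolicyContainer
        return None
    m = re.match(r"(?i)CN=(?P<gpo_guid>.*?),", field(event, "DN") or "")  # the rex
    if not m:
        return None
    guid = m.group("gpo_guid")
    return {
        "Security_ID": field(event, "Security ID"),
        "Account_Name": field(event, "Account Name"),
        "action": ACTIONS[code.group(1)],
        "gpo_guid": guid,
        "displayName": GPO_NAMES.get(guid.upper(), "<unknown GPO>"),
        "attribute": field(event, "LDAP Display Name"),  # which attribute changed
    }


def gpo_changes(events):
    """Correlate a batch of events into admin/GPO/action rows."""
    return [r for r in (parse_gpo_change(e) for e in events) if r]
```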

nickhills
Ultra Champion

As @gcusello says, you may not have this enabled; specifically, the policy you need to enable is:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies/DS Access > Audit Directory Service Changes

One limitation is that it will tell you "Who" changed it, but not "What" was changed.
Following that, you should see 5136 events.

If my comment helps, please give it a thumbs up!
0 Karma

gcusello
SplunkTrust

Hi @rcastello,
What is your problem: do you have events with EventCode=5137 OR EventCode=5136 OR EventCode=5141, or not?
If not, did you check whether GPO events are logged (by default this logging is disabled!)?
If instead you do have events, check whether the problem is in the match with ldapfilter (in other words, see what result you get without ldapfilter).

In addition, to my knowledge, the EventCode for policy changes is 4719.

Lastly, WinEventLog:Security events are usually in the wineventlog index, so you don't need to search all indexes (your search is slower!).

Ciao.
Giuseppe

0 Karma