Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

LDAP Search / Active Directory App Monitor Changes

ntripp_element
Explorer
‎07-28-2020 01:12 PM

How can I use Splunk to alert / run reports on group member changes?

Currently I have something I wrote that reads group members from AD, stores in DB then runs a differential.  Seems like splunk would be ideal for this. Is there a way to run a search and diff from the previous run?

Labels (2)
Labels
0 Karma
Reply

ntripp_element
Explorer
‎07-31-2020 07:57 AM

bump?

0 Karma
Reply

shivanshu1593
Builder
‎08-05-2020 11:39 AM

Yes you can. You can bring your AD logs to Splunk using the following app

Splunk App For Windows 

Using ldapsearch command, and with a bit of SPL magic, you can customise the data that you want to pull from AD.

Since Splunk will store your old, as well as new data, you can easily compare them and schedule alerts, reports, create tickets in a ITSM ticketing tool like Servicenow, Remedy etc and much more.

Hope this helps,

S

Note: If it helped, please mark this as an accepted answer.

 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply

ntripp_element
Explorer
‎08-05-2020 11:41 AM

yes i already was able to pull the information. the other things you referenced I do not follow. I'm really trying to get a little more information on the how ...

0 Karma
Reply

shivanshu1593
Builder
‎08-05-2020 12:07 PM

If you can give some sample data, which has the data of pre and post group changes, we can help you to build the search.

I believe an EventCode is being generated, everytime there's some changes in the OU. Like 4727 for a group creation, 4728 when a member is added, 4729 if a member is removed and so on.

If that's the case, I'd look out for those eventcodes and use the table command to pipe the required values in tabular format.

Again, some sample data and more light on what you want to achieve will be helpful.

Thanks,

S

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and stall ...

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Are you ready to uncover the threats hiding in plain sight? Join us for "Print, Leak, Repeat: UEBA Insider ...

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...