Security

LDAP Search / Active Directory App Monitor Changes

ntripp_element
Explorer

How can I use Splunk to alert / run reports on group member changes?

Currently I have something I wrote that reads group members from AD, stores in DB then runs a differential.  Seems like splunk would be ideal for this. Is there a way to run a search and diff from the previous run?

Labels (2)
0 Karma

ntripp_element
Explorer

bump?

0 Karma

shivanshu1593
Contributor

Yes you can. You can bring your AD logs to Splunk using the following app

Splunk App For Windows 

Using ldapsearch command, and with a bit of SPL magic, you can customise the data that you want to pull from AD.

Since Splunk will store your old, as well as new data, you can easily compare them and schedule alerts, reports, create tickets in a ITSM ticketing tool like Servicenow, Remedy etc and much more.

Hope this helps,

S

Note: If it helped, please mark this as an accepted answer.

 

0 Karma

ntripp_element
Explorer

yes i already was able to pull the information. the other things you referenced I do not follow. I'm really trying to get a little more information on the how ...

0 Karma

shivanshu1593
Contributor

If you can give some sample data, which has the data of pre and post group changes, we can help you to build the search.

I believe an EventCode is being generated, everytime there's some changes in the OU. Like 4727 for a group creation, 4728 when a member is added, 4729 if a member is removed and so on.

If that's the case, I'd look out for those eventcodes and use the table command to pipe the required values in tabular format.

Again, some sample data and more light on what you want to achieve will be helpful.

Thanks,

S

0 Karma