Splunk Enterprise Security

How can I set up alerts when there are any additions to an Active Directory group and when local administrative accounts are created?

kappalkamal
New Member

Alert when - Additions to critical Active Directory groups such as Domain Admins, Enterprise Admins, Key Management Groups, Network Administrators, Security Administrators, Remote Access are performed and ensure an authorization for the access is present.
I also want to set up an alert when local administrative accounts are created. Could someone help me with this?

Appreciate your response.

0 Karma

markhill1
Path Finder

Hi, we have a search running that does the same thing. Here is the base for it; add in any other groups you need to.
Or convert it to use a lookup table of AD groups instead.

index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4728 (Target_User_Name="Domain Admins" OR Target_User_Name="Enterprise Admins" OR Target_User_Name="DHCP Administrators" OR Target_User_Name="DNSAdmins" OR Target_User_Name="Schema Admins" OR Target_User_Name="Cert Publishers")

For local admin accounts, see this post
https://answers.splunk.com/answers/770820/example-of-a-new-local-admin-account-use-case.html

0 Karma
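As an added example, not taken from the answer above, here is that search converted to the lookup-table approach the answer mentions, widened to the other "member added" events (4732 for local groups, 4756 for universal groups) and joined to a second lookup so the authorization check the question asks for becomes a field you can alert on. The lookup files critical_ad_groups.csv (column group_name) and approved_group_changes.csv (columns group_name, member, ticket_id), and the Member_Name and Subject_User_Name field names, are assumptions about your environment; check them against your own extractions before scheduling the alert.

```spl
index=wineventlog sourcetype="XmlWinEventLog:Security" (EventID=4728 OR EventID=4732 OR EventID=4756)
| lookup critical_ad_groups.csv group_name AS Target_User_Name OUTPUT group_name AS critical_group
| where isnotnull(critical_group)
| rename Member_Name AS added_member, Subject_User_Name AS added_by
| lookup approved_group_changes.csv group_name AS critical_group, member AS added_member OUTPUT ticket_id
| eval authorized=if(isnotnull(ticket_id), "yes", "NO - review")
| table _time, host, EventID, critical_group, added_member, added_by, ticket_id, authorized
```

Rows with authorized="NO - review" are the ones to alert on; including 4732 with a row for "Administrators" in critical_ad_groups.csv also catches additions to the local Administrators group on each host.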