Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I setup alerts when there are any additions on an Active Directory Group and when local administrative accounts are created?

kappalkamal
New Member
‎02-08-2018 08:51 AM

Alert when - Additions to critical Active Directory groups such as Domain Admins, Enterprise Admins, Key Management Groups, Network Administrators, Security Administrators, Remote Access are performed and ensure an authorization for the access is present.
I also want to set up an Alert when - local administrative accounts are created. Could someone help me on this?

Appreciate your response.

0 Karma
Reply

markhill1
Path Finder
‎11-18-2019 04:27 PM

Hi, We have a search running that does the same thing. Here is the base for it, add in any other groups you need to.
Or, convert it to use a lookup table of AD Groups instead,

index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4728 (Target_User_Name="Domain Admins" OR Target_User_Name="Enterprise Admins" OR Target_User_Name="DHCP Administrators" OR Target_User_Name="DNSAdmins" OR  Target_User_Name="Schema Admins" OR Target_User_Name="Cert Publishers")

For local admin accounts, see this post
https://answers.splunk.com/answers/770820/example-of-a-new-local-admin-account-use-case.html

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...