Splunk Enterprise Security

How can I setup alerts when there are any additions on an Active Directory Group and when local administrative accounts are created?

New Member

Alert when - Additions to critical Active Directory groups such as Domain Admins, Enterprise Admins, Key Management Groups, Network Administrators, Security Administrators, Remote Access are performed and ensure an authorization for the access is present.
I also want to set up an Alert when - local administrative accounts are created. Could someone help me on this?

Appreciate your response.

0 Karma

Path Finder

Hi, We have a search running that does the same thing. Here is the base for it, add in any other groups you need to.
Or, convert it to use a lookup table of AD Groups instead,

index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4728 (Target_User_Name="Domain Admins" OR Target_User_Name="Enterprise Admins" OR Target_User_Name="DHCP Administrators" OR Target_User_Name="DNSAdmins" OR  Target_User_Name="Schema Admins" OR Target_User_Name="Cert Publishers")

For local admin accounts, see this post

0 Karma
Get Updates on the Splunk Community!

Should our Deployment Servers have the Search Head server role on them?

all of our stuff is on premcurrently our dedicated Deployment Servers also have the Search Head role on them, ...

About the drill down time range

I want to create a drilldown that searches for the timezone displayed by the Timechart command.<BR />How ...

About Time picker tokens

I would like to search from 600 seconds before to 600 seconds after the time specified in the time picker on ...