Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I setup alerts when there are any additions on an Active Directory Group and when local administrative accounts are created?

kappalkamal
New Member
‎02-08-2018 08:51 AM

Alert when - Additions to critical Active Directory groups such as Domain Admins, Enterprise Admins, Key Management Groups, Network Administrators, Security Administrators, Remote Access are performed and ensure an authorization for the access is present.
I also want to set up an Alert when - local administrative accounts are created. Could someone help me on this?

Appreciate your response.

0 Karma
Reply

markhill1
Path Finder
‎11-18-2019 04:27 PM

Hi, We have a search running that does the same thing. Here is the base for it, add in any other groups you need to.
Or, convert it to use a lookup table of AD Groups instead,

index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4728 (Target_User_Name="Domain Admins" OR Target_User_Name="Enterprise Admins" OR Target_User_Name="DHCP Administrators" OR Target_User_Name="DNSAdmins" OR  Target_User_Name="Schema Admins" OR Target_User_Name="Cert Publishers")

For local admin accounts, see this post
https://answers.splunk.com/answers/770820/example-of-a-new-local-admin-account-use-case.html

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...