Splunk Enterprise

How to check "what" changed in a GPO

rahulkumarfgf
Explorer

Hello Everyone,

I have searched for this everywhere but have not found any suitable answer. I have Splunk App for Windows Infrastructure installed and I can see the group policy changes in it. However, it only shows the name of the GPO and the user who changed it. I also need to know which GPO attribute was changed by the user. I am not sure how to achieve that using Splunk. I also tried the app "MS Windows AD Objects" but that too doesn't show any relevant information.

I have checked the following link for answers: 
https://community.splunk.com/t5/Archive/Query-for-Checking-GPO-Changes/m-p/384810/highlight/false

https://community.splunk.com/t5/Security/How-to-identify-an-admin-who-made-a-change-in-GPO/m-p/46998...

https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-correlate-the-admin-user-with-a-GPO-chan...
and all the links within this answer thread.

It would be great if someone can please assist me with this as it's very important for the Organization.

 

Thanks,

Rahul

 

Labels (1)
0 Karma

rahulkumarfgf
Explorer

Hello Everyone,

It would be great if someone could provide any feedback on this request. Thank You!

0 Karma

rahulkumarfgf
Explorer

@woodcock : Hi! I apologize for tagging you without permission. I have not received any response on this and your answers have helped me a lot in learning about Splunk, so would really appreciate if you could shed some light on my query. Thank you and have a great day!

0 Karma
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...