Splunk Enterprise

How to check "what" changed in a GPO

rahulkumarfgf
Explorer

Hello Everyone,

I have searched for this everywhere but have not found any suitable answer. I have Splunk App for Windows Infrastructure installed and I can see the group policy changes in it. However, it only shows the name of the GPO and the user who changed it. I also need to know which GPO attribute was changed by the user. I am not sure how to achieve that using Splunk. I also tried the app "MS Windows AD Objects" but that too doesn't show any relevant information.

I have checked the following link for answers: 
https://community.splunk.com/t5/Archive/Query-for-Checking-GPO-Changes/m-p/384810/highlight/false

https://community.splunk.com/t5/Security/How-to-identify-an-admin-who-made-a-change-in-GPO/m-p/46998...

https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-correlate-the-admin-user-with-a-GPO-chan...
and all the links within this answer thread.

It would be great if someone can please assist me with this as it's very important for the Organization.

 

Thanks,

Rahul

 

Labels (1)
0 Karma

rahulkumarfgf
Explorer

Hello Everyone,

It would be great if someone could provide any feedback on this request. Thank You!

0 Karma

rahulkumarfgf
Explorer

@woodcock : Hi! I apologize for tagging you without permission. I have not received any response on this and your answers have helped me a lot in learning about Splunk, so would really appreciate if you could shed some light on my query. Thank you and have a great day!

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...