Splunk Search

Active Directory auditing: What's the best way to get it done?

Niro
Explorer

Hello,

I'm trying to figure out the best way to report/alert on active directory change events. I have admon/event forwarding set up on our DCs (admon on just one).

I need to be able to alert on group changes, which is relatively easy to set up alerts for. However, I also need to be able to alert when someone moves one of a specific list of users from one OU to another. When I make a change like that, I can see the event in Splunk from admon, but it just lists the object's properties. I can figure out what changed by looking at the previous event for the object and comparing a field with streamstats, but that assumes I know what to compare, and I won't always know what changed.

So what's the best way to get this done? How can I alert that "x admin moved y user from OU-A to OU-B"?


gcusello
SplunkTrust

Hi @Niro,

The first step is to identify the Windows EventCodes you want; here you can find all the Windows EventCodes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

So if you want an alert when a Group is created, you have to run a search like this:

index=wineventlog EventCode=4727

and then display the fields you want.

As usual the most important job in Splunk is outside Splunk itself: you have to know what to search and what to display, how to do it is a secondary and easier thing.

So if you want to know when a User is added to a group you have to search for EventCode 4728, and for a removal, EventCode 4729.

Now you can create a search like the following:

index=wineventlog EventCode IN (4728,4729)
| stats
   values(eval(if(EventCode=4728,host,""))) AS new_host
   values(eval(if(EventCode=4729,host,""))) AS old_host
   BY user

Obviously you can customize your search as you like.

Ciao.

Giuseppe

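The OU-move case from the question, as an added example that is not part of either post: admon emits a full attribute snapshot of an object each time it changes, so the generic way to find what changed without knowing the attribute in advance is to diff each event against the previous event for the same objectGUID (which is what a streamstats-by-objectGUID search does in SPL). The Python below implements that diff over constructed admon-style records (objectGUID, distinguishedName and sAMAccountName are standard AD attribute names; the records and the watchlist are made up for this example) and raises an alert only when the parent OU actually changes, so a plain CN rename does not fire.

```python
"""Diff consecutive admon snapshots of the same AD object and alert on OU moves.

Added example, not from the thread. The events below are constructed samples of
what an admon snapshot carries; real events have many more attributes.
"""

# Constructed admon-style events (oldest first). Only a few attributes are kept.
EVENTS = [
    {"_time": 1, "objectGUID": "guid-1", "sAMAccountName": "jdoe",
     "distinguishedName": "CN=John Doe,OU=OU-A,DC=corp,DC=example",
     "description": "Analyst"},
    # jdoe is moved from OU-A to OU-B: only the DN changes.
    {"_time": 2, "objectGUID": "guid-1", "sAMAccountName": "jdoe",
     "distinguishedName": "CN=John Doe,OU=OU-B,DC=corp,DC=example",
     "description": "Analyst"},
    # First snapshot of a second object: nothing to compare against yet.
    {"_time": 3, "objectGUID": "guid-2", "sAMAccountName": "asmith",
     "distinguishedName": "CN=Alice Smith,OU=OU-A,DC=corp,DC=example",
     "description": "Engineer"},
    # jdoe's description changes; the DN is unchanged.
    {"_time": 4, "objectGUID": "guid-1", "sAMAccountName": "jdoe",
     "distinguishedName": "CN=John Doe,OU=OU-B,DC=corp,DC=example",
     "description": "Senior Analyst"},
    # asmith is renamed: the DN changes but the parent OU does not.
    {"_time": 5, "objectGUID": "guid-2", "sAMAccountName": "asmith",
     "distinguishedName": "CN=Alice Smith-Jones,OU=OU-A,DC=corp,DC=example",
     "description": "Engineer"},
]

# Constructed watchlist: the "specific list of users" from the question.
WATCHLIST = {"jdoe", "asmith"}


def parent_ou(dn):
    """Return the DN minus its leading RDN, i.e. the container the object lives in."""
    return dn.split(",", 1)[1]


def diff_events(events):
    """Yield one record per event that has an earlier snapshot of the same objectGUID.

    Each record lists every attribute whose value differs from the previous
    snapshot as {attr: (old, new)}, so the caller need not know in advance
    which attribute to compare.
    """
    last = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        guid = ev["objectGUID"]
        prev = last.get(guid)
        if prev is not None:
            attrs = (set(prev) | set(ev)) - {"_time"}
            changed = {a: (prev.get(a), ev.get(a)) for a in attrs
                       if prev.get(a) != ev.get(a)}
            if changed:
                yield {"_time": ev["_time"], "objectGUID": guid,
                       "sAMAccountName": ev.get("sAMAccountName"),
                       "changed": changed}
        last[guid] = ev


def ou_move_alerts(events, watchlist):
    """Return alert strings for watchlisted users whose parent OU changed."""
    alerts = []
    for d in diff_events(events):
        if d["sAMAccountName"] not in watchlist:
            continue
        if "distinguishedName" not in d["changed"]:
            continue
        old_dn, new_dn = d["changed"]["distinguishedName"]
        old_ou, new_ou = parent_ou(old_dn), parent_ou(new_dn)
        if old_ou != new_ou:  # a rename inside the same OU is not a move
            alerts.append(f"{d['sAMAccountName']} moved from {old_ou} "
                          f"to {new_ou} at _time={d['_time']}")
    return alerts


if __name__ == "__main__":
    for d in diff_events(EVENTS):
        print(d["_time"], d["sAMAccountName"], d["changed"])
    for a in ou_move_alerts(EVENTS, WATCHLIST):
        print("ALERT:", a)
```

One caveat for the "x admin moved y user" form of the alert: an admon snapshot records the object's new state, not who changed it. With Directory Service Changes auditing enabled on the DCs, the Security log's event 5139 (A directory service object was moved) carries the Subject account and the object's old and new DN, so correlating the admon diff with that event by DN and time is what supplies the actor.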