Splunk Search

Active Directory auditing: What's the best way to get it done?

Niro
Explorer

Hello,

I'm trying to figure out the best way to report/alert on active directory change events. I have admon/event forwarding set up on our DCs (admon on just one).

I need to be able to alert on group changes, which is relatively easy to set up alerts for. However, I also need to be able to alert when someone moves one of a specific list of users from one OU to another. When I make a change like that, I can see the event in Splunk from admon, but it just lists the object's properties. I can figure out what changed by looking at the previous event for the object and comparing a field with streamstats, but that assumes I know what to compare, and I won't always know what changed.

So what's the best way to get this done? How can I alert that "x admin moved y user from OU-A to OU-B"?


gcusello
SplunkTrust

Hi @Niro,

The first step is to identify the Windows EventCodes you want. Here you can find all the Windows EventCodes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

So if you want an alert when a Group is created, you have to run a search like this:

index=wineventlog EventCode=4727

and then display the fields you want.

As usual, the most important job in Splunk is outside Splunk itself: you have to know what to search for and what to display; how to do it is a secondary and easier thing.

So if you want to know when a User is added to a group, you have to search for EventCode 4728, and when one is removed, EventCode 4729.

Now you can create a search like the following:

index=wineventlog EventCode IN (4728,4729)
| stats
    values(eval(if(EventCode=4728, host, null()))) AS new_host
    values(eval(if(EventCode=4729, host, null()))) AS old_host
    BY user

Obviously you can customize your search as you like.

Ciao.

Giuseppe

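As an added example that is not part of either post above, here is one way to implement the streamstats comparison Niro describes for the OU-move case. An OU move shows up in admon as a change of the object's distinguishedName, so the search strips the leaf CN to get the parent container, orders each object's snapshots by time, and fires only when the container differs from the previous snapshot for the same objectGUID. The first seven lines build constructed sample rows with makeresults (the GUIDs, account names and OU names are invented for the example) so the search runs with no data on hand; the field names distinguishedName, objectGUID and sAMAccountName are assumed to be what the Splunk_TA_windows admon input extracts.

```spl
| makeresults count=5
| streamstats count AS n
| eval _time=now() - (6 - n) * 600
| eval objectGUID=if(n<=3, "guid-alice", "guid-bob")
| eval sAMAccountName=if(n<=3, "alice", "bob")
| eval distinguishedName=case(
      n<=2, "CN=Alice Smith,OU=Staff,DC=corp,DC=example",
      n=3,  "CN=Alice Smith,OU=Contractors,DC=corp,DC=example",
      true(), "CN=Bob Jones,OU=Staff,DC=corp,DC=example")
| eval ou=replace(distinguishedName, "^CN=[^,]+,", "")
| sort 0 _time
| streamstats current=f window=1 last(ou) AS prev_ou BY objectGUID
| where isnotnull(prev_ou) AND ou!=prev_ou
| table _time sAMAccountName prev_ou ou
```

On the constructed rows this returns a single result for alice, with prev_ou "OU=Staff,DC=corp,DC=example" and ou "OU=Contractors,DC=corp,DC=example"; bob's snapshots never change container and produce nothing. To run it against real data, replace the makeresults block (everything up to and including the distinguishedName eval) with a base search over the admon index, for example index=msad sourcetype=ActiveDirectory admonEventType=Update objectCategory="CN=Person,*" restricted to the watched accounts with sAMAccountName IN (...) or a lookup; the index, sourcetype and admonEventType values are Splunk_TA_windows defaults and should be checked against your own input configuration. Two caveats a practitioner will hit: the regex assumes the CN contains no escaped commas (a DN such as "CN=Smith\, John,OU=..." needs a regex that skips backslash-escaped characters), and streamstats only sees a previous snapshot if it falls inside the search window, so either search a long enough range or persist the last known OU per object in a lookup. Also note that admon records the object's state, not who changed it, so it cannot by itself produce "x admin moved y user"; the actor is in the Security log event 5139 (A directory service object was moved), which is only generated when Audit Directory Service Changes is enabled and an audit SACL is set on the OUs.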