Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Active Directory auditing: What's the best way to get it done?

Niro
Explorer
‎08-04-2023 11:17 PM

Hello,

I'm trying to figure out the best way to report/alert on active directory change events. I have admon/event forwarding set up on our DCs (admon on just one).

I need to be able to alert on group changes - which is relatively easy to set up alerts for However I also need to be able to alert when someone moves one of a specific list of users from one OU to another. What I make a change like that, I can see the event in splunk from admon, but it just lists the objects properties. I can figure out what changed by looking previous event for the object and compare a field with streamstats - but that's assuming I know what to compare, and I won't always know what changed.

So what's the best way to get this done? How can I alert that "x admin moved y user from OU-A to OU-B"?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-05-2023 01:52 AM

Hi @Niro,

the first step i identify the Windows EventCodes you wan, here you can find all the Windows EventCodes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

So if you ant an lert when a Group is created, you have to run a search like this:

index=wineventlog EventCode=4727

and then display the fields you want.

As usual the most important job in Splunk is outside Splunk itself: you have to know what to search and what to display, how to do it is a secondary and easier thing.

So if you want to know when a User is added to a group you have to search for the EventCode 4728 and it's removed EventCode 4729.

Now you can create a search like the following:

index=wineventlog EventCode IN (4728,4729)
| stats 
   values(eval(if(EventCode=4728),host,"")) AS new_host
   values(eval(if(EventCode=4729),host,"")) AS old_host
   BY user

Obviously you can customize your search as you like.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...