Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Active Directory auditing: What's the best way to get it done?

Niro
Explorer
‎08-04-2023 11:17 PM

Hello,

I'm trying to figure out the best way to report/alert on active directory change events. I have admon/event forwarding set up on our DCs (admon on just one).

I need to be able to alert on group changes - which is relatively easy to set up alerts for However I also need to be able to alert when someone moves one of a specific list of users from one OU to another. What I make a change like that, I can see the event in splunk from admon, but it just lists the objects properties. I can figure out what changed by looking previous event for the object and compare a field with streamstats - but that's assuming I know what to compare, and I won't always know what changed.

So what's the best way to get this done? How can I alert that "x admin moved y user from OU-A to OU-B"?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-05-2023 01:52 AM

Hi @Niro,

the first step i identify the Windows EventCodes you wan, here you can find all the Windows EventCodes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

So if you ant an lert when a Group is created, you have to run a search like this:

index=wineventlog EventCode=4727

and then display the fields you want.

As usual the most important job in Splunk is outside Splunk itself: you have to know what to search and what to display, how to do it is a secondary and easier thing.

So if you want to know when a User is added to a group you have to search for the EventCode 4728 and it's removed EventCode 4729.

Now you can create a search like the following:

index=wineventlog EventCode IN (4728,4729)
| stats 
   values(eval(if(EventCode=4728),host,"")) AS new_host
   values(eval(if(EventCode=4729),host,"")) AS old_host
   BY user

Obviously you can customize your search as you like.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...