Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Active Directory auditing: What's the best way to get it done?

Niro
Explorer
‎08-04-2023 11:17 PM

Hello,

I'm trying to figure out the best way to report/alert on active directory change events. I have admon/event forwarding set up on our DCs (admon on just one).

I need to be able to alert on group changes - which is relatively easy to set up alerts for However I also need to be able to alert when someone moves one of a specific list of users from one OU to another. What I make a change like that, I can see the event in splunk from admon, but it just lists the objects properties. I can figure out what changed by looking previous event for the object and compare a field with streamstats - but that's assuming I know what to compare, and I won't always know what changed.

So what's the best way to get this done? How can I alert that "x admin moved y user from OU-A to OU-B"?

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-05-2023 01:52 AM

Hi @Niro,

the first step i identify the Windows EventCodes you wan, here you can find all the Windows EventCodes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

So if you ant an lert when a Group is created, you have to run a search like this:

index=wineventlog EventCode=4727

and then display the fields you want.

As usual the most important job in Splunk is outside Splunk itself: you have to know what to search and what to display, how to do it is a secondary and easier thing.

So if you want to know when a User is added to a group you have to search for the EventCode 4728 and it's removed EventCode 4729.

Now you can create a search like the following:

index=wineventlog EventCode IN (4728,4729)
| stats 
   values(eval(if(EventCode=4728),host,"")) AS new_host
   values(eval(if(EventCode=4729),host,"")) AS old_host
   BY user

Obviously you can customize your search as you like.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top