Active Directory auditing: What's the best way to get it done?
Hello,
I'm trying to figure out the best way to report/alert on active directory change events. I have admon/event forwarding set up on our DCs (admon on just one).
I need to be able to alert on group changes, which is relatively easy to set up alerts for. However, I also need to be able to alert when someone moves one of a specific list of users from one OU to another. When I make a change like that, I can see the event in Splunk from admon, but it just lists the object's properties. I can figure out what changed by looking at the previous event for the object and comparing a field with streamstats, but that's assuming I know what to compare, and I won't always know what changed.
So what's the best way to get this done? How can I alert that "x admin moved y user from OU-A to OU-B"?
Hi @Niro,
The first step is to identify the Windows EventCodes you want; here you can find all the Windows EventCodes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
So if you want an alert when a Group is created, you have to run a search like this:
```
index=wineventlog EventCode=4727
```
and then display the fields you want.
As usual the most important job in Splunk is outside Splunk itself: you have to know what to search and what to display, how to do it is a secondary and easier thing.
So if you want to know when a User is added to a group you have to search for EventCode 4728, and for its removal, EventCode 4729.
Now you can create a search like the following:
```
index=wineventlog EventCode IN (4728,4729)
| stats
    values(eval(if(EventCode=4728, host, null()))) AS new_host
    values(eval(if(EventCode=4729, host, null()))) AS old_host
    BY user
```
Obviously you can customize your search as you like.
Ciao.
Giuseppe
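The question's admon problem (the snapshot only lists the object's properties, and you don't know in advance which field changed) can be handled by diffing every attribute between consecutive snapshots of the same object, keyed by objectGUID, and then flagging the watched users whose container changed. The following is an added example written for this thread, not code from the original post or from Splunk; the event records, user names and DNs are constructed, and the field names mimic what an admon event carries.

```python
"""Generic attribute diff over admon-style AD object snapshots (constructed example).

Each record mimics the fields an admon event carries (objectGUID, distinguishedName,
sAMAccountName, memberOf). For every object, consecutive snapshots are compared on
all attributes, so the detection does not need to know in advance which field changed.
"""

# Constructed sample snapshots: "jsmith" is moved from OU-A to OU-B, and "adoe"
# is renamed inside OU-A (a DN change that is NOT a move).
SAMPLE_EVENTS = [
    {"_time": 1, "objectGUID": "guid-1", "sAMAccountName": "jsmith",
     "distinguishedName": "CN=J Smith,OU=OU-A,DC=example,DC=local",
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=local"]},
    {"_time": 2, "objectGUID": "guid-2", "sAMAccountName": "adoe",
     "distinguishedName": "CN=A Doe,OU=OU-A,DC=example,DC=local",
     "memberOf": []},
    {"_time": 3, "objectGUID": "guid-1", "sAMAccountName": "jsmith",
     "distinguishedName": "CN=J Smith,OU=OU-B,DC=example,DC=local",
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=local"]},
    {"_time": 4, "objectGUID": "guid-2", "sAMAccountName": "adoe",
     "distinguishedName": "CN=A Doe-Jones,OU=OU-A,DC=example,DC=local",
     "memberOf": []},
]

# Constructed watch list of accounts whose OU moves must raise an alert.
WATCHED_USERS = {"jsmith"}

# Bookkeeping fields that differ between every snapshot and carry no AD change.
IGNORED = {"_time", "objectGUID"}


def parent_ou(dn):
    """Return the DN minus its leading RDN, i.e. the container the object lives in."""
    return dn.split(",", 1)[1] if "," in dn else ""


def diff_snapshots(events):
    """Yield (time, account, attribute, old, new) for every attribute that changed
    between consecutive snapshots of the same object (keyed by objectGUID).
    This is the streamstats-style "compare with the previous event" idea, applied
    to all attributes at once instead of one chosen field."""
    last = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        guid = ev["objectGUID"]
        prev = last.get(guid)
        if prev is not None:
            for attr in sorted((set(prev) | set(ev)) - IGNORED):
                old, new = prev.get(attr), ev.get(attr)
                if old != new:
                    yield (ev["_time"], ev.get("sAMAccountName"), attr, old, new)
        last[guid] = ev


def ou_move_alerts(events, watched):
    """Alert lines for watched users whose container (OU) changed.
    A rename that keeps the object in the same OU changes the DN but is not a move."""
    alerts = []
    for t, account, attr, old, new in diff_snapshots(events):
        if attr != "distinguishedName" or account not in watched:
            continue
        src, dst = parent_ou(old), parent_ou(new)
        if src != dst:
            alerts.append(f"t={t}: user {account} moved from {src} to {dst}")
    return alerts


if __name__ == "__main__":
    for change in diff_snapshots(SAMPLE_EVENTS):
        print("changed:", change)
    for line in ou_move_alerts(SAMPLE_EVENTS, WATCHED_USERS):
        print("ALERT", line)
```

The snapshot itself carries no "who did it": as the question notes, admon only lists the object's properties, so the account that performed the move has to come from the Windows Security log searches described in the answer rather than from this diff.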