Splunk Search

Active Directory security group changes

tkerr1357
Path Finder

Hello all, 

I could use some help here with creating a search. Ultimately I would like to know if a user is added to a specific set of security groups what security groups if any were removed from that same user. 

Here is a search for security group removal:

index=wineventlog EventCode=4729 EventCodeDescription="A member was removed from a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog
| table member, Group_Name, Subject_Account_Name, _time

Here is a search for security group added:

index=wineventlog EventCode=4728 EventCodeDescription="A member was Added to a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog
| table member, Group_Name, Subject_Account_Name, _time

additional search info:

EventCode=4728 Added
EventCode=4729 Removed
Group_Name - security group
Subject_Account_Name - prov sentry
member - user

security groups, I would like to monitor users being added to:

RDSUSers_GRSQCP01

RDSUSers_GROQCP01

RDSUSers_BRSQCP01

RDSUSers_BROQCP01

RDSUSers_VRSQCP01

RDSUSers_VROQCP01

Again I am looking to monitor if a user was added to any of the above 6 security groups were they within a few hours before and ahead of the event removed from any other groups. let me know if I can provide any additional info and as always thank you for the help.

Labels (3)
0 Karma

hoangs
Explorer

 try below search   

EventCode=4728 OR EventCode=4729 Account_Name="*" | stats count by Account_Name user_group signature_id name _time 
0 Karma

tkerr1357
Path Finder

That didn't work. Also, I don't think you can count by multiple fields.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. Yes, you can split your count by how many fields you want.

2. "This doesn't work" is not a very constructive comment. Remember that it's you who asks for help.

3.

index=wineventlog EvenCode IN (4728,4729)

This will find all the events where a user was either added or removed to a security-enabled group. That's a start. But you want to find situations if a user was removed from another group and added to one of those you seek. So you want something like this

index=wineventlog ((EventCode=4728 Group_Name IN (RDSUSers_GRSQCP01, RDSUSers_GROQCP01, RDSUSers_BRSQCP01, RDSUSers_BROQCP01, RDSUSers_VRSQCP01, RDSUSers_VROQCP01)) OR (EventCode=4729 NOT Group_Name IN (RDSUSers_GRSQCP01, RDSUSers_GROQCP01, RDSUSers_BRSQCP01, RDSUSers_BROQCP01, RDSUSers_VRSQCP01, RDSUSers_VROQCP01))

Looks a bit uglier, doesn't it. But it will give you all potentially interesting events. Now you have to find if they fit your criteria.

Since we will need to reverse the order of the events (by default Splunk returns events in reverse chronological order which is a bit inconvenient for us here), you might need to only limit further processed data to the relevant fields (but if you have just a bunch of events this is an optional step)

| fields EventCode Group_Name Subject_Account_Name
| fields - _raw

(Notice that I didn't explicitly include _time because it is added by default)

Now we need to sort by _time so the earliest events are processed first

| sort _time

As the default order is a reverse chronological order doing just

| reverse

instead should work as well.

Now we create a field containing timestamp for removal from a group and a name of a group a user was removed from

| eval remstamp=if(EventCode=4729,_time,null())
| eval remgroup=if(EventCode=4729,Group_Name,null())

So now we can do streamstats to see when and from which groups the users were removed

| streamstats last(remstamp) as last_removed last(remgroup) as removed_from by Subject_Account_Name

This will propagate the information of a user's removal from a group to the next event regarding the same user.

Now we need to find matching events. For 3 hours window it will be

| where _time-last_removed<10800

Be aware that it will only find last removal for a given user. Tweaking the streamstats you can probably aggregate all removals but it's too late for me to think about it now 😉

 

Get Updates on the Splunk Community!

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...