Splunk Search

How to display a modification on the active directory?

episano
New Member

Hello, I want to display a table with the different modifications made on AD (group add, user creation/removal, etc.) with the details of the operation, but I cannot find the details in the logs.

I prefer to have a solution that does not use an ldapsearch, because I need a real-time search.

1 Solution

gcusello
SplunkTrust

Hi episano,
by default this information isn't in the AD logs, so you have to enable it on your Domain Controllers; you have to enable, in the Default Domain Controller Policy:

“Audit Security Group Management” (Success) in: Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:

  • Event 4727 A Security-enabled Global Group was created
  • Event 4737 A Security-enabled Global Group was changed (generic; it precedes every operation that modifies the group's attributes)
  • Event 4728 A member was added to a security-enabled Global group
  • Event 4729 A member was removed from a security-enabled Global group
  • Event 4730 A Security-enabled Global Group was removed
  • Event 4754 A Security-enabled Universal Group was created
  • Event 4755 A Security-enabled Universal Group was changed (generic; it precedes every operation that modifies the group's attributes)
  • Event 4756 A member was added to a security-enabled Universal group
  • Event 4757 A member was removed from a security-enabled Universal group
  • Event 4758 A Security-enabled Universal Group was removed
  • Event 4731 A Security-enabled Local Group was created
  • Event 4735 A Security-enabled Local Group was changed (generic; it precedes every operation that modifies the group's attributes)
  • Event 4732 A member was added to a security-enabled Domain Local group
  • Event 4733 A member was removed from a security-enabled Domain Local group
  • Event 4734 A Security-enabled Domain Local Group was removed
  • Event 4781 Group Rename (preceded by 4735 for Local, 4737 for Global or 4755 for Universal)
  • Event 4764 Group Change Type

“Audit User Account Management” (Success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:

  • Event 4720 A user account was created
  • Event 4724 An attempt was made to reset an account Password
  • Event 4738 A User account was changed
  • Event 4725 A user account was disabled
  • Event 4722 A user account was enabled
  • Event 4726 A user account was deleted

“Audit Audit Policy Change” (Success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Policy Change, so you'll have a generic event 4719.

Bye.
Giuseppe

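A search that turns the event IDs above into the table the question asks for, added here as an example and not taken from the original post. It assumes the Security log is collected from every Domain Controller with the Splunk Add-on for Windows in classic (non-XML) rendering, so the index name `wineventlog`, the `source` value and the auto-extracted field names `Account_Name` (multivalue: the Subject first, the target or member last), `Group_Name`, `New_Account_Name` and `Subcategory` are assumptions to verify against your own data; with `renderXml=true` the source is `XmlWinEventLog:Security` and the equivalents are `SubjectUserName`, `TargetUserName` and `MemberName`.

```spl
index=wineventlog source="WinEventLog:Security"
    EventCode IN (4720, 4722, 4724, 4725, 4726, 4738, 4781,
                  4727, 4728, 4729, 4730, 4737,
                  4731, 4732, 4733, 4734, 4735,
                  4754, 4755, 4756, 4757, 4758,
                  4764, 4719)
| eval action=case(
    EventCode=="4720", "user created",
    EventCode=="4722", "user enabled",
    EventCode=="4724", "password reset",
    EventCode=="4725", "user disabled",
    EventCode=="4726", "user deleted",
    EventCode=="4738", "user changed",
    EventCode=="4781", "account renamed",
    in(EventCode, "4727", "4731", "4754"), "group created",
    in(EventCode, "4728", "4732", "4756"), "member added",
    in(EventCode, "4729", "4733", "4757"), "member removed",
    in(EventCode, "4730", "4734", "4758"), "group deleted",
    in(EventCode, "4735", "4737", "4755"), "group changed",
    EventCode=="4764", "group type changed",
    EventCode=="4719", "audit policy changed")
| eval scope=case(
    in(EventCode, "4727", "4728", "4729", "4730", "4737"), "global",
    in(EventCode, "4731", "4732", "4733", "4734", "4735"), "domain local",
    in(EventCode, "4754", "4755", "4756", "4757", "4758"), "universal",
    true(), "-")
| eval actor=mvindex(Account_Name, 0)
| eval target=coalesce(Group_Name, New_Account_Name, Subcategory, mvindex(Account_Name, -1))
| eval member=if(in(EventCode, "4728", "4729", "4732", "4733", "4756", "4757"),
                 mvindex(Account_Name, -1), null())
| table _time, host, EventCode, action, scope, actor, target, member
| sort -_time
```

The first `eval` collapses the three group scopes into one action name and the second keeps the scope as its own column, so the table reads the same whether the group is global, domain local or universal; `actor` is the Subject of the event (who made the change) and `target` is the group, the account, or for 4719 the audit subcategory that was touched, with `member` filled only for membership changes. Run it over a short rolling window or save it as a scheduled alert rather than as a true real-time search, which holds a search slot permanently. If the table stays empty after the GPO change, confirm the effective policy on each DC with `auditpol /get /category:"Account Management"`: the Default Domain Controllers Policy applies only to the Domain Controllers OU, and a change is logged only on the DC where it was made, so every DC must be forwarding its Security log.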


episano
New Member

Thanks for your clarity !
