- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to display a modification on the active direct...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I want to display a table with the different modifications made on AD ( group add, user creation/removing, etc..) with the details of the operation but I cannot find the details in the logs.
I prefer to have a solution without using a ldapsearch because I need a real-time search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi episano,
by default this information aren't in the AD logs, so you have to enable them in your Domain Controllers, so you have to enable in Default Domain Controller Policy :
“Audit Security Group Management” (Success) in: Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:
- Event 4727 A Security-enabled Global Group was created
- Event 4737 A Security-enabled Global Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
- Event 4728 A member was added to a security-enabled Global group
- Event 4729 A member was removed from a security-enabled Global group
- Event 4730 A Security-enabled Global Group was removed
- Event 4754 A Security-enabled Universal Group was created
- Event 4755 A Security-enabled Universal Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
- Event 4756 A member was added to a security-enabled Universal group
- Event 4757 A member was removed from a security-enabled Universal group
- Event 4758 A Security-enabled Universal Group was removed
- Event 4731 A Security-enabled Local Group was created
- Event 4735 A Security-enabled Local Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
- Event 4732 A member was added to a security-enabled Domain Local group
- Event 4733 A member was removed from a security-enabled Domain Local group
- Event 4734 A Security-enabled Domain Local Group was removed
- Event 4781 Group Rename (preceduto da 4735 Locale o 4737 Globale o 4755 Universale)
- Event 4764 Group Change Type
“Audit User Account Management” (Success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:
- Event 4720 A user account was created
- Event 4724 An attempt was made to reset an account Password
- Event 4738 A User account was changed
- Event 4725 A user account was disabled
- Event 4722 A user account was enabled
- Event 4726 A user account was deleted
“Audit Audit Policy change” (success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Policy Change, so you'll have a generic event 4719.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi episano,
by default this information aren't in the AD logs, so you have to enable them in your Domain Controllers, so you have to enable in Default Domain Controller Policy :
“Audit Security Group Management” (Success) in: Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:
- Event 4727 A Security-enabled Global Group was created
- Event 4737 A Security-enabled Global Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
- Event 4728 A member was added to a security-enabled Global group
- Event 4729 A member was removed from a security-enabled Global group
- Event 4730 A Security-enabled Global Group was removed
- Event 4754 A Security-enabled Universal Group was created
- Event 4755 A Security-enabled Universal Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
- Event 4756 A member was added to a security-enabled Universal group
- Event 4757 A member was removed from a security-enabled Universal group
- Event 4758 A Security-enabled Universal Group was removed
- Event 4731 A Security-enabled Local Group was created
- Event 4735 A Security-enabled Local Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
- Event 4732 A member was added to a security-enabled Domain Local group
- Event 4733 A member was removed from a security-enabled Domain Local group
- Event 4734 A Security-enabled Domain Local Group was removed
- Event 4781 Group Rename (preceduto da 4735 Locale o 4737 Globale o 4755 Universale)
- Event 4764 Group Change Type
“Audit User Account Management” (Success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:
- Event 4720 A user account was created
- Event 4724 An attempt was made to reset an account Password
- Event 4738 A User account was changed
- Event 4725 A user account was disabled
- Event 4722 A user account was enabled
- Event 4726 A user account was deleted
“Audit Audit Policy change” (success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Policy Change, so you'll have a generic event 4719.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your clarity !
Video | Welcome Back to Smartness, Pedro
Detector Best Practices: Static Thresholds
Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...
