Splunk Search

How to display a modification on the active directory?

New Member

Hello, I want to display a table with the different modifications made on AD ( group add, user creation/removing, etc..) with the details of the operation but I cannot find the details in the logs.

I prefer to have a solution without using a ldapsearch because I need a real-time search.

0 Karma
1 Solution

Legend

Hi episano,
by default this information aren't in the AD logs, so you have to enable them in your Domain Controllers, so you have to enable in Default Domain Controller Policy :

Audit Security Group Management” (Success) in: Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:

  • Event 4727 A Security-enabled Global Group was created
  • Event 4737 A Security-enabled Global Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
  • Event 4728 A member was added to a security-enabled Global group
  • Event 4729 A member was removed from a security-enabled Global group
  • Event 4730 A Security-enabled Global Group was removed
  • Event 4754 A Security-enabled Universal Group was created
  • Event 4755 A Security-enabled Universal Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
  • Event 4756 A member was added to a security-enabled Universal group
  • Event 4757 A member was removed from a security-enabled Universal group
  • Event 4758 A Security-enabled Universal Group was removed
  • Event 4731 A Security-enabled Local Group was created
  • Event 4735 A Security-enabled Local Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
  • Event 4732 A member was added to a security-enabled Domain Local group
  • Event 4733 A member was removed from a security-enabled Domain Local group
  • Event 4734 A Security-enabled Domain Local Group was removed
  • Event 4781 Group Rename (preceduto da 4735 Locale o 4737 Globale o 4755 Universale)
  • Event 4764 Group Change Type

Audit User Account Management” (Success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:

  • Event 4720 A user account was created
  • Event 4724 An attempt was made to reset an account Password
  • Event 4738 A User account was changed
  • Event 4725 A user account was disabled
  • Event 4722 A user account was enabled
  • Event 4726 A user account was deleted

Audit Audit Policy change” (success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Policy Change, so you'll have a generic event 4719.

Bye.
Giuseppe

View solution in original post

0 Karma

Legend

Hi episano,
by default this information aren't in the AD logs, so you have to enable them in your Domain Controllers, so you have to enable in Default Domain Controller Policy :

Audit Security Group Management” (Success) in: Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:

  • Event 4727 A Security-enabled Global Group was created
  • Event 4737 A Security-enabled Global Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
  • Event 4728 A member was added to a security-enabled Global group
  • Event 4729 A member was removed from a security-enabled Global group
  • Event 4730 A Security-enabled Global Group was removed
  • Event 4754 A Security-enabled Universal Group was created
  • Event 4755 A Security-enabled Universal Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
  • Event 4756 A member was added to a security-enabled Universal group
  • Event 4757 A member was removed from a security-enabled Universal group
  • Event 4758 A Security-enabled Universal Group was removed
  • Event 4731 A Security-enabled Local Group was created
  • Event 4735 A Security-enabled Local Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
  • Event 4732 A member was added to a security-enabled Domain Local group
  • Event 4733 A member was removed from a security-enabled Domain Local group
  • Event 4734 A Security-enabled Domain Local Group was removed
  • Event 4781 Group Rename (preceduto da 4735 Locale o 4737 Globale o 4755 Universale)
  • Event 4764 Group Change Type

Audit User Account Management” (Success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:

  • Event 4720 A user account was created
  • Event 4724 An attempt was made to reset an account Password
  • Event 4738 A User account was changed
  • Event 4725 A user account was disabled
  • Event 4722 A user account was enabled
  • Event 4726 A user account was deleted

Audit Audit Policy change” (success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Policy Change, so you'll have a generic event 4719.

Bye.
Giuseppe

View solution in original post

0 Karma

New Member

Thanks for your clarity !

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!