Pretty new to all this.
I've got a Splunk 6.5.1 environment gathering data from Windows servers/desktops and Active Directory (AD). Need to create a search that will show me all login attempts and successes by members of the Domain Admins group. I can search data about the logins and I can get group membership via SA-LDAPSearch. How do I make the info about the Domain Admin group members available to the logins search?
Thanks for this. I've looked through it and it will get me the info I want based on the current Domain Admins group. I am hoping there's a way to update the information from Domain Admins each time I run the query.
To search login, logout and login-failure events you have to insert in your search (possibly using a lookup) the following EventIDs:
528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 4624, 4625, 4634, 4647, 4648, 4672, 4675, 4771, 17055, 18450, 18451, 18452, 18453, 18454, 18455, 18456, 18457, 18458, 18459, 18460, 18461, 24001, 24002, 24003 (the last ones are for Exchange and SQL Server).
Beware of duplicated login events: each access generates many login events, so you have to filter them using the dedup or transaction commands.
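Putting the two halves together (the SA-LDAPSearch group lookup from the question and the EventID filtering from the answer), here is one SPL search that does it. This is an added example, not code from the original thread: it assumes the Windows events are indexed with sourcetype WinEventLog:Security and the Splunk Add-on for Windows field extractions (EventCode, user, Logon_ID, ComputerName, src_ip), an SA-LDAPSearch connection named `default`, and the group DN `CN=Domain Admins,CN=Users,DC=example,DC=com`; adjust all of those to your environment. The group membership is obtained in a subsearch, so it is re-read from AD every time the search runs, which is what the asker wanted.

```spl
sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4672)
    [ | ldapsearch domain=default
          search="(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=example,DC=com))"
          attrs="sAMAccountName"
      | rename sAMAccountName AS user
      | fields user ]
| eval action=if(EventCode=4625, "failure", "success")
| stats count AS events,
        dc(Logon_ID) AS logon_sessions,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen,
        values(ComputerName) AS hosts,
        values(src_ip) AS sources
  BY user, action
| convert ctime(first_seen) ctime(last_seen)
```

A few notes on the choices made. The LDAP filter uses the AD matching-rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) so that users who are Domain Admins through a nested group are included as well; replace it with a plain `(memberOf=...)` if you only want direct members. The subsearch returns one `user` value per member, which Splunk turns into an `(user="a" OR user="b" ...)` clause on the outer search; subsearches are capped at 10,000 results by default, which is ample for a Domain Admins group but worth remembering if you reuse this for a larger group. The `stats` aggregation addresses the duplicate-event caveat above without listing every raw event: `dc(Logon_ID)` counts distinct logon sessions rather than events for the success row (4624 and 4672 for the same session share a Logon ID). For 4625 failures the Logon ID is always 0x0, so `logon_sessions` is only meaningful on the success row and `events` is the number to watch there. Only the modern (Vista and later) EventIDs are used; add the 5xx IDs from the answer if you still have Windows Server 2003 sources.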