Index based search for user being added to multiple windows groups?

john-doe
Engager

Hello Folks,

Needed help with index based search for any user being added to multiple windows groups (preferably more than a count of 5) in a time span of 15 mins.

Thank you


gcusello
SplunkTrust

Hi @john-doe,

at first, you have to check if your Domain Controller is logging EventCodes 4728 (A member was added to a security-enabled global group) and 4732 (A member was added to a security-enabled local group) and you're taking these EventCodes in your Splunk.

If yes, you can run a simple search like the following:

index=wineventlog EventCode IN (4728,4732)
| stats count dc(ComputerName) AS ComputerName_count BY user
| where ComputerName_count>1

Obviously you can choose a different threshold in the last row.

Ciao.

Giuseppe

john-doe
Engager

Thanks @gcusello

I think your query will give me user added in particular groups on distinct hosts.

For checking if a user was added in multiple groups in 15 min time span how can I modify your query? How can I use span or maxspan?

I was working on something like this below. Not sure how to add the time factor check in there..

index=windows EventCode IN ("4728", "4756", "4732") Subject_Account_Name !="*$"
| stats count values(Group_Name) by Subject_Account_Name, Member_Security_ID
| where count >= 20

gcusello
SplunkTrust

Hi @john-doe,

you can add the time factor:

if you want an alert: defining the time monitoring period, e.g. every 15 minutes using the search you shared.

if instead you want to trace the distinct count of Subject_Account_Names registered in more groups, depending on time (e.g. every hour), you could use:

index=windows EventCode IN ("4728", "4756", "4732") Subject_Account_Name !="*$"
| bin span=1h _time
| stats dc(Group_Name) AS Group_Name_count BY _time Subject_Account_Name
| where Group_Name_count>=20

Ciao.

Giuseppe
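The two approaches discussed in this thread (fixed `bin span=…` buckets versus the asker's "any 15-minute span") behave differently on a burst of group additions that straddles a bucket boundary. The following Python script is an added illustration of that difference, not code from the thread or from Splunk: it re-implements the same detection logic over a small set of constructed events shaped like the Splunk-extracted fields the searches above use (EventCode, Subject_Account_Name, Group_Name), applies the `!="*$"` machine-account filter, and compares fixed-bin counting with a sliding 15-minute window. The sample events, account names and group names are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs the thread uses: member added to a global (4728), local (4732)
# or universal (4756) security-enabled group.
GROUP_ADD_CODES = {4728, 4732, 4756}

# Constructed sample events (timestamp, EventCode, Subject_Account_Name, Group_Name).
# Not real log data; names and times are invented for this example.
SAMPLE_EVENTS = [
    # admin.jane adds a member to 6 distinct groups in 11.5 minutes, starting
    # just before a 15-minute boundary (09:58 -> 10:09:30).
    ("2024-05-01 09:58:00", 4728, "CORP\\admin.jane", "Domain Admins"),
    ("2024-05-01 10:01:00", 4732, "CORP\\admin.jane", "Administrators"),
    ("2024-05-01 10:03:00", 4756, "CORP\\admin.jane", "Schema Admins"),
    ("2024-05-01 10:05:00", 4728, "CORP\\admin.jane", "Backup Operators"),
    ("2024-05-01 10:07:00", 4732, "CORP\\admin.jane", "Remote Desktop Users"),
    ("2024-05-01 10:09:00", 4728, "CORP\\admin.jane", "Account Operators"),
    ("2024-05-01 10:09:30", 4728, "CORP\\admin.jane", "Account Operators"),  # repeat, not distinct
    # helpdesk.bob: two additions hours apart, benign.
    ("2024-05-01 10:30:00", 4728, "CORP\\helpdesk.bob", "Helpdesk"),
    ("2024-05-01 12:00:00", 4728, "CORP\\helpdesk.bob", "Printer Operators"),
    # A machine account ($ suffix) doing the same burst; excluded by the filter.
    ("2024-05-01 10:00:00", 4728, "CORP\\DC01$", "G1"),
    ("2024-05-01 10:01:00", 4728, "CORP\\DC01$", "G2"),
    ("2024-05-01 10:02:00", 4728, "CORP\\DC01$", "G3"),
    ("2024-05-01 10:03:00", 4728, "CORP\\DC01$", "G4"),
    ("2024-05-01 10:04:00", 4728, "CORP\\DC01$", "G5"),
    ("2024-05-01 10:05:00", 4728, "CORP\\DC01$", "G6"),
]


def parse(events):
    """Apply the search-time filters: EventCode IN (...) and Subject_Account_Name!="*$"."""
    out = []
    for ts, code, subject, group in events:
        if code not in GROUP_ADD_CODES or subject.endswith("$"):
            continue
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), subject, group))
    out.sort()
    return out


def fixed_bin_alerts(events, span_minutes=15, threshold=5):
    """Equivalent of `bin span=<N>m _time | stats dc(Group_Name) BY _time Subject_Account_Name
    | where dc > threshold`. Assumes span_minutes divides 60, like Splunk's bin on minute spans."""
    groups = defaultdict(set)
    for t, subject, group in parse(events):
        bucket = t - timedelta(minutes=t.minute % span_minutes, seconds=t.second)
        groups[(bucket, subject)].add(group)
    return {key: len(g) for key, g in groups.items() if len(g) > threshold}


def sliding_window_alerts(events, window_minutes=15, threshold=5):
    """For each subject, check every window starting at one of its events:
    does any 15-minute span contain more than `threshold` distinct groups?
    This matches the asker's wording and does not miss bursts that straddle a bin edge."""
    window = timedelta(minutes=window_minutes)
    by_subject = defaultdict(list)
    for t, subject, group in parse(events):
        by_subject[subject].append((t, group))
    alerts = {}
    for subject, adds in by_subject.items():
        for i, (start, _) in enumerate(adds):
            distinct = {g for t, g in adds[i:] if t - start <= window}
            if len(distinct) > threshold:
                alerts[subject] = max(alerts.get(subject, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    print("fixed 15m bins:   ", fixed_bin_alerts(SAMPLE_EVENTS))
    print("fixed 1h bins:    ", fixed_bin_alerts(SAMPLE_EVENTS, span_minutes=60))
    print("sliding 15m window:", sliding_window_alerts(SAMPLE_EVENTS))
```

On the sample data the fixed 15-minute bins see only 1 group in the 09:45 bucket and 5 in the 10:00 bucket, so `admin.jane` never crosses "more than 5"; the sliding window sees all 6 and fires. In SPL the sliding behaviour is closer to `streamstats time_window=15m dc(Group_Name) BY Subject_Account_Name`, while `bin span=15m` remains the cheaper choice for a scheduled alert that runs every 15 minutes over the last 15 minutes.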
