Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Index based search for user being added to multiple windows groups?

john-doe
Engager
‎06-20-2023 03:42 AM

Hello Folks,

Needed help with index based search for any user being added to multiple windows groups (preferably more then count of 5) in a time span of 15 mins .

Thank you

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-20-2023 04:56 AM

Hi @john-doe,

you can add the time factor:

if you want an alert: defining the time monitoring period, e.g. every 15 minutes using the search you shared.

if instead you want to trace the distinct count of Subject_Accoun_Names registered in more groups, depending on time (e.g. every hour), you could use:

index=windows EventCode IN ("4728", "4756", "4732") Subject_Account_Name !="*$" 
| bin span=1h _time
| chart dc(Group_Name) AS Group_Name_count BY _time Subject_Account_Name 
| where Group_Name_count>= 20

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-20-2023 03:53 AM

Hi @john-doe,

at first, you have to check if your Domain Controller is logging EventCodes 4728 (A member was added to a security-enabled global group) and 4732 (A member was added to a security-enabled local group) and you're taking these EventCodes in your Splunk.

If yes, you can run a simple search like the following:

index=wineventlog EventCode IN (4728,4732)
| stats count dc(ComputerName) AS ComputerName_count BY user
| where ComputerName_count>1

Obviously you can choose a different threeshold in the last row.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

john-doe
Engager
‎06-20-2023 04:28 AM

Thanks @gcusello

I think your query will give me user added in particular groups on distinct hosts.

For checking if a user was added in multiple groups in15 min time span how can I modify your query ?  How can I use span or maxspan ?

 

I was working on something like this below. Not sure how to add the time factor check in there..

 

index=windows EventCode IN ("4728", "4756", "4732") Subject_Account_Name !="*$" | stats count values(Group_Name) by Subject_Account_Name, Member_Security_ID | where count >= 20

 

 

 

 

 

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-20-2023 04:56 AM

Hi @john-doe,

you can add the time factor:

if you want an alert: defining the time monitoring period, e.g. every 15 minutes using the search you shared.

if instead you want to trace the distinct count of Subject_Accoun_Names registered in more groups, depending on time (e.g. every hour), you could use:

index=windows EventCode IN ("4728", "4756", "4732") Subject_Account_Name !="*$" 
| bin span=1h _time
| chart dc(Group_Name) AS Group_Name_count BY _time Subject_Account_Name 
| where Group_Name_count>= 20

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...