Splunk Search

Search for user additions to Active Directory privileged groups


I would like to run a query for any user additions to privileged Active Directory groups. I am storing the AD groups of interest in Lookup file titled DomainPrivilegedGroups.csv. The definition has also been defined with the same name of DomainPrivilegedGroups.csv. At this time, the Lookup file contains 16 rows and this is likely to grow in the future. The Lookup file contains one column titled GroupName

My eventual search will look for any events where EventID=4728 OR EventID=4732 OR EventID=4756. For now, I'm just trying to get the basic search working and therefore I am running the below: 



sourcetype="XmlWinEventLog"      [ |  inputlookup DomainPrivilegedGroups.csv      |  rename GroupName as Group_Name ]



I'm performing the rename action because I know that the events store the group name in an attribute titled Group_Name.

I know that there are events containing one of the group names so I am expecting results to return. 

Is there anything glaringly obvious I'm doing wrong here? 

Another consideration is whether or not a Lookup file is the best option. From what I can see, there is no way to update a Lookup file and instead, when wanting to make any additions I would need to delete and re-create the Lookup file & definition. Is this correct? 

Thanks in advance!

Labels (2)
Tags (1)
0 Karma