Splunk Search

Search for user additions to Active Directory privileged groups

jlph
Loves-to-Learn

I would like to run a query for any user additions to privileged Active Directory groups. I am storing the AD groups of interest in Lookup file titled DomainPrivilegedGroups.csv. The definition has also been defined with the same name of DomainPrivilegedGroups.csv. At this time, the Lookup file contains 16 rows and this is likely to grow in the future. The Lookup file contains one column titled GroupName

My eventual search will look for any events where EventID=4728 OR EventID=4732 OR EventID=4756. For now, I'm just trying to get the basic search working and therefore I am running the below: 

 

 

sourcetype="XmlWinEventLog"      [ |  inputlookup DomainPrivilegedGroups.csv      |  rename GroupName as Group_Name ]

 

 

I'm performing the rename action because I know that the events store the group name in an attribute titled Group_Name.

I know that there are events containing one of the group names so I am expecting results to return. 

Is there anything glaringly obvious I'm doing wrong here? 

Another consideration is whether or not a Lookup file is the best option. From what I can see, there is no way to update a Lookup file and instead, when wanting to make any additions I would need to delete and re-create the Lookup file & definition. Is this correct? 

Thanks in advance!

Labels (2)
Tags (1)
0 Karma

maciep
Champion

Nothing stands out as wrong with that search.  I'd suggest reviewing the job inspector, maybe the keywords or remotesearch fields (Job -> Inspect Job, expand search properties) - that should give you an idea if the subsearch is working as you expect.

I think a lookup is fine approach.  If you have the ability, you could install the Lookup Editor app, which provides an excel-like experience for modifying lookups. 

Or you could use the outputlookup command overwrite the lookup.  Typically that would involve using inputlookup to get the events, using where/append/etc to modify the results, then using outputlookup to write it back.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...