Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search for user additions to Active Directory privileged groups

jlph
Loves-to-Learn
‎04-07-2021 02:11 PM

I would like to run a query for any user additions to privileged Active Directory groups. I am storing the AD groups of interest in Lookup file titled DomainPrivilegedGroups.csv. The definition has also been defined with the same name of DomainPrivilegedGroups.csv. At this time, the Lookup file contains 16 rows and this is likely to grow in the future. The Lookup file contains one column titled GroupName

My eventual search will look for any events where EventID=4728 OR EventID=4732 OR EventID=4756. For now, I'm just trying to get the basic search working and therefore I am running the below: 

 

 

sourcetype="XmlWinEventLog"      [ |  inputlookup DomainPrivilegedGroups.csv      |  rename GroupName as Group_Name ]

 

 

I'm performing the rename action because I know that the events store the group name in an attribute titled Group_Name.

I know that there are events containing one of the group names so I am expecting results to return. 

Is there anything glaringly obvious I'm doing wrong here? 

Another consideration is whether or not a Lookup file is the best option. From what I can see, there is no way to update a Lookup file and instead, when wanting to make any additions I would need to delete and re-create the Lookup file & definition. Is this correct? 

Thanks in advance!

Labels (2)
Labels
Tags (1)
0 Karma
Reply

maciep
Champion
‎04-17-2021 06:26 AM

Nothing stands out as wrong with that search.  I'd suggest reviewing the job inspector, maybe the keywords or remotesearch fields (Job -> Inspect Job, expand search properties) - that should give you an idea if the subsearch is working as you expect.

I think a lookup is fine approach.  If you have the ability, you could install the Lookup Editor app, which provides an excel-like experience for modifying lookups. 

Or you could use the outputlookup command overwrite the lookup.  Typically that would involve using inputlookup to get the events, using where/append/etc to modify the results, then using outputlookup to write it back.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...