Splunk Search

Splunk App for Windows Infrastructure: Receiving different results from directories

romulusc
New Member

Hi,

For some reason, when running one of the preset Active Directory searches, like 'Group Changes' for instance, I do not seem to get results, but when I run the same thing under the report "Active Directory Update Group Lookup" I seem to get results that I could not find using the Active Directory search.

I've attached screenshots of what I am facing:

[screenshot]

This is what I am getting when using the Active Directory Search. Note the "Previous business week" search scope (on the rightmost part).

[screenshot]

This is running the same kind of lookup using the Core Views report named "Active Directory: Update Group Lookup" (performing the same search scope of 'Previous business week').

Shouldn't I get the same results in both of them? The reason I want to see it in the first search is that I want to see the changes (the accounts added/removed) instead of it just telling me which groups had a change, with no further details, in the second search.

If anyone has any insight into why the 'Group Changes' search does not work or produce the results I want


Nahra
New Member

I believe each of those panels will allow you to look at the full search string. I would start there and see what the differences are between the two searches; it may just be a simple update to a field on the first panel.


romulusc
New Member

Hi Nahra,

I went ahead and did what you suggested, so for the one that is working, you can see it in the screenshot:
'admon-group-lookup-update'

The search commands for the two panels in the 'Group Changes' AD search are very different from the report version. I think this is because there is much more detail in terms of which members were added/removed:

eventtype=msad-group-changes (host="") user_group="" MSADGroupType="" MSADGroupClass="" | eval adminuser=src_nt_domain."\\".src_user | search adminuser="*" | table _time,adminuser,msad_action,MSADGroupClass,MSADGroupType,src_nt_domain,user_group | rename adminuser as "Administrator",msad_action as "Action",user_group as "Group",MSADGroupClass as "Type",MSADGroupType as "Scope",src_nt_domain as "Domain"

This one is for the "Group Changes" panel.

eventtype=msad-groupmembership-changes (host="") user_group="" MSADGroupType="" MSADGroupClass="" member="" | eval adminuser=src_nt_domain."\\".src_user | search adminuser="" | table _time,adminuser,MSADGroupClass,MSADGroupType,src_nt_domain,user_group,msad_action,member | rename adminuser as "Administrator",MSADGroupClass as "Type",MSADGroupType as "Scope",src_nt_domain as "Domain",user_group as "Group",msad_action as "Action",member as "Member"

This one is for the "Membership Changes" panel.

I also looked up eventtype=msad-groupmembership-changes and eventtype=msad-group-changes and confirmed that those event types do exist as well. I performed searches based on those event IDs too and was able to pull data.

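Following Nahra's suggestion to compare the full search strings, the following is an added Python example, not from this thread and not part of the Splunk App for Windows Infrastructure. It splits each panel search into its pipeline stages (on pipes outside double quotes), pulls the `field=value` terms out of the base search and every later `search` stage, and flags terms that cannot match real events: an empty value (`host=""`), which in Splunk matches only events where that field is literally empty, and an unresolved dashboard token (`$host$`). The two searches embedded below are constructed constants copied from the two panel searches quoted above; the token pattern `$name$` and the classification labels are this example's own assumptions, not something the app defines.

```python
"""Compare two Splunk panel searches stage by stage and flag filters that can
match nothing. Added example; not code from the thread or the Windows
Infrastructure app."""
import re

# Constructed from the two panel searches quoted in the thread above.
GROUP_CHANGES = (
    r'eventtype=msad-group-changes (host="") user_group="" MSADGroupType="" MSADGroupClass=""'
    r' | eval adminuser=src_nt_domain."\\".src_user | search adminuser="*"'
    r' | table _time,adminuser,msad_action,MSADGroupClass,MSADGroupType,src_nt_domain,user_group'
    r' | rename adminuser as "Administrator",msad_action as "Action",user_group as "Group",'
    r'MSADGroupClass as "Type",MSADGroupType as "Scope",src_nt_domain as "Domain"'
)
MEMBERSHIP_CHANGES = (
    r'eventtype=msad-groupmembership-changes (host="") user_group="" MSADGroupType=""'
    r' MSADGroupClass="" member="" | eval adminuser=src_nt_domain."\\".src_user'
    r' | search adminuser="" | table _time,adminuser,MSADGroupClass,MSADGroupType,'
    r'src_nt_domain,user_group,msad_action,member | rename adminuser as "Administrator",'
    r'MSADGroupClass as "Type",MSADGroupType as "Scope",src_nt_domain as "Domain",'
    r'user_group as "Group",msad_action as "Action",member as "Member"'
)

# field=value where value is either "quoted" (backslash escapes allowed) or bare.
TERM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(\S+))')
TOKEN_RE = re.compile(r"\$\w+\$")  # assumed shape of an unresolved dashboard token


def split_stages(spl: str) -> list[str]:
    """Split SPL on pipes that sit outside double-quoted strings."""
    stages, buf, in_quote, i = [], [], False, 0
    while i < len(spl):
        ch = spl[i]
        if in_quote and ch == "\\" and i + 1 < len(spl):
            buf.append(spl[i:i + 2])  # keep escape pair intact, e.g. "\\"
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def filter_terms(spl: str) -> dict[str, str]:
    """field -> value for the base search and any later `search` stage."""
    terms: dict[str, str] = {}
    for idx, stage in enumerate(split_stages(spl)):
        if idx == 0 or stage.split(None, 1)[0] == "search":
            for m in TERM_RE.finditer(stage):
                fld, quoted, bare = m.groups()
                terms[fld] = bare if bare is not None else quoted
    return terms


def classify(value: str) -> str:
    """Label a filter value by what it can match."""
    if value == "":
        return "empty"             # only events whose field is literally ""
    if TOKEN_RE.fullmatch(value):
        return "unresolved-token"  # $host$ never substituted by the dashboard
    if value == "*":
        return "wildcard"          # passes everything
    return "literal"


def dead_filters(spl: str) -> list[str]:
    """Fields whose filter value makes the search return nothing useful."""
    return sorted(f for f, v in filter_terms(spl).items()
                  if classify(v) in ("empty", "unresolved-token"))


def compare(a: str, b: str) -> dict[str, tuple]:
    """Fields whose filter value differs between the two searches."""
    ta, tb = filter_terms(a), filter_terms(b)
    return {f: (ta.get(f), tb.get(f))
            for f in sorted(set(ta) | set(tb)) if ta.get(f) != tb.get(f)}


if __name__ == "__main__":
    for name, spl in (("Group Changes", GROUP_CHANGES),
                      ("Membership Changes", MEMBERSHIP_CHANGES)):
        print(f"{name}: {len(split_stages(spl))} stages, dead filters: {dead_filters(spl)}")
    for fld, (va, vb) in compare(GROUP_CHANGES, MEMBERSHIP_CHANGES).items():
        print(f"  {fld}: group panel={va!r}  membership panel={vb!r}")
```

Run as-is it lists, for each panel, the filters that are `""` (as they appear in the pasted searches) and then the three fields on which the two panels differ: `eventtype`, `member`, and `adminuser` (`"*"` in the Group Changes panel, `""` in the Membership Changes panel). When pasting a panel search from a dashboard, replacing the constants with the copied string shows immediately whether a form field is feeding an empty value or an unsubstituted token into the search.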