Splunk Search

Search for user additions to Active Directory privileged groups

jlph
Loves-to-Learn

I would like to run a query for any user additions to privileged Active Directory groups. I am storing the AD groups of interest in a Lookup file titled DomainPrivilegedGroups.csv. The lookup definition has also been created with the same name, DomainPrivilegedGroups.csv. At this time, the Lookup file contains 16 rows and this is likely to grow in the future. The Lookup file contains one column titled GroupName.

My eventual search will look for any events where EventID=4728 OR EventID=4732 OR EventID=4756. For now, I'm just trying to get the basic search working and therefore I am running the below:

sourcetype="XmlWinEventLog" [ | inputlookup DomainPrivilegedGroups.csv | rename GroupName as Group_Name ]

I'm performing the rename action because I know that the events store the group name in an attribute titled Group_Name.

I know that there are events containing one of the group names, so I am expecting results to be returned.

Is there anything glaringly obvious I'm doing wrong here? 

Another consideration is whether or not a Lookup file is the best option. From what I can see, there is no way to update a Lookup file; instead, when wanting to make any additions, I would need to delete and re-create the Lookup file and definition. Is this correct?

Thanks in advance!

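As an added example (not from the original post), here is the shape the "eventual" search described above could take once the three event IDs are added, with the subsearch narrowed so it contributes only the group-name filter. It keeps the page's EventID and Group_Name field names; MemberName and SubjectUserName are assumed to be the names the add-on extracts for the added account and the account that performed the change, and should be checked against real events before use.

```spl
sourcetype="XmlWinEventLog" (EventID=4728 OR EventID=4732 OR EventID=4756)
    [ | inputlookup DomainPrivilegedGroups.csv
      | rename GroupName AS Group_Name
      | fields Group_Name ]
| stats count min(_time) AS first_seen max(_time) AS last_seen
        values(MemberName) AS added_members
        BY Group_Name SubjectUserName
| convert ctime(first_seen) ctime(last_seen)
```

The `fields Group_Name` step matters: without it, any extra column that is later added to the lookup would also be turned into search terms by the implicit `format` at the end of the subsearch, silently narrowing the results. If your Windows add-on names the event ID field EventCode rather than EventID, substitute that name in the first line.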

maciep
Champion

Nothing stands out as wrong with that search. I'd suggest reviewing the job inspector, maybe the keywords or remoteSearch fields (Job -> Inspect Job, expand search properties) - that should give you an idea if the subsearch is working as you expect.

I think a lookup is a fine approach. If you have the ability, you could install the Lookup Editor app, which provides an Excel-like experience for modifying lookups.

Or you could use the outputlookup command to overwrite the lookup. Typically that would involve using inputlookup to get the events, using where/append/etc. to modify the results, then using outputlookup to write it back.

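The inputlookup / append / outputlookup pattern from the answer above, written out as an added example (not code from the original thread). The group name "Schema Admins" is a constructed sample value; replace it with the group you actually want to add.

```spl
| inputlookup DomainPrivilegedGroups.csv
| append
    [ | makeresults
      | eval GroupName="Schema Admins"
      | fields GroupName ]
| dedup GroupName
| outputlookup DomainPrivilegedGroups.csv
```

Because outputlookup replaces the whole file, run the search once without the final line to confirm the result set looks right (existing 16 rows plus the new one, no duplicates) before writing it back. The `dedup` step keeps the lookup clean if the same group is added twice, and the `fields GroupName` step drops the `_time` column that `makeresults` creates so the file keeps its single-column layout.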