
How to correlate the admin user with a GPO change?

cgisplunk
Path Finder

Has anyone successfully created a working search that can correlate the username or admin account who made any change to a GPO in AD or created/deleted a GPO? The builtin Administrator Admin in Splunk Active Directory App or Windows Infrastructure App does not do anything; it's probably irrelevant by now and has obsolete field names (there is no more Object_Type field, but there is objectClass=top|container|groupPolicyContainer or objectCategory):

eventtype=msad-ad-access src_nt_domain="" src_user="" Object_Type="groupPolicyContainer" | eval srch=replace(Object_Name,"},CN=.","}") | transaction maxspan=5m session_id,host,srch | lookup tSessions local=true session_id OUTPUTNEW login_username,login_domain,login_host
I tried with subsearches and transactions but still cannot get to the admin user who actually makes a GPO change. If only Microsoft included that field in the GPO event...
Anyone?
Thanks in either case.

kabobb
Explorer

Try this

index=os EventCode=5137 OR EventCode=5136 OR EventCode=5141 Class=groupPolicyContainer
|rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
|eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
|ldapfilter domain=*DOM* search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"  
|convert ctime(_time) as Time 
|table _time Security_ID EventCodeDescription action gpo_guid displayName

DOM= your domain name


dharveynswccd
Path Finder

Hey guys, this thread is a bit old but it's the only one that came close to what I was looking for.
So I ran this search with a little modification to match my domain name and basically came up with nothing. I tested it line-by-line and the only time I can get any results is when the following line is omitted:
|ldapfilter domain=MyDomainName search="(&(Objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName={}*)))" attrs="displayName"

I am trying to get in my results the names of GPOs being created/modified/deleted, etc., and who made the changes.

Please let me know if anyone has any solutions. Thanks


leslytrinidad
Engager

I had the same issue. I initially thought it was the ldapfilter, but then I realized the issue is with the field extraction. The field extraction |rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\," is extracting after the "cn=" characters up to the comma, which in my case included extra stuff. So I changed the field extraction to "(?i)CN\={(?<gpo_guid>.*?)\}", which is going to extract everything inside the curly brackets; but then the ldapfilter needs the curly brackets, so I added them back using gpo_guid="{".gpo_guid."}". It would be cleaner to extract what is inside the curly brackets, including the brackets, with a single regex, but I couldn't figure that out, so this workaround did the trick. Once that is extracted properly, the same ldapfilter command posted works.
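The extraction and correlation logic discussed in kabobb's search and in the post above, carried out in Python as an added example (this is not code from any poster in this thread or from the Splunk apps mentioned). The events are constructed to mirror the fields the searches reference (EventCode, Class, DN, Security_ID); the second one reproduces the "extra stuff before the GUID" failure by putting another CN component in front of the GPO container. The gpo_names dictionary stands in for the ldapfilter lookup and uses the two well-known default GPO GUIDs; the third event references a GUID made up for the example. The single regex captures the GUID together with its curly braces, so no eval is needed to add them back.

```python
import re

# Constructed sample data: the two well-known default GPO GUIDs with their names,
# standing in for what "| ldapfilter ... attrs=displayName" would return.
SAMPLE_GPO_NAMES = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

# Constructed events modelled on the fields used in the thread's search.
# Event 2 has a leading "CN=Machine" component to reproduce the extraction problem.
# Event 3 uses a made-up GUID that no longer exists in the directory (deleted).
# Event 4 is not a groupPolicyContainer and must be filtered out.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:15:02", "EventCode": "5137", "Class": "groupPolicyContainer",
     "Security_ID": "CORP\\jdoe",
     "DN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"},
    {"_time": "2024-03-01T09:16:40", "EventCode": "5136", "Class": "groupPolicyContainer",
     "Security_ID": "CORP\\asmith",
     "DN": "CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"},
    {"_time": "2024-03-01T09:20:11", "EventCode": "5141", "Class": "groupPolicyContainer",
     "Security_ID": "CORP\\jdoe",
     "DN": "CN={D1E2F3A4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=example"},
    {"_time": "2024-03-01T09:21:00", "EventCode": "5136", "Class": "user",
     "Security_ID": "CORP\\asmith",
     "DN": "CN=Jane Doe,OU=Staff,DC=corp,DC=example"},
]

# Same mapping as the eval case() in kabobb's search.
ACTIONS = {"5137": "CREATED", "5136": "MODIFIED", "5141": "DELETED"}

# The extraction from the thread: everything after the first "CN=" up to the next comma.
NAIVE_GUID_RE = re.compile(r"CN=(?P<gpo_guid>.*?),", re.IGNORECASE)

# One regex that matches a GUID in 8-4-4-4-12 hex form, braces included,
# at whatever position in the DN the GPO container appears.
GPO_GUID_RE = re.compile(
    r"CN=(?P<gpo_guid>\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})", re.IGNORECASE
)


def naive_extract(dn):
    """Reproduce the original rex: returns 'Machine' for a DN like 'CN=Machine,CN={GUID},...'."""
    m = NAIVE_GUID_RE.search(dn)
    return m.group("gpo_guid") if m else None


def extract_gpo_guid(dn):
    """Return the braced GPO GUID from a DN, or None if the DN holds no GUID component."""
    m = GPO_GUID_RE.search(dn)
    return m.group("gpo_guid") if m else None


def correlate(events, gpo_names):
    """Build the table the search aims for: who did what to which GPO, with the GPO's display name."""
    rows = []
    for ev in events:
        if ev.get("Class") != "groupPolicyContainer" or ev.get("EventCode") not in ACTIONS:
            continue
        guid = extract_gpo_guid(ev["DN"])
        if guid is None:
            continue
        rows.append({
            "time": ev["_time"],
            "security_id": ev["Security_ID"],
            "action": ACTIONS[ev["EventCode"]],
            "gpo_guid": guid,
            # A deleted GPO (5141) cannot be resolved by a live directory lookup.
            "display_name": gpo_names.get(guid, "(not resolvable)"),
        })
    return rows


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS[:2]:
        print("naive:", naive_extract(ev["DN"]), "| fixed:", extract_gpo_guid(ev["DN"]))
    for row in correlate(SAMPLE_EVENTS, SAMPLE_GPO_NAMES):
        print(row)
```

The "(not resolvable)" row is the caveat worth keeping in mind when the lookup is done at search time: once 5141 has fired, the groupPolicyContainer object is gone from AD, so an ldapfilter run later returns no displayName for that GUID. Resolving names from a periodically refreshed lookup of GUID to displayName, rather than a live query, keeps the name for deleted GPOs as well.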

cgisplunk
Path Finder

Oops, should read: The builtin Administrator Audit...
