- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Active Directory Group Membership Alerts?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Active Directory Group Membership Alerts?
Using the built-in Splunk admon indexing, is there a way to monitor additions or removals to AD groups?
I'm using the following to pull latest membership and format each member as a record;
index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | table cn splitted _time
This gives the following output;
Group_cn_1,member1,_time1
Group_cn_1,member2,_time1
Group_cn_1,member3,_time1
Group_cn_2,member1,_time2
Group_cn_2,member2,_time2
My first thought was to compare two time windows as;
set diff [ latest(_time)] [ _time < _time - 24h]
However it appears the admon input is on a rising tail mechanism and latest(_time) varies on the last update of the group. I feel like I'm over thinking this. Perhaps I just create an alert to show any group with an _time within the last 24 hours, then somehow compare that to the previous record?
Any advice?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have something working as a scheduled alert;
index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | fields - _raw | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | eval Zone="Latest" | table cn splitted Zone _time
| append [ | search index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bat,DC=com" | fields - _raw | eventstats latest(_time) AS latest_timestamp by cn | eval prev_timestamp = strftime(_time, "%Y-%m-%d %I:%M:%S %p") | where _time < latest_timestamp | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | eval Zone="Previous" | table cn splitted Zone _time latest_timestamp ]
| stats values(cn) AS cn, values(Zone) as Zone, values(_time) as Timestamp, values(latest_timestamp) AS latest_timestamp by splitted
| nomv Zone
| search Zone="Previous"
| eval t=now()
| eval t_earliest = (t - 86400 * 1)
| where latest_timestamp>t_earliest
It can likely be cleaned up, but this is working for both removals and additions of accounts. The query as is only pulls removals with the "Zone" field set to "Previous". It's set as a scheduled alert around 6am, and if results are > 0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do this over the Windows Log.
Eventcodes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well aware of this, however I'd rather use the built in AD monitoring over deploying a forwarder on multiple domain controllers.
I've made some progress in that I can now compare deltas of the latest event vs. the prior event;
This grabs the event prior to the latest:
index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | table cn _time | eventstats latest(_time) AS lasttime | where _time < lasttime | dedup cn
I'm now formatting a 'set diff' query to compare the two.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
