Alerting

Active Directory Group Membership Alerts?

mcrawford44
Communicator

Using the built-in Splunk admon indexing, is there a way to monitor additions or removals to AD groups?

I'm using the following to pull latest membership and format each member as a record;

index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | table cn splitted _time

This gives the following output;

Group_cn_1,member1,_time1
Group_cn_1,member2,_time1
Group_cn_1,member3,_time1
Group_cn_2,member1,_time2
Group_cn_2,member2,_time2

My first thought was to compare two time windows as;

set diff [ latest(_time)] [ _time < _time - 24h]

However it appears the admon input is on a rising tail mechanism and latest(_time) varies on the last update of the group. I feel like I'm over thinking this. Perhaps I just create an alert to show any group with an _time within the last 24 hours, then somehow compare that to the previous record?

Any advice?

0 Karma

mcrawford44
Communicator

I have something working as a scheduled alert;

index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | fields - _raw | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | eval Zone="Latest" | table cn splitted Zone _time

| append [ | search index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bat,DC=com" | fields - _raw | eventstats latest(_time) AS latest_timestamp by cn | eval prev_timestamp = strftime(_time, "%Y-%m-%d %I:%M:%S %p") | where _time < latest_timestamp | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | eval Zone="Previous" | table cn splitted Zone _time latest_timestamp ]

| stats values(cn) AS cn, values(Zone) as Zone, values(_time) as Timestamp, values(latest_timestamp) AS latest_timestamp by splitted

| nomv Zone

| search Zone="Previous"

| eval t=now()
| eval t_earliest = (t - 86400 * 1)

| where latest_timestamp>t_earliest

It can likely be cleaned up, but this is working for both removals and additions of accounts. The query as is only pulls removals with the "Zone" field set to "Previous". It's set as a scheduled alert around 6am, and if results are > 0.

0 Karma

PPape
Contributor

You can do this over the Windows Log.
Eventcodes

0 Karma

mcrawford44
Communicator

Well aware of this, however I'd rather use the built in AD monitoring over deploying a forwarder on multiple domain controllers.

I've made some progress in that I can now compare deltas of the latest event vs. the prior event;

This grabs the event prior to the latest:

index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | table cn _time | eventstats latest(_time) AS lasttime | where _time < lasttime | dedup cn

I'm now formatting a 'set diff' query to compare the two.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...