Splunk Search

Need a search to tell me who deleted an OU object in Active Directory

maverick
Splunk Employee

I have Windows Security events that tell me when a user logged on and I have an ActiveDirectory event that tells me that an OU object was deleted, but I cannot figure out how to correlate the two events together without a common unique "id" field (value) to link them.

Is there a configuration within AD or within Windows that will log some sort of common ID or GUID to both events so I can tie them together into a "this person deleted this OU object" in a report?

Or, am I out of luck and maybe there is some search that will get me close to correlating these two semi-related events in such a way that I can get an approximate report along these lines?

1 Solution

Ledio_Ago
Splunk Employee

Maverick, in the deleted AD event, under the "Object details" look for the objectGUID field. It will look like:

objectGUID=4afba9d3-6d77-b140-3591-0f45dc297f66

The same GUID will show up in the Security event related to the deletion of the OU. The field name in the Security event is different, but the value is the same.

I tried it myself, I deleted a user account in the DC. The ActiveDirectory event showed up in Splunk together with the WinEventLog Security event with EventCode=630. Both events had that same GUID.

In the Security event the GUID looked like:

Target Account ID: John Doe
DEL:4afba9d3-6d77-b140-3591-0f45dc297f66

So you can run searches to look for an ActiveDirectory isDeleted=TRUE, which then shares that objectGUID field value in the Security events.

Another thing you can do is to look for specific EventCodes related to object deletions:

http://support.microsoft.com/kb/174074

Event ID: 638
Type: Success Audit
Description: Local Group Deleted:

Event ID: 634
Type: Success Audit
Description: Global Group Deleted:

Event ID: 630
Type: Success Audit
Description: User Account Deleted:

Event ID: 564
Type: Success Audit
Description: Object Deleted:

Ledio_Ago
Splunk Employee

Nice, good stuff.

0 Karma

maverick
Splunk Employee

Got it to work, finally. I can NOW see the events after enabling local admin auditing as well as group auditing (log into the domain controller -> Administrative Tools -> Domain Controller Security Settings and enable the auditing from there).

0 Karma

maverick
Splunk Employee

Okay, I see the Windows Security events when I delete group objects now that I've enabled AD auditing. However, when I delete a topmost OU object itself, I do NOT see any Windows Security event generated for that. I do see the ActiveDirectory DEL event, but it does not tell me which user made the deletion.

0 Karma

maverick
Splunk Employee

I only see EventCode=630. I do not have any of the other EventCodes you mention above, although I DO see my ActiveDirectory events saying isDeleted=TRUE for when a group object was deleted.
How do I turn on Win security auditing of group deletes so I can get the 638 and 634 EventCodes generated?

0 Karma

Ledio_Ago
Splunk Employee

Correct! If you have problems getting the search right, let me know, I can help with that.

0 Karma

maverick
Splunk Employee

Thanks! This makes sense because we can use field aliasing to map the two different fields together as one common name and use that to match on, or transaction on, or we could use rex to normalize both field values into one common field name as well.

0 Karma
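The correlation the accepted answer describes (join the ActiveDirectory isDeleted=TRUE event to the Security event on the shared GUID) and the normalization step mentioned in the reply above (pull both differently named values into one common field) as a worked example. This is added code, not from the thread, from Splunk or from Microsoft: it runs offline over constructed sample events shaped like the two formats quoted in the answer (an `objectGUID=<guid>` line in the AD event, `DEL:<guid>` plus `Caller User Name:` in the EventCode 630 message). Field layouts, the `Caller User Name:` label and the GUID values are assumptions for illustration; the second AD deletion deliberately has no Security counterpart, so the output shows the gap reported later in the thread for a topmost OU rather than hiding it.

```python
import re

# Constructed sample events (not captured from a real domain). Two shapes:
#  - a Splunk ActiveDirectory monitoring event with isDeleted=TRUE and an
#    objectGUID=<guid> line
#  - a Windows Security event whose message carries the same GUID after "DEL:"
# The OU deletion has no Security counterpart; the logon event (528) has no
# GUID at all and is ignored, which is why a logon cannot be joined directly.
SAMPLE_EVENTS = [
    {"sourcetype": "ActiveDirectory",
     "_raw": "admonEventType=Update\n"
             "objectName=CN=John Doe,OU=Sales,DC=corp,DC=example\n"
             "isDeleted=TRUE\n"
             "objectGUID=4afba9d3-6d77-b140-3591-0f45dc297f66\n"},
    {"sourcetype": "WinEventLog:Security",
     "_raw": "EventCode=630\n"
             "Type=Success Audit\n"
             "Message=User Account Deleted:\n"
             "\tTarget Account Name:\tjdoe\n"
             "\tTarget Domain:\tCORP\n"
             "\tTarget Account ID:\tJohn Doe\n"
             "\tDEL:4AFBA9D3-6D77-B140-3591-0F45DC297F66\n"   # upper case on purpose
             "\tCaller User Name:\tadmin01\n"
             "\tCaller Domain:\tCORP\n"
             "\tCaller Logon ID:\t(0x0,0x3E7)\n"},
    {"sourcetype": "WinEventLog:Security",
     "_raw": "EventCode=528\nType=Success Audit\nMessage=Successful Logon:\n"
             "\tUser Name:\tadmin01\n\tDomain:\tCORP\n"},
    {"sourcetype": "ActiveDirectory",
     "_raw": "admonEventType=Update\n"
             "objectName=OU=Sales,DC=corp,DC=example\n"
             "isDeleted=TRUE\n"
             "objectGUID=11111111-2222-3333-4444-555555555555\n"},
]

# One regex accepts both spellings of the GUID carrier, so both event types
# end up with the same normalized "guid" value (the rex / field-alias idea).
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
GUID_RE = re.compile(r"(?:objectGUID=|DEL:)(?P<guid>" + GUID + ")")
CALLER_RE = re.compile(r"Caller User Name:\s*(?P<caller>\S+)")
OBJECT_RE = re.compile(r"^objectName=(?P<name>.+)$", re.MULTILINE)
EVENTCODE_RE = re.compile(r"^EventCode=(?P<code>\d+)$", re.MULTILINE)


def normalize_guid(raw):
    """Return the GUID from either event format, lower-cased, or None."""
    m = GUID_RE.search(raw)
    return m.group("guid").lower() if m else None


def correlate(events):
    """Join AD deletions to Security events on the normalized GUID.

    Returns {guid: {"object": ..., "deleted_by": ..., "event_codes": [...]}}
    for every AD event with isDeleted=TRUE. A deletion with no matching
    Security event is kept with deleted_by=None so the gap stays visible.
    """
    deletions = {}
    for ev in events:
        raw = ev["_raw"]
        if ev["sourcetype"] != "ActiveDirectory" or "isDeleted=TRUE" not in raw:
            continue
        guid = normalize_guid(raw)
        if guid is None:
            continue
        m = OBJECT_RE.search(raw)
        deletions[guid] = {"object": m.group("name") if m else None,
                           "deleted_by": None, "event_codes": []}
    for ev in events:
        raw = ev["_raw"]
        if not ev["sourcetype"].startswith("WinEventLog:Security"):
            continue
        guid = normalize_guid(raw)       # None for events without a GUID
        if guid not in deletions:
            continue
        rec = deletions[guid]
        code = EVENTCODE_RE.search(raw)
        if code:
            rec["event_codes"].append(code.group("code"))
        caller = CALLER_RE.search(raw)
        if caller:
            rec["deleted_by"] = caller.group("caller")
    return deletions


def report_lines(deletions):
    """One 'who deleted what' line per AD deletion, sorted by GUID."""
    lines = []
    for guid, rec in sorted(deletions.items()):
        who = rec["deleted_by"] or "UNKNOWN (no Security event carries this GUID)"
        codes = ",".join(rec["event_codes"]) or "-"
        lines.append(f"{rec['object']} deleted by {who} guid={guid} codes={codes}")
    return lines


if __name__ == "__main__":
    for line in report_lines(correlate(SAMPLE_EVENTS)):
        print(line)
```

The two-pass shape matters: the AD side defines the set of deletions and the Security side only enriches it, so an OU deletion that produced no Security event (the situation described further up the thread) is reported as unattributed instead of disappearing from the join. In Splunk the same normalization is a single `rex` over `_raw` with an alternation for the `objectGUID=` and `DEL:` prefixes, followed by `stats` or `transaction` on the resulting field.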

Ledio_Ago
Splunk Employee

I'll look into this and see if I can come up with something... I'm not sure if it's possible either.

0 Karma