
How to run a daily report against my Active Directory show all user and group changes?

rwiltzius
Explorer

I'm looking for a way to run a report within Splunk against my Active Directory that'll show me all the users that were created, modified, and deleted from the last 24 hours and who did it. If it was modified, then if it could also report back with a brief description on what was modified too.

I'm running the Splunk App for Windows Infrastructure and it's currently indexing my Active Directory events, but the information I mentioned above requires me to go into multiple places within Splunk to get it. Other programs such as Netwrix Active Directory Change Reporter do this very well, but I would like to see if there's a way I can get Splunk to report back in a similar fashion. Please let me know if you have any questions.

Versions are:
Splunk Supporting Add-on for Active Directory - 2.1.3
Splunk App for Windows Infrastructure - 1.2.1
Search & Reporting - 6.3.3
Splunk Add-on for Microsoft Windows - 4.8.3

Thank you,

Robert


javiergn
SplunkTrust

Have you seen admon?
It is specifically designed to monitor for AD changes and if I remember correctly you don't need any other apps, just a Windows server running Splunk.

Hope that helps


rwiltzius
Explorer

Thank you for your response, but are you able to provide a search command / string that will yield me the results I'm looking for? Please let me know if you have any questions.

Thank you,

Robert


javiergn
SplunkTrust

First of all you need to configure your forwarder to read admon data. See the examples section here.

Once you've done that and your data is coming in (see the output examples again here) you can run queries such as:

# Any updates
index=foobar sourcetype=ActiveDirectory admonEventType=Update earliest=-24h

# Just deletions
index=foobar sourcetype=ActiveDirectory admonEventType=Update isDeleted=true earliest=-24h

Hope that makes sense.

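An added example, not part of the thread above: the admon searches in the previous answer return the changed object's attributes, but admon data does not record which account made the change, so they cannot answer the "who did it" part of the question. The Windows Security log on the domain controllers does, and the Splunk Add-on for Microsoft Windows listed in the question already collects it. The search below builds the daily report from the account-management and group-management event IDs (4720/4722/4725/4726/4738 for users; 4727/4730/4731/4734/4735/4737/4754/4755/4758 for groups; 4728/4729/4732/4733/4756/4757 for membership changes). The index name wineventlog, the classic sourcetype WinEventLog:Security, and the assumption that the first Account_Name value is the Subject (actor) and the last one is the affected object are all assumptions to verify against your own field extractions; the Member_Name, Display_Name, User_Principal_Name and User_Account_Control field names are likewise assumed from the classic text rendering of those events.

```spl
index=wineventlog sourcetype="WinEventLog:Security" earliest=-24h@h latest=@h
    (EventCode=4720 OR EventCode=4722 OR EventCode=4725 OR EventCode=4726 OR EventCode=4738
     OR EventCode=4727 OR EventCode=4731 OR EventCode=4754
     OR EventCode=4730 OR EventCode=4734 OR EventCode=4758
     OR EventCode=4735 OR EventCode=4737 OR EventCode=4755
     OR EventCode=4728 OR EventCode=4732 OR EventCode=4756
     OR EventCode=4729 OR EventCode=4733 OR EventCode=4757)
| eval action=case(
    EventCode=4720, "User created",
    EventCode=4722, "User enabled",
    EventCode=4725, "User disabled",
    EventCode=4726, "User deleted",
    EventCode=4738, "User changed",
    EventCode=4727 OR EventCode=4731 OR EventCode=4754, "Group created",
    EventCode=4730 OR EventCode=4734 OR EventCode=4758, "Group deleted",
    EventCode=4735 OR EventCode=4737 OR EventCode=4755, "Group changed",
    EventCode=4728 OR EventCode=4732 OR EventCode=4756, "Member added to group",
    EventCode=4729 OR EventCode=4733 OR EventCode=4757, "Member removed from group",
    true(), "Other")
| eval actor=mvindex(Account_Name, 0), target=mvindex(Account_Name, -1)
| eval detail=case(
    EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757, "member=" . coalesce(Member_Name, "-"),
    EventCode=4738, "display_name=" . coalesce(Display_Name, "-") . " upn=" . coalesce(User_Principal_Name, "-") . " uac=" . coalesce(User_Account_Control, "-"),
    true(), "")
| table _time, action, actor, target, detail, ComputerName
| sort - _time
```

Save this as a scheduled report that runs once a day (for example on a cron schedule of 0 0 * * *) and it will cover the previous 24 hours relative to each run. Two things to check before trusting it: the "Audit User Account Management" and "Audit Security Group Management" subcategories must be enabled on every domain controller, and the Security log must be forwarded from every DC, because each event is written only on the DC that processed the change. For 4738 the event body lists every attribute, with "-" for the ones that did not change, so the detail column only shows a few of them; extend the case() branch with the attributes you care about.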