I'm looking for a way to run a report within Splunk against my Active Directory that'll show me all the users that were created, modified, and deleted in the last 24 hours and who did it. If a user was modified, it would be good if it could also report back with a brief description of what was modified.
I'm running the Splunk App for Windows Infrastructure and it's currently indexing my Active Directory events, but the information I mentioned above requires me to go into multiple places within Splunk to get it. Other programs such as Netwrix Active Directory Change Reporter does this very well, but I would like to see if there's a way I can get Splunk to report back in a similar fashion. Please let me know if you have any questions.
Versions are:
Splunk Supporting Add-on for Active Directory - 2.1.3
Splunk App for Windows Infrastructure - 1.2.1
Search & Reporting - 6.3.3
Splunk Add-on for Microsoft Windows - 4.8.3
Thank you,
Robert
Have you seen admon?
It is specifically designed to monitor for AD changes and, if I remember correctly, you don't need any other apps, just a Windows server running Splunk.
Hope that helps
Thank you for your response, but are you able to provide a search command / string that will yield me the results I'm looking for? Please let me know if you have any questions.
Thank you,
Robert
First of all you need to configure your forwarder to read admon data. See the examples section here.
Once you've done that and your data is coming in (see the output examples again here), you can run queries such as:
# Any updates
index=foobar sourcetype=ActiveDirectory admonEventType=Update earliest=-24h
# Just deletions
index=foobar sourcetype=ActiveDirectory admonEventType=Update isDeleted=true earliest=-24h
Hope that makes sense.
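Building on the two searches above, here is an added example (not part of the original answer) of one search that turns the admon events into the kind of 24-hour created/modified/deleted report the question asks for. It assumes the admon fields objectClass, isDeleted, whenCreated, whenChanged, distinguishedName and sAMAccountName are extracted as in the Splunk output examples; the index name foobar is the placeholder from the answer above, and classifying an object as "created" when whenCreated equals whenChanged is a heuristic, not a documented admon field.

```spl
index=foobar sourcetype=ActiveDirectory admonEventType=Update earliest=-24h
    objectClass=user
| eval changeType=case(
      lower(isDeleted)="true", "deleted",
      whenCreated=whenChanged, "created",
      true(), "modified")
| stats earliest(_time) AS firstSeen
        latest(_time) AS lastSeen
        values(changeType) AS changeType
        latest(distinguishedName) AS dn
        latest(whenChanged) AS whenChanged
    BY sAMAccountName
| sort - lastSeen
| convert ctime(firstSeen) ctime(lastSeen)
| table sAMAccountName changeType firstSeen lastSeen whenChanged dn
```

Two caveats for anyone using this as a report: admon records the state of the object after replication, not the account that made the change, so the "who did it" column has to come from a different source (the Windows Security log on the domain controllers, indexed by the Windows add-on). And because each admon event carries the object's full attribute set rather than a delta, a "what was modified" description means comparing consecutive events for the same sAMAccountName, for example with streamstats over the attributes you care about, rather than reading it from a single event.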