Is there a forensic-type report that handles AD user account properties for PCI and SSAE compliance?

dhaertel
Path Finder

Hello,
I'm looking for a way to track total property changes within an AD user's account. As an example, per PCI and SSAE requirements, user accounts must not be permanent; they must be set to expire in 89 days or fewer.

I was able to run the report that showed me a dozen or so users that were set to "not expire", which is great. I'd like to know, however, whether this user was set up that way originally or if another sysadmin had changed this status for whatever reason.

This brought up other uses, like tracking if a sysadmin has reset a password rather than having the user use our self-help password reset portal, and obviously there are many more options to consider.

Basically we're looking for a forensic-type report that handles AD user account properties. Is there something already that does this? Or would it mean writing my own?

0 Karma
1 Solution

dhaertel
Path Finder

Ok, so I'll add this to my original post. I found a pretty basic and generic search, from which I then created a report based on the Windows event ID.

eventtype="wineventlog_windows" sourcetype="*inEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="1102" Type="*"

I then just used this as a base, modified the EventCode to the ID I was tracking and voilà, a solid report for that function.

I found this very handy list of event codes and generated the ones I needed to see, like user account lockouts, user deletions and creations, alert logs cleared (above code), and others that fit into my daily security checklist.

List of Event Codes

0 Karma
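The question above asks whether a "never expires" flag was set when the account was created or flipped later by another admin, and whether a password was reset by a sysadmin rather than changed by the user; the accepted answer gets there by swapping EventCode values into one base search. The following is an added example, not code from this thread, that builds that per-account history outside Splunk in Python over constructed Windows Security events (4720 account created, 4738 account changed, 4724 password reset by another account, 4723 own password change); the multi-line event layout and the "'Don't Expire Password' - Enabled" wording are modelled on rendered Security log text and are assumptions here.

```python
import re
from collections import defaultdict

NEVER_EXPIRE_ON = "'Don't Expire Password' - Enabled"  # wording as rendered in the log (assumed)

def make_event(code, subject, target, uac=None):
    """Constructed sample in the multi-line layout of Windows Security events:
    4720 carries a 'New Account:' section, 4738/4723/4724 a 'Target Account:' one."""
    section = "New Account" if code == 4720 else "Target Account"
    text = (f"EventCode={code}\nSubject:\n\tAccount Name:\t\t{subject}\n"
            f"{section}:\n\tAccount Name:\t\t{target}\n")
    if uac:
        text += f"Attributes:\n\tUser Account Control:\t\n\t\t{uac}\n"
    return text

SAMPLE_EVENTS = [  # constructed, not real data
    make_event(4720, "adm.jones", "svc_backup", NEVER_EXPIRE_ON),  # set at creation
    make_event(4720, "adm.jones", "jdoe"),
    make_event(4738, "adm.smith", "jdoe", NEVER_EXPIRE_ON),        # flipped later
    make_event(4724, "adm.smith", "jdoe"),                         # reset by an admin
    make_event(4723, "jdoe", "jdoe"),                              # user changed own password
]

def parse_event(text):
    """Pull EventCode, subject, target and the never-expires flag out of one event."""
    code = int(re.search(r"EventCode=(\d+)", text).group(1))
    subj = re.search(r"Subject:.*?Account Name:\s*(\S+)", text, re.S)
    tgt = re.search(r"(?:Target|New) Account:.*?Account Name:\s*(\S+)", text, re.S)
    uac = re.search(r"User Account Control:(.*?)(?:\n\S|\Z)", text, re.S)
    return {"code": code,
            "subject": subj.group(1) if subj else None,
            "target": tgt.group(1) if tgt else None,
            "never_expire_set": bool(uac and NEVER_EXPIRE_ON in uac.group(1))}

def account_history(events):
    """Per target account: creator, whether 'never expires' was set at creation or
    changed afterwards (and by whom), and password resets done by someone else."""
    hist = defaultdict(lambda: {"created_by": None, "never_expire_at_creation": False,
                                "never_expire_changed_by": [], "admin_resets_by": []})
    for e in map(parse_event, events):
        h = hist[e["target"]]
        if e["code"] == 4720:
            h["created_by"] = e["subject"]
            h["never_expire_at_creation"] = e["never_expire_set"]
        elif e["code"] == 4738 and e["never_expire_set"]:
            h["never_expire_changed_by"].append(e["subject"])
        elif e["code"] == 4724:  # 4723 (own password change) is deliberately not flagged
            h["admin_resets_by"].append(e["subject"])
    return dict(hist)
```

Run `account_history(SAMPLE_EVENTS)` to get one dict per account; in the sample, svc_backup shows the flag set by its creator while jdoe shows it flipped later by adm.smith, who also reset the password.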

DalJeanis
SplunkTrust

@dhaertel - List of Event Codes?

Here's a list of Windows ones: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

0 Karma

dhaertel
Path Finder

Yeah, I posted a link but I'm too new; it stripped out the actual address. That one I found was very good also.

But in the end, I set up a great set of daily reports, and I just plow through them first thing in the morning and make my notes based on the reports.

0 Karma