Getting Data In

How can I monitor Active Directory GPO changes on splunk enterprise?

alvaroveiga
New Member

I am running Splunk 7.0.2 and I would like to monitor Active Directory GPO changes on splunk enterprise.
What is the best way to do that?
Is there any recommended app?

Thanks in advance.

0 Karma

alvaroveiga
New Member

The logs are already forwarded to splunk, but i really need to create an alert when a GPO is modified, created etc.
Is there a way to do it?

0 Karma

adonio
Ultra Champion

look for EventCode=4735 for group changes, EventCode=4732 OR eventCode=4733 for user change
i use this website to verify what the event codes in windows mean:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4735
put the needed event code at the end of url

hope it helps

0 Karma

alvaroveiga
New Member

This eventcode is only for group change, i need something for GPO.

0 Karma

adonio
Ultra Champion

are you looking for this?
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5137
ask your AD admin / owner what is the eventcoeds they are interested in, check you see it in splunk, write a search that answers your question

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...