Getting Data In

How can I monitor Active Directory GPO changes on splunk enterprise?

alvaroveiga
New Member

I am running Splunk 7.0.2 and I would like to monitor Active Directory GPO changes on splunk enterprise.
What is the best way to do that?
Is there any recommended app?

Thanks in advance.

0 Karma

alvaroveiga
New Member

The logs are already forwarded to splunk, but i really need to create an alert when a GPO is modified, created etc.
Is there a way to do it?

0 Karma

adonio
Ultra Champion

look for EventCode=4735 for group changes, EventCode=4732 OR eventCode=4733 for user change
i use this website to verify what the event codes in windows mean:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4735
put the needed event code at the end of url

hope it helps

0 Karma

alvaroveiga
New Member

This eventcode is only for group change, i need something for GPO.

0 Karma

adonio
Ultra Champion

are you looking for this?
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5137
ask your AD admin / owner what is the eventcoeds they are interested in, check you see it in splunk, write a search that answers your question

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...