Splunk query for privileged group modification in Active Directory

Here’s a Splunk query to list any changes to privileged Active Directory groups:

sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757) 
(user_group="Domain Admins" OR user_group="Enterprise Admins" OR user_group="Administrators" OR user_group="Schema Admins" OR user_group="Account Operators" 
OR user_group="Backup Operators" OR user_group="Cert Publishers" OR user_group="Cryptographic Operators" OR user_group="DHCP Administrators" 
OR user_group="DnsAdmins" OR user_group="Domain Controllers" OR user_group="Read-only Domain Controllers" OR user_group="Network Configuration Operators") | 
table EventCode, EventCodeDescription, user_group, user, src_user | 
rename EventCodeDescription as "Description", user_group as "Group Changed", user as "User Added/Removed", src_user as "Changed By"

I have this setup as both an alert and monthly report to catch any undocumented changes to these groups.  You may also want to consider a monthly listing of these groups as well.

Leave a Comment

Your email address will not be published. Required fields are marked *