
Splunk query for privileged group modification in Active Directory

Here's a Splunk query that lists membership changes (members added or removed) to privileged Active Directory groups:

[code]sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757)
(user_group="Domain Admins" OR user_group="Enterprise Admins" OR user_group="Administrators" OR user_group="Schema Admins" OR user_group="Account Operators"
OR user_group="Backup Operators" OR user_group="Cert Publishers" OR user_group="Cryptographic Operators" OR user_group="DHCP Administrators"
OR user_group="DnsAdmins" OR user_group="Domain Controllers" OR user_group="Read-only Domain Controllers" OR user_group="Network Configuration Operators")
| table EventCode, EventCodeDescription, user_group, user, src_user
| rename EventCodeDescription as "Description", user_group as "Group Changed", user as "User Added/Removed", src_user as "Changed By"[/code]

I have this set up as both an alert and a monthly report to catch any undocumented changes to these groups. You may also want to consider a monthly listing of the current membership of these groups.
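To test the detection logic without a Splunk instance, here is an added Python example (not part of the original post and not Splunk code) that applies the same filter to constructed sample events. It assumes the events have already been extracted into the `EventCode`, `user_group`, `user` and `src_user` fields the query relies on, and it encodes the six event IDs with their Windows Security log meanings so the output matches the `table`/`rename` columns above. Splunk field-value matches are case-insensitive, so the group comparison is made case-insensitive here as well.

```python
"""Offline replica of the privileged-group-change Splunk query above."""
import re
from dataclasses import dataclass

# Windows Security event IDs for group membership changes (added example).
GROUP_CHANGE_EVENTS = {
    4728: "member added to security-enabled global group",
    4729: "member removed from security-enabled global group",
    4732: "member added to security-enabled local group",
    4733: "member removed from security-enabled local group",
    4756: "member added to security-enabled universal group",
    4757: "member removed from security-enabled universal group",
}

# Same privileged groups the Splunk query watches; compared case-insensitively
# because Splunk's field=value matching is case-insensitive.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins",
    "Account Operators", "Backup Operators", "Cert Publishers",
    "Cryptographic Operators", "DHCP Administrators", "DnsAdmins",
    "Domain Controllers", "Read-only Domain Controllers",
    "Network Configuration Operators",
}
_PRIVILEGED_LOWER = {g.lower() for g in PRIVILEGED_GROUPS}


@dataclass(frozen=True)
class GroupChange:
    """One row of the report: mirrors the renamed columns in the query."""
    event_code: int
    description: str
    group_changed: str
    user_added_removed: str
    changed_by: str


# Constructed sample events (not real log data), already in the key=value
# shape that field extraction would yield. The 4732 row targets a
# non-privileged group and the 4624 row is a logon, so both must be ignored.
SAMPLE_EVENTS = [
    'EventCode=4728 user_group="Domain Admins" user="jdoe" src_user="helpdesk1"',
    'EventCode=4732 user_group="Remote Desktop Users" user="asmith" src_user="helpdesk1"',
    'EventCode=4756 user_group="Enterprise Admins" user="svc-backup" src_user="admin2"',
    'EventCode=4729 user_group="domain admins" user="jdoe" src_user="admin2"',
    'EventCode=4624 user="jdoe" src_user="-"',
]

# key=value pairs where the value is either double-quoted or a bare token.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict of extracted fields."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def find_privileged_changes(lines):
    """Return the rows the Splunk query would table, in input order."""
    hits = []
    for line in lines:
        f = parse_event(line)
        try:
            code = int(f.get("EventCode", ""))
        except ValueError:
            continue  # no usable EventCode field
        if code not in GROUP_CHANGE_EVENTS:
            continue  # not a group membership change
        group = f.get("user_group", "")
        if group.lower() not in _PRIVILEGED_LOWER:
            continue  # membership change, but not to a watched group
        hits.append(GroupChange(
            event_code=code,
            description=GROUP_CHANGE_EVENTS[code],
            group_changed=group,
            user_added_removed=f.get("user", ""),
            changed_by=f.get("src_user", ""),
        ))
    return hits


def changes_by_actor(changes):
    """Count rows per 'Changed By' account, handy for the monthly report view."""
    counts = {}
    for c in changes:
        counts[c.changed_by] = counts.get(c.changed_by, 0) + 1
    return counts


if __name__ == "__main__":
    for row in find_privileged_changes(SAMPLE_EVENTS):
        print(f"{row.event_code} | {row.description} | {row.group_changed} | "
              f"{row.user_added_removed} | {row.changed_by}")
    print(changes_by_actor(find_privileged_changes(SAMPLE_EVENTS)))
```

Running it against the constructed sample prints three rows (the two Domain Admins changes and the Enterprise Admins addition) and drops the Remote Desktop Users change and the logon event, which is exactly the set the Splunk search would return for the same extracted fields.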
