Splunk query for privileged group modification in Active Directory
Here’s a Splunk query to list any changes to privileged Active Directory groups:
sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757)<br /> (user_group="Domain Admins" OR user_group="Enterprise Admins" OR user_group="Administrators" OR user_group="Schema Admins" OR user_group="Account Operators"<br /> OR user_group="Backup Operators" OR user_group="Cert Publishers" OR user_group="Cryptographic Operators" OR user_group="DHCP Administrators"<br /> OR user_group="DnsAdmins" OR user_group="Domain Controllers" OR user_group="Read-only Domain Controllers" OR user_group="Network Configuration Operators") |<br /> table EventCode, EventCodeDescription, user_group, user, src_user |<br /> rename EventCodeDescription as "Description", user_group as "Group Changed", user as "User Added/Removed", src_user as "Changed By"
I have this setup as both an alert and monthly report to catch any undocumented changes to these groups. You may also want to consider a monthly listing of these groups as well.
