Splunk - Custom Search Queries

The document describes searches and macros to monitor account creation and deletion in Active Directory, identify users added to groups, retrieve latest and previous group membership, and build a table of Active Directory user objects incrementally.

Uploaded by

santoshs2002848

Search queries for monitoring when a user creates an account and then deletes it within a given time window.

sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720)
| eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation")
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
| where duration < 3600

Or try this variant, which also reports who created and deleted the account and when:

index=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720)
| rex field=_raw "(?ms)^(?P<time>\d+\S+\s\S*\s\w+)"
| eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation")
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
| where duration < 86400
| eval Account_Created_Time=mvindex(time,0)
| eval Account_Deleted_Time=mvindex(time,1)
| eval Created_Account_EventCode=mvindex(EventCode,0)
| eval Deleted_Account_EventCode=mvindex(EventCode,1)
| eval Account_Created_By=mvindex(src_user,0)
| eval Account_Deleted_By=mvindex(src_user,1)
| table Account_Created_Time Account_Created_By Created_Account_EventCode user Account_Deleted_Time Deleted_Account_EventCode Account_Deleted_By
| eval Account_Deleted_By=if(isnull(Account_Deleted_By),Account_Created_By,Account_Deleted_By)
| rename user AS Account_Created_And_Deleted
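The pairing that the two searches above delegate to transaction can be checked outside Splunk. The Python below is an added example, not part of the document: it walks constructed Windows Security events in time order, closes each user's open creation with the next deletion, applies the duration window, and emits the same column names the second search tables. The fallback in Account_Deleted_By mirrors the final eval in that search (a deletion event that carries no actor is attributed to the creator). The sample events, field names and times are constructed.

```python
"""Pair account-creation and account-deletion events per user within a time window.

Added example, not from the document: a plain-Python equivalent of the
transaction/where logic in the SPL above, run over constructed sample events.
"""
from datetime import datetime

# Event codes the SPL maps to a status. 624/630 are the pre-Windows-2008 codes
# for the same actions as 4720/4726.
CREATION_CODES = {624, 4720}
DELETION_CODES = {630, 4726}

# Constructed sample events (not real log data). Field names follow the SPL:
# user = account acted on, src_user = account performing the action.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01 09:00:00", "EventCode": 4720, "user": "svc_backup", "src_user": "jdoe"},
    {"_time": "2024-03-01 09:20:00", "EventCode": 4726, "user": "svc_backup", "src_user": "jdoe"},
    {"_time": "2024-03-01 10:00:00", "EventCode": 4720, "user": "tmp_admin", "src_user": "asmith"},
    {"_time": "2024-03-02 12:00:00", "EventCode": 4726, "user": "tmp_admin", "src_user": "asmith"},
    # deletion with no creation on record: cannot form a pair
    {"_time": "2024-03-01 11:00:00", "EventCode": 4726, "user": "legacy_user", "src_user": "asmith"},
    # legacy event codes, with the deletion event missing src_user
    {"_time": "2024-03-01 11:30:00", "EventCode": 630, "user": "old_box_acct"},
    {"_time": "2024-03-01 11:05:00", "EventCode": 624, "user": "old_box_acct", "src_user": "bwu"},
]


def status_of(event_code):
    """Same mapping as the SPL's eval status=case(...)."""
    if event_code in CREATION_CODES:
        return "Account Creation"
    if event_code in DELETION_CODES:
        return "Account Deletion"
    return None


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_short_lived_accounts(events, max_duration_seconds):
    """Return one row per creation followed by deletion of the same user within the window.

    Mirrors transaction user startswith=creation endswith=deletion maxevents=2:
    events are walked in time order and a deletion closes the most recent open
    creation for that user. A deletion with no open creation, or a creation that
    is never deleted, yields no row. Rows are ordered by deletion time.
    """
    open_creations = {}
    rows = []
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        status = status_of(ev["EventCode"])
        if status == "Account Creation":
            open_creations[ev["user"]] = ev
        elif status == "Account Deletion":
            created = open_creations.pop(ev["user"], None)
            if created is None:
                continue
            duration = (parse_time(ev["_time"]) - parse_time(created["_time"])).total_seconds()
            if duration >= max_duration_seconds:
                continue
            rows.append({
                "Account_Created_And_Deleted": ev["user"],
                "Account_Created_Time": created["_time"],
                "Account_Created_By": created["src_user"],
                "Created_Account_EventCode": created["EventCode"],
                "Account_Deleted_Time": ev["_time"],
                # Same fallback as the SPL's final eval: if no deleting actor is
                # recorded, attribute the deletion to the creator.
                "Account_Deleted_By": ev.get("src_user") or created["src_user"],
                "Deleted_Account_EventCode": ev["EventCode"],
                "duration_seconds": duration,
            })
    return rows


if __name__ == "__main__":
    for row in find_short_lived_accounts(SAMPLE_EVENTS, 3600):
        print(row)
```

With the one-hour window only svc_backup and old_box_acct are reported; tmp_admin (deleted 26 hours after creation) appears only when the window is widened past 86400 seconds, and legacy_user never appears because no creation precedes its deletion.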

To identify admin accounts (the a_* term matches accounts with an a_ prefix) added to groups, replacing the <Group_Name1>, <Group_Name2> and <Group_Name3> placeholders with the group names to watch:

(EventCode=4728 OR EventCode=4732 OR EventCode=4756) a_* (Group_Name=<Group_Name1> OR Group_Name=<Group_Name2> OR Group_Name=<Group_Name3>)

For LDAP group reporting

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs=* | table sAMAccountName memberOf

To pull latest membership and format each member as a record

index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | table cn splitted _time

Or, to compare the latest snapshot of each group with the previous one and list members that are only in the previous snapshot, for groups whose latest snapshot is within the last 24 hours:

index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com"
| fields - _raw | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | eval Zone="Latest" | table cn splitted Zone _time
| append [ | search index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | fields - _raw | eventstats latest(_time) AS latest_timestamp by cn | eval prev_timestamp=strftime(_time, "%Y-%m-%d %I:%M:%S %p") | where _time < latest_timestamp | dedup cn | eval splitted=split(member, "|") | mvexpand splitted | eval Zone="Previous" | table cn splitted Zone _time latest_timestamp ]
| stats values(cn) AS cn, values(Zone) AS Zone, values(_time) AS Timestamp, values(latest_timestamp) AS latest_timestamp by splitted
| nomv Zone
| search Zone="Previous"
| eval t=now()
| eval t_earliest=(t - 86400 * 1)
| where latest_timestamp>t_earliest
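The same latest-versus-previous comparison, as an added Python example that is not part of the document. It takes constructed group-object records in the shape the index=ad_* search returns (cn, a pipe-delimited member list, epoch _time), keeps the two newest snapshots per group as the dedup cn and where _time < latest_timestamp | dedup cn steps do, and reports members present only in the previous one. One deliberate difference: the search above does stats by splitted across all groups, so a member who left one group but is still in another carries both zones and is not reported; the function below works per group. Group names, DNs and timestamps are constructed.

```python
"""Compare the latest and previous membership snapshot of each AD group and list
members that dropped out, for groups whose latest snapshot is recent.

Added example, not from the document: a plain-Python equivalent of the
Latest/Previous append-and-stats SPL above, over constructed group-object
records shaped like index=ad_* events (cn, pipe-delimited member, epoch _time).
"""
from collections import defaultdict

DOMAIN = "DC=foo,DC=bar,DC=com"  # same suffix as the objectCategory used in the SPL

# Constructed sample snapshots; each record is one group object event.
SAMPLE_SNAPSHOTS = [
    {"cn": "Domain Admins", "_time": 1700000000,
     "member": f"CN=alice,OU=Admins,{DOMAIN}|CN=bob,OU=Admins,{DOMAIN}"},
    {"cn": "Domain Admins", "_time": 1700086400,
     "member": f"CN=alice,OU=Admins,{DOMAIN}"},
    {"cn": "Backup Operators", "_time": 1700000000,
     "member": f"CN=carol,OU=Ops,{DOMAIN}|CN=dave,OU=Ops,{DOMAIN}"},
    {"cn": "Backup Operators", "_time": 1700003600,
     "member": f"CN=carol,OU=Ops,{DOMAIN}|CN=erin,OU=Ops,{DOMAIN}"},
    # a single snapshot: there is no "Previous" zone to compare against
    {"cn": "Helpdesk", "_time": 1700080000, "member": f"CN=frank,OU=IT,{DOMAIN}"},
]


def split_members(record):
    """split(member, "|") with empty entries dropped (a group with no members)."""
    return [m for m in record.get("member", "").split("|") if m]


def snapshots_by_group(records):
    """Group records by cn, newest first. snaps[0] is what dedup cn keeps;
    snaps[1] is what where _time < latest_timestamp | dedup cn keeps."""
    by_cn = defaultdict(list)
    for r in records:
        by_cn[r["cn"]].append(r)
    for snaps in by_cn.values():
        snaps.sort(key=lambda r: r["_time"], reverse=True)
    return by_cn


def removed_members(records, now, window_seconds=86400):
    """Members in the previous snapshot but not in the latest one, per group.

    Groups with fewer than two snapshots yield nothing, and groups whose latest
    snapshot is not newer than now - window_seconds are dropped, matching
    where latest_timestamp > t_earliest in the SPL.
    """
    rows = []
    for cn, snaps in snapshots_by_group(records).items():
        if len(snaps) < 2:
            continue
        latest, previous = snaps[0], snaps[1]
        if latest["_time"] <= now - window_seconds:
            continue
        gone = set(split_members(previous)) - set(split_members(latest))
        for member in sorted(gone):
            rows.append({"cn": cn, "member": member, "latest_timestamp": latest["_time"]})
    return rows


if __name__ == "__main__":
    for row in removed_members(SAMPLE_SNAPSHOTS, now=1700090000):
        print(row)
```

With now set to 1700090000 only bob's removal from Domain Admins is reported: Backup Operators also lost dave, but its latest snapshot is exactly 24 hours old and the strict comparison excludes it, and Helpdesk has no previous snapshot to compare.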

index=*index_name* (EventCode=4728 OR EventCode=4729) earliest=-5m latest=now (Group_Name="*Domain Admins*" OR Group_Name="*Group2*")

| rename src_user AS "Actioned By", src_user_first AS "First Name", src_user_last AS "Last Name", name AS "Action Taken"

| rex mode=sed field="Account_Name" "s/CN=//g"

| rex mode=sed field="Account_Name" "s/cn=//g"

| rex mode=sed field="Account_Name" "s/,OU.*//g"

| rex mode=sed field="Account_Name" "s/\\\//g"

| table "Actioned By" "First Name" "Last Name" Account_Name "Action Taken" Group_Name Account_Domain _time

| sort - _time
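The normalisation the rex mode=sed passes perform, as an added Python example (not from the document) that also serves the admin-to-group search earlier on the page. It filters constructed 4728/4729 events to the watched groups with the same case-insensitive wildcard semantics as a Splunk search term, extracts the CN from Account_Name with a DN-aware regex instead of stripping CN=, ,OU... and backslashes in four passes (so an escaped comma inside a CN survives as a comma rather than vanishing), and orders rows newest first as sort - _time does. The event names in the name field are the standard Windows descriptions for 4728/4729; every other value is constructed.

```python
"""Turn group-membership change events (4728 added / 4729 removed) into the
report rows the SPL above tables, for watched groups only.

Added example, not from the document. It replaces the four rex mode=sed passes
with one DN-aware CN extraction and applies the same Group_Name wildcard filter,
over constructed sample events.
"""
import re
from fnmatch import fnmatchcase

# Same patterns as Group_Name="*Domain Admins*" OR Group_Name="*Group2*"
WATCHED_GROUPS = ["*Domain Admins*", "*Group2*"]

# Constructed sample events. `name` carries the event description the SPL
# renames to "Action Taken".
SAMPLE_GROUP_EVENTS = [
    {"_time": 1700000100, "EventCode": 4728, "Group_Name": "Domain Admins",
     "Account_Name": "CN=Smith\\, John,OU=Admins,DC=foo,DC=bar,DC=com",
     "Account_Domain": "FOO", "src_user": "jdoe", "src_user_first": "Jane",
     "src_user_last": "Doe", "name": "A member was added to a security-enabled global group"},
    {"_time": 1700000200, "EventCode": 4729, "Group_Name": "domain admins",
     "Account_Name": "cn=Bob Lee,OU=Users,DC=foo,DC=bar,DC=com",
     "Account_Domain": "FOO", "src_user": "asmith", "src_user_first": "Ann",
     "src_user_last": "Smith", "name": "A member was removed from a security-enabled global group"},
    # not a watched group
    {"_time": 1700000300, "EventCode": 4728, "Group_Name": "Print Operators",
     "Account_Name": "CN=Carol,OU=Users,DC=foo,DC=bar,DC=com",
     "Account_Domain": "FOO", "src_user": "jdoe",
     "name": "A member was added to a security-enabled global group"},
    # local group change (4732): outside this search's event codes
    {"_time": 1700000400, "EventCode": 4732, "Group_Name": "Administrators",
     "Account_Name": "CN=Dave,OU=Users,DC=foo,DC=bar,DC=com",
     "Account_Domain": "FOO", "src_user": "jdoe",
     "name": "A member was added to a security-enabled local group"},
]


def cn_from_dn(value):
    """Return the CN of an LDAP DN; a value that is not a DN is returned unchanged.

    Backslash-escaped characters inside the CN (CN=Smith\\, John,OU=...) are
    unescaped, which the sed pair s/,OU.*//g plus backslash removal only
    approximates.
    """
    match = re.match(r"^cn=((?:\\.|[^,])*)", value, re.IGNORECASE)
    if not match:
        return value
    return re.sub(r"\\(.)", r"\1", match.group(1))


def is_watched(group_name, patterns=WATCHED_GROUPS):
    """Case-insensitive wildcard match, like a Splunk search term containing *."""
    return any(fnmatchcase(group_name.lower(), p.lower()) for p in patterns)


def group_change_report(events, earliest=0, patterns=WATCHED_GROUPS):
    """Rows for 4728/4729 events in watched groups since `earliest`, newest first."""
    rows = []
    for ev in events:
        if ev["EventCode"] not in (4728, 4729) or ev["_time"] < earliest:
            continue
        if not is_watched(ev["Group_Name"], patterns):
            continue
        rows.append({
            "Actioned By": ev["src_user"],
            "First Name": ev.get("src_user_first"),
            "Last Name": ev.get("src_user_last"),
            "Account_Name": cn_from_dn(ev["Account_Name"]),
            "Action Taken": ev["name"],
            "Group_Name": ev["Group_Name"],
            "Account_Domain": ev["Account_Domain"],
            "_time": ev["_time"],
        })
    rows.sort(key=lambda r: r["_time"], reverse=True)  # sort - _time
    return rows


if __name__ == "__main__":
    for row in group_change_report(SAMPLE_GROUP_EVENTS):
        print(row)
```

Only the two Domain Admins events survive the filter; the lower-case Group_Name still matches, the 4732 local-group event is out of scope for this search, and "CN=Smith\, John,..." comes out as "Smith, John".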

Test this search first:

eventtype=ms_ad_obj_msad_data (admonEventType=Sync) (objectClass="top|person|organizationalPerson|user") NOT ([| inputlookup AD_User_LDAP_list| fields objectGUID| table objectGUID| format]) | head 50000

If the above completes in a reasonable time, follow these steps to build the AD_User_LDAP_list table incrementally:

Clone the macro "ms_ad_obj_admon_user_base_list" and rename the copy "ms_ad_obj_admon_user_base_temp".

Update the original "ms_ad_obj_admon_user_base_list" macro by adding the following after the (objectClass="top|person|organizationalPerson|user") text:

NOT ([| inputlookup AD_User_LDAP_list| fields objectGUID| table objectGUID| format]) | head 50000

Also, remove the search text OR admonEventType=Update OR admonEventType=Deleted so that only the Sync data is loaded initially.

Save the changes, then run the following search from the search view in the MS Windows AD Objects application, selecting a time window that covers your Active Directory "Sync" data (you can try All time first):

|`ms_ad_obj_sched_sync_objects_base("User","user")`

You will need to run this multiple times, probably about 5 times for your environment.

You can check the count of objects in the AD_User_LDAP_list by running | inputlookup
AD_User_LDAP_list | stats count

Once the table is built, add the text OR admonEventType=Update OR admonEventType=Deleted back into the "ms_ad_obj_admon_user_base_list" macro, then rerun the ms_ad_obj_sched_sync_objects_base search above to capture the Update and Deleted events.

Finally, remove the NOT ([| inputlookup AD_User_LDAP_list| fields objectGUID| table objectGUID| format]) | head 50000 text from the "ms_ad_obj_admon_user_base_list" macro.

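Why the sync search has to be run several times, and what limits it, can be seen in a small simulation. The Python below is an added example; it is not part of the document or of the MS Windows AD Objects app, and it models the procedure rather than calling Splunk. Each run takes up to `batch` Sync events whose objectGUID is not already in the lookup (the NOT [| inputlookup ... | format] exclusion followed by head), keeps the newest record per objectGUID, and merges it into the table, repeating until a run adds nothing. The `subsearch_maxout` parameter models the cap Splunk places on subsearch results (limits.conf [subsearch] maxout, 10000 by default): once the lookup holds more GUIDs than the subsearch returns, already-loaded objects are no longer excluded, they consume the head budget, and the table stops growing short of the full population. The sample objects and timestamps are constructed.

```python
"""Simulate the incremental build of the AD_User_LDAP_list lookup described above.

Added example, not from the document or the MS Windows AD Objects app. The
exclusion-plus-head search is modelled as a loop over constructed Sync events;
`subsearch_maxout` models the Splunk subsearch result cap (limits.conf
[subsearch] maxout, default 10000).
"""

# Constructed sample Sync events: 12 user objects, each seen in two syncs,
# newest first as a Splunk search returns them.
SAMPLE_SYNC_EVENTS = [
    {"objectGUID": f"guid-{i:02d}", "sAMAccountName": f"user{i:02d}", "_time": 1700000000 + t * 3600}
    for t in (1, 0)
    for i in range(12)
]


def build_lookup_incrementally(sync_events, batch, subsearch_maxout=None, max_runs=50):
    """Run the exclude-then-head search repeatedly until a run adds no new object.

    Returns (lookup, productive_runs): the lookup as objectGUID -> newest record,
    and the number of runs that added rows. With a truncated exclusion list
    (subsearch_maxout smaller than the lookup), GUIDs that are already loaded
    take up the head budget again and the table stalls.
    """
    lookup = {}
    productive_runs = 0
    for _ in range(max_runs):
        excluded = list(lookup)  # inputlookup returns rows in stored order
        if subsearch_maxout is not None:
            excluded = excluded[:subsearch_maxout]  # only this many reach the NOT clause
        excluded = set(excluded)
        # NOT [...] then head: the first `batch` events not excluded
        candidates = [e for e in sync_events if e["objectGUID"] not in excluded][:batch]
        before = len(lookup)
        for e in candidates:
            current = lookup.get(e["objectGUID"])
            if current is None or e["_time"] > current["_time"]:
                lookup[e["objectGUID"]] = e  # keep the newest record per GUID
        if len(lookup) == before:
            break  # nothing new: complete, or stalled
        productive_runs += 1
    return lookup, productive_runs


if __name__ == "__main__":
    table, runs = build_lookup_incrementally(SAMPLE_SYNC_EVENTS, batch=5)
    print(f"{len(table)} objects after {runs} runs")  # the | inputlookup ... | stats count check
    stalled, runs = build_lookup_incrementally(SAMPLE_SYNC_EVENTS, batch=5, subsearch_maxout=4)
    print(f"{len(stalled)} objects after {runs} runs with a truncated exclusion list")
```

With 12 objects and a batch of 5 the table is complete after three productive runs and every row holds the newer sync record; with the exclusion list capped at 4 it stalls at 9 objects after two runs, which is the symptom to look for when the count from | inputlookup AD_User_LDAP_list | stats count stops rising before all users are loaded.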